OpenWrt Forum Archive

Topic: Can't SSH via LAN on Relayd PseudoBridge

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello everyone:

Long time reading you guys, but first post ever.

I have a GL-inet AR150 with latest distribution. I have configured it as PseudoBridge using relayd as described in the relayd configuration page. (can't post links yet) It is working pretty well, besides some issues that I'll comment in another post.

The problem I have is that once I configured it and restarted, I can no longer SSH to the repeater, neither via its IP as client when connected to the master AP (192.168.10.2), nor via ethernet cable at LAN port (192.168.1.1). In both cases I get a connection refused error.

I have LuCI installed, and I can access it via the two methods described above, but cannot log in using the console.

I have created a dropbear instance at port 22, over any interface, and opened port 22 at the firewall for both wan and lan zones, with no luck.

I'm sure it has to be something related to the firewall configuration, which is exactly the same as the one in the relayd configuration page.

Can please somebody enlighten me?

Many thanks in advance,

Raúl

I'd first ask you to think about whether you even need or want a firewall on a strictly internal router. Do you need to protect yourself from yourself?

If yes, then check your forwarding rules; since LuCI works, you aren't blocking everything.

I put my bridge in the same zone as the lan and am done with it.

In https://wiki.openwrt.org/doc/recipes/relayclient,
1. Re-read "Enable access from client network", or
2. Just follow "Doing this via the Web GUI instead"

You should understand this IP address put in stabridge is allocated statically on main router. Otherwise change your computer IP address to subnet IP statically to access the sub-router.

Thank you for the answers.

@WWTK, that's true. I don't need a firewall at the repeater. By the way, is there a way to deactivate it temporarily from LuCI, similar to

/etc/init.d/firewall disable

?

@ximibaba, I did this, but it didn't help. Finally I reconfigured everything from a fresh install, and now it's working as expected. Probably I missed something at some point, but no need to figure out what anymore.

Still, there is something that is not really fitting. If I arp from the main router, everything connected to the repeater shows the MAC of the repeater:

IP address       HW type     Flags       HW address            Mask     Device
192.168.10.109   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.156   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.2     0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.246   0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.10.151   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.103   0x1         0x2         c0:0b:cd:e8:79:5b     *        br-lan
192.168.10.211   0x1         0x2         e4:95:6e:41:af:93     *        br-lan

Even more, some IPs are not correct, for instance, 192.168.10.156 is actually 192.168.10.125  and if you ping 192.168.10.156 nothing happens, while 192.168.10.125 works immediately.

Any clue for this?

Many thanks!
Raúl

It is good to hear it works after a fresh install. Sometimes the issue happens on the laptop side because the IP address changed between subnet and static/dynamic.

For the ARP, it is not an issue. The ARP cache is not refreshed frequently or in real time. If you want to know the latest for a specific IP/MAC, use ping. After the ping you will see the ARP cache get refreshed.
Or, try arp-scan.
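
An added example, not part of the thread: a POSIX shell helper that groups `/proc/net/arp`-style output by MAC, so the relay's MAC answering for many client IPs (what the table in the post shows) can be told apart from an unrecognised MAC doing the same, and incomplete entries (flags `0x0`) are listed separately. The function names are hypothetical; the sample table is copied from the post.

```shell
#!/bin/sh
# Added example: group an ARP table by MAC to see which MACs answer for several IPs.

# Table copied from the post above (same layout as /proc/net/arp).
sample_arp() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.109   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.156   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.2     0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.246   0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.10.151   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.103   0x1         0x2         c0:0b:cd:e8:79:5b     *        br-lan
192.168.10.211   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
EOF
}

# Print "MAC COUNT IP,IP,..." for each MAC holding more than one complete entry.
shared_macs() {
    awk 'NR > 1 && $3 != "0x0" {
             n[$4]++
             if ($4 in ips) ips[$4] = ips[$4] "," $1; else ips[$4] = $1
         }
         END { for (m in n) if (n[m] > 1) print m, n[m], ips[m] }'
}

# Print the IPs whose entry is incomplete (flags 0x0, no MAC resolved yet).
incomplete_ips() {
    awk 'NR > 1 && $3 == "0x0" { print $1 }'
}

# $1 = MAC of the relay bridge you expect. A shared MAC that matches it is
# normal for a relayd setup; any other shared MAC is labelled for review.
classify() {
    shared_macs | awk -v relay="$1" '{
        print ($1 == relay ? "expected-relay" : "investigate"), $0
    }'
}

# Stand-alone run on the sample table, using the repeater MAC from the post.
sample_arp | classify e4:95:6e:41:af:93
```

On the main router, pipe `cat /proc/net/arp` into `classify` in place of `sample_arp`.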

raulgotor wrote:

Thank you for the answers.

@WWTK, that's true. I don't need a firewall at the repeater. By the way, is there a way to deactivate it temporarily from LuCI, similar to

/etc/init.d/firewall disable

?

@ximibaba, I did this, but it didn't help. Finally I reconfigured everything from a fresh install, and now it's working as expected. Probably I missed something at some point, but no need to figure out what anymore.

Still, there is something that is not really fitting. If I arp from the main router, everything connected to the repeater shows the MAC of the repeater:

IP address       HW type     Flags       HW address            Mask     Device
192.168.10.109   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.156   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.2     0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.246   0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.10.151   0x1         0x2         e4:95:6e:41:af:93     *        br-lan
192.168.10.103   0x1         0x2         c0:0b:cd:e8:79:5b     *        br-lan
192.168.10.211   0x1         0x2         e4:95:6e:41:af:93     *        br-lan

Even more, some IPs are not correct, for instance, 192.168.10.156 is actually 192.168.10.125  and if you ping 192.168.10.156 nothing happens, while 192.168.10.125 works immediately.

Any clue for this?

Many thanks!
Raúl

You wouldn't really want to disable it, just put the bridge in the LAN firewall zone. This way no rules beyond what is there are needed.

The info on the pages you were reading allows more customization but makes it way more complicated than the average home user needs, IMHO.

I install luci-proto-relay, which also installs relayd.
Next, change the IP address of the LAN to be on its own net and save, but don't apply.
Then join the Wi-Fi to the main router as a client with a static IP or DHCP-reserved address.
Finally, add a new interface, changing the protocol to relay client, and assign it to the lan fw zone.

Save and apply and done.

The discussion might have continued from here.