Hello world,
I'm fairly new to Linux and Linux networking in general, so please bear with me. I have a MediaTek RT3352 router running OpenWrt. The router is configured to run in combined STA+AP mode. In this mode, the router does not respond to ARP requests from other devices in the same subnet. That is, this OpenWrt router is a client to a next-hop AP for internet access, and it is also configured as an AP for other devices, mostly Wi-Fi-enabled security cameras. I first thought it was an ARP issue, so I tried the following:
[*] Turning off and disabling the firewall
[*] Changing and persisting sysctl settings so that ARP/ICMP packets are accepted rather than ignored
[*] Tuning iptables to accept ICMP packets, etc.
This is what works:
[*] Broadcasting my ip using arping -- arping -A -c 2 -I 192.168.1.2
[*] Pinging the failing node from the router directly -- ping 192.168.1.3
Using tcpdump to capture packets on the router itself shows that the broadcast ARP packets are either not being forwarded to the OpenWrt router or that some kernel setting is causing the broadcast packets to be dropped. Using either Wireshark or tcpdump on the sending host (a laptop) shows that it is busily sending ARP request packets to the OpenWrt router but gets no response — the packets never show up on the router.
I'm beginning to suspect that it is not an ARP issue at all but a broadcast issue. Basically, if the OpenWrt router is already in a host's ARP table, then that host can ping it, SSH into it, etc. I should also note that in pure AP-only mode this is not an issue; it only occurs when the router is configured in combined STA+AP mode.
What am I missing? Please see below for my configuration. Any help or pointers will be greatly appreciated. Thank you.
System:
/ # ubus -v call system board
{
"kernel": "3.18.21",
"hostname": "OpenWrt",
"system": "Ralink RT3352 id:1 rev:6",
"model": "Allnet ALL5002",
"release": {
"distribution": "OpenWrt",
"version": "Bleeding Edge",
"revision": "firewall",
"codename": "designated_driver",
"target": "ramips\/rt305x",
"description": "OpenWrt Designated Driver firewall"
}
}
Sysctl:
/ # cat /etc/sysctl.conf
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
net.ipv4.conf.default.arp_ignore=0
net.ipv4.conf.all.arp_ignore=0
net.ipv4.ip_forward=1
net.ipv4.ipfrag_secret_interval=600
net.ipv4.icmp_echo_ignore_all=0
net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_ratemask=6168
net.ipv4.conf.wlan0.arp_accept=1
net.ipv4.conf.wlan0.arp_announce=2
net.ipv4.conf.wlan0.arp_filter=0
net.ipv4.conf.wlan0.arp_ignore=0
net.ipv4.conf.wlan0.arp_notify=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
net.netfilter.nf_conntrack_icmp_timeout=30
net.netfilter.nf_conntrack_icmpv6_timeout=30
Network configuration:
/ # cat /etc/config/network
config globals 'globals'
option ula_prefix 'fd01:ea9e:adf8::/48'
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'wwan'
option proto 'dhcp'
option sendopts 'hostname:panel lease:86400'
option clientid 'xxxx'
config interface 'lan'
option proto 'static'
option ifname 'eth0'
option netmask '255.255.255.0'
option ipaddr '172.16.10.254'
option type 'bridge'
option gateway '192.168.1.1'
option dns '192.168.1.1'
Wireless configuration:
/ # cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '10180000.wmac'
option disabled '0'
option txpower '20'
option country 'US'
option htmode 'HT20'
option hwmode '11g'
option obss_interval '300'
option noscan '0'
option log_level '0'
list ht_capab 'SHORT-GI-20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'TX-STBC'
list ht_capab 'RX-STBC1'
list basic_rate '12000'
list basic_rate '24000'
list basic_rate '54000'
list supported_rates '12000'
list supported_rates '18000'
list supported_rates '24000'
list supported_rates '36000'
list supported_rates '48000'
list supported_rates '54000'
config wifi-iface
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'xxxx'
option encryption 'psk2'
option key 'xxxx'
option wps_pushbutxon '1'
option macaddr 'xxxx'
option disassoc_low_ack '0'
option max_inactivity '1810'
option skip_inactivity_poll '1'
option max_listen_interval '65535'
config wifi-iface
option network 'wwan'
option mode 'sta'
option ssid 'xxxx'
option encryption 'psk2'
option key 'xxxx'
option device 'radio0'
option macaddr 'xxxx'
option channel '0'
Firewall:
/ # cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wwan'
option network 'wwan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wwan'
config rule
option name 'Allow-DHCP-wwan'
option src 'wwan'
option proto 'udp'
option dest_port '67-68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DHCP-lan'
option src 'lan'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wwan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv4-Input'
option src 'wwan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
option limit '1000/sec'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wwan'
option proto 'icmp'
option family 'ipv6'
option target 'ACCEPT'
option limit '1000/sec'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
config rule
option name 'Allow-MLD'
option src 'wwan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP-wwan'
option src 'wwan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP-lan'
option src 'lan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option src 'lan'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1900-1901'
config rule
option name 'Allow DNS Queries'
option src 'lan'
option dest_port '53'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'