Hi,
I have two independent networks here, which means two hardware routers and all the stuff around them. What I would like to achieve is to get rid of the second (Linksys) router and keep everything running on the Omnia. My current setup looks like this:
The thing is, I need to keep those two networks (my home network and Corp network) separated, independent, and they must not reach or interfere with each other in any way.
I tried to set up the Omnia this way:
-starting from default settings
-deleted the SSID from radio0 so there is “No network configured on this device” for Qualcomm Atheros QCA9880 802.11bgnac (radio0)
-on https://192.168.1.1/cgi-bin/luci/admin/network/network/lan > Physical Settings > withdrew (unchecked) Ethernet Adapter: “eth2” (lan)
-attached radio0 to the Corporate WIFI and created a new network “corp”
-on Physical Settings of the “corp” interface checked “create a bridge over specified interface(s)” and chose Ethernet Adapter: “eth2” and Wireless Network: Client “corp wifi”
I also tried to create two interfaces, assign one to the Corp WIFI and one to LAN4, and create a firewall forwarding.
I expected this would work, but the Corp Desktop was never able to reach the Corp AP. The WIFI interface received an IP address from the Corp WIFI AP, but the Corp Desktop did not.
Doesn’t it do “-on Physical Settings of the “corp” interface checked “create a bridge over specified interface(s)” and chose Ethernet Adapter: “eth2” and Wireless Network: Client “corp wifi””? LAN4 is on eth2.
It should, and I had missed that, which is why I withdrew my comment. What firewall zone is that bridge assigned to? It should permit DHCP (perhaps also DNS) to pass through to the lan4 client.
If you can access the Linksys management interface then check whether there are particular settings required, e.g. IPsec or some other security measures.
You could also debug with packet inspection (on the TO and/or the lan4 client) via tcpdump.
It is not assigned a firewall zone. Correct me if I’m wrong, but a bridge works on OSI Layer 2 and forwards all frames, while it doesn’t do anything on Layer 3 like a firewall does.
On the Corp WIFI there is no enterprise security, it is a cheap SOHO router, only WPA2. I’m able to connect my laptop or phone with simply a password.
Yes I will do some more testing tomorrow…
A bridge does not need an IP address to function. Without one it will just perform layer 2 switching, spanning tree protocol and filtering (if configured).
An IP address is required if you want your bridge to take part in layer 3 routing of IP packets.
@xsys Could you confirm if my understanding is correct that the Linksys is a wifi client (not an AP) and that it essentially brings the corp desktop into the corp wifi as wifi client?
If so, there are some gotchas in that you can’t just bridge wifi as a client to a network unless you negotiate WDS (Wireless Distribution System, see Wikipedia) or use L2 NAT (NATting MAC addresses).
In addition you used eth2, which should work, but some people had problems using the 2nd CPU port to connect to any LAN ports.
In addition I’m not sure that the switch is configured to join LAN4 and the 2nd CPU port (port 6 / eth2) together. (Sorry, I don’t have an Omnia handy straight away to check.)
Also, as soon as you share infrastructure there is always a possibility of impact.
The first I can think of is that by default you would have clients connecting on 5G and 2G wifi to the Omnia, and after your config the clients can only use either but not both anymore.
Another instance is that load on the CPU could cause some instability.
And as you are bridging via the CPU, make sure you have a firewall rule which denies traffic from the bridge and related interfaces to cross to any others. (Yes, it is L2, but there are certain configurations possible where the Linux kernel may find L2 traffic on the bridge interesting enough to use the L3 information of the packets and forward them based on L3.)
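As an added illustration of the zone isolation asked about above (not from this thread or the Turris project), an /etc/config/firewall fragment that puts the bridge into its own zone; it assumes the bridge interface is named 'corp' in /etc/config/network.

```uci
# Added example, not part of the original thread.
# Assumption: the corp bridge interface is called 'corp' in /etc/config/network.

# Own zone for the corp bridge: nothing from it may enter the router (input)
# or be routed onwards (forward) unless a rule below explicitly allows it.
config zone
	option name 'corp'
	list network 'corp'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Deliberately no 'config forwarding' entries between corp and lan or wan,
# in either direction, so routed traffic cannot cross between the two networks.

# Only needed if the Omnia itself serves DHCP/DNS to the corp client
# (the routed variant); leave these out for a pure layer 2 bridge.
config rule
	option name 'corp-dhcp'
	option src 'corp'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'corp-dns'
	option src 'corp'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Frames switched inside the bridge between eth2 and the wifi client never reach the zone's forward chain unless bridge netfilter (net.bridge.bridge-nf-call-iptables) is enabled; the zone covers whatever the kernel does decide to route, which is the layer 3 case the post warns about.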
config interface 'foo'
	option ifname 'eth2.2'
	option type 'bridge'
It is possible with kmod-trelay:
trelay relays ethernet packets between two devices (similar to a bridge), but without any MAC address checks. This makes it possible to bridge client mode or ad-hoc mode wifi devices to ethernet VLANs, assuming the remote end uses the same source MAC address as the device that packets are supposed to exit from.
That should not be a problem and AP + STA should work simultaneously but I am not 100% certain as not having tried it.
Since the open-source wireless drivers used in LEDE do not support bridging in client mode, the traffic between the LAN and the wireless client must be joined by routing it.
I hadn’t noticed that. That implies a plain bridge wouldn’t work by default. (I use WDS mode, or the STA as client and IP NAT like a standard home network setup with an ISP uplink.)
Sounds like @xsys would need to follow the above article and he might be lucky to get it to work.
Side effect is that this could work for more than one corp desktop.
I also just noticed the
That could imply that the “corp” network isn’t set to bridge only but picks up DHCP which guarantees a collision.
I never got that to work reliably. But it is a while I’ve had a reason to try.
Note that the side effect is that you will share the same RF channel with all the side effects.
This is why I use an additional radio usually.
If I’m reading that correctly it works for a single corp desktop (which may be enough in this case), and it requires that the ethernet frame encapsulated in the WIFI frame has the correct destination address for the client. That may not be the case unless the STA address is the same as the MAC of the corp desktop.
The background is that the AP gets a frame from the LAN with a dest MAC. The AP needs to match that dest MAC to a STA to send the ethernet frame to. Usually that mapping is done by taking the dest MAC as the STA destination. If the corp desktop uses a different MAC, the AP wouldn’t know where to send it and would drop it (it will not flood to all STAs like a bridge would).
Yes, the Linksys is a client, as shown in the first picture. It acts as a WIFI card for the Desktop, since the Desktop is out of the Corp WIFI range. It does not work as a WIFI bridge, hence no WDS is utilized. It is set to mode “bridge”, which means its WIFI and LAN interfaces are bridged.
I wanted the same setup to work on the Omnia, not a WIFI-to-WIFI bridge but WIFI-to-LAN.