bridging DD-WRT leads to un-routable ip addresses
It turns out that I did miss one step. The last step of the instructions says
Set your computer back to auto IP and auto DNS.
{This refers to the computer wired directly to the secondary router, i.e. the computer earlier set to 192.168.1.9, which I couldn't ping}.
As soon as I set this to DHCP, I was able to ping from a machine connected to the primary router. The only thing that I can think of is that the primary couldn't see the MAC address of the machine on the secondary router until it made an ARP request, which it wouldn't have done while it had a static IP... and yet, I had full network access on that box, so all of its packets would have gone through the primary...
I dunno. I'm going to chalk it up to some strange layer 2 nonsense. If someone can give me a clearer answer, I'll accept it. I want to set up DHCP and DNS caching on the secondary router, because DD-WRT has dnsmasq, which is beautiful on home networks... so if IP addresses are only routable after having been registered with the primary router's DHCP server, I'm going to be coming back around to this...
Edit:
The answer, such as it is, came when I was trying to capture the MAC addresses of all the machines on my network (I was going to use these to set up dnsmasq).
$ sudo nmap -sP 192.168.1.0/24 | egrep '^(Nmap scan|MAC)'
Nmap scan report for 192.168.1.1
MAC Address: 00:18:39:08:1D:14 (Cisco-Linksys) # Primary
Nmap scan report for 192.168.1.2
MAC Address: 00:12:17:12:96:22 (Cisco-Linksys) # Secondary
Nmap scan report for 192.168.1.100
MAC Address: 00:12:17:12:96:22 (Cisco-Linksys) # Connected to secondary
Nmap scan report for 192.168.1.101
MAC Address: 90:18:7C:2A:21:C4 (Unknown)
Nmap scan report for 192.168.1.103
Nmap scan report for 192.168.1.123
MAC Address: 00:12:17:12:96:22 (Cisco-Linksys) # Connected to secondary
The kicker here is that all of the machines connecting through the secondary share the MAC Address of the secondary.
If I had a true bridge, the two routers would essentially be acting as a single switch (a layer 2 device). Packets from a given device on the subnet would be delivered to another via MAC Address.
That's not what's happening here. Instead, I have two interleaved subnets that have the same IP address space. Ordinarily, this would be a bad idea; if you're not careful, it could lead to IP address conflicts. In this case, it's not so bad, because all of the DHCP requests are handled by the primary router (I have DHCP forwarding set up on the secondary).
Packets from the primary are delivered to the secondary via MAC address. The machines beyond the router are on a second network segment, and therefore do not share MAC addresses with the primary network.
I mentioned that I had previously had the DD-WRT bridged with a different router. This was a true bridge, set up through WDS (Wireless Distribution System). The caveat with WDS is that both routers must use the same chip-set.
At the time that I set it up, I couldn't figure out why that mattered, but once I started thinking about it, it made sense. If I create a bridge between two routers, I'm essentially creating one big switch -- a layer 2 device. A switch has the 'smarts' to deliver packets via MAC address, rather than broadcasting packets and letting each device on the network sort out whether or not to accept them (that would be a hub, rather than a switch). The specifics about how the switch actually delivers packets is a layer 1 (i.e. hardware) decision. Generally, you don't have to worry about the hardware layer, because all of the decisions are made within the same physical machine. You can treat it as a black box. That doesn't work with WDS, because at that point you're trying to mix two boxes at the layer 1 -- i.e. hardware level, and at that level, chip-sets matter.
Barton Chittenden
Juggler, Bash jockey, Perl scripter, Linuxhead, code janitor.
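As an added illustration (not part of the original post), a small parser that groups the hosts from an `nmap -sP` listing by MAC address; several IPs answering with one MAC is exactly the signature of the proxy-ARP/NAT client bridge described above, and is a useful check when auditing a flat home or office segment for hidden NAT devices. The sample input is the listing from the post, embedded inline; the host with no MAC line is the scanning machine itself and is kept rather than dropped.

```python
import re
from collections import defaultdict

# Sample input copied from the post above (the "# ..." notes are the author's).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.1
MAC Address: 00:18:39:08:1D:14 (Cisco-Linksys) # Primary
Nmap scan report for 192.168.1.2
MAC Address: 00:12:17:12:96:22 (Cisco-Linksys) # Secondary
Nmap scan report for 192.168.1.100
MAC Address: 00:12:17:12:96:22 (Cisco-Linksys) # Connected to secondary
Nmap scan report for 192.168.1.101
MAC Address: 90:18:7C:2A:21:C4 (Unknown)
Nmap scan report for 192.168.1.103
Nmap scan report for 192.168.1.123
MAC Address: 00:12:17:12:96:22 (Cisco-Linksys) # Connected to secondary
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_hosts(text):
    """Return {ip: mac_or_None} from nmap -sP output.

    A report with no following MAC line (here 192.168.1.103) is the
    scanning host itself; it is recorded with mac=None, not discarded."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = None
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            hosts[current] = m.group(1).upper()
    return hosts


def shared_macs(hosts):
    """Return {mac: [ips]} for every MAC that answers for more than one IP.

    On a flat layer 2 segment each IP has its own MAC; one MAC fronting
    several IPs is a device doing proxy ARP / NAT for hosts behind it."""
    by_mac = defaultdict(list)
    for ip, mac in hosts.items():
        if mac is not None:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_hosts(NMAP_OUTPUT)).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

Run against a live scan with `sudo nmap -sP 192.168.1.0/24 | python3 this_script.py` after replacing NMAP_OUTPUT with `sys.stdin.read()`.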
Updated on September 18, 2022
Comments
Barton Chittenden over 1 year
I'm bridging two routers. The primary (attached to the internet) is a stock Linksys WRV200 running Firmware Version: 1.0.39. The secondary is a Linksys WRT-54g running Firmware: DD-WRT v24-sp2 (10/10/09) mini.
I followed the instructions here, trying to create a wireless bridge: http://www.dd-wrt.com/wiki/index.php/Client_Bridged
Both routers sit on 192.168.1.0/24 -- primary is 192.168.1.1, secondary 192.168.1.2.
I have a Linux box connected by cat5 to the secondary with a static IP address of 192.168.1.9. This can connect outbound (I can ping the primary, and I have internet access on that box). However, when I try to ping from a laptop with a wireless connection to the primary (IP address 192.168.1.103), I get the following:
$ ping 192.168.1.109
PING 192.168.1.109 (192.168.1.109) 56(84) bytes of data.
From 192.168.1.103 icmp_seq=1 Destination Host Unreachable
From 192.168.1.103 icmp_seq=2 Destination Host Unreachable
. . .
I can ping from 192.168.1.103 to the secondary router itself -- just nothing beyond it.
Here are the vital statistics of the primary:
Local IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
Running as DHCP server
IP Address Range: 192.168.1.100 through 254

Destination LAN IP | Subnet Mask     | Gateway     | Interface
192.168.1.0        | 255.255.255.0   | 0.0.0.0     | LAN&Wireless
74.138.64.0        | 255.255.240.0   | 0.0.0.0     | WAN
Default Route (*)  | 0.0.0.0         | 74.138.64.1 | WAN
127.0.0.1          | 0.0.0.0         | 127.0.0.1   | LOOPBACK
The secondary:
Local IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
Local DNS: {not populated}

Routing table:
Destination LAN NET | Subnet Mask   | Gateway     | Interface
192.168.1.0         | 255.255.255.0 | 0.0.0.0     | LAN & WLAN
169.254.0.0         | 255.255.0.0   | 0.0.0.0     | LAN & WLAN
0.0.0.0             | 0.0.0.0       | 192.168.1.1 | LAN & WLAN
So... if I'm reading this correctly, the routers aren't actually bridged... the secondary is actually acting as a router, and isn't allowing packets from the primary to reach other side of its network, even though they're on the same subnet.
I did follow the instructions about disabling the firewall on the secondary. Here are the interesting parts of iptables -L (I've removed the empty chains).

Chain INPUT (policy ACCEPT)
target     prot opt source      destination

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
ACCEPT     0    --  anywhere    anywhere
logdrop    0    --  anywhere    anywhere    state INVALID
TCPMSS     tcp  --  anywhere    anywhere    tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
lan2wan    0    --  anywhere    anywhere
ACCEPT     0    --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere    anywhere    state NEW
. . .

Chain logaccept (0 references)
target     prot opt source      destination
ACCEPT     0    --  anywhere    anywhere

Chain logdrop (1 references)
target     prot opt source      destination
DROP       0    --  anywhere    anywhere

Chain logreject (0 references)
target     prot opt source      destination
REJECT     tcp  --  anywhere    anywhere    tcp reject-with tcp-reset
I assume that there's something simple that I'm missing here ... how do I set this up so that boxes connected to either router are routable?
hookenz about 11 years
I've set this up before and it worked for me. Did you follow every single step? What router hardware are you using? I did once read that there were some issues with some chipsets working in client bridge mode.
Barton Chittenden about 11 years
I don't think that it's a hardware issue... I had the DD-WRT bridged with a different router this morning... I think that I just have something mis-configured.