[SOLVED] Client-Bridge Mode with NAT br1

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Mon May 16, 2022 19:20    Post subject: [SOLVED] Client-Bridge Mode with NAT br1 Reply with quote
mac913 wrote:
OffSite #2

Router/Version: E3000
File/Kernel: DD-WRT v3.0-r46979 mega (06/21/21)
Previous/Reset: r46885 / No, Remote GUI Update
Mode/Status: Client-Bridge / Working Well
Issues/Errors: none / none
Services Used: WiFi 5G,NTP,SSH,Syslog,VLANx,BRx,
Services Disabled: WAN,QoS,ttraff,SFE,Telnet


This E3000 is used to connect the Security Camera System via wirelessly in Client-Bridge Mode with 2 Networks (br0 & br1). The cameras are on br1 that nats to br0 to Only update the camera's time clock online. This week I've noticed that the time clock on the cameras was off, don't normally check. Something broke nat to br1. I started back testing a build where nattiing to br1 works. Build r44483 mega K4.4 has working nat to br1.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon May 16, 2022 19:27    Post subject: Reply with quote
In other words, you made no resets or configuration adjustments related to changes and it broke. Have a feeling it's related to swconfig utility support added to Broadcom.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Mon May 16, 2022 20:31    Post subject: Reply with quote
I did erase nvram with reboot and manually configured. With Client-Bridge Mode still br1 would not NAT unit going back to r44483 (didn't test every build). But I believe it broke when the Advance Routing GUI changed and added Route Tables and other new features.
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon May 16, 2022 23:56    Post subject: Reply with quote
Without flashing and testing current release 48886 and providing screenshots, logs, etc. there is no telling if it's since fixed or if it's a procedural issue or what. Probably best to try current release as nobody else seems to have reported an issue.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue May 17, 2022 0:58    Post subject: Reply with quote
If CTF is enabled try without
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Tue May 17, 2022 17:50    Post subject: Reply with quote
kernel-panic69 wrote:
Without flashing and testing current release 48886 and providing screenshots, logs, etc. there is no telling if it's since fixed or if it's a procedural issue or what. Probably best to try current release as nobody else seems to have reported an issue.


Is anyone running an E3000 in Client-Bridge Mode with br0 (lan ports 3 & 4) and br1 (lan Ports 1 & 2). br1 needs nat through br0 for br1 to get an internet connection?

It works with build 44483 and below but any build 45000+ does not with the same configuration. When I running builds +45000
no packets counts are show up when using this nat instruction....

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

Which I do see packet counts with build 44483 and all is good.

egc, Yes I left CTF Disabled since I'm not using the WAN port.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Tue May 17, 2022 18:19    Post subject: Reply with quote
If br1 is a separate vlan/bridge from br0, it shouldn't have to traverse br0, should it? Screenshots / startup scripts, etc. would greatly help us see the larger picture and this should be a separate thread starting with your post quoting your previous post. Dear mods, please rectify this.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Tue May 17, 2022 18:40    Post subject: Reply with quote
Split this from 2021 fw report thread and added some title

Complaints department is closed for new business until further notice.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Wed May 18, 2022 19:03    Post subject: Reply with quote
To be precise, in the current configuration, NAT is only needed *if* you're unwilling or unable to configure static routes on the primary router for the IP network of that bridge (br1).

IOW, if the primary network (br0) is 192.168.1.0/24, and you create br1 (192.168.2.0/24) on a client bridge, you could configure a static route on the primary router that points to the LAN ip of that client bridge as the gateway to the 192.168.2.0/24 network. But sometimes that's NOT possible, such as when the primary router is running OEM firmware and doesn't support static routing. At that point, NAT becomes necessary.

In general, given all the problems these various NAT acceleration gimmicks introduce, be it SFE, CTF, FA, etc., I suggest they ALL be disabled. Even though there is no active WAN on the client bridge, I just don't trust what quirks they may introduce, regardless.

If all those are disabled, and you see no packet counts on the NAT rule, then it suggests there's no forwarding from br1 to br0 taking place for some reason, since NAT only happens once a routing decision takes place.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Thu May 19, 2022 3:53    Post subject: Reply with quote
The Camera Security System is nowhere near a LAN connection and unable to run a line to it, so the configuration I've been using for +10 years was a router setup in Client-Bridge Mode where the PC System is on br0 no NAT required. The Cameras are a separate subnet on br1 since I don't trust these 4K HikVision from China they only get Port 123 access to update the time clock once a day. PC Sytem has a 2nd NIC for the Camera Access.

As for Firewall Rules I been using since WRT610v1 on K2.4 from https://forum.dd-wrt.com/wiki/index.php/Multiple_WLANs and scroll down to "Restricting Access" only for WAP.

In any case same configuration on a E3000 on build 44483 K4.4 works fine. Going to builds 45000+ K4.4 breaks br1 NAT. I disabled all CTF & SFE still br1 NAT is broken.

I just don't have the time to trouble-shoot "Client-Bridge Mode" on current builds. I do know that "Client Mode" will NAT br0 and br1 on all builds plus 45000+ but I don't want to create another subnet at this time but I feel I might have too if I want to run current builds. For now build 44483 works.

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2


Last edited by mac913 on Wed Jun 01, 2022 3:25; edited 2 times in total
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Fri May 20, 2022 23:13    Post subject: Reply with quote
the-joker wrote:
Split this from 2021 fw report thread and added some title

Complaints department is closed for new business until further notice.


I would change the Subject to "Client-Bridge Mode with NAT br1"

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat May 21, 2022 13:12    Post subject: Reply with quote
Done.

TBH I would have approached this with an unbridged VAP like so https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1260059#1260059

and then block via firewall all WAN traffic except for the necessary port to once or twice a day to get updated time from the NTP.

Much simpler iMO rather than struggling with creating bridges which seems to generally cause more trouble for setting up.

Having a Broadcom myself, I am quite happy with the results and sturdiness of that setup as above posted on said thread.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sat May 21, 2022 17:06    Post subject: Reply with quote
I see your approach using VAP.

On the Camera Security PC it has 2 Gb NIC cards. 1st Gb NIC has full Internet access for VNC (remote access), Updates and Viewing Camera's via Live or Recordings. The 2nd Gb NIC is on a different Subnet for hardwired connections to 4K Cameras for uninterrupted streaming/recording 24/7. This basic setup has been working for over 10 years with hardware/software upgrades along the way.

Having no wired connection to the R7000 Gateway Router at OffSite #1 for the Camera Security PC to have Internet Access I'm forced to use a single Wireless connection to push 2 Subnets. From the get go Client-Bridge Mode 1st on a WRT610v1 (bricked on a newer build) then forced to use an E3000 has been working perfectly; only now limited to build 44483 Mega K4.4. Unless I change the configuration which at the Offsite location and don't have the time as life is keeping me busy and the Offsite is working fine.

When I get time to experiment. I will post my findings.

Thanks for your suggestions!

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
lexridge
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 962
Location: WV, USA

PostPosted: Sat May 21, 2022 18:05    Post subject: Reply with quote
Kinda off topic, but instead of opening a port to set your clock once or twice per day, you could do what I do and run an internal ntpd server. Very easy to set up.
_________________
Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate

Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r53562
Features in use: multiple VLANs over single trunk port

Linksys EA8500 WDS Station x2 - DD-WRT r53562

Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port.

OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.

Forum member #248
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Tue May 24, 2022 9:58    Post subject: Reply with quote
Well as long as we go offtopic, most of these Chinese cameras have alternative firmware projects that supply more secure solutions and are maintained regularly.

But indeed, a closed to LAN loop for security is better than even opening any ports for any usage whatsoever so internal NTP server maybe even better.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum