# [Solved] WIFI Access Point DHCP troubles

## MasterGollom

Hi guys,

Based on this post: https://forums.gentoo.org/viewtopic-t-1045244.html I'm extending my network with an Access Point for the VPN-LAN

```
                          +-------------------------+
               (public IP)|   Router  DHCP-Server   |       SSID = mywlan
  {INTERNET}=============={                     WLAN}-----> 192.168.1.0/24
                          |                         |
                          |         LAN switch      |
                          +------------+------------+
                                       | (192.168.1.1)
                                       |
                                       |              +-----------------------+
                                       |              |                       |
                                       |              |        OpenVPN        |  eth1: 192.168.1.207/24
                                       +--------------{eth1    Client         |  eth0: 10.0.0.1/24            +-------------------+
                                       |              |                       |                               |    Access Point   |  eth0: 10.0.0.10/24
                                       |              |                   eth0}-------------------------------{eth0               |  wlan0: 10.0.0.2/24
                                       |              +-----------------------+                               |   DHCP-Server     |          SSID = mywlan_vpn
                                       |                                                                      |              wlan0}----------> 10.0.0.0/24
                              +--------+-----------+                                                          |                   |
                              |                    |                                                          +-------------------+
                              |  Other LAN clients |
                              |                    |
                              |   192.168.1.0/24   |
                              |   (internal net)   |
                              +--------------------+
```

So, I'm having two DHCP servers in my entire network. One for the LAN 192.168.1.0/24 and one for the VPN-LAN 10.0.0.0/24.

The problem I'm experiencing now is that when I'm connecting my tablet to mywlan_vpn I'm getting an IP from the DHCP on the Router and not the DHCP on the AP (but only when I'm activating the bridge br0 on the AP) and my tablet is not accessing the internet via the VPN.

Here's how I configured the AP:

/etc/conf.d/net

```
modules_wlan0="!iwconfig !wpa_supplicant"
config_wlan0="10.0.0.9/24"
config_eth0="null"
config_br0="10.0.0.10/24"
routes_br0="default via 10.0.0.1"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
bridge_stp_state_br0=0
bridge_br0="eth0"
```

/etc/dnsmasq/dnsmasq.conf

```
interface=wlan0
no-dhcp-interface=eth0
dhcp-range=10.0.0.100,10.0.0.250,24h
```

/etc/hostapd/hostapd.conf

```
interface=wlan0
hw_mode=g
channel=10
ieee80211d=1
country_code=FR
ieee80211n=1
wmm_enabled=1
ssid=mywlan_vpn
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=0123456789
bridge=br0
```

When I disable the bridge br0 I'm getting an IP from the AP's DHCP server. With the bridge enabled I'm getting an IP from the Router's DHCP... this is driving me nuts... I don't understand how it is even possible that I'm getting an IP from a DHCP server that isn't even in the same network as the AP. Am I missing something?

Last edited by MasterGollom on Thu Feb 08, 2018 9:22 am; edited 1 time in total

----------

## chiefbag

If I'm reading this correctly this is what is happening.

1: The AP bridge will just forward all traffic to the "OpenVPN Client" box (I assume this is a separate box with a client running)?

2: If that's the case the traffic is just forwarded through the "OpenVPN Client" box, where the client on mywlan_vpn will receive a lease from the Router DHCP-Server (192.168.1.0/24).

3: Even if "OpenVPN Client" is not a physical box, the bridging is where you are missing the Access Point DHCP-Server lease.

----------

## MasterGollom

Hi chiefbag,

Yes, this is exactly what's happening. As long as the bridge is deactivated, the clients on mywlan_vpn receive their IP from the AP. When activating the bridge the lease comes from the router DHCP.

I cannot understand how it's possible to get a lease from the router, since the AP's network is 10.0.0.0/24. The 192.168.1.0/24 network should be invisible to the AP, or am I wrong here?

The OpenVPN client is a separate Gentoo box.

----------

## chiefbag

Take a look at the following link, which will probably explain things a bit better than I can.

https://wiki.gentoo.org/wiki/Network_bridge

Essentially you are looping out your AP DHCP-Server box by creating the bridge, as it's layer 2.

You will need to run the DHCP server on the bridge "br0", not "wlan0", I would think.

/etc/dnsmasq/dnsmasq.conf

```
interface=wlan0
no-dhcp-interface=eth0
dhcp-range=10.0.0.100,10.0.0.250,24h
```

[Moderator edit: changed [code] tag to [url] tag; changed [quote] tags to [code] tags to preserve output layout. -Hu]
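A way to catch this kind of misconfiguration before the first client connects, as an added example that is not code from the thread: the check below parses the three files posted above (netifrc /etc/conf.d/net, hostapd.conf and dnsmasq.conf), works out which interfaces are bridge ports (from netifrc `bridge_br0="..."` and hostapd's `bridge=` directive, which adds the hostapd interface to that bridge), and flags a dnsmasq `interface=` that names a port instead of the bridge. The sample configuration strings are constructed from the files posted in this thread; the function names are mine.

```python
"""Flag a dnsmasq DHCP server that is bound to a bridge port instead of the bridge.

Added example, not code from the forum thread. Inputs are the contents of
/etc/conf.d/net (netifrc), /etc/hostapd/hostapd.conf and dnsmasq.conf as strings.
"""
import re

# Constructed sample input, taken from the configuration posted in the thread.
NETIFRC = '''
modules_wlan0="!iwconfig !wpa_supplicant"
config_wlan0="10.0.0.9/24"
config_eth0="null"
config_br0="10.0.0.10/24"
routes_br0="default via 10.0.0.1"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
bridge_stp_state_br0=0
bridge_br0="eth0"
'''
HOSTAPD = '''
interface=wlan0
ssid=mywlan_vpn
bridge=br0
'''
DNSMASQ_ON_PORT = '''
interface=wlan0
no-dhcp-interface=eth0
dhcp-range=10.0.0.100,10.0.0.250,24h
'''
# The corrected variant: dnsmasq listens on the bridge itself.
DNSMASQ_ON_BRIDGE = DNSMASQ_ON_PORT.replace("interface=wlan0", "interface=br0")


def parse_kv(text):
    """Parse key=value lines (netifrc, hostapd and dnsmasq all use this shape).

    Quotes are stripped from values. Repeated keys (dnsmasq allows several
    interface= lines) are collected into a list, in file order.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result.setdefault(key.strip(), []).append(value.strip().strip('"\''))
    return result


def bridge_members(netifrc_text, hostapd_text):
    """Return {bridge_name: set(port_names)}.

    Ports come from netifrc 'bridge_<br>="port ..."' and 'bridge_add_<port>="<br>"'
    lines and from hostapd's 'bridge=<br>', which enslaves hostapd's 'interface='.
    Option keys such as bridge_stp_state_br0 are skipped (they contain an underscore
    after 'bridge_', which a plain interface name does not).
    """
    members = {}
    for key, values in parse_kv(netifrc_text).items():
        m = re.fullmatch(r"bridge_([A-Za-z]+\d*)", key)
        if m:
            members.setdefault(m.group(1), set()).update(values[-1].split())
            continue
        m = re.fullmatch(r"bridge_add_(\S+)", key)
        if m:
            members.setdefault(values[-1], set()).add(m.group(1))
    ap = parse_kv(hostapd_text)
    if "bridge" in ap and "interface" in ap:
        members.setdefault(ap["bridge"][-1], set()).add(ap["interface"][-1])
    return members


def check_dhcp_binding(netifrc_text, hostapd_text, dnsmasq_text):
    """Return a list of findings; an empty list means dnsmasq listens on the bridge."""
    findings = []
    members = bridge_members(netifrc_text, hostapd_text)
    bound = parse_kv(dnsmasq_text).get("interface", [])
    if not bound:
        findings.append("dnsmasq has no interface= line; it will answer on every interface")
    for iface in bound:
        for br, ports in members.items():
            if iface in ports:
                findings.append(
                    f"dnsmasq listens on {iface}, which is a port of bridge {br}; "
                    f"bridged DHCP requests are delivered to {br}, so use interface={br}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", DNSMASQ_ON_PORT), ("corrected", DNSMASQ_ON_BRIDGE)):
        print(label, "->", check_dhcp_binding(NETIFRC, HOSTAPD, conf) or "ok")
```

Run stand-alone it reports one finding for the configuration as posted and nothing for the corrected one. The same check is also a cheap way to notice that a bridge has quietly joined a DHCP-serving port to a segment where another DHCP server already answers.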

----------

## MasterGollom

Thx man, now I'm getting the IP from the right DHCP server, but there's one more problem... my Wifi clients can't ping anything.

Pinging www.gentoo.org from the AP works fine, but when I try it from a Wifi client it resolves the IP of the site but I don't get a reply...

----------

## chiefbag

You might need to use iptables to masquerade your traffic leaving the AP, as the source IP address of the client will be different and it will not be able to return through your AP box.

----------

## MasterGollom

Tried this:

```
iptables -A FORWARD -o br0 -i wlan0 -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
```

but it doesn't make any difference.

Last edited by MasterGollom on Fri Aug 04, 2017 9:36 pm; edited 2 times in total

----------

## chiefbag

I might be wrong here, but just try masquerading on the interface leaving the box and not the bridge.

```
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

----------

## MasterGollom

I got it!

The following lines did the trick:

```
# enable forwarding now
echo 1 > /proc/sys/net/ipv4/ip_forward

# and make it persistent: in /etc/sysctl.conf look for
#   net.ipv4.ip_forward = 0
# and set it to 1, then save & close
nano /etc/sysctl.conf

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/etc/init.d/iptables save
rc-update add iptables default
```

and it's finally working.

Thx chiefbag for your help and pointing me in the right direction.
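Since the fix above lives in two places that have to survive a reboot (the sysctl file and the saved iptables rule set), a short audit of the persisted state is useful. The following is an added example, not code from the thread: it reads the text of /etc/sysctl.conf and the output of `iptables-save`, checks that `net.ipv4.ip_forward` is set to 1, that a MASQUERADE rule exists in nat POSTROUTING on the expected egress interface (eth0 here), that no MASQUERADE rule is left without `-o` (which would match every outgoing interface), and reports a FORWARD chain whose default policy is ACCEPT. The sample rule set is constructed from the rules posted in this thread; the function names are mine.

```python
"""Audit the forwarding and NAT configuration of an access point used as a gateway.

Added example, not code from the forum thread. Inputs are the text of
/etc/sysctl.conf and the output of `iptables-save`, so it runs offline.
"""
import re

# Constructed sample input, built from the rules posted in the thread.
SYSCTL_ON = "# /etc/sysctl.conf\nnet.ipv4.ip_forward = 1\n"
SYSCTL_OFF = "net.ipv4.ip_forward = 0\n"
RULES_OK = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o br0 -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# The earlier attempt from the thread: masquerading on the bridge instead of eth0.
RULES_ON_BRIDGE = RULES_OK.replace("-o eth0 -j MASQUERADE", "-o br0 -j MASQUERADE")


def ip_forward_enabled(sysctl_text):
    """True when the last uncommented net.ipv4.ip_forward setting is 1."""
    value = None
    for raw in sysctl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"net\.ipv4\.ip_forward\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))  # later lines override earlier ones, as sysctl does
    return value == 1


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # *nat, *filter, ...
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":") and current:   # :CHAIN POLICY [packets:bytes]
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A") and current:  # -A CHAIN matches... -j TARGET
            tables[current]["rules"].append(line)
    return tables


def masquerade_interfaces(tables):
    """Egress interfaces (-o) of MASQUERADE rules in nat/POSTROUTING; None = any."""
    out = []
    for rule in tables.get("nat", {}).get("rules", []):
        if rule.startswith("-A POSTROUTING") and "-j MASQUERADE" in rule:
            m = re.search(r"-o\s+(\S+)", rule)
            out.append(m.group(1) if m else None)
    return out


def audit_gateway(sysctl_text, iptables_save_text, egress="eth0"):
    """Return a list of findings; empty means the persisted setup matches the fix."""
    findings = []
    if not ip_forward_enabled(sysctl_text):
        findings.append("net.ipv4.ip_forward is not 1 in sysctl.conf; forwarding stops after a reboot")
    tables = parse_iptables_save(iptables_save_text)
    masq = masquerade_interfaces(tables)
    if egress not in masq:
        findings.append(f"no MASQUERADE rule on egress {egress} in nat POSTROUTING")
    if None in masq:
        findings.append("a MASQUERADE rule has no -o and matches every outgoing interface")
    if tables.get("filter", {}).get("policies", {}).get("FORWARD") == "ACCEPT":
        findings.append("filter FORWARD policy is ACCEPT; forwarding is not limited to wlan0 -> eth0")
    return findings


if __name__ == "__main__":
    print("as fixed   ->", audit_gateway(SYSCTL_ON, RULES_OK) or "ok")
    print("on bridge  ->", audit_gateway(SYSCTL_OFF, RULES_ON_BRIDGE))
```

On a live box the two inputs are `cat /etc/sysctl.conf` and `iptables-save`; the audit deliberately reads text rather than calling iptables so it can be run from a backup or a configuration repository as well.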

----------

## chiefbag

You're welcome, glad it's working for you.

----------

## Hu

MasterGollom: are there any remaining unresolved issues you want to address in this thread? If not, please mark the thread solved.

----------

