To keep a long story short, for various reasons, I need to set up a wireless bridge. I have a LAN in my apartment with multiple devices connecting to it either via wireless or wires. The backbone of the LAN is either wired Ethernet or powerline using Devolo's WiFi 6 mesh system. There is no Internet router in the apartment. There is a second LAN in the basement which has the Internet router. From the basement to the apartment there is a UTP cable. I would like to connect the two LANs together; for the record, they are on the same subnet. I have an air gap between the apartment's LAN and the UTP cable. I cannot use powerlines to bridge the gap, the connection quality is poor. But I could use wireless. I am after a device that I can plug into that UTP cable that will connect to my apartment's existing SSID and act as a bridge without any NAT in between.
Does such a thing exist in GL-iNET's lineup?
I tried using repeaters with the Ethernet port connected to the basement via the UTP cable and the wireless end connected to (effectively repeating) the apartment's SSID. This offered some rudimentary connectivity: I could ping (ICMP) machines in the apartment when on the basement LAN and vice versa, but TCP traffic was getting blocked somewhere. With the repeaters it is not really possible to see what is happening behind the scenes, so although in a way the two LANs were "connected", the repeating device did not act like a dummy switch between wireless and wired.
Note that most documentation I see online for products has the router on the AP and the clients on WiFi or on the wired side of the repeater. I want the router (plus other devices) to be on the wired side of the repeater/client/bridge and another set of clients on the AP side but no router on the AP side.
Any ideas? I've been led to believe that "client" mode is not enough due to NAT between the client and the AP and that I need a bridge. Can I set up a bridge with a "bridge" unit and an AP or does it only have to be between two "bridge" units?
For a wireless bridge, both the access point and the receiving bridge need to agree to bridge traffic.
Let's say your router is A, your access point is B, your receiving bridge is C and your device is D.
In a normal network, device D is wirelessly connected to B. To send data from D to A and back, it will simply work. D will send to the AP it is connected to, which is B. And B can easily connect to A using the wired network. When A wants to reply to D, access point B knows D is connected to it, so it can be sent back to D via B.
With a bridge setup something odd may happen. To send data from D to A, device D will send the data of course to C. C is connected to AP B and will send it there. However for AP B this traffic looks like it just came from bridge C instead of device D. AP is connected to router A, so the traffic will make its way to A. When A wants to reply to D, it will however address it to bridge C instead of D, because AP B doesn't know that traffic actually came from device D. So that's where things are messing up in many cases.
If both AP and bridge device implement something (like WDS) to preserve that data, such a setup may be possible. But in that case both sides of the bridge need to work with something like that. Doing it just on one side of the bridge will not work!
Using NAT this is bypassed because the bridge device C would be doing that NAT and therefore it is translating the data going from D passing to B and therefore also can reverse that on the way back.
WDS fixes that issue on layer 2 of the OSI model, while NAT does the same using a layer 3 solution.
Do a bit of reshuffling the connections
You have ... all the basic elements, just combine the correct way.
repeater, which will connect Internet WAN via Wifi (WLAN), get IP as DHCP client when requested
repeater which will connect all ethernet LAN ports on the bridge and the local non-guest wifi, and also acts as local DHCP server when enabled
(Guest wifi in SFT1200 has client isolation set!)
Repeater is OK. Select dhcp in the ethernet connection if the basement AP gives IP addresses
Select "Network mode" : "access Point" as mode would have been perfect when you had wired connection
The next alternative is "Extender" for that Network mode.
"Router" would have given you the NAT way of working,
"Extender mode" is pseudo-bridged. "Pseudo bridged" or Layer 2.5 bridge, because the repeater/extender replaces the MAC address in the header. (An L2 bridge does not do that. On the other hand, an L3 router or L3 bridge does not pass L2 traffic, only L3 (routed or routed+NAT) traffic.)
In this one combined L2 (or L2.5) LAN network, DHCP servers should not conflict. So the DHCP server in the SFT1200 should be off. Could be "DHCP relay", if the SFT1200 can do that. If not, then handing out a separate set of IP addresses of the basement network could be a workaround. Or use fixed IP addresses.
There are 2 problems now ...
How to further handle the SFT1200, as its own LAN IP address is not reachable on that unified LAN with the basement subnet.
"Pseudo bridge" needs its local ARP table populated. The basement LAN will only see and use the SFT1200 MAC address, with different IP addresses. The SFT1200 pseudo-bridge (relayd) will change the MAC address to the local MAC value; that value is based on the IP address in its local ARP table.
A consequence of the pseudo-bridge concept is that the local device must communicate FIRST, before it becomes reachable.
ALL this is due to the fact that regular wifi only uses 3 MAC addresses (Source-Sender-Receiver) and the 4th (Destination) is missing, so just taken equal to the (Receiver).
3 possible options to mitigate the 3-address problem
WDS is 4 address mode.
Bridge 4-address, but implementation is vendor specific.
A L2 type tunnel transports in 4-address mode (L2TP, Zerotier, PPTP-BCP, SSTP-BCP, L2TP-BCP, PPPoE-BCP, MPLS/VPLS, VXLAN,...) and is a bridge-able connection.
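The 3-address versus 4-address difference discussed above, shown on constructed frame headers. This is an added example, not part of the original posts; the MAC addresses are made up and the letters A to D follow the router / access point / bridge / device naming used earlier in the thread.

```python
# Address roles for Address 1..4, keyed by the (ToDS, FromDS) bits.
ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),     # ad hoc / direct
    (1, 0): ("BSSID", "SA", "DA"),     # station -> AP
    (0, 1): ("DA", "BSSID", "SA"),     # AP -> station
    (1, 1): ("RA", "TA", "DA", "SA"),  # 4-address (WDS) frame
}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_addresses(frame: bytes) -> dict:
    """Map each address in an 802.11 data-frame header to its role."""
    if len(frame) < 24:
        raise ValueError("shorter than a 3-address 802.11 header")
    if (frame[0] >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = frame[1] & 0x01, (frame[1] >> 1) & 0x01
    roles = ROLES[(to_ds, from_ds)]
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    if len(roles) == 4:
        if len(frame) < 30:
            raise ValueError("truncated 4-address header")
        addrs.append(frame[24:30])  # Address 4 follows Sequence Control
    return {role: mac(a) for role, a in zip(roles, addrs)}

def build_header(to_ds: int, from_ds: int, *addrs: bytes) -> bytes:
    """Constructed header: Frame Control, Duration, A1-A3, SeqCtl, [A4]."""
    fc = bytes([0x08, to_ds | (from_ds << 1)])  # type=data, subtype=0
    hdr = fc + b"\x00\x00" + b"".join(addrs[:3]) + b"\x00\x00"
    return hdr + (addrs[3] if len(addrs) == 4 else b"")

# Constructed MACs for router A, access point B, bridge C, device D.
A, B, C, D = (bytes([2, 0, 0, 0, 0, n]) for n in (0x0A, 0x0B, 0x0C, 0x0D))

# C relays D's traffic as an ordinary station: the only source slot is the
# transmitter's, so B sees the frame as coming from C and D's MAC is lost.
THREE_ADDR = build_header(1, 0, B, C, A)
# Same hop in 4-address mode: transmitter C and original source D both fit.
FOUR_ADDR = build_header(1, 1, B, C, A, D)

if __name__ == "__main__":
    print(parse_addresses(THREE_ADDR))
    print(parse_addresses(FOUR_ADDR))
```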
Very quick thought while I am digesting the above posts. I wonder if the devices I could communicate with from the basement to the apartment are the ones with static IP addresses while anything requesting a dynamic IP address was failing because the DHCP server, which is in the basement, is unreachable by them.
EDIT: On a second thought, I think that is not true because my laptop could get a dynamic IP address, it could ping the router@basement, it could ping the devices@apartment, but somehow it couldn't reach anything beyond the router. The traffic was getting blocked somewhere.
DHCP is known as being one of the things that fail with a pseudo-bridge. The dhcp D-O-R-A handshake implementations have problems with the interpretation of the packet header MAC and the DHCP payload MAC. Some DHCP servers let you set which one to use, DHCP servers also can switch to broadcast mode if the initial handshake fails.
The other confusing point is the data in that local ARP table of the pseudo-bridge. These entries do time-out (disappear after some idle time), and then the devices in the apartment are not reachable. Just a ping from the apartment device will re-populate that table for that device.
Some vendors some years ago decided to save memory by merging the DHCP (MAC-IP) table, with the ARP (MAC-IP) table. Indeed without L2.5 bridges, both have identical lines. Also DHCP servers do have options like the allowed max number of IP per MAC. All devices behind the apartment router use the same MAC (the one of the router) in the packet header, but have different IP, and different MAC in the DHCP request payload
Workarounds like "always broadcast", use of DHCP relay/forwarder, extra local DHCP server with free part of the subnet, etc may be needed.
The search for the right combination can be a long and frustrating journey.
Unfortunately GL.inet removed Zerotier from the SFT1200 (they claim memory limits), but similar small travel routers have it. It's one of the Applications Plug-ins, but how to configure it?
I don't know if this relayd method and the GL.inet repeater method can coexist.
The OpenWRT relayd package and luci-proto-relay package are already installed on the SFT1200 with version 4.7.2. Maybe GL-repeater is just using relayd when set to mode "Extender".
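A check for the header-MAC versus payload-MAC mismatch described in the post above, run over constructed DHCP requests. This is an added example, not code from the thread, GL.iNet or OpenWrt; the MAC addresses and transaction IDs are made up, and `at_risk` is a hypothetical heuristic for the case where a unicast reply may not find its way back through a MAC-rewriting bridge.

```python
import struct

BROADCAST_FLAG = 0x8000  # top bit of the BOOTP "flags" field

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def inspect_dhcp(eth_src: bytes, bootp: bytes) -> dict:
    """Compare a frame's Ethernet source MAC with the chaddr in its payload."""
    if len(bootp) < 44:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen, _hops, xid, _secs, flags = struct.unpack(
        "!BBBBIHH", bootp[:12])
    if op != 1 or htype != 1 or hlen != 6:
        raise ValueError("not a client request with an Ethernet chaddr")
    chaddr = bootp[28:34]  # follows ciaddr, yiaddr, siaddr, giaddr
    rewritten = chaddr != eth_src
    broadcast = bool(flags & BROADCAST_FLAG)
    return {
        "xid": f"{xid:#010x}",
        "header_mac": mac(eth_src),
        "payload_mac": mac(chaddr),
        "mac_rewritten": rewritten,      # frame crossed a pseudo-bridge
        "broadcast_reply": broadcast,    # client asked for a broadcast reply
        # Assumed heuristic: the server may unicast its reply to a MAC that
        # only exists behind the bridge, so the handshake can stall.
        "at_risk": rewritten and not broadcast,
    }

def build_request(chaddr: bytes, xid: int, broadcast: bool) -> bytes:
    """Constructed BOOTREQUEST fixed header (no options) for the demo."""
    flags = BROADCAST_FLAG if broadcast else 0
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, flags)
    return fixed + bytes(16) + chaddr + bytes(10)  # 4 IP fields, chaddr + pad

BRIDGE = bytes.fromhex("02000000000c")  # constructed: pseudo-bridge MAC
LAPTOP = bytes.fromhex("02000000000d")  # constructed: client behind it

def survey() -> list:
    """Three constructed cases: direct, bridged unicast, bridged broadcast."""
    return [
        inspect_dhcp(LAPTOP, build_request(LAPTOP, 0x1001, False)),
        inspect_dhcp(BRIDGE, build_request(LAPTOP, 0x1002, False)),
        inspect_dhcp(BRIDGE, build_request(LAPTOP, 0x1003, True)),
    ]

if __name__ == "__main__":
    for row in survey():
        print(row)
```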
Thank you very much for your very thorough replies. I guess to simplify my quest, would buying a pair of Marble GL-B3000 allow me to set up a pure wireless bridge between them? They seem to be rather inexpensive and rather capable.
I see a 52% price reduction offer today. Indeed inexpensive.
The B3000 Marble is higher in the list of capabilities and supported features than the SFT1200.
So according to this it is the better device for home use, at about the same price today.
At least with the Marble, WDS and Zerotier are supported features.
But SFT1200 is my only GL.inet, and not everything works as documented (eg DFS)
The "pure wireless bridge" will work better with WDS, than the AP-station pseudo bridge.
I don't know if "mesh" would be possible in the GL.inet GUI.