Workgroup Client Bridge Configuration

I am struggling to find the proper configuration for a Workgroup Client Bridge (WCB) connecting several wired machines to a working Access Point (AP), all on the same NAT 192.A.B.x subnet.

I can get the WCB to associate (SSID) and authenticate (WEP) with the AP, can ping the WCB from anywhere on the network, but cannot connect to internet from the machine connected via the WCB.

The network configuration is:

Internet >> Firewall (Public IP, running NAT) >> Switch supports LAN (192.A.B.a thru .g) >>

> AP (192.A.B.x) supports wireless clients (192.A.B.p thru .t) >> >> WCB (192.A.B.y) supports remote wired client

The AP metrics are IP = 192.A.B.x, subnet, with default gateway = ISP public default GW IP 216.C.D.E

The WCB metrics are IP = 192.A.B.y, subnet, and here is the question....

What should the default gateway be for the WCB?

- the ISP public default gateway IP 216.C.D.E?
- the AP's private IP 192.A.B.x?
- ?
- other?



Is there another way to ask this question that is more likely to garner a constructive response? Can't believe it's over the collective heads of this august group...



Yes. I make it a habit of ignoring questions that don't bother to specify the hardware maker and model numbers. Supplying the absolute minimum amount of information just makes it more difficult to answer.

My guess would be Cisco hardware. Do I get a gold star?

OK, you have a successful wireless link. I'll assume that since it's a Cisco workgroup bridge, that it can bridge more than one MAC address. Depending on model numbers and configuration, there are a large number of "bridges" that will only bridge one MAC address. Probably not a problem here.

You asked about other ways to ask your question. I have a problem with word wrapped diagrams that I have to unscramble to decode. I suggest you change to a top down drawing instead of trying to wrap it across the page. Converting your mess into something readable. There's also no reason to mangle non-routeable IP addresses. I'll throw in my own assumed numbers for the LAN side.

Internet | Firewall ^ LAN= | Switch | | | |--> - ?

Jeff Liebermann

Fair enough. Point taken.

Agreed, "WCB" is a Cisco giveaway, but no, this is a Senao 3054cb3 bridge and 2611cb3 AP, both operating in 802.11b mode.

The 3054cb3 will bridge multiple MAC addresses.

Point taken. Perhaps a list FAQ is in order... ASCII visualizations are not a specialty.

Converting your mess into something readable.

Understood, but easier to type.


OK, except this has been configured LAN = WAN address for ~ five years.


Yes, except .199


Yes, and from wireless clients accessing via the AP.


It's IP-less. It's a pair of 8-port 10/100 switches.

Yes, with the caveat that its LAN address is its public WAN address.

Pair of dumb 8-ports; up a notch from prior 10-speed hubs...

OK, now this is interesting, in that the net has worked fine as previously indicated with WAN IP = LAN IP.

Understood, with the above caveat that with the exception of the Senao bridge, it works as is with the LAN IP = WAN IP = public.

(I should also mention that there is a fallback Proxim Rangelan2 bridge working on that segment now, with the gateway = WAN IP.)

Thanks sincerely for your response, Jeff. While making the indicated changes, any view as to why it works "as is"?

- Bob Mann


So much for my gold star.

The 3054CB3 will bridge multiple MAC addresses. However I'm not so sure about the 2611DB3 operating in client mode. Digging.... Ah, the data sheet mumbles something about "Multi-Client Bridge Functionality" which I guess means it will bridge more than one MAC address. In any case, it should work with your one client computah with just one MAC.

Nope. Just my personal preferences and experiences. There are tools available to do ASCII drafting but I never use them.

I once wasted about an hour trying to troubleshoot what turned out to be a subnet mask problem. I couldn't figure out what was happening because the person with the question camouflaged all the IP addresses in various ways. Once I pried the real IP addresses out of him, the answer was obvious. In any case, there's no security reason to hide non-routeable IP addresses.

That can only work if the router/firewall/NAT device has dual IP addresses (alias) for the LAN interface. For example, if the WAN port was, while the LAN port was BOTH and I've seen this done and it does work, but only with high end or Linux routers.

However it does cause problems with some Windoze and Mac clients that do not appreciate having a default gateway that is outside of the netmask range. For example, if the client's LAN IP is, but the gateway is, some operating systems just will not push packets at the gateway. Fortunately, this has become somewhat common with VPN's, so the later operating systems all accommodate this arrangement.

I think there are some potential security implications in having clients use the WAN side IP instead of the LAN side. I wanna do some reading first before I proclaim this to be a problem.

Any chance the PC on the wireless link is some ancient junker running Windoze 95 or 98 first edition?

So, what does your DHCP server deliver to the client? What does: IPCONFIG look like?

Also, it would be interesting to see the routing table. Dump: ROUTE PRINT and see where the default gateway points.

Also, what's the make and model of firewall/router/NAT box ?

So you can literally ping anything from anywhere on the LAN side. That means the LAN side is working (as you noted). The problem could only be a routeing problem going to the internet.

That's not the way it's normally done. If the router does NAT, the LAN side IP address must be a LAN address. As I previously mentioned, there may be a 2nd IP address which might be routeable, but that's rather unusual. Is this network part of a larger VPN based enterprise LAN? If so, the routeable IP address on router may actually be a tunnel to elsewhere on a corporate LAN.

If it's running NAT, it should have an IP address on the LAN side. Try setting the gateway to (or whatever) on the PC going through the wireless link and see if that magically fixes things.

In theory, the Senao radios are a bridge which works on the MAC layer and know nothing about IP addresses. Unless there's some filtering going on, I can't think of anything I could do in the Senao bridge radios to allow pings, but no internet access. The MAC address for the WAN IP and the LAN IP would be the same so anything sent to the router should be accepted. Weird.

You must like antique wireless hardware. Frequency hoppers are ancient. Well, if it works with the Proxim Rangelan2, then it should work with the Senao. Offhand, I can't think of any reason it shouldn't work. So far, the only thing that's either wrong or odd is the use of the WAN side IP as the gateway.

I just did a fast check on my office W2K box to see if I could put the gateway outside the LAN netmask range. Yep. It works. So, it's not a problem, just an unusual way of setting up a network. It should work as is, but it's not usually done like that. That leaves the question of what inside the Senao bridge radios is causing the problem.

Can you test the computer that's going through the wireless link with a direct ethernet connection? I'm just curious if it works without the wireless. If it does work with an ethernet cable, then it has to be something screwy in the Senao radios (by process of elimination).

Good luck.

Jeff Liebermann

The firewall is an original SonicWall device; not sure if it has dual IP capability for the LAN interface, in any case it only allows one IP to be specified.

This is an interesting observation, in that I have never been able to successfully create a VPN link through the Sonic in this configuration.

A mix of WinXP, Win2K and one ancient Win98SE machine.

They are all static IPs; no DHCP enabled anywhere on the network.

These are from a working wireless client (via the 2611CB3 functioning as the AP):

    C:\>ipconfig /all

    Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ARIES-2
        Primary DNS Suffix . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intersil PRISM Wireless LAN PC Card
        Physical Address. . . . . . . . . : 00-02-3B-3A-1C-56
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . :

    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2000003 ...00 02 3b 3a 1c 56 ...... Intersil PRISM Wireless LAN PC Card
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    1 1 1 1 1 1 1
    Default Gateway:
    ===========================================================================
    Persistent Routes:
      None

SonicWall/10 (the original FW appliance)

No, it's a plain vanilla (well, with a twist) SOHO network.

I have tried this (as well as on the bridged machine, with no joy, but that is with the unusual firewall gateway IP. I will change that and give it a try.

But you know, no one else has them, so they are relatively secure both by design and limited user population.

You should see my tin cup and string setup. And sneakernet still works, too.

Any of the laptops works hard-wired, so I was sort of warming (cooling?) to that possibility... I have seen a certain flakiness manifest on occasion with the Senao radios (CB, AP and cards).

Thanks, Jeff. I'll report back.

- Bob
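A check for the condition discussed in this thread, a default gateway that lies outside the adapter's own subnet, run over `ipconfig /all` text. This is an added example, not part of any post; the sample output and its addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the `ipconfig /all` layout shown above; the addresses
# are placeholders (RFC 1918 and RFC 5737), not values from the thread.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:

        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(\S*)\s*$")

def parse_adapters(text):
    """Return {adapter name: {field label: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return adapters

def gateway_report(text):
    """Return {adapter: 'on-link' | 'off-link' | 'incomplete'}."""
    report = {}
    for name, f in parse_adapters(text).items():
        try:
            net = ipaddress.ip_interface(f"{f['IP Address']}/{f['Subnet Mask']}").network
            gw = ipaddress.ip_address(f["Default Gateway"])
        except (KeyError, ValueError):
            report[name] = "incomplete"  # a field is missing or blank
            continue
        report[name] = "on-link" if gw in net else "off-link"
    return report

if __name__ == "__main__":
    for adapter, status in gateway_report(SAMPLE).items():
        print(f"{adapter}: default gateway is {status}")
```

An "off-link" result matches the layout described in the thread, where clients point at the firewall's WAN-side address; "incomplete" is what output with blank address fields produces.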


It doesn't. Single IP address per interface. I have a bunch of the original SOHO-10 routers in service and on my router pile. They are excellent routers but rather slow. Add a few filters and they can't do more than about 1Mbit/sec WAN to LAN.

I'm not sure if the original SOHO can even be configured as a non-NAT router. I can fire one up on Thurs and check.

I have several VPN's running through a somewhat later Sonicwall TELE router. No problems. I also have a few where the router both initiates and terminates the VPN. No need to go through the router. I vaguely recall that there had to be some tweaking of GRE (general router encapsulation protocol) and redirecting the ports used by IPSec VPN pass-thru to get it to work through the router.

I meant the one computah that's going through the Senao wireless. Is it a Windoze 98SE machine?

Well, that's understandable. As soon as someone set up the Sonicwall to *NOT* use NAT, it turned off the internal DHCP server. No way for the internal server to deliver routeable IP's. Using the Sonicwall in "gateway" mode (I think that's the correct term for NAT turned off), will function, but that's not the way it's usually done. Is there a good reason why NAT and DHCP are off?

Amazing. Well, that will work if the Windoze client allows a gateway that's outside the netmask. I'll confess that this is the first time I've seen it done like this.

Well, the local LAN and gateway all route correctly.

Original? There were huge numbers of firmware updates on the SOHO/10. The bin files in my collection show 5.170 as the latest version. There are some later versions (5.6) but my support subscription expired long ago and I was too cheap to renew.

I don't think there's anything broken in the Sonicwall. My best guess is that the Senao bridges are doing something, but I can't figure out what it might be.

The machine at the end of the wireless bridge should be configured the same way as the others. Bridges don't know anything about IP addresses and therefore cannot really mess with the IP layer stuff. It should be totally transparent.

I have a bunch. Paid about $500/ea for them. I installed most of them in 1999 to 2000. Most are still in service.

Yeah. If that's the case, it has to be Senao. Much as I object to your LAN IP layout, it does work. That leaves Senao.

How about doing something disgusting? Set up one Senao as an access point. No router, no DHCP on the access point. Set up the other end as an ordinary wireless client. No bridging, just a simple client. Kinda crude, but has fewer things to go wrong than a transparent bridge. Personally, I would rip out the Senao radios and replace them with a pair of WAP54G bridge radios and be done with it.

Jeff Liebermann

Jeff Liebermann hath wroth:

I finally found a login that worked. The latest for Sonicwall/10 is as of Nov 2001. 5.6 is for something else.

Release notes, which apparently don't require a login:

Duh... Is there some chance that the wireless linked computer exceeded the 10 user limit on the Sonicwall? The way it acts is kinda stupid. Instead of expiring the ARP table for old connections and replacing them with the latest connection, it just accumulates them until it runs out. The older versions of the firmware gave no error message. Just no connection to the internet. The easiest temporary fix was to power cycle the Sonicwall, wait forever for it to boot, and then hope that your machine is first in line before it runs out. The client count is displayed on the first page (general) of the setup.

Jeff Liebermann

Yes, the desktop is a Win98SE machine, though I tend to set up and test the link with a Win2K laptop so I can hot-swap networking specs and IPs.

OK, but the Sonic/10 ( FW, 6 current connections) is in "NAT Enabled" mode and DHCP is NOT enabled.

Right, it is running the final FW.

Yes, they are bulletproof and the XR 500mw radios have great coverage; mine have been running without a hiccup since 1999.

What I meant by "no one" is not very many people in the non-professional war-driver/AP-snooping crowd have them; not really consumer wireless gear.

OK, this is the way the 2611CB3 is set up now; as an AP, no DHCP.

If it was a laptop with PCMCIA slot, I would go that way, but the remote client is a desktop, so I am using the 3054CB3 as a wireless adapter.

That will be the reluctant next step. The 2611CB3 in access point mode works fine, so I may first just try a replacement for the 3054CB3 wireless adapter.

Again, thanks.


The 5-series F/W throws and logs (on the Sonic and in Syslog) an error if the number of IPs exceeds the license limit of 10, so I don't think that's the issue. The bridged workstation would be IP # 8.


Thanks for your help, Jeff.

The setup began to work again (despite the non-standard gateway IP) when I switched to Channel 10, so I suspect heavy traffic congestion on prime channels or more likely intermittent flakiness in the AP and/or CB radio(s).

- Bob
