I’ve always thought the firewall color codes were arbitrary, though I might just have not paid attention all these years lol.

Just to clarify: I meant connect your OpenWRT device to your hotspot instead of the AP you’ve been working with. Just to rule out multiple MACs being blocked on the AP.

Beyond that, I’m not really able to help troubleshoot further, but worst case and if all you need is internet, you can set your OpenWRT device up so that it just NATs your downstream connections. Double-NAT, in most cases, is fine.

Hmm. Is the upstream AP some kind of fancy deal or a run of the mill consumer router?

I’ve seen some Cisco APs configured to not allow multiple MAC addresses from the same station. Caused problems when trying to do VMs on my laptop that had the network in bridge mode.

Are you able to put your phone into hotspot, connect to that instead of the upstream AP, and see if it works?

I did that with a GL.iNet travel router after flashing stock OpenWRT, and used it as a wireless bridge for several years. It uses relayd to bridge the Wifi station interface and Ethernet. Once you have an ethernet bridge, you can connect another AP or do whatever from there.

If you create a second wifi interface in AP mode (in addition to the station/client one connected to the upstream), you should be able to add that to the LAN bridge alongside the ethernet interfaces. That bridge will then be part of the relayd bridge, and it all should just work (should, lol. I haven’t tested that config since I only needed to turn wifi into wired ethernet with this setup).

Interfaces:

LAN Bridge: Ethernet interfaces to be bridged to the wifi

I have both of its interfaces in this bridge, and it also has a static management IP (outside of the WLAN subnet). This management IP is a static out-of-band IP since the devices connected over ethernet won’t be able to access it’s WLAN IP (in the main LAN) to manage it. To access this IP, I just statically set an additional IP on one of the downstream ethernet client devices.

The LAN bridge is in a firewall zone called LAN.

WWAN: Wireless station interface that’s configured as a client to the AP providing upstream access. I have this configured statically, but DHCP is fine too. Firewall zone is WLAN.

WLANBRIDGE: The relayd bridge (Protocol: relay bridge). It’s interfaces are the LAN bridge and the WWAN interface.

Disregard the WGMesh parts; that’s separate and not related to the wireless bridging mode.

Right? It’s refreshing to see a post here that’s about technology that works for us rather than yet another article about AI being shoved into more places that no one asked for or development progress updates on the Torment Nexus.

More posts like this, please.

Oh, nice! The Xiao seed, unlike the Heltec’s I have, comes with 8 MB of PSRAM which makes it suitable for acting as a store-and-forward node.

May have to pick up at least one of these since that’s one thing I’d like to add to the mesh I’m putting together.

Is there a c/NotMyJob in the fediverse yet? This could be the inaugural post if not.

Dennis Takes a Mental Health Day is probably the most accurate portrayal of me ever written.

I flat-out refuse to do business with any that requires I use an app. I won’t even scan a QR code for a restaurant menu; that’s my cue to go eat elsewhere.

See post edit. I’ve already answered that twice.

If they expected you to read the install script, they’d tell you to download and run it. It’s presented here for lazy people in a “trust me, bro, nothing could ever go wrong” form.

• There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release’s checksums file.

• Binaries can also be signed (not that signing keys have never leaked, but it’s still one step in the chain of trust)

• The install script is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there’s lots of things that can go wrong with that.

1. That’s been the way to acquire software since shortly after the dawn of time. You already know what you’re getting yourself into.
2. There are SHA256 checksums of each binary file available in each release on Github. You can confirm the binary was not tampered with by comparing a locally computed checksum to the value in the release’s checksums file.
3. Binaries can also be signed (not that signing keys have never leaked, but it’s still one step in the chain of trust)
4. The install script is not hosted on Github. A misconfigured / compromised server can allow a bad actor to tamper with the install script that gets piped directly into your shell. The domain could also lapse and be re-registered by a bad actor to point to a malicious script. Really, there’s lots of things that can go wrong with that.

The point is that it is bad practice to just pipe a script to be directly executed in your shell. Developers should not normalize that bad practice

I mean, how about:

1. Download the release for your arch from the releases page.
2. Extract to ~/.local/bin
3. Run

I just realized yesterday there’s a beta Linux version. It’s nowhere near as polished as the Android one, but it does seem to work. Hopefully that gets some love.

Oh, we can do that too, at least to varying degrees. Depends on the bank and what services they offer.

My bank will at least do what’s called “Bill Pay”. It’s (mostly) the equivalent of me telling the bank to write and mail a check to a company on my behalf. I don’t currently have that setup, but it is something I’m looking into. It’s been available for a long time, but years and years ago when I looked into it, only certain companies/utilities were supported by my bank.

It’s not like they are a secret.

They’re also not public info, either. Typically they’re combined with name, address, etc for fraud protection, but those details are even easier to acquire than account numbers. The routing numbers are public information, though. In the result of a data breach, a bad actor has everything they need.

What are any potential hackers going to to with my bank account numbers?

Just about anything they want since they’ll likely have your personal details too. When adding a bank account to any of my utility payment accounts, there is no verification whatsoever; enter details, authorize payment.

I don’t use CashApp and the like, but in the past, PayPal would deposit a few cents into the account, and you had to verify ownership of the account by entering those random amounts into the signup form to complete the process. That’s also trivially defeated if enough of your data was breached and in the hands of an attacker (e.g. call the bank, pretend to be you, and ask for the info).

Not to mention, why would attackers in phishing/scam emails ask for bank details if they’re not secret or are useless?

Yeah, I’ve been meaning to look into that. Especially so I can start unlinking my bank details from sites that will eventually expose them in a breach.

That maximizes my costs as well (plus hassle). I don’t even own a checkbook.

Gotta do what you gotta do 🤷‍♂️