2 Fritzbox 2 Subnet one OpenWrt

Hello
I have 2 Fritz boxes, both of which have an internet connection.
One has the 192.168.0.0 network gateway 192.168.0.1
The other has the network 192.168.1.0 gateway 192.168.1.5.
Now I have a Fritzbox 7362 with OpenWrt 22.03.3 r20028-43d71ad93e / LuCI openwrt-22.03 branch git-22.361.69894-438c598.
I would like to connect these between the two networks.
I would like 192.168.0.0 --> 192.168.1.0 in both directions
& 192.168.1.0 --->192.168.0.0.
Can someone help me with what I have to set, and where, so that I can use LAN access in both directions?

Sorry for my English ... gladly also in German ..
Kind regards
Sralus

You'll have to provide some more information.
How many Fritzboxes are there? 2 or 3?
What version are they running? ubus call system board
Are they located in the same area? Can you connect them directly with a cable?

Hi I have 3 Fritz boxes
I have a Fritzbox 7590 - 192.168.0.1 GW - AVM & Freetz
A Fritzbox 7490 - 192.168.1.5 GW - AVM & Freetz
A Fritzbox 7362 -

root@OpenWrt:~# ubus call system board
         "kernel": "5.10.161",
         "hostname": "OpenWrt",
         "system": "xRX200 rev 1.2",
         "model": "AVM FRITZ!Box 7362 SL",
         "board_name": "avm,fritz7362sl",
         "rootfs_type": "squashfs",
         "release": {
                 "distribution": "OpenWrt",
                 "version": "22.03.3",
                 "revision": "r20028-43d71ad93e",
                 "target": "lantiq/xrx200",
                 "description": "OpenWrt 22.03.3 r20028-43d71ad93e"

and yes I have two Lan cables that can be connected to the 7362, each coming from the two Lan networks 192.168.0.0 and 192.168.1.0...
This is to be used as a LAN/LAN bridge.
Unfortunately I don't know how to connect these LAN subnets with each other..
Kind regards

If I understand correctly, you want the lan of 7362 to use both internet connections of 7590 and 7490?
Is this drawing correct?



Hi
That's how I would like it.
DHCP servers are running in both networks.
But I would like to go from the 0 to the 1 network and from the 1 to the 0 network.
I would be happy if you can implement it like this.

Kind regards

Do the 7490 and the 7590 support static routes? If so, this can be done. If not, it won’t be possible at the router level.


Hi
Yes, I believe that this can be set with the Fritz boxes.
(See image)
Kind regards

ok.... good. Assuming the 7490 also has a similar thing, you should be fine.

Your OpenWrt 7362 will have 2 networks (192.168.0.0/24 and 192.168.1.0/24). Each network will need to have an address on the associated network that is not being used by any other devices on your networks, and not in the DHCP pool. Let's say, for example, that it has 192.168.0.2 and 192.168.1.6. You'll assign the two networks to the same zone with the zone forward rule set to accept (the lan zone works for this application).

  • On the 7590, you'd set a static route as follows:
    192.168.1.0 255.255.255.0 via 192.168.0.2

  • On the 7490, you'd set a static route as follows:
    192.168.0.0 255.255.255.0 via 192.168.1.6

EDIT: I can give more specific advice about the FB7362 with OpenWrt if you post the /etc/config/network file here


OK ..
I once added a picture of how it would have to be adjusted in the 7590?
Wouldn't that work without changing something on the Fritz boxes 7590 & 7490? Also to configure the 7362 so that it goes over it?
Kind regards

The picture looks correct (assuming that the OpenWrt device will use 192.168.0.2... adapt as necessary if OpenWrt uses a different address).

Each of the routers needs to be aware of the other network. Therefore, you must have the static routes installed on both sides.

But a device connected to one of the 7x90 routers won't know how to reach the other network, so it will ask the 7x90 router to handle the routing... but without the static route, the 7x90 router won't know where to send the traffic, so it will either direct it to the wan or drop it (depending on the configuration, packets with RFC1918 addresses in the destination may be dropped before they hit a public WAN because RFC1918 is not routable on the public internet).

The static route on each of the 7x90 routers ensures that the router knows the path to get to the other network.

This one, running OpenWrt, is the 'gateway' from one network to the other. It will have addresses on each of the networks, so it will already know how to route between them. It is the metaphorical 'bridge' here (but not a technical networking 'bridge' -- that is a very different thing).

OK
I understood that so far.
Would the Fritz boxes 7490 and 7590 continue to work if the 7362 were not connected?

Here my network conf. from the 7362..


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf2:3a4b:8123::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'b'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '08:96:D7:EA:56:9A'

config device
	option name 'lan2'
	option macaddr '08:96:D7:EA:56:9A'

config device
	option name 'lan3'
	option macaddr '08:96:D7:EA:56:9A'
	option ipv6 '0'

config device
	option name 'lan4'
	option macaddr '08:96:D7:EA:56:9A'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.254'

config device
	option name 'dsl0'
	option macaddr '08:96:D7:EA:56:9D'

config interface 'wan'
	option device 'dsl0'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option ipv6 '1'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config interface 'LS3'
	option proto 'static'
	option device 'lan3'
	option ipaddr '192.168.0.253'
	option netmask '255.255.255.0'

config interface 'R2'
	option proto 'static'
	option device 'lan2'
	option ipaddr '192.168.1.254'
	option netmask '255.255.255.0'


For normal internet access and all the other features, yes. The only difference is that it will now be able to properly direct traffic destined for the 'other lan' to the right place.

These are fine except for the fact that they are missing the gateways for the respective networks.

Add this to LS3

	option gateway '192.168.0.1'

Add this to R2

	option gateway '192.168.1.5'

And then make sure both LS3 and R2 are assigned to the same firewall zone (I'd suggest the pre-defined lan zone), with the zone forward rule set to accept.

Keep in mind that the addresses you have here do not match my earlier example (which is fine), so the static routes need to reflect the actual addresses:

  • On the 7590, you'd set a static route as follows:
    192.168.1.0 255.255.255.0 via 192.168.0.253
  • On the 7490, you'd set a static route as follows:
    192.168.0.0 255.255.255.0 via 192.168.1.254

Thanks very much !!
I'll test that tonight

Hi
I have made the routing entries but get no connection to the 1er network.
How do I have to set the firewall exactly?
or what can it be?
Kind regards

let's see the screenshots for both 7x90 devices (the main config/address and the static routes pages), and the following config files from the OpenWrt box.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf2:3a4b:8123::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '08:96:D7:EA:56:9A'

config device
        option name 'lan2'
        option macaddr '08:96:D7:EA:56:9A'

config device
        option name 'lan3'
        option macaddr '08:96:D7:EA:56:9A'
        option ipv6 '0'

config device
        option name 'lan4'
        option macaddr '08:96:D7:EA:56:9A'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.254'
        option delegate '0'
        option defaultroute '0'

config device
        option name 'dsl0'
        option macaddr '08:96:D7:EA:56:9D'

config interface 'wan'
        option device 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'LS3'
        option proto 'static'
        option device 'lan3'
        option ipaddr '192.168.0.253'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'R2'
        option proto 'static'
        option device 'lan2'
        option ipaddr '192.168.1.254'
        option netmask '255.255.255.0'
        option gateway '192.168.1.5'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'LS3'
        list network 'R2'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'LAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'LS3'
        list network 'R2'
        list network 'lan'

config forwarding
        option src 'LAN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'LAN'

Delete all of these. You already have a lan zone defined (lowercase lan above), and all three networks are assigned there... you cannot have the same network(s) in multiple firewall zones.

Let's see the screenshots from the 7x90 devices.


these look good.

Can you show the main lan address configuration of those two FBs.

Hi
Now it works. I had not activated the hook of the route set in the 7490.
What do I have to delete from the firewall config?
and the DHCP servers don't bite each other anymore, do they?

Kind regards