Access home net --> GuestWIFI of Fritzbox

Hello,

I have some smart home devices (security cam etc.), which open a connection to an internet service for access via app. So it is like a VPN into my network.

So I want to put them into the guestwifi of my main Router (Fritzbox cable).

But I want to access these devices from other software in my normal LAN network.
The main router does not allow to access the guestlan from the normal network.

So my idea was: to install openwrt on a raspberry pi. The openwrt has a LAN interface in my home network (Zone lan) and a wifi client interface to the guestWifi (Zone wifiguest).
For every device I want to access in the guestwifi I create an alias interface (lanX) with a separate IP on the home network interface.

So far it works....

I tried to create a route from interface lan1 (192.yyy.xxx.13) to the target IP of the security cam, but I could not access it.

Is there anything else to do? I only use the UI, not the command line or config files.

Thank you

Here is a diagram of my "solution idea".

Regards

Even if you create a route, your computers have not been told to use it. You would need to add it on the DHCP server (not the device with the DHCP server) so it announces the new route to the clients, but I doubt an original firmware would do that.

Why not put everything you don't trust on the wifi shared by the Fritzbox, then everything else behind the 2nd firewall of the openwrt device?

Everything attached to the Fritz should still be accessible from behind the openwrt.


I want to connect to 192.yyy.xxx.13 (then it should route/nat?) to the 172.yyy.xxx.2... that is my idea

Hello,

Hm, because the Fritzbox has a lot of features (strong wifi / nas etc.) which I want to use for my home net.
The openWRT is only a "raspberry pi 3"

Where did you create this route ?

In openwrt or on the fritz box ?

On the fritz box you can add additional routes. I have a fritz box as main router and openwrt Access points with guest network. I added these as routes to the fritz box, so I am able to access guest network devices from my normal lan.

Hello Stefan,

I did it on the openwrt...

So you build up the guestWifi with the openwrt device, right?
And how did you manage the routing from guestWifi over openwrt so that they could not access the local network?

Just follow

And by the way please do not sign your post or use greetings:
https://forum.openwrt.org/guidelines#keep-tidy

If you like a post, use the like button :smiley:


Hello Stefan,

but does this solution work if my homenet is LAN/WLAN of the Fritzbox and so it is not behind openwrt, so the openwrt is one client of the homenet (=wan interface)....!?

Yes, it does. An access point is always behind a router and client of a router. And you connect the AP via lan, not via wan interface. The firewall rules of the AP prevent access to your normal lan, if it is set up correctly (as described in the above link).
Check out the firewall rules, there is a rule called "Block guest access to private network". This is the one you are explicitly asking for.


Thank you.

I will try it with the Raspberry Pi; if it works I will exchange it for other hardware (openwrt compatible).


I worked through the guide and the GuestWifi works fine.
I also created a static route on the fritzbox to route the new subnets (guestWifi) to the openwrt.

But it stops at the openwrt.

My zones look like this. But I think there is a rule missing from lan --> guest, right?

And I could access all devices in my homenet (lan) from GuestWifi.... not so good...

  1. Yes, you need a forward from lan to guest
  2. If your lan is accessible from your guest network, then you need the rule I was talking about before:

From guest to lan, reject forward for all ips in your lan:

These rules are listed under point 4 of the description. Whether you reject or just drop without notice is your choice, but you need those rules...

In the meantime I started from scratch, and the second time I missed the Block "traffic rule" (the other two rules were there)...

Now it is safe.

And I added the forward rule... and now I could access my device on the GuestWifi.

Many Thanks for the help

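Added example, not part of the thread or of the OpenWrt guide: a small Python audit of an `/etc/config/firewall` file for the two things settled above, a `lan` to `guest` forwarding and a block rule that keeps `guest` out of the home subnet. The zone names `lan` and `guest`, the `192.168.1.0/24` home subnet and the sample config are constructed assumptions.

```python
import ipaddress
import shlex

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: [values]})]."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) >= 3 and parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).extend(parts[2].split())
    return sections

def audit(text, home_net, guest="guest", lan="lan"):
    """Report lan->guest forwarding and whether guest can still reach home_net."""
    home, sections = ipaddress.ip_network(home_net), parse_uci(text)
    fwd = {(o.get("src", [""])[0], o.get("dest", [""])[0])
           for kind, o in sections if kind == "forwarding"}
    blocked = False
    for kind, o in sections:
        # Strict on purpose: only an all-protocol REJECT/DROP rule from guest to
        # lan with no port, source or MAC match counts as a block.
        if (kind != "rule" or o.get("src") != [guest] or o.get("dest") != [lan]
                or o.get("target", [""])[0].upper() not in ("REJECT", "DROP")
                or "all" not in o.get("proto", [])
                or {"dest_port", "src_ip", "src_port", "src_mac"} & o.keys()):
            continue
        nets = [ipaddress.ip_network(d, strict=False) for d in o.get("dest_ip", [])]
        blocked |= not nets or any(home.subnet_of(n) for n in nets)
    return {"lan_to_guest": (lan, guest) in fwd,
            "guest_reaches_home": (guest, lan) in fwd and not blocked}

# Constructed sample: zone names and the 192.168.1.0/24 home subnet are assumptions.
SAMPLE = """
config forwarding
    option src 'guest'
    option dest 'lan'
config forwarding
    option src 'lan'
    option dest 'guest'
config rule
    option name 'Block guest access to private network'
    option src 'guest'
    option dest 'lan'
    option dest_ip '192.168.1.0/24'
    option proto 'all'
    option target 'REJECT'
"""
```

Calling `audit(open("/etc/config/firewall").read(), "<home subnet>")` on the router's own file gives the same two answers; `guest_reaches_home` being true is the state described in the post where the block rule was missed.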
