Accessing a Subnetwork Through OpenWrt Without Reverse Visibility

Hello,
This is a repeat; the solution was created in 2023, but I want to explore the best possible options now. I have 2 networks, master and slave. The diagram will show you more details. How do I make the 192.* network reach the 10.* network transparently? Devices in 10.* should not reach 192.*, but should have internet. This is done to avoid the IoT devices and cameras taking the full bandwidth. There was a solution earlier that worked for years, but now I have done a reset and lost all settings.

After the reset, I added a static route on the master router, but it did not work.

Transparently?

Make a firewall rule that blocks forwarding from LAN to 192.168.1.0/24.

Not sure how that was accomplished by that setting - but OK.

I think you have the masquerade option enabled for the wan zone? Disable that. Enable zone forwarding from WAN to LAN to allow packets to flow from the main network to the OpenWrt network. Then continue to the traffic rules tab to allow source zone lan to access !main-network-ip through the wan zone.

Just use the routing table in 192.168.1.1 to route 10.0.0.x IPs to 192.168.1.225.
Add a firewall rule in 10.0.0.1 to allow traffic coming from 192.168.1.x,
and put a firewall rule in 10.0.0.1 to reject forwarding (but allow input) of traffic going to 192.168.1.x.
That should do the trick; it's the natural way to do this.
Also, please put a better title, something like "Accessing a Subnetwork Through OpenWrt Without Reverse Visibility".

From Luci:

# === STATIC ROUTE FORM (IMAGE 1) ===
# Location: Main router (192.168.1.1)
# Purpose: Forward packets destined to 10.0.0.0/24 through OpenWrt

Interface:           lan
Route type:          unicast
Target:              10.0.0.0/24
Gateway:             192.168.1.225   # WAN IP of OpenWrt


# === TRAFFIC RULE FORM (IMAGE 2) ===
# Location: OpenWrt router (10.0.0.1)
# Two separate rules must be entered

# Rule 1: Allow 192.168.1.0/24 → 10.0.0.0/24
Name:                allow_main_to_subnet
Protocol:            any
Source zone:         wan
Source address:      192.168.1.0/24
Source port:         any
Destination zone:    lan
Destination address: 10.0.0.0/24
Destination port:    any
Action:              accept

# Rule 2: Block 10.0.0.0/24 → 192.168.1.0/24
Name:                block_subnet_to_main
Protocol:            any
Source zone:         lan
Source address:      10.0.0.0/24
Source port:         any
Destination zone:    wan
Destination address: 192.168.1.0/24
Destination port:    any
Action:              reject

If you want to do it in SSH

# === CONFIG ON MAIN ROUTER (192.168.1.1) ===
# Add static route so 192.168.1.0/24 devices can reach 10.0.0.0/24 via OpenWrt

uci add network route        # config name and section type are separate arguments
uci set network.@route[-1].interface='lan'
uci set network.@route[-1].target='10.0.0.0'
uci set network.@route[-1].netmask='255.255.255.0'
uci set network.@route[-1].gateway='192.168.1.225'        # OpenWrt WAN IP
uci commit network
/etc/init.d/network restart


# === CONFIG ON OPENWRT ROUTER (10.0.0.1, WAN: 192.168.1.225) ===
# Allow 192.168.1.0/24 to access 10.0.0.0/24

uci add firewall rule
uci set firewall.@rule[-1].name='allow_main_to_subnet'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].src_ip='192.168.1.0/24'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='10.0.0.0/24'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='all'
uci commit firewall

# Block 10.0.0.0/24 from reaching 192.168.1.0/24

uci add firewall rule
uci set firewall.@rule[-1].name='block_subnet_to_main'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].src_ip='10.0.0.0/24'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].dest_ip='192.168.1.0/24'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].proto='all'
uci commit firewall

# Optional: disable NAT masquerading on WAN to avoid hiding 192.x source IPs

uci set firewall.@zone[1].masq='0'
uci commit firewall

# Apply firewall changes

/etc/init.d/firewall restart

I didn't test it, but I know that it should work.

What is the "main router" (192.168.1.0/24)? Is it OpenWrt?

If it's not OpenWrt, does it have a place to specify static routes? As suggested by @braian87b , this is how you would allow the 192.168.1.0/24 network devices to reach those on the 10.0.0.0/24 network (in addition to a few small tweaks to the firewall on the OpenWrt 10.0.0.0/24 device).

If your main router does not support static routes, this will not be possible.

The main router is also OpenWrt. The problem started when I introduced a domain controller into the network, 192.168.1.142. This DC has its own DNS server. I want to force the Windows clients to use OpenWrt 192.168.1.1 as DNS server, but if I use this, the DC is not resolving. If I use the DC, I lose the 10.* network from the DC clients. In the process I got lost and reset the routers, so now I'm doing it from scratch. I have added only one static rule as of now; I will try as suggested by braian87b and will update you.

I tried. As I had added the static route, I could reach the 10 network, but this made the OpenWrt router disappear from the list of connected devices, which is fine, not a big deal. But when I added the firewall rule to the slave router, it appeared again. When I added the second firewall rule, it worked, but it blocked the internet as well. I guess it should be 192.168.1.0/24 except 192.168.1.1.

We can review your config (we need to see both devices):

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "XXXXXXXXXXXX",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "CUDY X6 v1",
        "board_name": "cudy,x6-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fX27:35X7:7X78::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.142'
        list dns '192.168.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option interface 'wan'
        option target '10.0.0.0/24'
        option gateway '192.168.1.225'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

All this is from the main router. Right now the firewall changes have been removed as suggested. Below is the second router.

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "Xiaomi Mi Router 4C",
        "board_name": "xiaomi,mi-router-4c",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx39:019c:0bg72::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'ec:41:18:44:bx:7e'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


I applied this for the time being.

config rule
        option name 'Block'
        option src 'lan'
        list src_ip '10.0.0.0/24'
        option dest 'wan'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

Remove the masquerading here:

Add forwarding from wan > lan:

config forwarding
        option src 'wan'
        option dest 'lan'

You can remove the src_ip line:

Restart and that should do the trick.

Also, you should be upgrading your devices -- 23.05 is a bit old, but 23.05.5 is still supported. That said, it's best to upgrade to 24.10 to stay current.

Thank you @psherman . I am taking a break, since you mentioned upgrading the firmware. I will update the firmware, restore the above settings, and come back. In your comment: 1) Remove the masquerading here: - is this the slave router? 2) Add the forwarding from wan > lan, again assuming on the slave router. 3) It's obvious for the slave router. I can remove it.

Regards
Kishor

Yes, it would be the downstream router.

Yes, same deal, downstream.

Also... while we're discussing this... all of this can actually be done on a single router. Is there a reason you want to have two routers like this? (it's fine and technically acceptable, but it's a bit easier to administer and cleaner if you use the primary router for all routing functions).

I'm experimenting with a monitoring project for my network. I have several cheap cameras and IoT devices connected to my router, and my goal is to track where these devices are connecting. Initially, I wrote a shell script to log their IP addresses and push them to a server for analysis. However, tasks like camera viewing, video frame transfer, firewall blocking and dropping packets created a significant processing load. My small initial routers couldn't handle it; their disk space and memory quickly filled up. To resolve this, I've now dedicated a separate, more robust router to this monitoring, leaving my main internet router solely for ad-blocking to maintain its performance.

Fair enough. With that in mind, everything we've discussed should allow you to achieve the goals. Let us know what happens.

Both routers have been updated to the latest version as mentioned. Only one modification has been made on the main router, to add the static route.

I tried all the settings, and it did not work, so finally I performed a reset to defaults on the slave router. With the static route on main, I cannot reach the 10.* network. Even the gateway 192.168.1.225 is not reachable.

I added

config forwarding
        option src 'lan'
        option dest 'wan'


Nothing changed. From main to slave, no entry. From slave to master, it's open.

Let's review the configs from both devices:

cat /etc/config/network
cat /etc/config/firewall

In addition, please show how you are testing, and also the operating systems of the hosts used for the tests.

Testing is simple. Both routers have different SSIDs, so my laptop connects to the different networks.

As I said, I have a static route on the main router to reach the slave router. The moment I uncheck the Masquerading checkbox under firewall general settings, the slave router loses connectivity to the internet. Right now everything is default.

Network -


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'bbbbbbbbbbbba7d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'ec:bbbbbbbbbb44:ba:7e'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'


Firewall -


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


Current status - main to slave, no entry. From slave, all doors open.

On the downstream router (10.0.0.1), verify that the address of the wan is as expected (192.168.1.225):

ifstatus wan | grep address

Make sure that you have added a forward rule (this appears to be missing):


config forwarding
	option src 'wan'
	option dest 'lan'

And turn off masquerading.

You didn't post your main router's config, so I cannot verify that everything is correct, but from the screenshot, you appear to have the wrong interface:

The interface should be lan.

Reboot both devices and test.
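As an added check (not from the thread), a small Python script that parses UCI config text and tests the posted configs against what was asked for above: on the main router a static route to 10.0.0.0/24 on interface lan, and on the downstream router masq off, a wan to lan forwarding and the lan to wan REJECT rule for 192.168.1.0/24. The sample configs are constructed excerpts modelled on the ones posted, not the full dumps.

```python
import ipaddress
import shlex
# Constructed excerpts modelled on the configs posted in the thread (not the full dumps).
POSTED_NETWORK = """config route
        option interface 'wan'
        option target '10.0.0.0/24'
        option gateway '192.168.1.225'
"""
POSTED_FIREWALL = """config zone
        option name 'wan'
        option masq '1'
config forwarding
        option src 'lan'
        option dest 'wan'
"""
FIXED_FIREWALL = POSTED_FIREWALL.replace("masq '1'", "masq '0'") + """config forwarding
        option src 'wan'
        option dest 'lan'
config rule
        option src 'lan'
        option dest 'wan'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'
"""

def parse_uci(text):
    """Parse UCI config text into sections, each with its options and lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == 'config':
            cur = {'type': parts[1], 'options': {}, 'lists': {}}
            sections.append(cur)
        elif parts[0] == 'option' and cur:
            cur['options'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and cur:
            cur['lists'].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else '')
    return sections

def check_downstream_firewall(text, upstream_net='192.168.1.0/24'):
    """List deviations from the downstream-router (10.0.0.1) setup agreed in the thread."""
    secs = parse_uci(text)
    findings = []
    if any(s['type'] == 'zone' and s['options'].get('name') == 'wan'
           and s['options'].get('masq') == '1' for s in secs):
        findings.append('wan zone still masquerades; set masq to 0')
    if not any(s['type'] == 'forwarding' and s['options'].get('src') == 'wan'
               and s['options'].get('dest') == 'lan' for s in secs):
        findings.append('no forwarding section wan -> lan')
    if not any(s['type'] == 'rule' and s['options'].get('src') == 'lan'
               and s['options'].get('dest') == 'wan' and s['options'].get('target') == 'REJECT'
               and upstream_net in s['lists'].get('dest_ip', [s['options'].get('dest_ip')])
               for s in secs):
        findings.append(f'no lan -> wan REJECT rule with dest_ip {upstream_net}')
    return findings

def check_upstream_route(text, subnet='10.0.0.0/24'):
    """Check that the main router's static route for subnet sits on interface 'lan'."""
    for s in parse_uci(text):
        o = s['options']
        if s['type'] != 'route' or 'target' not in o:
            continue
        # The SSH variant in the thread writes target + netmask instead of CIDR.
        target = o['target'] if '/' in o['target'] else f"{o['target']}/{o.get('netmask', '32')}"
        if ipaddress.ip_network(target, strict=False) != ipaddress.ip_network(subnet):
            continue
        return [] if o.get('interface') == 'lan' else [f"route to {subnet} uses interface '{o.get('interface')}', should be 'lan'"]
    return [f'no static route for {subnet}']
```

Paste the real /etc/config/firewall and /etc/config/network contents in place of the constructed strings to check a live device; an empty list means nothing is missing.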

Sorry, I am late on this. The current state is that I can access the 10.* network from 192.* and 192.* from 10.*. I tried applying the block firewall rule on the slave router; it blocks the entire internet. Not sure where I am making a mistake.