Allow WAN to access LAN

Context

Hi, this perhaps seems like a ridiculous question but I am currently in a ridiculous scenario. Perhaps it's best to start off with my current setup and then explain why it is this way:

Garbage ISP router is the key here. I'm renting, the wifi on the ISP router is so bad I could write 5 paragraphs on it (goes way beyond just being slow), and the landlord can't be bothered to even call them up. On top of this, the router has no configuration interface (the ISP requires that the contract holder call them to activate it, and that's not gonna happen). I'm forwarding ports by running a cron job that continually allocates them through UPnP. The Ethernet interfaces on it however seem to work properly.

Goal

So I set things up as above, everything is now ok. The one problem I do still have however is that in order to forward ports, I now have to do it twice - once on the OpenWrt router and once on the ISP router. And ofc I also can't access the machines on the .2 network from the .1 network.

I would like to keep "free travel" between both networks, as would happen if the OpenWrt router was merely serving as an access point/switch. The reason I'm not doing that however, and instead aim to keep this separate .2 network, is I'm doing split DNS, statically allocated addresses, and I don't want to depend on the ISP router's DHCP (or anything else) - it frequently goes haywire or just straight up dies, and I'd like my .2 network to keep working normally when it does.

Question

I understand that if I just bridge WAN with LAN, I'll have two "competing" DHCP servers. With NAT however, 192.168.1.5 can never talk directly to 192.168.2.3. I was thinking perhaps "walling-off" DHCP traffic (essentially making 2 different DHCP "domains") might work, but then the OpenWrt router would have to send out ARP "updates" on the .1 network so the ISP router would know which port to route the .2 destination packets to (assuming that would even work).

So is there a good way to achieve this?

Thank you.

You can set your OpenWrt router as a dumb AP.
You then have one large subnet for seamless access.

If you do not want this and you want the OpenWRT router on its own subnet with own DHCP server then you have to set a static route on the ISP router:
ip route add 192.168.2.0/24 via 192.168.1.5

The next step is to allow traffic from the ISP router's subnet (192.168.1.0/24) on the router:
/etc/config/firewall:

config rule
	option name 'allow_forward'
	option src 'wan'
	option dest '*'
	option target 'ACCEPT'
	list src_ip '192.168.0.0/16'
	option enabled '1'

config rule
	option name 'allow_input'
	option src 'wan'
	option target 'ACCEPT'
	list src_ip '192.168.0.0/16'
	option enabled '1'
2 Likes
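
The two rules in the answer above accept any 192.168.0.0/16 source arriving in the wan zone, both to the router itself and towards every zone. A narrower variant follows, as an added example that is not part of the original post. It assumes the default zone names wan and lan, the OpenWrt LAN being 192.168.2.0/24 as in the route above, and SSH (22) and HTTPS (443) as the only router services the .1 hosts need; adjust those to your setup.

```uci
# /etc/config/firewall (added example; subnets, zones and ports are assumptions)

# Forwarding: only hosts on the ISP router's LAN may reach the OpenWrt LAN,
# and only that zone, instead of dest '*'.
config rule
	option name 'allow_isp_lan_forward'
	option src 'wan'
	option dest 'lan'
	option family 'ipv4'
	list src_ip '192.168.1.0/24'
	option dest_ip '192.168.2.0/24'
	# Rules match only TCP and UDP unless proto is set; 'all' also lets ping through.
	option proto 'all'
	option target 'ACCEPT'
	option enabled '1'

# Input: the router's own services stay closed on wan except for
# management ports, and only from the ISP router's LAN.
config rule
	option name 'allow_isp_lan_mgmt'
	option src 'wan'
	option family 'ipv4'
	list src_ip '192.168.1.0/24'
	option proto 'tcp'
	option dest_port '22 443'
	option target 'ACCEPT'
	option enabled '1'
```

Because the ISP router hands out UPnP port mappings, anything the wan zone accepts is only as private as the .1 network itself, so keeping the source list to the one subnet that actually exists there limits what a misbehaving upstream device can reach.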

Perhaps my post was a bit long. I mentioned the ISP router has no configuration interface. Hence my speculation in the end with regards to using ARP to manually 'force' this routing on the part of the ISP router, but that was assuming it would hold .2 network addresses in its ARP table which I'm not sure it would.

Also wouldn't allowing traffic like that cause conflict between the two DHCP servers? Or does it know not to forward broadcast data?

Broadcast data is not broadcast between subnets.

If your ISP router has no configuration possible then consider setting it up as a dumb AP.

Note: if you can SSH into the ISP router you can just add the routes manually, but I guess that is also not possible.

1 Like

If they are PCs like on the diagram, you could configure the routes directly on the end devices in the 192.168.1.x network, pointing the 192.168.2.x network towards the OpenWrt router, then allowing the .1.x individual devices' IP on the OpenWrt router's firewall.

Though a better solution would be to connect all your end devices behind the OpenWrt router. If you want to keep them separated you can configure 2 different VLANs, and have different DNS settings on each network if that's what you want. Edit: of course you can still permit on the firewall any specific traffic you want to pass between the VLANs.

1 Like

this does sound like the wiser way to do all this. thank you

1 Like