Assigning public IPs via PPPoE on the physical interface

I have configured my OpenWRT router with:

  • Interface eth4 with vlan 835.
  • PPPoE with the credentials provided by our ISP.

I want to configure a device, connected to eth5 using the navigation subnet provided by the ISP (let's say x.x.x.128/30, available for devices 129 and 130; gateway dynamically assigned by the ISP through the PPPoE), without any NAT/firewall rules.

How would I do that?

This is not natively supported by OpenWrt.

The project would involve a script under /etc/ppp/ip-up.d (or maybe under /etc/hotplug.d) which removes the IP from pppoe-wan, adds an onlink route to br-lan for this IP, cleans up any stale onlink routes, and reconfigures dnsmasq to issue the lease via DHCP to a device with a chosen MAC.

Sorry, I misread. The ISP assigns a static x.y.z.23 to the tunnel via PPPoE and routes .128 - .131 via the same PPPoE link.

In this case, it is supported, here is how:

In /etc/config/network:

config route
	option interface 'lan'
	option target 'x.y.z.128/30'

In /etc/config/firewall:

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list masq_src '!x.y.z.128/30'

Then, on devices, add x.y.z.129/32 and x.y.z.130/32 IP addresses (yes, with /32 as the netmask) and 192.168.1.1 (or whatever your router LAN IP is) as the gateway. BTW, with this /32 netmask, I think that device IPs ending with .128 and .131 will also work.
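To make the two halves of this answer concrete (the onlink route to br-lan and the negated masq_src entry), here is an added model of the router's forwarding decision; it is not part of the original post or of OpenWrt, and it uses constructed TEST-NET addresses in place of the thread's x.y.z / a.b.c / d.e.f placeholders:

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders (TEST-NET ranges,
# not the poster's real addresses). Layout mirrors the `ip route` output
# shown later in the thread.
ROUTES = """\
default via 203.0.113.15 dev pppoe-wan
203.0.113.15 dev pppoe-wan scope link  src 198.51.100.23
192.0.2.128/30 dev br-lan scope link
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
"""

# Firewall zone 'wan' as configured above: masquerade everything leaving via
# pppoe-wan except sources matching the negated masq_src entry.
MASQ_SRC = ["!192.0.2.128/30"]
WAN_DEVICE = "pppoe-wan"


def parse_routes(text):
    """Parse `ip route` lines into (network, egress device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the default route guarantees a hit."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def masquerades(src, egress):
    """Limited masquerading: a '!' entry in masq_src exempts that range from
    NAT; every other source leaving the wan zone is masqueraded."""
    if egress != WAN_DEVICE:
        return False
    s = ipaddress.ip_address(src)
    return not any(e.startswith("!") and s in ipaddress.ip_network(e[1:])
                   for e in MASQ_SRC)


def forward(src, dst):
    """Return (egress device, NAT applied?) for a packet src -> dst."""
    egress = lookup(parse_routes(ROUTES), dst)
    return egress, masquerades(src, egress)
```

A device holding 192.0.2.130/32 therefore reaches the internet with its own public source address, while a 192.168.1.0/24 host is still NATed behind the PPPoE address.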


Thank you very much @patrakov, I confirm that your solution works perfectly. You have no idea how much time we lost between various configurations and other devices like OPNsense, TP-Link, Zyxel...

Can I ask you for some more information on this configuration?

  1. In this case, why is ‘limited masquerading’ necessary?

  2. What do you recommend, to maximise PPPoE performance, between software flow offloading and hardware flow offloading?

  3. With this configuration, the OpenWrt router has no direct access to the internet, particularly for software updates. Is there any way to configure it?

Limited masquerading means "NAT disabled for certain address ranges". This is exactly what you have asked for.

I recommend software flow offloading. OpenWrt presents an option to enable hardware flow offloading even if the hardware does not support it, so don't enable it unless you are sure it is supported. If you enable it on unsupported hardware, it will fall back to software offloading with broken WiFi roaming.

As for the "router has no direct access to the internet" issue, this is unexpected. Could you please provide the output of ip route?

root@OpenWrt:~# ip route
default via x.y.z.15 dev pppoe-wan
x.y.z.15 dev pppoe-wan scope link  src d.e.f.23
a.b.c.128/30 dev br-lan scope link
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
root@OpenWrt:~#

The output is exactly as expected. What is the IP address that the router is supposed to use when accessing the internet? Is it d.e.f.23?

No, d.e.f.23 is the point-to-point IP of our ISP.

The router should use one of the 4 IPs in this subnet a.b.c.128/30.

Only two of those are usable: 129 and 130. The first and last addresses in a v4 subnet block are reserved.

If the ISP is routing additional addresses to your line you can expand the subnet definition at your end. As far as I know this is used only to set up routing tables and possibly filter IPs at the port driver.

Creating a separate "DMZ" lan for servers that are routed directly from/to the Internet would be more secure.

In this case all 4 IP addresses are valid and usable (I tested them all).

My advice would be to choose hardware that is fast enough without any magic tricks. The more advanced forms of hardware acceleration can be very capable, but they are also fragile in nature.

@patrakov do you have any idea why this happens?
I also encountered a second problem: I have a web server on the IP x.y.z.130; when I try to access a website I get the IP of the point-to-point (d.e.f.23). Why?

I don't know. I will be busy in meetings in the next hour, but then we can attempt a video meeting to troubleshoot. A link will be posted via a private message.

I solved it by setting input, output and forward to accept as in the screenshot.
Are there any problems? I have a firewall after openwrt anyway.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.