Bridge two IP ranges for DHCP isolation

I am trying to set up a network for my home-lab while also keeping my family network as clean as possible, for the sanity of my family, in case the home-lab blows up in my face and can't serve DHCP.

I want to be able to reach my home-lab computers without setting up port forwarding for every single one of them, while not letting the DHCP server interact with my family network.
a.k.a.
I want to be able to connect to all the "front" computers (192.168.99.x) from my computer (192.168.1.x) without setting up port forwarding for each and every one of them.

(I am going to change the ISP router to an OpenWRT router later, but it is not a priority right now.)

The network will look like this when it is done:

┌─Internet ┐
└─────┬────┘
      │
┌─────┴─────────────┐
│ISP Router         │
│lan:192.168.001.001│
└─────────┬─────────┘
          │           ┌───────────────────────┐
          ├───────────┤Fam.Devs. & My computer│
          │           └───────────────────────┘
┌─────────┴─────────┐
│wan:192.168.001.009│
│wavefront          │
│lan:192.168.099.254│
└─┬─────────────────┘
  │
  │ ┌───────────────────┐
  ├─┤storefront w. DHCP │
  │ │eth:192.168.099.001│
  │ └───────────────────┘
  │
  │ ┌───────────────────┐
  ├─┤powerfront1        │
  │ │pxeboot            │
  │ └───────────────────┘
  │
  │ ┌───────────────────┐
  ├─┤pifront1           │
  │ │                   │
  │ └───────────────────┘
  │
  │ ┌───────────────────┐
  ├─┤pifront3           │
  │ │                   │
  │ └───────────────────┘
  │
  │ ┌───────────────────┐
  ├─┤termfront1         │
  │ │pxeboot            │
  │ └───────────────────┘
  │
  │ ┌───────────────────┐
  └─┤termfront2         │
    │pxeboot            │
    └───────────────────┘

This is generally possible, but it depends on your ISP router. Does the ISP router expose the ability to set static routes? If so, the process is straightforward:

  • Create a static route on the ISP router: 192.168.99.0/24 via 192.168.1.9
  • Disable masquerading on the OpenWrt wan firewall zone
  • Allow forwarding from the wan zone to the lan zone in the OpenWrt firewall.

Also, be aware that some OSes (Windows in particular) will block incoming connections from other subnets based on the host-level (Windows) firewall. You'll need to adjust those if connections are rejected.

All that said, if your ISP router doesn't offer static routes, you're generally out of luck.

The ISP router does not support static routes, but I think I can put that into my computer for the time being:

I was originally going to say you could do it on your computer, but the problem is that symmetric routing requires disabling wan masquerading. And doing that without a static route on the upstream router (from the ISP) means that the network behind the OpenWrt router will not have internet access.

Okay, that makes sense.
Did I understand correctly that I should do this on my wavefront router?

Yes, this will work in your context with a static route on your computer. But if a static route doesn't exist on the main router, you will not have internet access behind the OpenWrt router.

And, just so that it's clear -- this configuration is only safe when the upstream network is fully trusted.


I got some inspiration from what you said, so I changed my ISP router for an OpenWRT one.
And to help anyone else with the same idea as me I wanted to show what I did on the "ISP" router and check if it is correct:

That looks right in terms of the static route. I can't verify anything else on your config, but I'm assuming it's working fine since you're not describing any problems.
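An added example, not the poster's configuration and not code from the OpenWrt project: the three steps from the answer earlier in the thread (static route upstream, masquerading off on wavefront's wan zone, wan-to-lan forwarding) together with the static route on the replacement "ISP" router discussed just above, written as OpenWrt UCI config for the two routers in the diagram. The addresses are the ones from the thread; the interface names `lan` and `wan` are the OpenWrt defaults and are assumed here. The commented `config rule` at the end is my own suggestion, not something the thread describes: a narrower alternative to opening the whole wan zone to lan, given the remark that the blanket version is only safe when the upstream network is fully trusted.

```uci
# /etc/config/network on the upstream router (the OpenWrt box that replaced
# the ISP router, lan 192.168.1.1). Added example, not the poster's config:
# send traffic for the home-lab subnet to wavefront's wan address instead of
# letting it fall through to the default route toward the Internet.
config route
	option interface 'lan'
	option target '192.168.99.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.9'

# /etc/config/firewall on wavefront (wan 192.168.1.9, lan 192.168.99.254).
# Only the wan zone and the new forwarding are shown; the rest of the default
# firewall config stays as shipped. Zone and interface names are the defaults.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'         # default is '1'; NAT off so 192.168.99.x stays visible upstream
	option mtu_fix '1'

# Step 3 as written in the answer: let the whole wan zone reach the lan zone.
config forwarding
	option src 'wan'
	option dest 'lan'

# Tighter alternative (my assumption, not from the thread): instead of the
# forwarding section above, accept forwarded traffic only when it comes from
# the family subnet, so an untrusted host that lands on the upstream side
# does not automatically get a route into the lab.
# config rule
# 	option name 'allow-family-to-lab'
# 	option src 'wan'
# 	option src_ip '192.168.1.0/24'
# 	option dest 'lan'
# 	option proto 'all'
# 	option target 'ACCEPT'
```

Apply with `/etc/init.d/network restart` on the upstream router and `/etc/init.d/firewall restart` on wavefront. From a 192.168.1.x machine, `traceroute 192.168.99.1` should then show 192.168.1.1 and 192.168.1.9 as the first two hops; if the trace stops at 192.168.1.1, the static route on the upstream router is missing, and if it stops at 192.168.1.9, the wan-to-lan forwarding (or the host firewall on the target, as the answer notes) is what is rejecting it.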

It worked well after I fixed my home-lab main servers network settings. I live so you can learn.