Cannot connect to additional network

Hello,

I wanted to expand my local home network to combine my smart home components, the kids' computers, TV and smartphones in a separate IP range. For this I want to use an older Fritzbox 4040 with OpenWrt.

I flashed the Fritzbox 4040 successfully with OpenWrt 23.05.2 and connected its WAN port to the lan4 port of the Fritzbox 6591, which runs the classic AVM OS 7.20.

In the standard configuration OpenWrt has 3 network interfaces (br-lan/wan/wan6), and when I connect a computer to one of the four ports of the 4040, it can connect to the standard network.

For 3 days now I have been too silly to create a functioning second network that I can connect to successfully.

On my first attempt I created a second network adapter as a bridge called "br-smarthome" with port 2 (perhaps port 2 I've removed from the standard configuration of br-lan). Then I created a new interface called "smarthome" with protocol "static address" and "br-smarthome" as device, DHCP enabled. I saved and restarted, and at first look all seems OK, but I can't connect to the new network over port 2 and I don't know why ...

I don't want VLANs; as in the diagram, I want 4 additional, different network ranges which can communicate with each other and with the network on the WAN side in both directions.

You may or may not actually need to use VLAN syntax -- that depends on your device. But if you want to have exactly one port per subnet, that's certainly achievable. Do you also need wifi for each of those subnets?

We can help you create the additional networks... let's start with your current config and we can advise about how to fix it and/or how to add the networks.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hello,

So I've seen, more or less by chance, that I had a misconfiguration in the DHCP server of each subnet; I additionally added "managed configuration (M)", and most ports/subnets are running now.

For wifi, I've added both interfaces (radio01 & radio02) to the smarthome subnet, so wifi actors can connect directly to the smarthome subnet.

It would be great if both radios could be in a separate bridge so that all subnets could benefit from them, but I think it won't work that way.

The only thing that worries me at the moment is port 3 (LAN3), which cannot be pinged from outside from the Wan or within the subnet created on the Fritzbox4040.

I think that it is an incorrect firewall rule.

here the result of the requested outputs:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd48:XXXX:XXXX::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.25.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.178.2'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.178.20'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'
	option broadcast '192.168.178.255'
	list dns '192.168.178.2'
	option ip6assign '64'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-smarthome'
	list ports 'lan2'

config interface 'smarthome'
	option proto 'static'
	option device 'br-smarthome'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-lan3'
	list ports 'lan3'

config device
	option type 'bridge'
	option name 'br-lan4'
	list ports 'lan4'

config interface 'lan3'
	option proto 'static'
	option device 'br-lan3'
	option ipaddr '192.168.75.1'
	option netmask '255.255.255.0'

config interface 'lan4'
	option proto 'static'
	option device 'br-lan4'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'


root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel 'auto'
	option band '2g'
	option htmode 'HT40'
	option legacy_rates '1'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'smarthome'
	option mode 'ap'
	option ssid 'FRITZ!Box 4040'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxx'
	option macaddr 'XX:XX:XX:XX:XX:XX'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'smarthome'
	option mode 'ap'
	option ssid 'FRITZ!Box 4040 5G'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxxxxxxxxxxxxxxxx'
	option macaddr 'XX:XX:XX:XX:XX:XX'


root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '2'
	option limit '245'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'smarthome'
	option interface 'smarthome'
	option start '2'
	option limit '250'
	option leasetime '12h'
	list dhcp_option '6, 192.168.178.2'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'lan3'
	option interface 'lan3'
	option start '2'
	option limit '250'
	option leasetime '12h'
	list dhcp_option '6, 192.168.178.2'
	option ra 'server'
	option dhcpv6 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'lan4'
	option interface 'lan4'
	option start '2'
	option limit '250'
	option leasetime '12h'
	list dhcp_option '6, 192.168.178.2'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'


root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan'

# NOTE(review): this zone faces the upstream 192.168.178.0/24 network (the wan
# interface is static 192.168.178.20). input 'ACCEPT' lets every host on that
# network reach services running on the router itself; the stock OpenWrt wan
# zone uses input 'REJECT'. Keep ACCEPT only if the upstream LAN is trusted.
# No 'masq' option is set, so forwarded traffic keeps its 192.168.x source
# address and the upstream router needs a return route for each subnet.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'smarthome'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'smarthome'

config forwarding
	option src 'smarthome'
	option dest 'wan'

config forwarding
	option src 'smarthome'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'smarthome'

# NOTE(review): forwardings with src 'wan' let hosts on the upstream network
# open new connections into these zones, so the subnets are not isolated from
# it. The same pattern appears for lan3 and lan4 further down in this file.
# If only specific services must be reachable from upstream, a narrower
# 'config rule' per service would expose less.
config forwarding
	option src 'wan'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'smarthome'

config zone
	option name 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan3'

config forwarding
	option src 'lan3'
	option dest 'lan'

config forwarding
	option src 'lan3'
	option dest 'smarthome'

config forwarding
	option src 'lan3'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan3'

config forwarding
	option src 'smarthome'
	option dest 'lan3'

config forwarding
	option src 'wan'
	option dest 'lan3'

config zone
	option name 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'lan4'

config forwarding
	option src 'lan4'
	option dest 'lan'

config forwarding
	option src 'lan4'
	option dest 'lan3'

config forwarding
	option src 'lan4'
	option dest 'smarthome'

config forwarding
	option src 'lan4'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan4'

config forwarding
	option src 'lan3'
	option dest 'lan4'

config forwarding
	option src 'smarthome'
	option dest 'lan4'

config forwarding
	option src 'wan'
	option dest 'lan4'

The IP 192.168.178.2 shown above points to a Pi-hole with unbound on a Raspberry Pi 4 as DNS resolver ...

Thank you very much for help ..

What is the OS of the host you are trying to ping? And did you install a route 192.168.75.0/24 via 192.168.178.20 onto your main router?

Error found for 192.168.75.0/24:

I had created static IPv4 routes pointing at the OpenWrt WAN IPv4 address 192.168.178.20.

For the lan3 entry I had typed 192.168.75.1 instead of 192.168.75.0 ... :man_facepalming:

As real hardware I used a Raspberry Pi 3B+ (now that the Pi 4/5 has been released, I've enough of them flying around here :rofl:) with Raspberry Pi OS Lite Debian 12 (bookworm) on each LAN port of the Fritzbox 4040. I think when I need additional wifi for a subnet, I can use the old Pis for each of them.

All works fine now, now to back up the config ... :slight_smile: ... thank you very much for the fast response and help ... And thank you very much for providing us with this great project!

Glad I could help!

Hello,

The next problem today is that I have no internet connection from any subnet over the WAN when I run, for example, ping -c 5 google.com from any internal subnet.

I think the firewall restricts access to the internet over the WAN; here is my firewall config:

root@Fritzbox4040:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# NOTE(review): input 'ACCEPT' on the wan zone lets every host on the upstream
# network reach services on the router itself; the stock OpenWrt wan zone uses
# input 'REJECT'. The zone-level forward policy covers traffic forwarded
# between networks inside this zone (wan and wan6 here).
# No 'masq' option is set, so packets from the internal subnets leave with
# their original source address; internet access then depends on the upstream
# router routing and translating those subnets -- verify there. Pinging an IP
# address instead of a name separates a DNS problem from a routing problem.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'smarthome'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'smarthome'

config forwarding
	option src 'smarthome'
	option dest 'wan'

config forwarding
	option src 'smarthome'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'smarthome'

config forwarding
	option src 'wan'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'smarthome'

config zone
	option name 'lan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan3'

config forwarding
	option src 'lan3'
	option dest 'lan'

config forwarding
	option src 'lan3'
	option dest 'smarthome'

config forwarding
	option src 'lan3'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan3'

config forwarding
	option src 'smarthome'
	option dest 'lan3'

config forwarding
	option src 'wan'
	option dest 'lan3'

config zone
	option name 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan4'

config forwarding
	option src 'lan4'
	option dest 'lan'

config forwarding
	option src 'lan4'
	option dest 'lan3'

config forwarding
	option src 'lan4'
	option dest 'smarthome'

config forwarding
	option src 'lan4'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'lan4'

config forwarding
	option src 'lan3'
	option dest 'lan4'

config forwarding
	option src 'smarthome'
	option dest 'lan4'

config forwarding
	option src 'wan'
	option dest 'lan4'

# NOTE(review): src '*' and dest '*' apply this forward rule to every zone
# pair, including traffic arriving from the wan zone, and no 'proto' is set
# (OpenWrt then matches both TCP and UDP). Port 445 (SMB) is a service that
# should not be reachable more widely than needed; scoping src/dest to the
# zones that hold the file server and its clients, with proto 'tcp', would
# be tighter.
config rule
	option name 'Allow-Samba'
	option src '*'
	option dest '*'
	option dest_port '445'
	option target 'ACCEPT'

Does anybody have an idea where the error is?
