Complex 2-router Home LAN + Wifi setup

I have a main router for my ISP on the 192.168.1.1 network. I also have a second router which is running LuCI openwrt-23.05 branch (git-23.306.39416-c86c256) / OpenWrt 23.05.2 (r23630-842932a63d) on the 10.0.0.1 network. I'm sure it's not working because routes are not set up properly, but I have no idea how to "make the jump."

We'll call my main ISP router ROUTER A and the second (openwrt running on TP-Link Archer AC1750) ROUTER B.

ROUTER A runs a DHCP server and is my primary internet connection (although I could use static IPs for every device on ROUTER A's network). ROUTER B is a private subnet (10.0.0.1/24), but I also have it connected to the internet on the WAN port so I can download updates for openwrt and install opkg software. ROUTER B also has DHCP, but I want the Raspberry Pi (which is connected to both networks with 2 ethernet cards) to be the authoritative DHCP on the 10.0.0.1 network for when I connect a device (laptop, desktop I'm fixing) to ROUTER B via ethernet, because I have a nice little Raspberry Pi 4 serving PXE/TFTP/NFS images for quick installs and troubleshooting.

Since I want the RPI4 to serve DHCP, PXE, TFTP, and NFS on the 10.0.0.1 network, I've turned the relevant options -OFF- on ROUTER B. However, for some reason, I can't get ROUTER B to connect to the internet via WAN port on 192.168.1.1 network (ROUTER A) at the same time clients are connected to ROUTER B for servicing.

Here's ROUTER B's ip info (the one running openwrt):

root@ROUTERB:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:66 brd ff:ff:ff:ff:ff:ff
    inet6 xxxx::xxxx:xxxx:xxxx:6466/64 scope link 
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:66 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 xxx:yyy:ad39::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 xxxx::xxxx:xxxx:xxxx:6466/64 scope link 
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:66 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:67 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.155/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
9: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:66 brd ff:ff:ff:ff:ff:ff
    inet6 xxxx::xxxx:xxxx:xxxx:6466/64 scope link 
       valid_lft forever preferred_lft forever
10: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether xx:xx:xx:xx:xx:65 brd ff:ff:ff:ff:ff:ff
    inet6 xxxx::xxxx:xxxx:xxxx:6465/64 scope link 
       valid_lft forever preferred_lft forever

And here's the RPI4 connected via ethernet and wifi to ROUTER A and then to ROUTER B via a second ethernet card (it also runs a VPN so there are some tun interfaces):

root@rpi4:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether d8:xx:dd:a8:xx:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.22/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::xx3a:ddff:xxx8:xx66/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether d8:3a:aa:a8:xx:67 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.23/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::da3a:aaff:xxxx:xx67/64 scope link 
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.8.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::a6f8:6b9b:4f46:xxxx/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:xx:0x:47 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
6: enx3c19a0d4bdxx: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 3c:19:a0:d4:bx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global enx3c18a0d4bea6
       valid_lft forever preferred_lft forever
    inet6 fe80::3c19:xxxx:fex4:bea6/64 scope link 
       valid_lft forever preferred_lft forever

BUT all I can seem to do is ping 8.8.8.8 or other addresses, and I get this on running opkg update:

====
UPDATE: It was name resolution, apparently. When I went to network settings and added a DNS forwarder for Google 8.8.8.8, it (opkg update) started working!

Here's the ultimate goal:
I want the OpenWRT router (ROUTER B) to be a walled garden for incoming WIFI connections (which I think I can achieve with some prepared software packages like OpenNDS) to provide limited wifi service to neighbors, BUT I don't want them to be able to cross over to my home network devices (192.168.1.1 network). In addition, I'd like any device connected to the physical ethernet ports on the OpenWRT router to get DHCP on the private network (10.0.0.0/24) so I can utilize my PXE/TFTP server to install tools or new OSes.

Am I crazy, or is this possible by configuring the network interfaces as such on the OpenWRT (ROUTER B) router? I should be able to prevent access to my private home LAN by configuring the network interfaces properly on the OpenWRT (ROUTER B) network settings, right? I'm such a newb, please forgive me.

Thanks for any help,
Jacob

So it sounds like everything is working now... great!!

Ok... this can be handled in two ways....

  1. this router only services the guest network

or

  2. the router services multiple networks/purposes, including a guest network.

It's quite simple... In either case of the above scenarios, a simple firewall rule (or set of them) is sufficient to prevent access from the guest wifi network to the trusted lan. If the trusted lan is the upstream (192.168.1.0/24), you'll make a rule on the OpenWrt side that rejects traffic from the guest network's zone to the 192.168.1.0/24 network on the wan zone.

On this point, just a note of caution... check the terms of your ISP service contract and your local laws to make sure you're not creating any liabilities for yourself. Some ISPs (based on the service type) may prohibit sharing in this way and/or you may potentially be liable if someone uses the network you provide for illegal activities -- in such situations, even if you use a captive portal with T&C's about what is and is not acceptable on your network, the authorities may simply look at it as "originating from your ISP account" and thus hold you responsible.

This forum is not the place to ask for or debate the details of what is allowed with your ISP or your jurisdiction's laws around internet sharing and responsibility, but the above is simply to ensure that you are aware of the potential issues and do your own due diligence.

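The zone-to-zone rule described above, as an added example that is not from the thread or the OpenWrt wiki: a uci batch for ROUTER B (OpenWrt 23.05 ships fw4, configured through /etc/config/firewall rather than iptables) that creates the guest network with its own DHCP pool, leaves the ethernet ports' leases to the Pi, and rejects guest traffic bound for 192.168.1.0/24 while still forwarding guest traffic to the internet through wan. Assumed: the existing interfaces are named lan (ethernet ports, 10.0.0.0/24) and wan (uplink to ROUTER A), the guest wifi uses 192.168.2.0/24, and the guest wifi-iface is pointed at the new interface afterwards with uci set wireless.<iface>.network='guest'.

```shell
# Added example (not the thread's or the wiki's own commands). Emits the uci
# batch as text so it can be reviewed before being applied on ROUTER B.
# Assumed names: 'lan' = ethernet ports (10.0.0.0/24, Pi serves DHCP),
# 'guest' = wifi clients (192.168.2.0/24), 'wan' = uplink zone to ROUTER A.
guest_isolation_uci() {
  cat <<'EOF'
set network.guest_dev=device
set network.guest_dev.type='bridge'
set network.guest_dev.name='br-guest'
set network.guest=interface
set network.guest.proto='static'
set network.guest.device='br-guest'
set network.guest.ipaddr='192.168.2.1'
set network.guest.netmask='255.255.255.0'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.lan.ignore='1'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_wan=forwarding
set firewall.guest_wan.src='guest'
set firewall.guest_wan.dest='wan'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.dest_port='67'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.src='guest'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.target='ACCEPT'
set firewall.guest_home=rule
set firewall.guest_home.name='Block-Guest-to-Home-LAN'
set firewall.guest_home.src='guest'
set firewall.guest_home.dest='wan'
set firewall.guest_home.dest_ip='192.168.1.0/24'
set firewall.guest_home.target='REJECT'
EOF
}

# On the router: feed the batch to uci, commit, then reload network and firewall.
apply_guest_isolation() {
  guest_isolation_uci | uci batch && uci commit && /etc/init.d/network reload && /etc/init.d/firewall reload
}
```

Because the guest zone's forward policy is REJECT and the only forwarding section is guest to wan, guests cannot reach the 10.0.0.0/24 ethernet network either; after applying, `nft list ruleset` on ROUTER B shows the generated guest chains for checking.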

I don't quite understand how to do this. BTW, thanks for such a great and thorough answer!

There are two approaches:

  • If all routing happens on the main router, simply not allowing forwarding from the guest > lan zones will be sufficient.
  • If a secondary router creates the guest network, you'll follow the guest wifi on a dumb AP guide (which includes the firewall rule I mentioned).

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

The main router handles all internet traffic, plus the private home network. The other router (ROUTER B) does 2 things (or at least I want it to lol): handle ethernet-only connections for my PXE/TFTP server that runs on a Raspberry Pi 4b with 2 NICs - one is connected to the main router (internet, home network on 192.168.1.0/24) AND the other has an internal IP of 10.0.0.10. ROUTER B needs to only use the Raspberry Pi as DHCP and DNS on the 10.0.0.0/24 network - this private LAN will assign IP addresses via the RPi for use as a PXE-boot/TFTP server. BUTTT the Wifi radios on ROUTER B should be the Wifi Guest network (in maybe the 192.168.2.0/24 space) where ONLY ROUTER B issues DHCP addresses to the Wifi Guests. (In the future I'll be using something like CoovaChilli and FreeRadius to handle payment and authentication, but for now it'll probably just be OpenNDS as a walled garden.)

I feel like I should draw a pic or take a photo of the network... would that help, or am I explaining this well enough? Also, I've read the link you sent. At the top it assumes:

This article assumes an OpenWrt default configuration already modified as a wireless access point (aka “Dumb” Access Point, aka “dumbAP”).
For the procedure, refer to this article: Create dumb AP with LuCI.

Should I be reading https://openwrt.org/docs/guide-user/network/wifi/dumbap#configuration_via_luci_the_openwrt_web_interface and doing that before I follow the link you sent above?

Thank you so, so much. You're awesome.

-Jacob

So, would this be something like an iptables rule (I use Ubuntu and iptables/ufw) on the main router or in OpenWrt (ROUTER B) to deny or drop traffic from the Wifi Guest (192.168.2.0/24) to both the ethernet private LAN (10.0.0.0/24) and the uplink/private home network (192.168.1.0/24)? Confused, or am I explaining this correctly, psherman?

Thanks!
-Jacob

I see you've marked a solution in this thread... does that mean everything is working as you wish? Or do you still have questions?

A visual topology diagram is always useful, IMO.


No, I just marked it because you did give the solution, I just am not fast enough to commit it all. :) I removed it and when I'm complete with all my questions I'll go back and mark it at that time. Sorry.

Ok... sounds good.

A diagram would be helpful.

The DHCP server in OpenWrt can be configured to advertise the Pi as the PXE server. OpenWrt can also serve TFTP and NFS natively, from an external drive. This won't be particularly fast since the C7 has a lot less CPU than a Pi.

If you can install static routes into the ISP router you can get rid of NAT in the OpenWrt router. The routes would be for example
10.0.0.0/24 via 192.168.1.151
192.168.2.0/24 via 192.168.1.151
192.168.1.151 being the IP that OpenWrt holds on its wan interface. This should be configured as a DHCP reservation in the ISP router so that it does not change.

Whenever possible though it is best to use the OpenWrt router for all routing and treat the ISP router as only a link to the Internet. This means that no other part of the home network is connected to the ISP router, only the OpenWrt router.


Any other help? I sent the diagram.

Sorry... it's been a few days and I've lost some of the context. Where do things stand? What have you tried (and what has worked or failed)? Or are we still in the ideation phase to find the best solution?

I agree with @mk24's comments. But there are many ways to approach the problem.

Yes, it's been a while. I am not sure if I should first create the dumb AP (as in https://openwrt.org/docs/guide-user/network/wifi/dumbap), then follow the instructions for Guest Wifi (at https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap), or if I can just start at the Guest wifi article.

My needs have also changed. I wish to have the Guest Wifi on the OpenWrt router- separate from the home network- but I also need the ethernet ports ONLY on the OpenWrt router to be on a separate network to serve DHCP, TFTP and PXE. I don't want to use the built-in DNS, DHCP and TFTP servers on the OpenWrt router because there's not enough space for system images and I've already got a Raspberry Pi serving NFS, HTTP, TFTP and PXE for the 10.0.0.0/24 network (which is the private network that should only be accessible by connecting an ethernet cable to one of the ethernet ports on the OpenWrt router and served by the Raspberry Pi on its second NIC on the 10.0.0.0/24 network with an IP of 10.0.0.10).

As simply as I can put it, I have 2 routers. Router A is my ISP router and is on 192.168.1.0/24 and has an IP of 192.168.1.1. Router B is the OpenWrt router, which should provide Guest Wifi (with walled garden / captive portal through OpenNDS) on a separate network (maybe 192.168.2.0/24) with DHCP only for Guest Wifi clients on that network. Separately, the OpenWrt router (Router B) should operate an additional network (10.0.0.0/24) ONLY on the Ethernet ports, and should use the Raspberry Pi for DNS, DHCP, TFTP, and PXE for Ethernet connected devices only- but still needs internet connectivity for downloading system images for OS installs and troubleshooting machines that I'm fixing.

Is this too complex? Is there a better way to achieve my goals? I think I saw the option to specify specific ethernet ports on the OpenWrt router for interfaces but I am so lost. I purchased this router (tplink AC1750 Archer) specifically to use OpenWrt and learn, but my goals may be too lofty. I apologize in advance for being a pain in the ass.

Thanks to ALL,
Jacob

Ok, thank you for your notes. I can install static routes in the ISP router, so I'll look into that. Right now, my ISP router is connected to every device in my home (phones, tablets, TVs, PCs) but I could easily(?) connect the smart switch that's serving them to the OpenWrt router IF I was confident enough to ensure that the Guest Wifi and private 10.0.0.0 network for working on PCs and imaging them won't ever get access to the home network. This may be too advanced for me, as the only firewall I have used is iptables or UFW and I'm not really confident in how to write those rules.

However, if there is a way to configure the OpenWrt router to provide all three functions (home ethernet and wifi, Guest Wifi, and private ethernet network on maybe 1-2 ethernet ports on the OpenWrt router for the TFTP, PXE, DNS, DHCP) then this might work for me. Thank you, again.

Warm regards,
Jacob