BACKSTORY:
I had a ProxMox host with fully virtualized pfSense feeding into my WAX206 (stock Netgear firmware) in wireless AP mode for a while but recently switched over to OpenWRT firmware on my Netgear WAX206 to make it our home's primary router/firewall.
REQUEST:
I would like for my WAX206 to maintain primary firewall and routing for our house, but I still want to use my ProxMox hosts for homelab stuff in a separate subnet and am trying to avoid double NAT / other configuration errors / complications / etc.
CURRENT TOPOLOGY:
ISP cable modem --> OpenWrt --> ProxMox
DETAILS:
Stock OpenWrt v23.05.0 install with flat network and 3 SSIDs established on 10.0.0.1/24 subnet currently.
ProxMox1 host connected to LAN4 of WAX206 running OpenWrt.
ProxMox1 host has ( 6 ) 1Gb NICs onboard.
I intend to deploy Adguard Home on ProxMox1 and have OWrt using it rather than running AGH on WAX206 since there is only approximately 17.60MB storage available on WAX206 after clean install of OWrt.
Since my ProxMox1 host has WiFi, I plan to run OWrt virtualized on it with the wireless hardware passed through to extend wireless coverage on the side of the house where it is located.
I have a 2nd ProxMox host (ProxMox2) that I would also like to add to the network, but given my home's constraints and ProxMox2's lack of WiFi, it will need to be plugged into one of the 6 NICs on ProxMox1.
I also plan to segment / subnet / add VLANs to our home network in the future to isolate the SSIDs and LAN ports once I get some of the above sorted out.
QUESTION:
What is the best way to go about getting this setup going as intended given the only other single piece of additional hardware I have on hand is a 5 port unmanaged 1Gb switch that is not VLAN capable?
It isn’t clear what physical topology you are attempting to create - a diagram could be helpful here.
However, for preventing double nat:
disable masquerading on the proxmox uplink connection (that connects to the openwrt device).
on openwrt, set static routes for the network(s) on the proxmox system with a gateway address that is the address proxmox has on its uplink to your openwrt network
As for VLANs - you need to use a managed switch if you are passing VLANs through that path.
Thank you for the quick reply. VLANs aren't a top priority at the moment if I don't actually need them to achieve my goal. As to your other points mentioned, I will have to look into them more to understand everything better.
Here is my initial diagram I was able to get together today... still have more detail to add when I can find the time:
The MAC addresses are not useful at all for our understanding of your network/subnet spaces (IP addresses are needed for that). But, as far as the original double-NAT question, what I said earlier is the approach you will take on your OpenWrt + Proxmox devices.
I can give more details if you provide:
the subnet you'll be using on OpenWrt for the main network (i.e. 192.168.1.0/24 or whatever you're actually using)
the subnet(s) that will be used on Proxmox
the address of the proxmox upstream connection (i.e. the one that is a member of the OpenWrt lan).
It looks like all the networks exist on the OpenWrt router, right? If that's the case, there is no routing happening on proxmox, thus no double NAT (unless I'm missing something). This means just normal client connectivity with a single router.
Yes I agree. Although I do not have any managed switches in the mix either so ProxMox will need to play nice w/OWrt's VLANs, along with hardware passthrough, etc. Also, at some point, when getting ProxMox2 and OWrt2 online, I will likely have more issues and concerns to ask about since they will ultimately be branching from ProxMox1 for their connectivity to the internet.
I am currently struggling to get back into my ProxMox1's web GUI since I set it up shortly after my OWrt was established at a near factory state. I went into the local console directly and changed the network address and hosts file then rebooted, but I think there is likely something up with my firewall / VLAN configs / DHCP reservation / etc.
I may just blow it away and re-install from scratch to see if it picks up the dynamic DHCP offer since it was a clean install of ProxMox8.1 anyways with nothing on it.
The only problem with your configuration is that you have VLAN 40 assigned to 3 different networks (according to the table)... it can only be assigned to one.
You've got it assigned to 10.20.40.0/24 in OpenWrt... the other two networks (on proxmox) are also listed in that table as VLAN 40, but those are 10.30.40.0/24 and 10.40.40.0/24 -- those cannot also be VLAN 40.
Unless... if the latter two networks are actually proxmox NAT masqueraded off the 10.20.40.0/24 network (in essence, VLAN 40 would be the proxmox 'wan') -- in that case, you would have double NAT. To fix that, you would turn off NAT masquerading on proxmox (and ensure the firewall accepts the desired traffic) and set static routes in your OpenWrt router like this (in this example, the proxmox address on the 10.20.40.0/24 network is 10.20.40.5 -- I'm just making this up to show how the route would be formed on OpenWrt -- you'd adapt as necessary):
10.30.40.0/24 via 10.20.40.5
10.40.40.0/24 via 10.20.40.5
Yes, due to limited hardware and physical locality, out of convenience and learning, ProxMox2 and OWrt2 will be fed from ProxMox1... I may try deploying an instance of pfSense or OPNsense on ProxMox1 to stand in front of them and see if I can get it all working, but that is a low priority at the moment.
Ultimately everything from ProxMox1 and beyond falls into LAB territory and I don't NEED it all up and working full time the way I do OWrt1 for internet.
My schema is more or less:
10.[ DEVICE_ID ].[ VLAN ].[ HOST ]
I was planning to change the 2nd octet for each different physical device ideally.
I was also under the impression multiple subnets can live together within the same VLAN?
Thank you for the example, that is very helpful and gives me more to read up on.
For the time being my immediate goal is to get ProxMox1 stood up and back into the web GUI now that I have VLANs and different subnets established on my local network.
One subnet per VLAN. Otherwise you are not separating the traffic and you will experience problems, especially if there are DHCP servers on those networks.
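As an added worked example (not from the thread or from any poster), here is a small Python script that applies the two points made in the replies above: the one-subnet-per-VLAN rule, and static routes on OpenWrt instead of NAT masquerading on Proxmox. The addressing table, the OpenWrt interface name vlan40, the Proxmox bridge vmbr1 and the /etc/network/interfaces fragment are constructed for the example; the 10.20.40.5 gateway reuses the made-up address from the thread.

```python
"""Check a home addressing plan for the one-subnet-per-VLAN rule and derive the
OpenWrt static routes that replace NAT on the Proxmox host (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample plan in the poster's 10.[DEVICE_ID].[VLAN].[HOST] scheme.
# "router" says which box owns the subnet.  The three VLAN-40 rows reproduce
# the conflict called out in the thread so the checker has something to find.
PLAN = [
    {"name": "lan",     "vlan": 1,  "subnet": "10.0.0.0/24",   "router": "openwrt"},
    {"name": "vlan40",  "vlan": 40, "subnet": "10.20.40.0/24", "router": "openwrt"},
    {"name": "pve1lab", "vlan": 40, "subnet": "10.30.40.0/24", "router": "proxmox"},
    {"name": "pve2lab", "vlan": 40, "subnet": "10.40.40.0/24", "router": "proxmox"},
]

# Assumed: Proxmox1's address on the OpenWrt-side network (the thread's made-up 10.20.40.5).
PROXMOX_UPLINK_IP = "10.20.40.5"

# Constructed /etc/network/interfaces fragment in the style of the Proxmox
# admin guide's masquerading example: a bridge with no physical port whose
# traffic is NATed out of the uplink bridge vmbr0 (assumed name).
PROXMOX_INTERFACES = """\
auto vmbr1
iface vmbr1 inet static
        address 10.30.40.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.30.40.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.30.40.0/24' -o vmbr0 -j MASQUERADE
"""


def vlan_conflicts(plan):
    """Return {vlan_id: [subnets]} for every VLAN ID that carries more than one subnet."""
    by_vlan = defaultdict(list)
    for net in plan:
        by_vlan[net["vlan"]].append(net["subnet"])
    return {vid: nets for vid, nets in by_vlan.items() if len(nets) > 1}


def overlapping_subnets(plan):
    """Return (a, b) pairs of prefixes that overlap; a router cannot hold both."""
    nets = [ipaddress.ip_network(n["subnet"]) for n in plan]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def openwrt_static_routes(plan, gateway):
    """Build OpenWrt routes for the subnets that live behind the Proxmox host.

    The gateway must be an address inside one of OpenWrt's own subnets; that
    subnet's interface is the one the routes are attached to.
    """
    gw = ipaddress.ip_address(gateway)
    uplink = [n for n in plan
              if n["router"] == "openwrt" and gw in ipaddress.ip_network(n["subnet"])]
    if not uplink:
        raise ValueError(f"{gateway} is not inside any OpenWrt-owned subnet")
    return [{"interface": uplink[0]["name"], "target": n["subnet"], "gateway": gateway}
            for n in plan if n["router"] == "proxmox"]


def uci_commands(routes):
    """Render the routes as uci commands (OpenWrt 23.05 accepts a CIDR 'target')."""
    lines = []
    for r in routes:
        lines += [
            "uci add network route",
            f"uci set network.@route[-1].interface='{r['interface']}'",
            f"uci set network.@route[-1].target='{r['target']}'",
            f"uci set network.@route[-1].gateway='{r['gateway']}'",
        ]
    lines += ["uci commit network", "/etc/init.d/network reload"]
    return lines


def drop_masquerade(interfaces_text):
    """Remove the MASQUERADE hook lines but keep ip_forward: the Proxmox host must
    still forward packets for the lab subnet, it just stops rewriting their source."""
    kept = [ln for ln in interfaces_text.splitlines() if "MASQUERADE" not in ln]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("VLANs carrying more than one subnet:", vlan_conflicts(PLAN))
    print("Overlapping prefixes:", overlapping_subnets(PLAN))
    print("\n".join(uci_commands(openwrt_static_routes(PLAN, PROXMOX_UPLINK_IP))))
    print(drop_masquerade(PROXMOX_INTERFACES))
```

Run as-is it reports VLAN 40 three times over, which is the table error the reply points out; give each Proxmox subnet its own VLAN ID (or a plain routed link) and the conflict list comes back empty. The uci commands are the OpenWrt half of the fix; the stripped interfaces fragment is the Proxmox half. With masquerading gone, the Proxmox firewall must still accept the forwarded traffic, as the reply notes.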