Configuring new router behind existing router

Hi all, new user, requisite apology at the end*

I want to do all the DHCP and DNS (filtering for ads and parental controls) configuration of my new router behind my existing router so I can test it without interrupting current internet access in our home.

The existing router is 192.168.0.1 to its clients. I have the new router's WAN port connected to a LAN port on the existing router, and the new router is 192.168.0.200 on the existing router's network. I can access it from computers on the existing network via the web interface @ http://192.168.0.200 just fine, and ssh@192.168.0.200.

Meanwhile, the new router's IP address for its LAN is 192.168.8.1. It also has DHCP enabled and some settings related to DNS filtering I am now trying to test.

So I connect a laptop to a LAN port on the new router (and turn off wifi on the laptop) but I never get a 192.168.8.x address assigned. It just spins forever "connecting". I can't even ping 192.168.8.1. I can, however, ping 8.8.8.8 from the ssh session into the new router, so it seems the new router can access the internet.

But ultimately what I want is for the existing router to continue to provide DHCP/internet access for its clients, including the new router, and for the new router to provide DHCP/internet access for its clients. Clients connected to the existing router would continue to get a 192.168.0.x IP address, and clients connected to the new router would get a 192.168.8.x IP address.

Without getting into all the details, what am I missing here? Basically all other config is untouched. I don't know much about NAT, I suspect it might be that. I can provide the details if that helps but I want to narrow it down a bit first.

*I did search this forum and google for existing answers but couldn't find anything quite the same as my scenario, or the posts included so many details it made it unclear if it was the same or not. Most people seem to want one DHCP server for the whole network, but I intend to totally replace the existing router with the new one when I'm done testing, so that's why I want both for now.

Thanks!

this shouldn't work via the WAN port, you must have changed some configuration to make it work, and broken the LAN side in the process.

or you're not using an image DLed from https://firmware-selector.openwrt.org/

Unplug the wan. You may need to power off and power on. You should now get an ip address.
In LuCI go to: Interfaces/lan->edit->DHCP/advanced settings and check 'Force DHCP on this network even if another server is detected.'

save, save and apply and see if that breaks anything. If you can get into LuCI, plug wan back in and see what happens.

Once you get it running from the lan side.

@frollic that could certainly be the case. Can you tell from the config below?
@LilRedDog I copied the config you mentioned. I tried unplugging the WAN to see if a connected laptop would get an IP and it didn't. Which is odd because I had that working a couple days ago. So I am guessing @frollic is on to something - I changed something along the way that broke things?

root@GL-MT6000:~# ubus call system board
{
        "kernel": "5.15.139",
        "hostname": "GL-MT6000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05-SNAPSHOT",
                "revision": "r23001+721-38c150612c",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05-SNAPSHOT r23001+721-38c150612c"
        }
}
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix [redacted]

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option macaddr [redacted]

config device
        option name 'lan1'
        option macaddr [redacted]

config device
        option name 'lan2'
        option macaddr [redacted]

config device
        option name 'lan3'
        option macaddr [redacted]

config device
        option name 'lan4'
        option macaddr [redacted]

config device
        option name 'lan5'
        option macaddr [redacted]

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'

config device
        option name 'eth1'
        option macaddr [redacted]

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'

config interface 'secondwan'
        option ipv6 '0'
        option proto 'dhcp'
        option metric '15'
        option force_link '0'

config interface 'secondwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option metric '15'
        option device '@secondwan'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

root@GL-MT6000:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel 'auto'
        option band '2g'
        option htmode 'HE40'
        option disabled '0'
        option country 'US'
        option legacy_rates '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'GL-MT6000-1ca'
        option encryption 'psk2'
        option key [redacted]
        option wds '1'
        option isolate '0'
        option ifname 'wlan0'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option disabled '0'
        option country 'US'
        option legacy_rates '0'
        option channels '36,40,44,48,149,153,157,161'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'GL-MT6000-1ca-5G'
        option encryption 'psk2'
        option key [redacted]
        option wds '1'
        option isolate '0'
        option ifname 'wlan1'
        option disabled '1'

config wifi-iface 'guest2g'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option ifname 'wlan0-1'
        option encryption 'psk2'
        option key [redacted]
        option ssid 'GL-MT6000-1ca-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'

config wifi-iface 'guest5g'
        option device 'radio1'
        option network 'guest'
        option mode 'ap'
        option ifname 'wlan1-1'
        option encryption 'psk2'
        option key [redacted]
        option ssid 'GL-MT6000-1ca-5G-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'

root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list ipset '/youtube.com/block_youtube'
        list ipset '/googlevideo.com/block_youtube'
        list ipset '/ytimg.com/block_youtube'
        option authoritative '1'

config dhcp 'lan'
        option interface 'lan'
        option start '50'
        option limit '201'
        option leasetime '720m'
        option dhcpv4 'server'
        option dhcpv6 'disabled'
        option ra 'disabled'
        option ra_slaac '1'
        option force '1'
        option ignore '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

config domain
        option name 'console.gl-inet.com'
        option ip '::ffff:192.168.8.1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'secondwan'
        option interface 'secondwan'
        option ignore '1'

config host
        option name 'lenovo-chromebook-wifi'
        option dns '1'
        option mac [redacted]
        option ip '192.168.8.205'

config host
        option name 'lenovo-chromebook-eth'
        option dns '1'
        option mac [redacted]
        option ip '192.168.8.209'

root@GL-MT6000:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'secondwan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-*'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config rule
        option dest_port '80'
        option proto 'tcp udp'
        option name 'GL-web interface'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '1'

config rule
        option dest_port '22'
        option proto 'tcp udp'
        option name 'GL-ssh'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '1'

config ipset
        option enabled '1'
        option name 'block_youtube'
        option family 'ipv4'
        option storage 'hash'
        option match 'dest_ip'
        option maxelem '256'
        option timeout '7200'

config rule
        option name 'block_youtube'
        option src 'lan'
        option proto 'all'
        option ipset 'block_youtube dest'
        option family 'ipv4'
        option target 'REJECT'
        option dest 'wan'
        option enabled '1'
root@GL-MT6000:~# 

Seems you have firewall settings rejecting all DNS requests?

You have rules for allowing ssh and http access through the WAN port as well.
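As an added illustration of the point above (not code from OpenWrt or from anyone in this thread): a small Python audit that parses the UCI text format of /etc/config/firewall and lists the enabled ACCEPT rules that let the wan zone reach the router's own management ports, plus any rule that rejects port 53 and whether it is actually enabled. The port-to-service table is an assumption; the sample input is a constructed excerpt modelled on the dump posted above.

```python
# Added example for this thread, not OpenWrt's or any poster's code: audit a UCI
# firewall dump for wan-reachable management ports and for DNS-rejecting rules.
import shlex

SAMPLE = """
config rule 'block_dns'
        option name 'block_dns'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'
config rule
        option dest_port '80'
        option name 'GL-web interface'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '1'
config rule
        option dest_port '22'
        option name 'GL-ssh'
        option target 'ACCEPT'
        option src 'wan'
"""  # constructed excerpt modelled on the /etc/config/firewall dump posted above
MGMT_PORTS = {22: "ssh", 80: "http (LuCI)", 443: "https (LuCI)"}  # assumed mapping

def parse_uci(text):
    """Parse UCI text into [{'type','name','opts'}]; 'list' values accumulate."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # handles '...' / "..." quoting
        if not parts:
            continue
        key, val = (parts[1:] + ["", ""])[:2]
        if parts[0] == "config":
            cur = {"type": key, "name": val or None, "opts": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["opts"][key] = val
        elif parts[0] == "list" and cur is not None:
            cur["opts"].setdefault(key, []).append(val)
    return sections

def ports(spec):
    """Expand a dest_port value ('22', '67-68', '80 443') into a set of ints."""
    out = set()
    for item in spec.split():
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def enabled(opts):
    return opts.get("enabled", "1") != "0"  # UCI rules are enabled unless '0'

def wan_exposed_mgmt(sections):
    """(name, port, service) for enabled ACCEPT rules from 'wan' with no dest zone."""
    hits = []
    for s in sections:
        o = s["opts"]
        if s["type"] != "rule" or not enabled(o) or o.get("dest"):
            continue  # disabled, or a forwarding rule rather than input to the router
        if o.get("src") != "wan" or o.get("target") != "ACCEPT":
            continue
        for p in sorted(ports(o.get("dest_port", "")) & set(MGMT_PORTS)):
            hits.append((o.get("name") or s["name"], p, MGMT_PORTS[p]))
    return hits

def dns_blocking_rules(sections):
    """(name, enabled) for every rule that REJECTs or DROPs port 53."""
    return [(s["opts"].get("name") or s["name"], enabled(s["opts"]))
            for s in sections if s["type"] == "rule"
            and s["opts"].get("target") in ("REJECT", "DROP")
            and 53 in ports(s["opts"].get("dest_port", ""))]
```

Run it against the real dump with `parse_uci(open("/etc/config/firewall").read())`; in the posted config it reports the GL-web interface and GL-ssh rules and shows block_dns as present but disabled.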

Can you describe which rule rejects all DNS requests? I see the one named block_dns but it is not enabled. The one called block_youtube is not supposed to be blocking all traffic, just the block_youtube ipset, but I could have that configured wrong.

The ssh and http access through WAN you refer to are GL-ssh and GL-web interface, correct? I get why you are calling it out, but I do need those things, otherwise how would I ssh to the router or access the web interface? How are they normally configured? FWIW I didn't set those specific rules, they are either defaults or were created by one of the UI apps from a settings change I made. Similar story with block_dns, but I did create the block_youtube ipset, rule, and list ipset entries in dnsmasq config.

true, it wasn't ...

from the LAN side?

btw, ^ appears to be a Gl.iNet build, not official openwrt?

if you want support, here, install proper openwrt - https://openwrt.org/toh/gl.inet/gl-mt6000

I guess it depends. I need to be able to configure the router, and it's helpful to do that from a computer that also has internet access. Previously I was not and it was painful (no copying/pasting long config and commands for example).

I think I was assuming that for the new router to act like a router in the sense that the existing router provided it internet + existing network access, that connection needed to be existing router LAN -> new router WAN. And then any devices I expect the new router to do DHCP/DNS for would need to be plugged into the new router LAN. And since existing computers are on the existing router's network, yes, SSH/HTTP through the WAN port. But it sounds like I'm wrong about this. How would you recommend doing it? If the connection goes existing router LAN -> new router LAN, and I also want the new router to be a DHCP/DNS server for client devices, how does the new router distinguish between those client devices and devices upstream?

In any case I will install the firmware you linked and start from there.

I've installed the firmware linked above by @frollic but haven't done any config beyond that yet. First I wanted to show this diagram I made of what I'm trying to do. I hope this is clear, I thought I'd start with this and get advice up front before starting to make configuration changes.

Looks like a perfectly safe way to segue from one router to another.

From a clean installation of the firmware linked above, and with the hardware connected like the diagram above shows, I am now trying to follow this post: Blocking websites on your router to implement some basic access controls. My basic goal to start is to block youtube, and the next step would be to target that to only specific devices.

However, twice now I've followed that guide and it has left things just basically broken, DHCP not working and internet access not working. I've narrowed it down to what seems like a very innocent change:

4. Set up the list of domains to block using dnsmasq
In your /etc/dnsmasq.conf file, add the following:

cache-size=10000
min-cache-ttl=3600
max-cache-ttl=7200

After this I do service firewall restart and service dnsmasq restart. Then from the green PC I'm using to configure the router, it looks like I do not get an IPv4 address assigned, but do get an IPv6 address assigned. At that point I can't reach 192.168.1.1 from the PC. If I manually configure an IPv4 in range like 192.168.1.50, then I can. But no internet access.

Why would changing these cache settings affect DHCP and internet access? It looks to me like these are just changing how long DNS entries are cached for.

Is there a way to check what the default values of these config settings are with uci or some other way? I couldn't quite figure it out from what this page https://openwrt.org/docs/guide-user/base-system/dhcp.dnsmasq#etcdnsmasqconf describes but I think it must be possible.

dnsmasq is handling both DNS and DHCP.

why not simply use one of the adblock packages available in openwrt?

and if you use the Android YT app, you'll need https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns too.

I looked into something called banIP a couple weeks ago but ultimately I could not figure out a key part to this. I want it to only apply to some devices in the network. Today with my TP-Link router I am doing this by giving MY devices static IP addresses outside the DHCP range and only applying the DNS filter to the DHCP range. But now I am looking for more granular control: more than 1 target device range, so that some devices have a blacklist applied, some devices have a whitelist applied, and my devices have no filter with the exception of ad blocking which applies to all devices.

So just now I looked through the docs for adblock (https://github.com/openwrt/packages/tree/master/net/adblock/files) and there is mention of a "jail" for guest wifi/"kidsafe" but not really any info on how to set that up. I don't really like the idea of separating devices by logical wifi network, and that only gives 2 categories. I basically want to be able to add my devices manually to the "all access" zone, add some kid devices to the "blacklist access" zone, and have all others default to the "whitelist access" zone. Having different DNS filter rules for different lists of client IP addresses would do this (paired with static leases), but I don't see a way to do that. That's why I have been looking into the very manual way that I've been struggling with.

Anyway if adblock or something else CAN do what I describe above and I just need to understand the config better can you point me in the right direction? I've seen "KidSafe" in a few docs and posts as if it is an app or feature that is well known but as far as I can find it isn't a package or feature of OpenWRT.

Don't think you can apply multiple rules in dnsmasq.

But you can run multiple dnsmasqs with different filters applied, then implement some kind of logic, in for instance the firewall, directing the requests to the correct dnsmasq.

As for individual DNS settings, see https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#client_classifying_and_individual_options.

And don't run into this issue Adblock ignores dnsmasq instance.

Where should I start with multiple dnsmasq instances? I came across the concept a couple weeks ago and it seemed like overkill at the time, but maybe it's actually simpler than configuring 1 instance the way I want.

Can anyone point me to info on what KidSafe means in the context of OpenWRT? Is it a package?