Configuring Subnets for Family, DMZ, Backups, and LAN?

My goal is to set up an OpenWrt router, IPv4 without Double NAT, and make subnets for:

  • WAN
  • LAN
    ** LAN / WAN Access
    ** Management LAN?
  • Family LAN
    ** LAN / WAN Access
    ** (Double NAT here with pfSense behind it to prevent the boys from accessing bad websites using SquidGuard; they won't be using any services, so it's okay)
  • DMZ (DDNS access)
    ** Everything below secured via SSH private key / public key port forwarding
    *** Gitea web server accessed
    *** wiki accessible externally
    *** Nextcloud server with del.icio.us-type bookmarks
    ** Maybe knockd for hiding the SSH port.
  • Backups (BareOS / Bacula)
    ** Separate subnet for backup servers
    ** Want to keep this separate from WAN, but still able to do backups from other subnets, likely through routing rules between subnets.

I decided to go with subnetting since I never seem to be able to understand the OpenWrt documentation for switches / VLANs, though I've tried many, many times; see below:

I used Python 3's ipaddress library to come up with the subnets above.


>>> import ipaddress
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[1])
IPv4Network('192.168.57.64/26')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[1]).hosts())[0]
IPv4Address('192.168.57.65')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[1]).hosts())[1]
IPv4Address('192.168.57.66')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[1]).hosts())[-1]
IPv4Address('192.168.57.126')
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[1]).netmask
IPv4Address('255.255.255.192')
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[2]).netmask
IPv4Address('255.255.255.192')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[2]).hosts())[0]
IPv4Address('192.168.57.129')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[2]).hosts())[1]
IPv4Address('192.168.57.130')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[2]).hosts())[-1]
IPv4Address('192.168.57.190')
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3]).netmask
IPv4Address('255.255.255.192')
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3])
IPv4Network('192.168.57.192/26')
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3]).netmask
IPv4Address('255.255.255.192')
>>> (list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3])
IPv4Network('192.168.57.192/26')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3]).hosts())[0]
IPv4Address('192.168.57.193')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3]).hosts())[1]
IPv4Address('192.168.57.194')
>>> list((list(ipaddress.IPv4Network('192.168.57.0/24').subnets(new_prefix=26))[3]).hosts())[-1]
IPv4Address('192.168.57.254')

And it should look like the following diagram:

I've determined that my ISP router has settings in it which allow you to create a Poor Man's Bridge Mode by exposing the OpenWrt's WAN IP in its own DMZ, and I already know how to do that on my Verizon DSL-2750B.

After planning my course of action (see above), going over the documentation to the best of my ability, and installing a vanilla OpenWrt 19.07.2 installation, I plugged in a thumb drive and did an extroot /extroot_data configuration so I could store the changes in GitHub / Gitea (locally).

So far I've been able to change the lan interface from 192.168.1.1/24 to 192.168.57.1/26 by changing the following two lines in the default config:

config interface 'lan'
...
        option ipaddr '192.168.57.1'
        option netmask '255.255.255.192'

If you don't NAT on the OpenWrt router you might face two issues:

  1. The ISP device will need a static route for the 4 LANs you have on OpenWrt.
  2. The ISP device might not support NATing networks which are not directly connected.

Other than that there isn't anything complicated in your plan, although I would go for 4 * /24 networks rather than /26. It's free, and anytime soon you'll find /26 small when the refrigerator has Wi-Fi.
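The REPL session in the original post computes each /26 by hand, and the reply adds that a non-NAT setup needs one static route per internal subnet on the ISP device. The following is an added example (not code from either poster) that does both in one place: it carves the base network into one subnet per segment, renders the static-IPv4 lines of a UCI interface stanza, and lists the routes the upstream device would need. Segment names, the gateway-is-first-host rule, and the WAN address 192.0.2.10 are assumptions; the same function also handles the reply's suggestion of four /24s from a /22.

```python
import ipaddress

# Segment names in the order the original post lists them; assumption: one
# subnet per segment, carved from the poster's 192.168.57.0/24 as /26s.
SEGMENTS = ("lan", "family", "dmz", "backup")

def plan_subnets(base="192.168.57.0/24", new_prefix=26, names=SEGMENTS):
    """Carve `base` into equal subnets and describe each one the way an
    OpenWrt interface stanza and a DHCP pool need it."""
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=new_prefix))
    if len(names) > len(subnets):
        raise ValueError(f"{base} only yields {len(subnets)} /{new_prefix} subnets")
    plan = {}
    for name, net in zip(names, subnets):
        hosts = list(net.hosts())
        plan[name] = {
            "network": str(net),
            "gateway": str(hosts[0]),       # router's own address on the segment
            "netmask": str(net.netmask),
            "first_client": str(hosts[1]),  # DHCP pool can start here
            "last_client": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "usable_hosts": len(hosts),
        }
    return plan

def uci_interface(name, entry):
    """Render the static-IPv4 part of a UCI 'config interface' block."""
    return "\n".join([
        f"config interface '{name}'",
        "\toption proto 'static'",
        f"\toption ipaddr '{entry['gateway']}'",
        f"\toption netmask '{entry['netmask']}'",
    ])

def isp_static_routes(plan, openwrt_wan_ip):
    """If OpenWrt does not NAT, the ISP device needs one static route per
    internal subnet, pointing at OpenWrt's WAN address (reply, point 1)."""
    return [(entry["network"], openwrt_wan_ip) for entry in plan.values()]

if __name__ == "__main__":
    plan = plan_subnets()
    for name, entry in plan.items():
        print(f"{name:7}{entry['network']:19}gw {entry['gateway']:16}"
              f"clients {entry['first_client']}-{entry['last_client']}")
    print(uci_interface("lan", plan["lan"]))
    for dst, via in isp_static_routes(plan, "192.0.2.10"):  # placeholder WAN IP
        print(f"ISP route: {dst} via {via}")
```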