The outside computer gets a DHCP provided address from the outside router and works as normal.
The inside computer gets a 192.168.2.XX address from the OpenWrt router and can only connect if I have IP masquerading on in the firewall rules. I would like to be able to use non-masquerade connections between the inside => outside as well as outside => inside.
Here is my network file:

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdfd:84f4:5814::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'eth0'
	option macaddr '22:4e:7f:82:5d:03'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'wan'
	option device 'wlan1'
	option proto 'static'
	option ipaddr '192.168.0.25'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
```
Here is my firewall file:

```
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wan'
	option masq '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'lan'
```
They have to be different subnets if the 5 GHz link is a regular AP-STA connection (not WDS).
For it to work without NAT, "Outside Router" needs a route to the 192.168.2.0 "inside" LAN. Install a static route in Outside Router: 192.168.2.0/24 via 192.168.0.25. If that router is not running OpenWrt, stock or other firmwares usually also support installing routes.
It's also a good idea to set up a DHCP reservation so that "Inside Router" always has the same IP on Outside's LAN. Routes are defined by IP address not name.
The default OpenWrt firewall allows lan->wan forwarding. You will need to add wan->lan if you want the Outside PC to be able to reach Inside machines. wan->lan forwarding will not work with NAT enabled on wan.
The config I uploaded is currently working, but if I take out `option masq '1'` in the wan zone of the firewall config, it doesn't work. My question is why?
I have a static route on the outside router to point to the inside lan. The inside router mac has a static reservation on the outside router.
The openwrt inside router is an old netgear wndrmacv2 with the wireless configured as a client to the outside router, and that is why there has to be a subnet for the inside router/computers. Everything would be simpler if I could make that bridge transparent.
When masquerading is enabled, the router 'masquerades' all of the devices behind the router such that the traffic appears to come from a single device connected to the upstream network. This is why you only need a single IPv4 address for your entire home network to be connected to the internet. Regardless of whether you have one device or many, the router will sort all the traffic accordingly, but the ISP/upstream network only knows about the one address (usually assigned to the wan), so it doesn't need any details about what's behind that address.
If you turn off masquerading, the actual address of the devices behind the router is reported as the source (and eventually destination for the response traffic). The problem arises when the response traffic comes into the upstream router -- if the router doesn't know how to get that traffic back to the requester, it can only drop the packets. So... when the outside router gets traffic that is destined for the network of the inside router, it has no idea how to send it there. A static route is required to say "here's the gateway for that address" -- in your case...
The 192.168.0.25 is the device on the network that the outer router is responsible for, and it serves as the gateway (or pathway) to send traffic to 192.168.2.0/24.
If this route isn't installed on the main router, you must use masquerading on the second router.
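The two replies above (the static route 192.168.2.0/24 via 192.168.0.25, and the explanation of why return traffic is dropped without it) can be checked with a small routing-table model. This is an added example, not code from the thread or from OpenWrt: it implements a longest-prefix-match lookup over a constructed routing table for the outside router and follows an Internet host's reply back toward the inside PC. The inside PC address 192.168.2.50 and the public address used for the Internet host are assumed values; the router addresses are the ones from the thread.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not the OP's routers).
# Inside LAN 192.168.2.0/24 sits behind the OpenWrt router, whose wan side is
# 192.168.0.25 on the outside router's 192.168.0.0/24.
INSIDE_PC = "192.168.2.50"        # assumed host on the inside LAN
INSIDE_ROUTER_WAN = "192.168.0.25"


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop, iface) tuples.

    Returns (next_hop, iface) for the most specific matching prefix,
    or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def outside_router_routes(static_route_installed):
    """Routing table of the outside router, with or without the static route."""
    routes = [
        ("192.168.0.0/24", "connected", "lan"),   # its own LAN
        ("0.0.0.0/0", "isp-gateway", "wan"),      # default route to the Internet
    ]
    if static_route_installed:
        # The route the thread tells the OP to add: 192.168.2.0/24 via 192.168.0.25
        routes.append(("192.168.2.0/24", INSIDE_ROUTER_WAN, "lan"))
    return routes


def trace_reply(masq, static_route_installed):
    """Follow an Internet host's reply to a packet the inside PC sent.

    Returns 'inside-pc' when the reply gets back to the sender, otherwise a
    short reason it was lost.
    """
    # With masq the inside router rewrites the source to its own wan address,
    # so the reply is addressed to 192.168.0.25. Without masq the reply
    # carries the inside PC's real 192.168.2.x address.
    reply_dst = INSIDE_ROUTER_WAN if masq else INSIDE_PC

    # The reply arrives at the outside router from the ISP; look it up there.
    hop = lookup(outside_router_routes(static_route_installed), reply_dst)
    if hop is None:
        return "no-route"
    next_hop, iface = hop
    if iface == "wan":
        # A private destination handed back to the ISP never comes back.
        return "leaked-upstream"
    if next_hop == "connected":
        # Delivered to 192.168.0.25 on the outside LAN; the inside router
        # reverses the NAT and hands it to the inside PC.
        return "inside-pc"
    if next_hop == INSIDE_ROUTER_WAN:
        # Forwarded to the inside router, which owns 192.168.2.0/24 directly.
        return "inside-pc"
    return "unknown"


if __name__ == "__main__":
    for masq, route in [(True, False), (False, False), (False, True)]:
        print(f"masq={masq!s:5} static_route={route!s:5} -> "
              f"{trace_reply(masq, route)}")
```

The three cases the model walks through are exactly the ones in the thread: masq on with no route (works), masq off with no route (the reply for 192.168.2.50 only matches the default route and is sent toward the ISP), and masq off with the static route installed (the /24 for the inside LAN wins longest-prefix match and the reply is forwarded to 192.168.0.25).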
When I log in to the OpenWrt router:
I can ping the inside subnet (good, that is the subnet the router is responsible for; the router is at .2.1).
I can ping the outside subnet (good, the router is connected to that as .0.25).
I can ping the internet (good, connection thru the outside router is working).
Here's where it gets weird:
From a computer on the inside subnet:
I can ping the inside router at 192.168.2.1
I can ping the inside router at 192.168.0.25
I can ping the outside router at 192.168.0.1
Cannot ping my pi-hole raspberry pi at 192.168.0.3
Cannot ping anything on the internet
As soon as I enable masq in the firewall, everything works normally.
Also pinging from computer on outside subnet to computer on inside subnet does not work reliably.
(Might work: the first ping shows a redirect from the .0.1 router to the .0.25 gateway, then pings work; a few seconds later pings don't show the redirect and fail.)
I think that might be an issue with the outside router though.
This is a completely jumbled and confusing set of configs... there are things in each file that don't belong there whatsoever. I'm not sure how this ended up as it appears now, but it's not going to work... further, it is going to be more difficult to fix it than it will be to start from scratch. Please reset to defaults and we'll start over.
relayd is what you want if you actually want all of your devices to be on the same subnet. If you're trying to set up multiple subnets and route between them as an intentional network topology, you want to operate in a normal routed mode.
Either way, you need to reset your router to defaults because the current state of your configs will be quite difficult to fix. You'll want to start with a clean slate and adjust based on the method you choose (relayd vs routed).
Quite literally, everything. For example, I'm not sure how an interface definition and a firewall zone ended up in the dhcp file. Then your network file had a messed up loopback and a lan firewall zone defined in there. Switch port stanzas that don't belong there and routes that were unnecessary. Your firewall file was also clearly gutted... there were just so many things in the wrong places that it wouldn't make sense to try to fix it... resetting was the best way to go.