Connect two bridge networks to each other

I have created a second bridge, that covers two additional wifi APs, which connects to wan directly. The main lan connects to vpn.



Now, I tried to do routing, but it didn't work, so it's empty for now.


How can I do so that devices on br-lan can connect to devices on br-bypass and vice versa? Can't even make them ping...

What exactly is your goal... what do you mean by bypass?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

So I want all devices connected to my router via VPNWIFI or lan ports to access internet via Mullvad VPN. Devices connected via BypassWifi should connect to internet straight, without vpn, via WAN. At the same time I want devices connected both ways to treat each other as if they are on the same networks, i.e. when I am on BypassWifi I want to access/ping devices connected on VPNWIFI or lan ports, and vice versa.

P.S. I know there is PBR, but I haven't found an explanation of how to filter sources based on the wifi AP they join the network through, and I'm keeping that option for later. I want to try to make my current config do what I want.

ubus call system board
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Redmi Router AC2100",
        "board_name": "xiaomi,redmi-router-ac2100",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
Network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'CENCORED'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device 'bypass_dev'
        option type 'bridge'
        option name 'br-bypass'

config interface 'bypass'
        option proto 'static'
        option device 'br-bypass'
        list ipaddr '192.168.3.1/24'
        option defaultroute '0'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'CENCORED'
        list addresses 'CENCORED'
        option force_link '1'
        option mtu '1280'

config wireguard_WGINTERFACE
        option public_key 'CENCORED'
        option endpoint_host 'ONE OF MULLVAD IP SERVERS'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'

config route 'vpn_route'
        option interface 'WGINTERFACE'
        option target '0.0.0.0/0'
        option table '100'

config rule 'vpn_rule'
        option in 'lan'
        option lookup '100'

Wireless
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'VPNWIFI'
        option encryption 'sae-mixed'
        option key 'CENCORED'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'VPNWIFI5G'
        option encryption 'sae-mixed'
        option key 'CENCORED'

config wifi-iface 'bypass'
        option device 'radio0'
        option mode 'ap'
        option network 'bypass'
        option ssid 'BypassWifi'
        option encryption 'sae-mixed'
        option key 'CENCORED'

config wifi-iface 'bypass5G'
        option device 'radio1'
        option mode 'ap'
        option network 'bypass'
        option ssid 'BypassWifi5g'
        option encryption 'sae-mixed'
        option key 'CENCORED'

DHCP
cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.64.0.1'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'bypass'
        option interface 'bypass'
        option start '100'
        option limit '150'
        option leasetime '24h'
        list dhcp_option '6,8.8.8.8,8.8.4.4'


Firewall
cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'bypass'
        option name 'bypass'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'bypass'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'bypass_dns'
        option name 'Allow-DNS-Guest'
        option src 'bypass'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'bypass_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'bypass'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule
        option name 'Allow-mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        option dest_port '5353'
        option target 'ACCEPT'
        list dest_ip '224.0.0.221'

config forwarding
        option src 'lan'
        option dest 'bypass'

config forwarding
        option src 'bypass'
        option dest 'lan'

config rule
        option name 'Allow-All-1'
        option src 'bypass'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'all'

config rule
        option name 'Allow-All-2'
        option src 'lan'
        option dest 'bypass'
        option target 'ACCEPT'
        list proto 'all'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config forwarding
        option src 'bypass'
        option dest 'wan'

PBR is the way to do this.

https://openwrt.org/docs/guide-user/network/routing/pbr

There should be linked examples in the above wiki page.

I'm sorry, but I can't find an example of how to define source=AP. Subnet, yes, but I don't want to route the whole subnet, as in "two APs/one subnet" this means both APs will be routed one way or the other. And I don't want to route separate devices.

I'm not an expert, but I do not think that is possible; as I understand it, each AP should be set to a different VLAN which you could then route.

You have 4 SSIDs defined... VPNWIFI / VPNWIFI5G, and BypassWifi / BypassWifi5G. Each pair is set up against its own subnet: 192.168.99.0/24 (lan) and 192.168.3.0/24 (bypass), respectively. So the solution is simple -- use PBR to create policies by subnet.

You can't differentiate the physical interfaces (on their own) with PBR, but your physical interfaces are already mapped to their own subnets. I don't understand what you mean when you say you don't want to make policies that affect the whole subnet when the mapping appears to be direct from the respective SSIDs to the networks.

Your options for PBR are:

  • create subnets where each subnet is subject to routing policies and those subnets are associated with the physical interfaces (this is what you've already got).
  • You can also make policies for specific destinations (i.e. streaming services, your bank, etc. whatever you want to go through the VPN or the wan, you can make policies for).
  • And you can make policies that affect specific source IPs (including groups of addresses, but not whole subnets)... so if you want your STB or your laptop to always go through one path or the other, assign it a DHCP reservation so it always has the same address and make a policy based on that address.

But you already have the topology that allows you to use PBR to route via subnet policies.

That I have already: the devices on 192.168.99.0/24 are routed to the VPN (route vpn_route, rule vpn_rule) and devices on 192.168.3.0/24 simply go to wan. What I don't have is that devices on one network can communicate with devices on the other network. I am connecting to BypassWifi with a laptop and getting an address of 192.168.3.13, and I can't ping my homelab, which is on VpnWifi with address 192.168.99.66.

P.S. And I achieved that without PBR, but simply having the route and the rule.

I see forwarding rules to allow the two zones/networks to talk to each other:

So, that's good.

But the following two rules may be the result of the issue. Remove these two rules. Then reboot and try again.

Unrelated... you can get rid of these two rules because you have the bypass zone input rule set to accept:

Those two rules were disabled anyway, but I made sure and deleted them for good.

Firewall
cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'bypass'
        option name 'bypass'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'bypass'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGINTERFACE'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config rule
        option name 'Allow-mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        option dest_port '5353'
        option target 'ACCEPT'
        list dest_ip '224.0.0.221'

config forwarding
        option src 'bypass'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config forwarding
        option src 'lan'
        option dest 'bypass'

config forwarding
        option src 'bypass'
        option dest 'lan'

Alas, the result is the same. What about this, does this look right?

What other hosts do you have on the 192.168.99.0/24 network (ideally non-windows, bare metal, like a linux box -- could just be a raspberry pi, for example)? Have you tried connecting to those hosts from 192.168.3.13 (your laptop)?

I have two Linux boxes on that network, one Debian and the other OpenMediaVault on a Raspberry Pi (so also Debian). I'm testing from a dual-boot laptop, so I can test from Linux or Windows. I tried connecting to/pinging both; the result is the same.

meaning you cannot reach them?

This is probably due to the PBR -- add rules that specifically provide routing between the two networks.

Ok, I must say I tried it before, but now I tried it with setting gateways in routes and it works.

Additions to network config
config route
        option interface 'bypass'
        option target '0.0.0.0/0'
        option gateway '192.168.3.1'
        option table '101'

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.99.1'
        option table '102'

config rule
        option in 'lan'
        option dest '192.168.3.0/24'
        option lookup '101'

config rule
        option in 'bypass'
        option dest '192.168.99.0/24'
        option lookup '102'

Previously tried it without setting gateways and it didn't work.

Problem right now: the Samba shares on the homelab are still not seen. I'm guessing it's because of the broadcast nature of that thing. I would appreciate it if anyone had any suggestions for that.
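As an added illustration of why the extra routes and rules above were needed (this is example code written for this write-up, not code from the thread or from OpenWrt), here is a small Python model of the kernel's policy-routing lookup: rules are consulted in priority order, each rule points at a table, and the first table that yields a longest-prefix match wins. The tables and rules are constructed to mirror the configs posted in this thread: table 100 holds only the WireGuard default route, and table main holds the connected routes for br-lan and br-bypass plus the wan default. Two simplifications are assumed: the destination-specific rules (lookup 101/102) are placed before vpn_rule, as they must be for the fix to take effect, and tables 101/102 are modelled as a route pointing straight at the bridge, ignoring the gateway option. The model shows that with only vpn_rule in place, a packet entering on br-lan for 192.168.3.13 (for example, the ping reply from the homelab) is sent into the tunnel rather than to br-bypass, which is why pings from the bypass side got no answer even though bypass-to-lan delivery itself was fine.

```python
"""Constructed model of Linux policy routing (ip rule / ip route tables).

Example code, not part of OpenWrt or of the thread. Interface names and
addresses mirror the posted configs; the rule order is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net      # destination prefix
    dev: str             # interface the route sends the packet out of


@dataclass
class Rule:
    iif: Optional[str]       # ingress interface to match (UCI 'option in'), None = any
    dst: Optional[IPv4Net]   # destination prefix to match (UCI 'option dest'), None = any
    table: str               # routing table to consult (UCI 'option lookup')


def lookup_table(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single routing table; None if nothing matches."""
    best: Optional[Route] = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 iif: str, dst: str) -> Optional[Tuple[str, str]]:
    """Return (table, output interface) chosen for a packet, or None if unroutable.

    Rules are walked in priority order. A rule whose selectors match causes its
    table to be consulted; if that table has no route for dst the kernel falls
    through to the next rule, which is the behaviour modelled here.
    """
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.iif is not None and rule.iif != iif:
            continue
        if rule.dst is not None and addr not in rule.dst:
            continue
        hit = lookup_table(tables[rule.table], addr)
        if hit is not None:
            return rule.table, hit.dev
    return None


net = ipaddress.ip_network

# Constructed tables mirroring the thread's /etc/config/network.
TABLES: Dict[str, List[Route]] = {
    "main": [
        Route(net("192.168.99.0/24"), "br-lan"),     # connected route for lan
        Route(net("192.168.3.0/24"), "br-bypass"),   # connected route for bypass
        Route(net("0.0.0.0/0"), "wan"),              # default via the ISP
    ],
    "100": [Route(net("0.0.0.0/0"), "WGINTERFACE")],  # vpn_route: everything into the tunnel
    "101": [Route(net("0.0.0.0/0"), "br-bypass")],    # simplified model of the added table 101
    "102": [Route(net("0.0.0.0/0"), "br-lan")],       # simplified model of the added table 102
}

# Before the fix: only vpn_rule, then the implicit main-table rule.
RULES_BEFORE: List[Rule] = [
    Rule("br-lan", None, "100"),   # vpn_rule: 'option in lan' -> lookup 100
    Rule(None, None, "main"),
]

# After the fix: destination-specific rules assumed to sit ahead of vpn_rule.
RULES_AFTER: List[Rule] = [
    Rule("br-lan", net("192.168.3.0/24"), "101"),
    Rule("br-bypass", net("192.168.99.0/24"), "102"),
    Rule("br-lan", None, "100"),
    Rule(None, None, "main"),
]


def compare_paths() -> Dict[str, Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]]:
    """Route a few constructed flows through both rule sets for side-by-side comparison."""
    flows = {
        "lan -> bypass (ping reply)": ("br-lan", "192.168.3.13"),
        "bypass -> lan (ping request)": ("br-bypass", "192.168.99.66"),
        "lan -> internet": ("br-lan", "8.8.8.8"),
        "bypass -> internet": ("br-bypass", "8.8.8.8"),
    }
    return {name: (route_packet(RULES_BEFORE, TABLES, iif, dst),
                   route_packet(RULES_AFTER, TABLES, iif, dst))
            for name, (iif, dst) in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare_paths().items():
        print(f"{name:32} before={before}  after={after}")
```

The model is deliberately minimal (no source-address selectors, no metrics, no IPv6), so treat it as a way to reason about rule order rather than a reproduction of netifd. The practical check on the router itself is `ip rule show` followed by `ip route show table 100` and `ip route get <dst> from <src> iif br-lan`, which answer the same question the model does.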

Can you connect directly via smb if you specify the IP address?

Yes, that works. It's a bit slow on start, like the initial opening of the share is somewhat slow, but it works. And even accessing it by share name, not IP address, works, probably because I already installed mDNS/avahi with reflection before.

So is the problem now solved?

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!


Thank you. If someone later stumbles upon this and has a suggestion about Samba discovery, it will be much appreciated.
