I have previously managed to get an old router connected up to access the internet via wifi and provide that internet access via the LAN ports to some hard-wired PCs. I followed this guide and had no problems. https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
However, I want to do something different on a different network.
What I'm trying to achieve
I want to hardwire an OpenWrt router to my LAN using the built-in WAN port, and create a sub-LAN on the 4 LAN ports. I want to route the traffic of this local LAN (from the OpenWrt router) through a VPN so that everything connected to the LAN ports on the OpenWrt router is behind the VPN.
What works now
I have managed to make the router a dumb AP by putting all 5 ports on the same VLAN. I've also got the VPN running (if I kdig out from the router I get a VPN IP address returned).
I have tried putting the WAN port on its own VLAN with a separate IP address, but I couldn't manage to make the LAN talk to it.
What's not working
The thing I can't manage to do is connect a second VLAN with the WAN port to my existing LAN, and route VLAN 1 with the LAN ports to the rest of the network.
Once I get the LAN ports to route through the WAN to the wider LAN, I'd then like to get the VPN connected.
The setup of the second router is exactly like you would to connect it directly to the Internet. You want routing, not a dumb AP. Think of the first router and the existing LAN as part of the Internet.
Thanks mk24, I guess I should have also said that I thought I had tried that. How do I set up the interface for the WAN port? My main router for the home LAN is set to 192.168.1.1/24 (I think this is the right nomenclature for a 255.255.255.0 subnet mask) and is a DHCP server.
Do I set up the WAN port interface with an IP in the range 192.168.1.x or should it be something like 192.168.2.1? What is then the gateway and subnet? How can I ensure the devices connected to the LAN get an IP address from the DHCP server so they can talk to the rest of the local network?
The default OpenWrt configuration for most routers with more than one Ethernet port has one of the Ethernet ports acting as WAN and the others as LAN.
You have to have the WAN and LAN in different IP ranges. This would be easiest to do by changing the LAN IP of the second router to 192.168.2.1. The default setting of the WAN being a DHCP client will have the second router obtain a 192.168.1.X address automatically from the first router.
Here's where I'm at. I've reset the WAN and LAN ports as you described: LAN interface to 192.168.2.1 and left the WAN on DHCP (I assume that means client).
The WAN port isn't showing up on my DHCP server, I can't see what IP has been assigned to it. I've tried adding in the gateway, netmask and dns manually.
I can connect to the router via the LAN interface on 192.168.2.1. The LAN DHCP server is working, as it has allocated my local machine the IP address 192.168.2.186.
Here is my /etc/config/network configuration. The problem is I can't ping out from the router to the internet.
The LAN port I was plugging my OpenWrt router's WAN port into was faulty. I noticed no orange light on the WAN port or on the first router's LAN port, switched the cable and hey presto ... internet!
Yes I see 0 packets received on eth0.2 which suggests a physical disconnect from any network.
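The routed setup mk24 describes earlier (LAN moved to 192.168.2.1, WAN left as a DHCP client) written out as the /etc/config/network stanzas it produces, together with the interface counter check behind the "0 packets received on eth0.2" diagnosis. This is an added example, not the poster's own config (which does not appear on the page): the switch port numbers, the eth0.1/eth0.2 VLAN device names and the helper names (`router2_network_config`, `rx_packets`, `link_has_traffic`) are assumptions for a typical swconfig-based router, so check yours with `swconfig dev switch0 show` before using it.

```shell
#!/bin/sh
# Added example, not the thread's own config. Emits /etc/config/network for
# "router 2" in the routed setup: LAN static on the four switch ports, WAN a
# DHCP client on router 1's 192.168.1.0/24 LAN. Port numbers and the
# eth0.1/eth0.2 names are ASSUMED (typical swconfig layout); verify with
# `swconfig dev switch0 show` before using.

# /24 prefix of a dotted-quad address (192.168.2.1 -> 192.168.2).
prefix24() {
    printf '%s' "$1" | cut -d. -f1-3
}

# True when both addresses fall in the same /24. LAN and WAN must NOT share
# a range, which is why the LAN moves from 192.168.1.1 to 192.168.2.1.
same_subnet24() {
    [ "$(prefix24 "$1")" = "$(prefix24 "$2")" ]
}

# $1 = router 2 LAN address, $2 = router 1 LAN address. Refuses to emit a
# config whose LAN would collide with the upstream LAN.
router2_network_config() {
    lan_ip=$1
    upstream_ip=$2
    if same_subnet24 "$lan_ip" "$upstream_ip"; then
        echo "refusing: LAN $lan_ip is in the same /24 as upstream $upstream_ip" >&2
        return 1
    fi
    cat <<EOF
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = the four LAN ports, tagged to the CPU port (becomes eth0.1)
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

# VLAN 2 = the WAN port alone, tagged to the CPU port (becomes eth0.2)
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '$lan_ip'
	option netmask '255.255.255.0'

# DHCP client: router 1 hands this port a 192.168.1.x lease plus the
# default gateway and DNS, so no static gateway/netmask/dns is needed.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
EOF
}

# Receive counter of an interface from sysfs. 0 packets on eth0.2 means the
# WAN port never saw a frame (bad cable or switch port), not a routing
# problem. SYSFS_NET is overridable so the check can be exercised off-router.
rx_packets() {
    cat "${SYSFS_NET:-/sys/class/net}/$1/statistics/rx_packets" 2>/dev/null || echo 0
}

link_has_traffic() {
    [ "$(rx_packets "$1")" -gt 0 ]
}
```

On the router: `router2_network_config 192.168.2.1 192.168.1.1 > /etc/config/network && /etc/init.d/network restart`, then `link_has_traffic eth0.2 || echo 'WAN port sees no frames'` tells a dead link apart from a misconfiguration before touching routes or firewall.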
The point is that you don't need to know router 2's IP on router 1's LAN for your use case of providing a VPN secure connection to router 2's users.
If you want to access router 2 from the router 1 LAN, you should set an option hostname in the wan configuration, and you will need to open ports in router 2's firewall.
OK, I have this all working well now (I actually have it working on two devices).
One last issue. All devices connected to the second LAN get an IP in the range 192.168.2.x because I've set the static IP for the WAN port at 192.168.2.1.
How do I either:
a) use the DHCP server from the first LAN (192.168.1.1) to issue addresses in the range 192.168.1.x to devices on the second LAN; or
b) make both subnets visible to each other so I can see network resources on both subnets?
I have tried turning off the DHCP server on the second router, but I don't get an IP address from the DHCP server on the first router, and if I try setting a static IP on my PC in the 192.168.1.x range I can't connect to the network.
a) can't be done. b) You can disable NAT/masquerading, but depending on the service and what you mean by "see" you may or may not need to do more. You'd also need a route back from your edge router for the 2.x network, and possibly a rule to NAT 2.x at the edge.
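What option b) amounts to in UCI terms, as an added example rather than anything posted in the thread: router 2 stops masquerading on its wan zone and admits management connections from LAN 1, and router 1 gets a static route for 192.168.2.0/24 via router 2's WAN address, which is pinned with a static lease so the route does not go stale when the lease changes. The 192.168.1.2 address, the MAC address and the helper names are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from the thread): the UCI stanzas behind option b),
# making LAN 1 (192.168.1.0/24) and LAN 2 (192.168.2.0/24) reachable from
# each other. 192.168.1.2 and the MAC address are placeholders; helper
# names are mine.

# Router 2, /etc/config/firewall: the wan zone now faces LAN 1.
# masq '0' turns NAT off so LAN 1 hosts see real 192.168.2.x sources and
# can answer them (which needs the return route on router 1 below). The
# rule lets LAN 1 reach router 2's SSH/LuCI; without it the zone's input
# policy REJECTs those connections.
router2_firewall_lan1_config() {
    cat <<'EOF'
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-Mgmt-From-LAN1'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option proto 'tcp'
	option dest_port '22 443'
	option target 'ACCEPT'
EOF
}

# Router 1: a static lease so router 2's WAN address stays put, plus the
# return route for LAN 2 via that address (goes into /etc/config/dhcp and
# /etc/config/network respectively). $1 = router 2 WAN MAC, $2 = its IP.
router1_lan2_config() {
    r2_mac=$1
    r2_ip=$2
    case "$r2_ip" in
        192.168.1.*) ;;
        *) echo "gateway $r2_ip is not on router 1's LAN" >&2; return 1 ;;
    esac
    cat <<EOF
# /etc/config/dhcp
config host
	option name 'router2'
	option mac '$r2_mac'
	option ip '$r2_ip'

# /etc/config/network
config route
	option interface 'lan'
	option target '192.168.2.0'
	option netmask '255.255.255.0'
	option gateway '$r2_ip'
EOF
}
```

Two caveats. With the route on router 1, a LAN 1 host's packets to 192.168.2.x go host -> router 1 -> router 2 while the replies come back router 2 -> host directly, so router 1 only sees half of each flow; that works because intra-zone forwarding in its lan zone is ACCEPT by default, but if you would rather keep router 1 out of the path, add the route on the LAN 1 hosts themselves, or keep masq '1' (wulfy's "NAT 2.x at the edge") and accept that LAN 1 then only sees router 2's address. And the `option hostname` mk24 mentions goes in router 2's wan interface stanza, not in the firewall; it only makes router 2 show up by name in router 1's lease list.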
Another option, if you have a spare port, is to ignore WAN: put the second router in the same network as the first, with the first as its gateway, then set the clients that should use the VPN to use the second router as their gateway.
This option is interesting. I guess it was what I was trying to achieve in the initial post, but I thought I would have to separate the two LANs (using VLANs) and route traffic between them via the VPN. I can easily switch the WAN port into the LAN VLAN so all ports are LAN.
Can you please explain how I would use the 4 other lan ports so their traffic is routed via the VPN for internet access?
If you've followed @mk24's advice, then router2 needs a route to LAN1 (that should be automatic), and router1 needs a route back to LAN2 via the "WAN" IP of router2.
Regarding your question: that suggestion is a same-LAN, layer-3 alternate-gateway setup, so the 4 LAN ports are irrelevant, as in that config the "router" is on the same subnet.
It (router2) has the VPN connection. All clients using the VPN use router2 as their default gateway, and router2 has a default gateway of router1.
Think of router2 as another client, and the other ones just "go through it" to the VPN.
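The alternate-gateway layout wulfy describes, written out as UCI stanzas. This is an added example, not configuration from the thread: router 2 sits on 192.168.1.0/24 as 192.168.1.2 with router 1 as its own gateway and no DHCP server of its own, and the hosts that should go through the VPN are simply handed 192.168.1.2 as default gateway by router 1's DHCP (via a host tag, so the rest of the LAN is untouched). The VPN is assumed to be a UCI interface named `vpn` (the thread never says which VPN protocol); 192.168.1.2, the client MAC/IP, the switch port numbering and the helper names are mine. One detail the thread only hints at ("behind the VPN"): router 2's lan zone has forwarding set to REJECT so that if the tunnel drops, client traffic is dropped instead of being forwarded to router 1 in the clear.

```shell
#!/bin/sh
# Added example (not from the thread): the "same LAN, alternate gateway"
# layout. Router 2 lives on 192.168.1.0/24 as 192.168.1.2 with router 1 as
# its gateway; hosts that should use the VPN get 192.168.1.2 as their
# default gateway. The VPN is ASSUMED to be a UCI interface named 'vpn'
# (protocol unspecified in the thread); addresses, the client MAC and the
# switch port numbering are placeholders.

# Router 2, /etc/config/network: every switch port in VLAN 1 (ASSUMED
# numbering), one bridge, static address, default route via router 1.
router2_same_subnet_network() {
    cat <<'EOF'
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4 5'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
EOF
}

# Router 2, /etc/config/dhcp: router 1 stays the only DHCP server.
router2_same_subnet_dhcp() {
    cat <<'EOF'
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
EOF
}

# Router 2, /etc/config/firewall. Forwarded client traffic may only leave
# through the tunnel: lan->vpn is allowed, and the lan zone's own forward
# policy is REJECT, so lan->lan forwarding (which is where packets would go
# via the 192.168.1.1 default route when the tunnel is down) is blocked.
# Router 2's own traffic to the VPN server is OUTPUT, not forwarding, and
# still reaches 192.168.1.1 normally.
router2_vpn_firewall() {
    cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF
}

# Router 1, /etc/config/dhcp: hand out the alternate gateway (DHCP option 3)
# only to hosts carrying the 'vpn' tag, so everyone else keeps router 1.
# $1 = client MAC, $2 = client IP (fixed lease), $3 = gateway to hand out.
router1_vpn_client_lease() {
    cat <<EOF
config tag 'vpn'
	list dhcp_option '3,$3'

config host
	option name 'vpn-pc'
	option mac '$1'
	option ip '$2'
	option tag 'vpn'
EOF
}
```

Because the clients stay on 192.168.1.0/24, traffic to other LAN 1 hosts is on-link and never touches router 2; only their default-route traffic goes through it. Two things this does not cover: the VPN must actually install router 2's default route into the tunnel (how depends on the VPN protocol, which the thread does not name), and DNS still goes to 192.168.1.1 unless you also hand the tagged hosts a resolver reached through the tunnel (DHCP option 6), otherwise name lookups leak outside the VPN.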