Connectivity Between Two Subnets

Hi All,

I have my ISP supplied router (192.168.0.1), and a pc (192.168.0.11) directly connected to the isp router, an asus router running openwrt (192.168.0.10) directly connected to the ISP router, and a couple access points plugged into the asus router on the subnet 192.168.1.1. My wireless devices can connect/ping to the pc that's wired in, but the pc can't ping 192.168.1.1 or any wireless devices. This leads me to believe the openwrt router is dropping traffic from its wan port, but that's just a guess.

I've been playing with the "Firewall - Zone Settings", trying to make everything allowed between the two subnets, but still can't ping 192.168.1.1 from the PC.

I saw some similar posts but wasn't able to make sense of the answers. Sorry, I'm a networking baby but I'll do my best.

network config:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '????'

config interface 'lan'
	option ifname 'eth0.1'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option macaddr '????'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option macaddr '???'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 8t'

firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option name 'wan'
	option network 'wan lan wan6'
	option masq '1'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	list proto 'all'
	option dest 'lan'
	option src 'wan'
	option name 'isp-to-wifi'

@ploppers, welcome to the community!

Yes, if it didn't by default, you could be hacked. But also, it's using Network Address Translation (NAT).

  • First, you must ensure you can place a static route in your ISP router for 192.168.1.0/24 via 192.168.0.10
  • Next, you must ensure the ISP router NATs all other traffic in addition to 192.168.0.0/24 (you won't know this until after all the settings are complete and a test)
  • Third, disable masquerade-NAT on WAN on the OpenWrt :wink:

I assumed this is what you wish to fix.

  • Fourth, you must make a firewall rule that allows 192.168.0.11 to send an ICMP Echo-Request to LAN

(BTW, I read before all of your edits - it seems you already made an allow rule from WAN to LAN - so my specific rule for 192.168.0.11 is unnecessary.)

4 Likes
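
An audit of the firewall config posted above, added here as an example and not written by anyone in the thread: it parses the UCI text and flags the points the reply raises (masquerading on the wan zone, the blanket wan-to-lan allow rule) along with the `lan` network being listed in two zones. The function names and the embedded sample are constructed for illustration; `src_ip` is the standard OpenWrt rule option for limiting a rule to one source address.

```python
import shlex
from collections import defaultdict

# Constructed sample: zone and rule sections taken from the firewall config in the thread.
SAMPLE = """
config zone
	option name 'lan'
	list network 'lan'
config zone
	option input 'ACCEPT'
	option name 'wan'
	option network 'wan lan wan6'
	option masq '1'
config rule
	option target 'ACCEPT'
	list proto 'all'
	option dest 'lan'
	option src 'wan'
	option name 'isp-to-wifi'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # handles quotes and '#' comments
        if tok[:1] == ["config"] and len(tok) >= 2:
            sections.append((tok[1], defaultdict(list)))
        elif tok[:1] in (["option"], ["list"]) and len(tok) == 3 and sections:
            sections[-1][1][tok[1]] += tok[2].split()  # 'wan lan wan6' -> 3 values
    return sections

def audit(text):
    """Return findings for the routed (no-NAT) two-subnet setup discussed above."""
    findings, owner = [], {}
    for kind, opt in parse_uci(text):
        name = " ".join(opt["name"]) or "(unnamed)"
        if kind == "zone":
            for net in opt["network"]:
                if owner.setdefault(net, name) != name:
                    findings.append(f"network '{net}' is in zones '{owner[net]}' and '{name}'")
            if opt["masq"] == ["1"]:
                findings.append(f"zone '{name}': masq is on (source NAT toward this zone)")
            if name == "wan" and "ACCEPT" in opt["input"] + opt["forward"]:
                findings.append("zone 'wan': input/forward ACCEPT from the upstream side")
        elif kind == "rule" and opt["target"] == ["ACCEPT"] and opt["src"] == ["wan"]:
            if not opt["src_ip"] and opt["proto"] in ([], ["all"]):
                findings.append(f"rule '{name}': any wan host, any protocol, no src_ip")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Run against the posted config it reports four findings; a wan zone limited to `wan wan6` with `masq '0'`, REJECT policies, and an ICMP rule carrying `src_ip '192.168.0.11'` reports none.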

Thanks for the quick thorough reply!

I don't seem to be able to set a static route on the ISP router. I saw a support post describing a similar issue where the solution provided was...

Now if you simply want to extend the coverage area with a second access point, what you can do is remove the WAN IP on your ASUS router (or put it in DHCP mode), assign LAN IP to something like 192.168.0.5 and connect the Hitron CGN3 to a LAN port of the ASUS router (instead of a WAN port). That way you will extend the 192.168.0.0/24 subnet over both the Hitron and ASUS WLANs.

Do you think that could work? I think I'd lose a LAN port this way. I guess I'll have to try.

If it is only one pc connected to the ISP router, then it might make more sense to move it in the lan of OpenWrt.
Otherwise add the static route to the pc directly.

2 Likes