Creating a testing network in an existing router (LAN and WAN)

Hello,

I have an OpenWrt router with the interfaces wan and lan. I need to configure two more networks that can coexist with the existing ones while staying separated from the current config.

new lan (lan2), let's call it dummy_lan. It will work as a dumb access point (no dhcp), so a new wifi network must be created and linked to that port. It only serves to connect a wifi network to the network that comes to the lan port 2, no internet access will be provided. The network that will use this switch is 192.168.140.0/24. This network is supposed to act as a dumb AP just to connect wireless clients to the lan.

new lan (lan1), let's call it dummy_wan. It will act as a router providing internet to the client. It is supposed to hand out addresses from the 10.0.0.0/8 range by DHCP and have a static IP assigned to itself (10.0.0.1). It should be NAT-routed to the current wan, so it will provide internet access. This network will act as my ISP router.

I tried to prevent any interactions between the newly created networks and the existing networks; they should be transparent to each other.

The configuration below is applied; however, there is no internet for clients in dummy_wan, and when dummy_lan is enabled, all networks stop working.

network


# /etc/config/network as posted.
# The four switch ports are split across three bridges (lan3+lan4, lan2, lan1),
# so layer-2 separation between lan, dummy_lan and dummy_wan comes from bridge
# membership. Routed (layer-3) separation is decided by the firewall zones.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7e:ca7e:f583::/48'

# Main LAN bridge: only lan3 and lan4 are members.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.120.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream interface: address, default route and DNS come from DHCP here.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option proto '6to4'

# Dumb-AP side (192.168.140.0/24 arrives on lan2).
# NOTE(review): with proto dhcp the router itself becomes a DHCP client on that
# segment. No defaultroute/peerdns options are set here, so a lease from that
# network can presumably install a second default route and DNS servers that
# compete with wan, which would match "all networks stop working" when this
# interface is enabled. Confirm with the routing table after bringing it up.
config interface 'dummy_lan'
	# "type bridge" on an interface is the legacy syntax; the bridge is already
	# declared as device br_dummylan further down.
	option type 'bridge'
	option proto 'dhcp'
	# auto 0: the interface is not brought up automatically.
	option auto '0'
	# presumably suppresses sending a hostname in the DHCP request; verify
	option hostname '*'
	option device 'br_dummylan'

# Simulated ISP side: the router is 10.0.0.1 on lan1.
# NOTE(review): the /8 netmask makes the whole of 10.0.0.0/8 on-link on lan1,
# so any 10.x address used upstream or over a VPN would be routed to this test
# segment instead. A narrower prefix limits what the test network can shadow.
config interface 'dummy_wan'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.0.0.0'
	option device 'br_dummywan'

# Single-port bridge for lan2; the dummy_lan wifi-iface joins it through
# "option network dummy_lan" in the wireless config.
config device
	option type 'bridge'
	option name 'br_dummylan'
	list ports 'lan2'
	# STP enabled on this bridge only.
	option stp '1'

# Single-port bridge for lan1.
config device
	option type 'bridge'
	option name 'br_dummywan'
	list ports 'lan1'

firewall

# Global policies. Forwarding between zones is rejected unless a
# "config forwarding" section or a rule allows it.
# NOTE(review): input is ACCEPT here. Zones that set no input policy of their
# own appear to fall back to this value, which would leave the router's own
# services reachable from those zones. Give every zone an explicit input policy.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'
	option flow_offloading '1'

# Trusted zone: full access to the router and free forwarding inside the zone.
config zone 'lan'
	option name 'lan'
	# Matches any device whose name starts with vpns.
	list device 'vpns+'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	# NOTE(review): no wg0 interface appears in the network config shown; verify.
	list network 'wg0'

# Untrusted upstream zone: input rejected, outbound traffic masqueraded.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	# NOTE(review): vpns is also listed in the vpn zone later in this file, and
	# vpns+ devices are matched by the lan zone. One network in several zones
	# makes the effective policy hard to reason about; confirm which is intended.
	list network 'vpns'

# lan clients may reach the internet.
config forwarding
	option src 'lan'
	option dest 'wan'

# Traffic rules. Rules with only src are input rules (traffic to the router);
# rules with src and dest are forward rules.

# NOTE(review): accepts traffic from any zone to 192.168.130.116 with no proto
# or port restriction. That address is outside every subnet configured in the
# network file shown. Confirm the rule is still needed and narrow it if so.
config rule
	option name 'opnsense'
	option src '*'
	list dest_ip '192.168.130.116'
	option target 'ACCEPT'

# Lets DHCP replies from the upstream server reach the router on wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Router answers IPv4 ping from wan.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client traffic from wan.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast listener discovery, link-local sources only.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest *), rate limited.
# This also covers the dummy zones defined later in the file.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec passthrough from wan to lan hosts (ESP, and IKE on udp/500 below).
# Neither rule restricts dest_ip, so they apply to every lan host.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Opens udp/1234 on the router to wan.
config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '1234'
	option target 'ACCEPT'

# NOTE(review): this port forward has no dest_ip or dest_port, so the target
# host is not visible here (possibly trimmed before posting). Verify.
config redirect
	option target 'DNAT'
	option name 'Xbox'
	option src 'wan'
	option dest 'lan'
	option src_dport '49621'

# Opens tcp and udp 4443 on the router to wan.
config rule 'oc'
	option src 'wan'
	option dest_port '4443'
	option proto 'tcp udp'
	option target 'ACCEPT'
	option name 'Allow OpenConnect'

# Would drop forwarded DNS between all zones; currently disabled (enabled 0).
config rule
	option name 'Block DNS'
	option src '*'
	option dest_port '53'
	option target 'DROP'
	option dest '*'
	option enabled '0'

# Source NAT for 192.168.121.0/24 when it leaves through br-lan.
config nat
	option target 'MASQUERADE'
	option device 'br-lan'
	option src_ip '192.168.121.0/24'
	option src 'lan'
	option name 'Allow local LAN on VPN'
	list proto 'all'

# VPN clients may reach lan hosts. Nothing in the posted file forwards
# from vpn to the dummy zones.
config forwarding
	option src 'vpn'
	option dest 'lan'

# NOTE(review): the vpns network is also a member of the wan zone earlier in
# this file, where input is REJECT; here input is ACCEPT. Confirm which zone
# is meant to own it.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'vpns'

# Hook for miniupnpd, which lets clients request port mappings on wan.
# NOTE(review): the miniupnpd config is not shown; check that the test
# networks are not among the interfaces it serves.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Zones for the two test networks.
# NOTE(review): "config firewall" is not one of the section types used
# elsewhere in this file (defaults, zone, forwarding, rule, redirect, nat,
# include); these two sections most likely have no effect.
config firewall
	option name 'dummy_lanf'
	list network 'dummy_lan'

# NOTE(review): no input policy is set, so this zone presumably inherits
# input ACCEPT from the defaults section and clients on the 192.168.140.0/24
# segment can reach the router's own services. For a zone meant to be isolated,
# set an explicit "option input" and allow only what the segment needs.
config zone
	option name 'dummy_lanz'
	option forward 'REJECT'
	# dummy_lanf is not an interface in the network config; only dummy_lan is.
	list network 'dummy_lanf'
	list network 'dummy_lan'

config firewall
	option name 'dummy_wanf'
	list network 'dummy_wan'

# NOTE(review): input is unset here as well (see the note on dummy_lanz).
# If it is tightened, the test clients still need DHCP and DNS on the router.
config zone
	option name 'dummy_wanz'
	# masq here rewrites traffic leaving through dummy_wan. Traffic from these
	# clients to the internet is already masqueraded by the wan zone, so this
	# option is probably not needed; verify.
	option masq '1'
	# dummy_wanf is not an interface in the network config; only dummy_wan is.
	list network 'dummy_wanf'
	list network 'dummy_wan'

# The only forwarding defined for the test networks: dummy_wanz to wan.
# With defaults forward REJECT and no forwarding to lan, routed traffic from
# dummy_wan to the main LAN is not permitted by this file.
config forwarding
	option src 'dummy_wanz'
	option dest 'wan'

wireless

# Access point for the dumb-AP segment. "option network dummy_lan" attaches it
# to the same bridge as port lan2, so wireless clients sit directly on that
# segment and get their addresses from whatever DHCP server lives there.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'dummy_lan'
	# WPA2-PSK.
	option encryption 'psk2'
	# NOTE(review): looks like a placeholder. The passphrase is the only thing
	# protecting layer-2 access to the bridged segment; use a long random one.
	option key 'secret'
	option network 'dummy_lan'
	# The AP is currently switched off.
	option disabled '1'

dhcp

# DHCP server pools. There is deliberately no pool for dummy_lan, which matches
# the dumb-AP goal: the router must not hand out leases on that segment.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# force 1: serve DHCP on lan even if another server is detected.
	option force '1'

# No DHCP service towards the upstream network.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# Pool for the simulated ISP network: 150 leases starting at offset 100.
# The firewall zone containing dummy_wan must allow DHCP and DNS input
# for these clients to get a lease and resolve names.
config dhcp 'dummy_wan'
	option interface 'dummy_wan'
	option start '100'
	option limit '150'
	option leasetime '12h'
# Suggested fix, applied in three steps: firewall, network, wireless.

# @zone[3] is positional. In the firewall config posted above the zones appear
# in the order lan, wan, vpn, dummy_lanz, dummy_wanz, so index 3 resolves to
# dummy_lanz. Check with `uci show firewall` first; on a router with a different
# zone order this would change the forward policy of another zone.
uci set firewall.@zone[3].forward="ACCEPT"
uci commit firewall
service firewall restart
# Let dummy_lan come up automatically and drop the legacy bridge option from
# the interface section (the bridge is defined by the br_dummylan device).
uci -q delete network.dummy_lan.auto
uci -q delete network.dummy_lan.type
# Keep the DHCP lease on dummy_lan from installing a default route or DNS
# servers, so wan stays the only upstream for the router.
uci set network.dummy_lan.defaultroute="0"
uci set network.dummy_lan.peerdns="0"
uci commit network
service network restart
# Enable the dummy_lan access point.
uci set wireless.wifinet2.disabled="0"
uci commit wireless
wifi reload

Remove the "option type bridge" line; it does not belong in an interface section. The bridge is already defined by the "config device" section for br_dummylan.
