Double NAT in a home network

ralegex954 · August 24, 2021, 7:40pm

Greetings. I have a main router, in one of the LAN ports of which a laptop with OpenWRT is connected, it acts as a Samba server and Wi-Fi access point. This is the only port in the laptop defined by the system as eth0, and if in the interfaces to create a new interface for eth0, and in the protocol to select the DHCP-client and create a bridge, in the settings of access point interface to select this created br-wan, then everything works fine, but I do not want to create a bridge between Wi-Fi and gateway, I need the laptop to be as a NAT-router too. How do I properly configure the interfaces and firewall for this?

Gateway IP: 192.168.1.1
Laptop IP in the router's network: 192.168.1.130

I am also attaching my configs below:

network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd91:d418:f904::/48'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0'
        option type 'bridge'

firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config include
        option path '/etc/firewall.user'

wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:1c.1/0000:02:00.0'
        option txpower '18'
        option channel 'auto'
        option country 'UA'
        option htmode 'HT20'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'ssid'
        option encryption 'psk2+ccmp'
        option key 'password'
        option network 'wan'

ralegex954 · August 24, 2021, 8:36pm

Okay, after that I created another interface, its settings can be seen in the new config:

network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd91:d418:f904::/48'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0'
        option type 'bridge'

config interface 'lan'
        option proto 'static'
        option ifname 'br-wan'
        option ipaddr '10.10.0.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option type 'bridge'

And also changed the settings of the wireless, changing the network there, it turned out like this:

wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:1c.1/0000:02:00.0'
        option txpower '18'
        option channel 'auto'
        option country 'UA'
        option htmode 'HT20'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'ssid'
        option encryption 'psk2+ccmp'
        option key 'password'
        option network 'lan'

Now one problem, the devices connect, but there is no internet (at the connected devices).

vgaetera · August 24, 2021, 8:40pm

ralegex954 · August 24, 2021, 9:06pm

If I'm not wrong, I already did.

vgaetera · August 24, 2021, 9:17pm

Assign the downstream and upstream interfaces to separate firewall zones.
Add forwarding from the downstream firewall zone to the upstream.
Enable masquerading on the upstream firewall zone.

ralegex954 · August 24, 2021, 9:28pm

Yes, it works, thanks!

system · September 3, 2021, 9:29pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.