I use a Zyxel NR7101 for its LTE modem and as far as I am aware, IP passthrough is not easily obtainable in OpenWrt, and hence I have adopted the following setup with upstream and downstream routers:
192.168.0.1 - Zyxel NR7101 (upstream router with LTE modem);
192.168.1.1 - RT3200 (downstream router); and
ethernet cable connecting the LAN port of the Zyxel to WAN port of the RT3200,
I have avoided double NAT by disabling masquerading at the downstream RT3200.
In addition, with help from @moeller0, in order to make use of the 2.4GHz access point at the Zyxel, I have set up VLANs so as to split the data carried by the wan cable into: 1) the wan data; and also 2) the 2.4GHz AP data.
So I have set up two VLANs:
lan.2 (AP data) bridged to br-lan at the RT3200
lan.3 (WAN data), with the wan interface on the RT3200 set to 'lan.3'
And my challenge now is that I don't want 'LAN data' between the Zyxel and RT3200 to go through lan.3 because then QoS on lan.3 will throttle it.
How do I achieve this? I see three possible ways:
setup 3x VLANs:
lan.2 (Zyxel<>RT3200 data)
lan.3 (AP data)
lan.4 (wan data)
(but this introduces routing complexity);
somehow have Zyxel<>RT3200 data go via lan.2 (is this possible?); or
another, better, completely different way, e.g. make the Zyxel IP passthrough or a dumb AP point even though wan is routed through to it and I am using it for its LTE modem.
The second or third options seem desirable given the complexity associated with the first.
So here is a crappy idea: bridge LAN.3 with the WiFi interfaces on the Zyxel but do not assign them to anything else, with a bit of luck connected devices might just be served from the OpenWrt DHCP server from the RT3200 over lan.3.
I think you need a proper WAN interface for your LTE connection to work, so the Zyxel will treat LTE/LAN.2 as its main network, my idea is to see what happens if the Zyxel essentially ignores WiFi and LAN.2. Whether that will work I have no idea, but it well could.
This is complementary to my set-up, where I bridged the DSL port with one ethernet port (LAN7) and did not let the BT HH5A (running OpenWrt) touch that bridge any further so it simply passes on packets from one port to the other...
I may be missing something, but I am not entirely following your proposed solution to my puzzle of how to additionally separate Zyxel<>RT3200 from wan traffic (mindful that with your help I have already separated AP data from the wan traffic).
I think I'm already doing that. The Zyxel sends AP data over lan.2 (VLAN for Zyxel AP lan data) directly to the RT3200 (where the corresponding VLAN, wan.2 is bridged with br-lan), and thus devices connected to the Zyxel AP already indeed get served an IP address from the RT3200.
My bother is that right now say if I run iperf3 between my Zyxel and RT3200, this will go over lan.3 and wan.3 (VLAN for wan data) and thus get throttled by cake. For me this is intellectually unsatisfactory even though it's a somewhat academic problem since I don't intend to make a habit of running such tests.
Earlier on @psherman helped me work out how to avoid double nat in this situation, and that works. Now you've shown me how to successfully isolate the Zyxel AP data from wan cable interconnecting the Zyxel and RT3200, but Zyxel<>RT3200 data is now also needing separating from the wan.
And either I crate another VLAN to deal with that (but then this adds complicated routing) or I'm hoping there is another way.
For example, right now I have the AP data on the Zyxel sent to a software bridge on the Zyxel that contains lan.2. That interface is 'unmanaged'. Can I not just give that interface an IP on the same subnet as my RT3200 that means I can then access my device via br-lan on my RT3200 and thus over lan.2?
I tried to do that but it resulted in loss of connectivity. I wasn't sure what to put on as the gateway IP address in this situation. I tried 192.168.1.1 (my RT3200 IP address). But that failed.
Or perhaps I can do something completely different like make the Zyxel a dumb AP point and have it feed wan data over VLAN. But again I am not sure if that's possible.
All of this makes me wonder if perhaps I'm not doing things right and there's another better, more elegant way.
Well, do not do this then.... the prposed/implemented vlan/bridge tickery really only aims at connecting the zyxels wlan interface(s) with the rt3200's lan side so thezyxel acts also as dumb AP for your internal network.
You could, of course, add a third VLAN interface on both sides and statically asdign suitable IP addresses on both sides and access the zyxel's lan that way. However that is quite a complication that only gains you something if you have sufficient traffic to the zyxel...
But keep in mind that all these VLANs still share the same 1000 Mbps ethernet link, so I would not recommend to run saturating traffic through this pipe.... (sharing 2.4 GHz plus LTE seems okay, as their aggregate rate is unlikely to saturate the gbps link, but adding a wired speedtest might change that a bit).
That really depends on what trickery is required on your wan side. In my dsl example I bridged the DSL port with an unmanaged ethernet vlan, and I hence can access the modem's lan via a second vlan, avoiding your situation.... except I only ever use this to get dsl sync information from the modem, or update the firmware. Initially I used a dedicated SSID on the modem for that but got tired of switching SSIDs just to get DSL data....
So what configuration do you need to run on your zyxel for the LTE to work?
I would consider this: does your solution deliver what you require and do you fully understand the why and how of its operation? If the answer is yes to all of these, your solution looks like it is well above 'good enough' already
right now I have wan.2 (well lan.2 for the Zyxel) assigned to an 'unmanaged interface' on the Zyxel, and then bridged to br-lan on the RT3200.
Can I assign a static IP address to this interface on the Zyxel in the same 192.168.1.0 lan subnet as the RT3200 such that the Zyxel and RT3200 can talk to each other? If so, what gateway address do I use?
Right now on the Zyxel I have static route 192.168.1.0 with gateway 192.168.0.2 (IP address of RT3200 on the wan interface set to wan.3).
Not sure whether adding an IP to lan.2 would help... I think that this is not ideal assuming you use your rt3200's firewall*. In that case I would simply add an additional VLAN to connect a rt3200 wan.4 in the wan firewall zone to lan.4 on the zyxel, and maybe use two adresses out of 192.168.100.0/24 on the two sides.
*) I understand that a hypothetical attacker would only need to change the bridge configuration to get behind your firewall anyway, but I assume two things here:
a) most attacks are scripted and follow simple recipes that should work on many devices, so will not be prepared for a unusual config as yours
b) if a dedicated and competent attack-team targets one's home link, one likely is "toast" one way or the other.
but these are just that assumptions.
For my intended use-case where DSL-WAN.7 were bridged it will be hard for an attacker to slip out of the bridge to get to attack the DSL-router, in your case it is the zyxel's firewall that stands in the attackers way, I would guess modulo bugs and unusual lax firewall rules the risk in both cases should be small, maybe a tad smaller for the bridge case, but as far as I understand you can not isolate the LTE-lan.2 thing in its own bridge?
P.S.: Currently trying to replace my HH5A with something less CPU-limited, so I can actually go and implement such a set-up, the "modem" is already on 24/7 so adding AP capability should cost only very little extra power so is very attractive...
So I managed to set up routing rules on the Zyxel that mean that if a packet originates from 'wan' it will go to 'br-lan', which is bridged with wan.3, and if a packet originates from 'lo' it will go to an interface that is bridged with wan.2. If I understand correctly, packets from 'lo' corresponds with packets originating from the Zyxel itself?
This now means that i can access my Zyxel from any lan client on my downstream LAN subnet and can access any LAN client from the Zyxel.
But if I understand your post above correctly I think you are warning against this on the basis that it presents a security threat. Now if an attacker gains access to the Zyxel he gains access to my LAN network without any tinkering. Whereas some tinkering would be required had I not set up these routing rules.
Yes, if you open a connection from zyxel lan to rt3200 lan you have a path around the rt3200's firewall... If you relie on the Zyxel's firewall as primay defense then this is not that important, but if you consider the rt3200 your primary line of defense/access control then this configuration seems to pose challenges...
