ER-X: give each port its own wwan access for a router

I want my ER-X (OpenWrt 22.3.5) router to give each port its own wwan access. In the end it should be something like a router cascade whose members can talk to each other.
My idea is port0=wwan, port1=DNS server for all, port2=for test (or one bridge together with port1), port3=wwan access for 2nd network (IoT, VDR, nginx, SMB clients), port4=wwan access for 3rd network (main computer, Apache, SMB). The networks should be reachable by their own FQDN. My plan was to make each port a bridge device with its own firewall rules. But I never got it working. So I want to start from the beginning again.
Current settings are:

root@OpenWrt:/etc/config# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd8d:cf29:1175::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.123.1'
        option netmask '255.255.0.0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

root@OpenWrt:/etc/config# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

So please feel free to help me get things running.
Thanks in advance, DaLonge!

The term wwan means “wireless wide area network” - basically a wireless connection to the upstream network/isp. Think of it like a cellular connection or a connection to a hotel’s wifi.

Since your device doesn’t have any wifi at all, I’m guessing you are using the wrong term.

It seems that you want each port to be a unique local area network (lan), is that correct?

Can you draw a picture of your proposed topology?


Was my mistake, should be wan.
But thanks for the quick reply.
This was my original idea!

Those are all overlapping subnets, so what you’ve drawn won’t work. In addition, those subnets are unnecessarily large, especially if there is a router connected to each port.

Why are there routers connected downstream of the er-x? You can have a single router setup multiple subnets that can be isolated from each other, so aside from wifi (as a dumb ap), no other routers are required.

I’m still quite confused as to what the goal is here. Maybe draw a new diagram?

I thought I needed the /16 subnet for communication between the networks?

No. Not at all.
I’m still trying to figure out the details since the extra routers are not necessary.

And as we see I'm no expert, so I want to run them on separate hardware.
If I have a problem I'll not break everything.
DaLonge

So you think 192.168.124.4/24 with broadcast 0.0.0.225,
.3/24 0.0.0.255 will be right?

Will try the following settings next:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd7c:7656:d1cc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.123.1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'Port4'
        list ports 'eth4'

config interface 'port4'
        option proto 'static'
        option device 'Port4'
        option ipaddr '192.168.123.4'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'Port3'
        list ports 'eth3'

config interface 'port3'
        option proto 'static'
        option device 'Port3'
        option ipaddr '192.168.123.3'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Port4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'port4'
        option forward 'ACCEPT'

config forwarding
        option src 'Port4'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Port4'

config forwarding
        option src 'Port4'
        option dest 'wan'

config zone
        option name 'Port3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'port3'
        option forward 'ACCEPT'

config forwarding
        option src 'Port3'
        option dest 'lan'

config forwarding
        option src 'Port3'
        option dest 'Port4'

config forwarding
        option src 'lan'
        option dest 'Port3'

config forwarding
        option src 'Port4'
        option dest 'Port3'

config forwarding
        option src 'Port3'
        option dest 'wan'

Hope it will work!

No, that config will not work. You may have already figured that out.

Is your expectation that the 4 ports will be on the same network? Or do you want each port to be on a different network?

It would be very helpful if you could explain what you ultimately hope to achieve with respect to each of the downstream subnets. The fact that you are using downstream routers is going to make it much harder (or maybe impossible, depending on the router firmware) for your devices to communicate with each other. It's not clear if this is something you want or if you want your devices to be isolated from each other.

If you are using the downstream routers to in-effect isolate your devices from each other, you don't need any special configuration on your ER-X - the default OpenWrt config (or with some very minor changes) will be best in that scenario.

Sorry for answering late.
The idea is that behind each port is its own network. But behind the first router they should be able to communicate with each other. And I want to reach each network with a FQDN.
But as you write, it's not working. I think I have a deep mistake in my concept. It has already been a hard road with a lot of trial and error until now.
Greetings, DaLonge

This is very easy to do. But why have additional routers connected downstream of this? The benefit of creating multiple networks on the primary router is that you don't need any other routers... usually just switches and/or APs.

If you have additional routers downstream, this will probably not work unless they are running OpenWrt or another advanced firmware that allows you to disable NAT masquerading, adjust firewall rules, and potentially set up static routes.

From where? From within the network or from the internet?

Yup... what you're trying to achieve, at least in part, certainly is possible, but it would be helpful to understand why you've got those additional routers and what firmware they are running.

The first router (ER-X) should give each port its own network.
Each of these networks should be reachable from the internet by its own domain.
And some of the services should be shared between my networks.
I know that this could be achieved only by software on the Turris Omnia, but I like hardware solutions and, as we see, I can learn and understand something.

I forgot to write:
The ER-X and Turris run OpenWrt in the latest version and the FB runs FritzOS (because of the DECT functions).

This will be difficult unless you have multiple public IPv4 addresses and/or IPv6. You can set up an nginx reverse proxy which will work for web based connections and will then enable this type of thing, but it isn't so straightforward for other services.

What services do you plan to host on the network?

I don't know what FritzOS has in terms of functionality, but I am guessing that you cannot disable NAT masquerading. That will be generally disqualifying for your needs unless the connection needs are relatively minimal.

I still don't understand why you are using multiple routers, though. The ER-X (OpenWrt, or even EdgeOS) can set up multiple networks and route between them with no need for additional downstream routers. What is the reason you feel you must have these other routers?

The first one should run Apache with Nextcloud (and later mail), SMB between the networks, my main computer and WLAN.
The second one should be my IoT network, like VDR, Kodi, ...
On the third one I want to run an nginx server with Jitsi. Until now I run these things under one network for my own use. But I want to help some relatives of mine in the ph. who work as teachers and give them a lot of space on the Nextcloud server for two classes and their teachers. So the idea is to make this construct, and if I have some hardware problems I can change the config and carry on without losing everything for a long time.

Very simply... there is no need for the downstream routers. Downstream routers will only complicate your network and make inter-vlan connections difficult or impossible. It will also not help with fault-tolerance since the downstream routers will be connected to the main router, so a problem with the main router will still affect everything downstream.

The proper way to do this is to simply set up as many independent subnets as needed for your application on the ER-X, assign them to physical ethernet ports, and then connect switches and/or dumb APs and the downstream host devices.

So you mean a bridge device with IP 192.168.4.1/16 and 192.168.3.1/16
on the ER-X.

No. I'm suggesting that you do something like this (just an example):

  • eth0 = wan
  • eth1 = 192.168.1.0/24
  • eth2 = 192.168.2.0/24
  • eth3 = 192.168.3.0/24
  • eth4 = 192.168.4.0/24

Each network can have a DHCP server, and then depending on your goals with respect to allowing/limiting connections, you can set up the firewall to provide the amount of inter-network connectivity that you desire.

In this model, you will not use any downstream routers, unless you are using them purely as dumb APs or switches. No routing involved downstream.
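The overlap problem raised earlier in the thread (lan, port3 and port4 all inside 192.168.123.0/24, and the original /16 lan) can be checked mechanically. Below is an added Python example, not code from the thread or from OpenWrt: it parses the `config interface` sections of an /etc/config/network file and lists interface pairs whose static subnets overlap. The sample config is constructed from the second config posted above; the one-/24-per-port layout from the last reply produces no overlaps.

```python
import ipaddress
import re

# Constructed sample: the static interfaces from the second config posted in the thread.
POSTED_CONFIG = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.123.1'
        option netmask '255.255.255.0'
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
config interface 'port4'
        option proto 'static'
        option ipaddr '192.168.123.4'
        option netmask '255.255.255.0'
config interface 'port3'
        option proto 'static'
        option ipaddr '192.168.123.3'
        option netmask '255.255.255.0'
"""

def parse_uci_interfaces(text):
    """Return {name: {option: value}} for each 'config interface' section ('list' lines ignored)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"config\s+interface\s+'([^']+)'", line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        opt = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
        if opt and current is not None:
            current[opt.group(1)] = opt.group(2)
    return sections

def static_subnets(sections):
    """Map each proto=static interface to its IPv4 subnet; DHCP interfaces (the wan) have none and are skipped."""
    nets = {}
    for name, opts in sections.items():
        if opts.get("proto") == "static" and "ipaddr" in opts:
            # ipaddr may carry its own /prefix; otherwise combine it with the dotted netmask
            addr = opts["ipaddr"] if "/" in opts["ipaddr"] else f"{opts['ipaddr']}/{opts['netmask']}"
            nets[name] = ipaddress.ip_interface(addr).network
    return nets

def overlapping_pairs(nets):
    """Sorted (a, b) interface pairs whose subnets overlap; an empty list means the plan is routable."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    for a, b in overlapping_pairs(static_subnets(parse_uci_interfaces(POSTED_CONFIG))):
        print(a, "overlaps", b)
```

Run it against a real /etc/config/network by reading the file into the `text` argument instead of `POSTED_CONFIG`.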