My way was not working, so I will try your way tomorrow.
Thanks in the meantime.
DaLonge
feel free to post your config when you're ready -- happy to review it.
Fritz!OS has very little (effectively no) support for more advanced configuration such as VLANs or similar features, but it can be configured for IPoE mode (DHCP client), basically their equivalent of a dumb-AP setup. This allows you to use its phone features (SIP PBX, SIP ATA, DECT) and its wireless as a simple AP, but you lose the modem functionality (as Fritz!OS won't provide any means to split that out to a different bridged VLAN, to be used by your router).
Disclaimer: I'm using an older Fritz!Box with Fritz!OS in a locked down VLAN behind my OpenWrt router myself, wireless disabled (as it's useless, 2.4 GHz-only, 802.11n), just for its phone features, as the OS is maintained/ updated relatively well (better than most VoIP specific gear - and the hardware is relatively cheap to replace/ update) and as it gives me one analogue FXS port for a fax machine, allows connecting up to 6 DECT (cat iq-2.0) handsets and provides up to 10 internal SIP accounts for SIP based desk phones (and routing up to 10 external phone numbers). The phone features are pretty good, the routing/ firewall features much less so.
Thanks for the right hints. My Turris router now has access to the internet on port 4. The server is known from the internet side but it can't receive any packet (5 packets transmitted, 0 received, 100% packet loss, time 4148ms). The firewall should be open to all sides.
My config now
/etc/config# cat network
# /etc/config/network (Turris, first attempt) -- review notes added as '#' comments.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdb0:a489:b7d1::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
# NOTE(review): acceptlocal lets the bridge accept packets carrying a local source
# address; a plain LAN bridge does not need it -- confirm why it was set, else drop it.
option acceptlocal '1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
# lan owns 192.168.123.0/24; the Port4 and port3 interfaces below use addresses
# inside this same /24, so the three interfaces overlap (the reply further down
# in the thread points this out and asks for distinct subnets).
option ipaddr '192.168.123.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
# Single-member bridge around eth4; a bare 'eth4' device gives the same result
# (the later reply in the thread removes these bridges).
config device
option type 'bridge'
option name 'port4'
list ports 'eth4'
# NOTE(review): 192.168.123.4/24 overlaps lan's 192.168.123.0/24 -- routing between
# lan and Port4 cannot work while both claim the same subnet.
config interface 'Port4'
option proto 'static'
option device 'port4'
option ipaddr '192.168.123.4'
option netmask '255.255.255.0'
# Single-member bridge around eth3; same remark as for port4.
config device
option type 'bridge'
option name 'port3'
list ports 'eth3'
# NOTE(review): 192.168.123.3/24 overlaps lan and Port4 as well -- same problem.
config interface 'port3'
option proto 'static'
option device 'port3'
option ipaddr '192.168.123.3'
option netmask '255.255.255.0'
/etc/config# cat firewall
# /etc/config/firewall (Turris, first attempt) -- review notes added as '#' comments.
config defaults
# Default INPUT policy ACCEPT: any zone that does not set its own 'input' policy
# lets traffic reach services running on the router itself.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option mtu_fix '1'
# NOTE(review): input ACCEPT on the wan zone exposes every service listening on
# the router (dnsmasq per the dhcp file below, plus anything else that listens)
# to the upstream side. The OpenWrt default is 'REJECT', with the Allow-* rules
# below opening only what is needed; `option input 'REJECT'` restores that.
option input 'ACCEPT'
# NOTE(review): forward ACCEPT on wan, together with the wan->P4 and wan->P3
# forwardings at the end of this file, permits unsolicited inbound connections
# into those networks whenever the upstream can route to them. Default is REJECT.
option forward 'ACCEPT'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
# The Allow-* rules below are the stock OpenWrt wan->router rules; with wan input
# already ACCEPT they have no effect until that policy is tightened.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Zone for the Port4 network; fully open in all three directions.
config zone
option name 'P4'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Port4'
config forwarding
option src 'P4'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'P4'
config forwarding
option src 'P4'
option dest 'wan'
# NOTE(review): wan->P4 allows any inbound connection from the upstream side into
# Port4 without a port forward; normally only explicit redirects should do this.
config forwarding
option src 'wan'
option dest 'P4'
# Zone for the port3 network; fully open like P4.
config zone
option name 'P3'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'port3'
option forward 'ACCEPT'
config forwarding
option src 'P3'
option dest 'lan'
config forwarding
option src 'P3'
option dest 'P4'
config forwarding
option src 'P3'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'P3'
config forwarding
option src 'P4'
option dest 'P3'
# NOTE(review): same remark as for wan->P4 above.
config forwarding
option src 'wan'
option dest 'P3'
/etc/config# cat dhcp
# /etc/config/dhcp (Turris, first attempt) -- review notes added as '#' comments.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# localservice restricts DNS answers to sources on directly attached subnets;
# worth keeping, since the firewall file above accepts input on the wan zone.
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Pool .40-.84 on Port4; dynamicdhcp 0 means only static leases (config host) are served.
config dhcp 'Port4'
option interface 'Port4'
option leasetime '12h'
option start '40'
option limit '45'
option dynamicdhcp '0'
# Pool .30-.64 on port3. NOTE(review): with Port4, port3 and lan all on the same
# 192.168.123.0/24 (see the network file), .40-.64 is claimed by two pools.
config dhcp 'port3'
option interface 'port3'
option leasetime '12h'
option start '30'
option limit '35'
option force '1'
# Static lease; .41 falls inside the Port4 pool range.
config host
option mac 'D8:58:D7:01:05:69'
option ip '192.168.123.41'
If I put the Turris directly on the internet, everything works fine. So after a coffee I'll look further. I have never been as close as we are now.
Thanks
DaLonge
This overlaps the main lan and thus it won't work...
On a /24 network (255.255.255.0 subnet mask), a simple way of ensuring that they don't overlap is to use a different number in the third octet. For example:
- 192.168.123.1/24 on lan
- 192.168.124.1/24 on port 4
- 192.168.125.1/24 on port 3
These are just examples, but it is mandatory that they are different, non-overlapping subnets.
If it helps, read up on how subnets work:
and a calculator might be useful, too.... (there are tons of different free sites and apps with subnet calculators, here's just one):
After a lot of trying I think it will not be possible to split the network into 2 or 3 separate networks. But what I still don't understand: even if I forward the ports from the first to the second router, it'll not work.
My current settings are
network
# /etc/config/network (ER-X, second attempt) -- review notes added as '#' comments.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd3b:7901:e243::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
# Single-member bridges; a bare eth4 / eth3 device would do (see the thread's
# later reply, which removes them).
config device
option type 'bridge'
option name 'port4'
list ports 'eth4'
config device
option type 'bridge'
option name 'port3'
list ports 'eth3'
# NOTE(review): 192.168.4.0 is the network address of 192.168.4.0/24, not a usable
# host address; the interface should get e.g. .1 (pointed out further down the thread).
config interface 'P4'
option device 'port4'
option proto 'static'
option ipaddr '192.168.4.0'
option netmask '255.255.255.0'
# NOTE(review): same problem -- 192.168.3.0 is the network address of this /24.
config interface 'P3'
option device 'port3'
option proto 'static'
option ipaddr '192.168.3.0'
option netmask '255.255.255.0'
firewall
# /etc/config/firewall (ER-X, second attempt) -- review notes added as '#' comments.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# NOTE(review): input ACCEPT on wan exposes every service listening on the router
# to the upstream side; the OpenWrt default is 'REJECT' plus the Allow-* rules below.
option input 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'p4'
option input 'ACCEPT'
option output 'ACCEPT'
# family ipv4: this zone's rules are generated for IPv4 only.
option family 'ipv4'
list network 'P4'
option forward 'ACCEPT'
# NOTE(review): the 'port3' device is put into zone p4 here, while network P3
# (on that same device) is in zone p3 below -- conflicting zone membership.
# Both 'list device' lines are redundant with the 'list network' entries.
list device 'port3'
list device 'port4'
config forwarding
option src 'p4'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'p4'
config forwarding
option src 'p4'
option dest 'wan'
config zone
option name 'p3'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'P3'
option forward 'ACCEPT'
config forwarding
option src 'p3'
option dest 'lan'
config forwarding
option src 'p3'
option dest 'p4'
config forwarding
option src 'p3'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'p3'
config forwarding
option src 'p4'
option dest 'p3'
# DNAT port forwards. NOTE(review): every dest_ip below is 192.168.4.1 -- the
# address the router's own P4 interface is meant to carry (see the reply in the
# thread: "they were pointing to the er-x itself, not the downstream devices").
# The target must be the host that runs the service.
config redirect
option dest 'p4'
option target 'DNAT'
option name '80'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.4.1'
option dest_port '80'
config redirect
option dest 'p4'
option target 'DNAT'
option name '22'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.4.1'
option dest_port '22'
# NOTE(review): udp only -- HTTPS normally needs tcp/443; confirm this is intended.
config redirect
option dest 'p4'
option target 'DNAT'
option name '443'
list proto 'udp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.4.1'
option dest_port '443'
# Redirects without 'list proto' apply to tcp and udp (the default).
config redirect
option dest 'p4'
option target 'DNAT'
option name '10000'
option src 'wan'
option src_dport '10000'
option dest_ip '192.168.4.1'
option dest_port '10000'
config redirect
option dest 'p4'
option target 'DNAT'
option name '4443'
option src 'wan'
option src_dport '4443'
option dest_ip '192.168.4.1'
option dest_port '4443'
config redirect
option dest 'p4'
option target 'DNAT'
option name '5347'
option src 'wan'
option src_dport '5347'
option dest_ip '192.168.4.1'
option dest_port '5347'
config redirect
option dest 'p4'
option target 'DNAT'
option name '5222'
option src 'wan'
option dest_ip '192.168.4.1'
option src_dport '5222'
option dest_port '5222'
config redirect
option dest 'p4'
option target 'DNAT'
option name '8080'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.4.1'
option dest_port '8080'
# NOTE(review): dest zone is 'lan' but dest_ip is in the P4 subnet, which belongs
# to zone p4 -- inconsistent with the other redirects.
config redirect
option dest 'lan'
option target 'DNAT'
option name '3478'
option src 'wan'
option src_dport '3478'
option dest_ip '192.168.4.1'
option dest_port '3478'
config redirect
option dest 'p4'
option target 'DNAT'
option name '5349'
option src 'wan'
option src_dport '5349'
option dest_ip '192.168.4.1'
option dest_port '5349'
# NOTE(review): wan->p4 and wan->p3 forwardings allow any unsolicited inbound
# connection into those networks (not just the redirected ports) whenever the
# upstream can route to them; the redirects above do not need these.
config forwarding
option src 'wan'
option dest 'p4'
config forwarding
option src 'wan'
option dest 'p3'
So right now each router has NAT on its WAN port and the firewall is set up as above.
Maybe there is someone who can explain why I can't forward the ports.
And maybe somebody has a better idea than me.
Greetings DaLonge
There are a few things going on. Not all are essential, but they will clean things up.
Delete these bridges since they are not necessary:
Then assign the Ethernet ports (eth4 and eth3, respectively) in the device files instead of port4, port3:
Next, add networks P3 and P4 to the lan zone:
And then delete all of this:
And also this:
Now, create one port forward from wan zone to the lan zone (with a specific port and ip address) and test it.
The problem with your existing port forwards is that they were pointing to the er-x itself, not the downstream devices that host the relevant services. Make sure you use the address of the device hosting the service.
Post these two files again when you have edited accordingly.
First, thanks for trying to help me.
As I figured out, my solution will not work. It was a completely wrong way of thinking. I think I have to install a reverse proxy server which handles the network traffic to the different domains for me, on one of the OpenWrt routers.
Right now I'm not sure if I should close this thread or not, because it would change the topic of it.
I am still looking at which server will be right for me. I will install it on my Turris router. The Fritz will be used for one network and the ER-X will get a config where I can do a plug-and-play swap of the hardware if I get a problem with it.
Greetings DaLonge
I forgot: I will also still try psherman's settings, just to know whether they work.
But that will be tomorrow or on the weekend.
DaLonge
Just noticed this. The .0 address is invalid on a /24 network. Change it to .1, and do the same on all the other networks.
After long time I had time to look for my problem.
psherman's last solution is working. I can forward the ports to my routers.
network settings
# /etc/config/network (ER-X, working version) -- review notes added as '#' comments.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fda9:7feb:732e::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
# lan: 192.168.11.0/24
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.11.1'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
# Bare device sections replace the earlier single-member bridges.
config device
option name 'eth4'
config device
option name 'eth3'
# port4: 192.168.14.0/24 -- distinct from lan and port3, so routing between them works.
config interface 'port4'
option device 'eth4'
option proto 'static'
option ipaddr '192.168.14.1'
option netmask '255.255.255.0'
# port3: 192.168.13.0/24
config interface 'port3'
option proto 'static'
option device 'eth3'
option ipaddr '192.168.13.1'
option netmask '255.255.255.0'
firewall
# /etc/config/firewall (ER-X, working version) -- review notes added as '#' comments.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
# NOTE(review): default FORWARD policy ACCEPT -- any zone without its own 'forward'
# policy may forward freely. Here only wan overrides it (REJECT below); the OpenWrt
# default for this option is 'REJECT'.
option forward 'ACCEPT'
option flow_offloading '1'
# All three networks share one zone, so lan, port4 and port3 can reach each other
# without restriction; this is what makes the port forwards below simple, at the
# cost of the segregation originally asked for in the thread.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'port4'
list network 'port3'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# NOTE(review): input ACCEPT on wan exposes every service listening on the router
# itself to the upstream side, on any port that is not DNAT'ed below. The OpenWrt
# default 'REJECT' plus the Allow-* rules is the safer baseline; the redirects
# keep working either way, since DNAT is applied before the input policy.
option input 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# DNAT port forwards from wan into the lan zone (which now holds port4/port3).
# Redirects without 'list proto' apply to both tcp and udp (the default).
config redirect
option dest 'lan'
option target 'DNAT'
option name 'ssh'
list proto 'tcp'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.14.100'
option dest_port '22'
# NOTE(review): this one targets 192.168.13.100 (port3 side) while the rest target
# 192.168.14.100 -- confirm that is intended.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.13.100'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.14.100'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'jvb'
option src 'wan'
option src_dport '10000'
option dest_ip '192.168.14.100'
option dest_port '10000'
# NOTE(review): dest_ip 192.168.14.1 is the router's own port4 address (see the
# network file), not the .100 host the other forwards use -- the exact mistake the
# earlier reply in the thread warned about. Likely meant `option dest_ip '192.168.14.100'`.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'JVB'
option src 'wan'
option src_dport '4443'
option dest_ip '192.168.14.1'
option dest_port '4443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'prosody'
option src 'wan'
option src_dport '5347'
option dest_ip '192.168.14.100'
option dest_port '5347'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Prosody'
option src 'wan'
option src_dport '5222'
option dest_ip '192.168.14.100'
option dest_port '5222'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'fallback'
option src 'wan'
option src_dport '8080'
option dest_ip '192.168.14.100'
option dest_port '8080'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'jisiu'
option src 'wan'
option src_dport '3478'
option dest_ip '192.168.14.100'
option dest_port '3478'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'jitsiub'
option src 'wan'
option src_dport '5349'
option dest_ip '192.168.14.100'
option dest_port '5349'
So, I'm not sure if it is possible, but I hope I can configure nginx to direct the ports to the routers.
First I have to look how to config a reverse-proxy.
I'll be happy about every idea.
Greetings
DaLonge
Glad I could help!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
Thanks Dalonge