This is the first time I am learning to connect two routers to route with each other. To keep everything simple, I want the same setup on the two routers, such that:
- IPs are resolved by hostname, like iphone.lan1, desktop.lan2, etc.
- All local clients are allowed to ping all devices, local or remote.
- Some local clients are allowed to access LuCI on the remote router.
- Some local clients are allowed to ssh to some remote clients.
When the firewall is not running on both routers, I can do 1 & 2, and ssh is open to all as well.
Please help me with how to set up the firewalls to make this work.
Thanks a lot!
I am trying this simple setup as a start; ultimately the goal is to build a proper tunnel over the Internet between two routers (DDNS with dynamic IP, etc.).
So at this moment, I will make it as simple as possible:
- I trust the ISP switch, so I do not need traffic encryption between the two routers.
- No other clients are on the ISP switch. The switch is physically inside my apartment.
- I consider that no one (except myself) will connect to that switch.
- Not at this moment. I want to focus on firewall zones/rules in this setup.
Next stage, I will try to use what I learned with this setup and move to a WireGuard tunnel over the proper Internet.
For dnsmasq you can configure a forward zone with:
Then local resolution will happen...
In that line, should I use the macvlan address, i.e. 10.1.0.1, or the LAN address 192.168.101.1?
The one your clients will access.
Both are possible if the router needs them as well.
In preference order.
You can also specify these DNS configs in the DHCP advanced options of LAN1:
Then clients will be forced onto these parameters.
Same for LAN2.
Edit: reading your draft, I mean the VLAN IPs.
This should be applied to R1 starting from factory defaults (it assumes the p2p interface is attached to the wan zone):
# Static route to LAN2 via R2's p2p address, leaving through the wan interface
uci -q delete network.lan_lan
uci set network.lan_lan="route"
uci set network.lan_lan.interface="wan"
uci set network.lan_lan.target="192.168.102.0/24"
uci set network.lan_lan.gateway="10.1.0.2"
uci commit network
# Answer DNS queries from non-local subnets and forward the lan2 domain to R2
uci set dhcp.@dnsmasq.localservice="0"
uci add_list dhcp.@dnsmasq.server="/lan2/10.1.0.2"
uci commit dhcp
# Do not masquerade traffic towards R2 or LAN2, so R2's rules see the real LAN1 sources
# (the wan zone is the second zone in the default config, hence @zone[1])
uci add_list firewall.@zone[1].masq_dest="!10.1.0.2/32"
uci add_list firewall.@zone[1].masq_dest="!192.168.102.0/24"
# Input rule: DNS on R1 is reachable only from R2 and LAN2
uci -q delete firewall.wan_dns
uci set firewall.wan_dns="rule"
uci set firewall.wan_dns.name="Allow-DNS-WAN"
uci set firewall.wan_dns.src="wan"
uci add_list firewall.wan_dns.src_ip="10.1.0.2/32"
uci add_list firewall.wan_dns.src_ip="192.168.102.0/24"
uci set firewall.wan_dns.dest_port="53"
uci set firewall.wan_dns.proto="tcp udp"
uci set firewall.wan_dns.target="ACCEPT"
# Input rule: SSH and LuCI on R1 are reachable only from LAN2
uci -q delete firewall.wan_admin
uci set firewall.wan_admin="rule"
uci set firewall.wan_admin.name="Allow-Admin-WAN"
uci set firewall.wan_admin.src="wan"
uci set firewall.wan_admin.src_ip="192.168.102.0/24"
uci set firewall.wan_admin.dest_port="22 80 443"
uci set firewall.wan_admin.proto="tcp"
uci set firewall.wan_admin.target="ACCEPT"
# Forward rule: LAN2 clients may ping LAN1 clients
uci -q delete firewall.l2l_icmp
uci set firewall.l2l_icmp="rule"
uci set firewall.l2l_icmp.name="Allow-ICMP-Forward"
uci set firewall.l2l_icmp.src="wan"
uci set firewall.l2l_icmp.src_ip="192.168.102.0/24"
uci set firewall.l2l_icmp.dest="lan"
uci set firewall.l2l_icmp.proto="icmp"
uci set firewall.l2l_icmp.icmp_type="echo-request"
uci set firewall.l2l_icmp.family="ipv4"
uci set firewall.l2l_icmp.target="ACCEPT"
# Forward rule: LAN2 clients may ssh to LAN1 clients
uci -q delete firewall.l2l_ssh
uci set firewall.l2l_ssh="rule"
uci set firewall.l2l_ssh.name="Allow-SSH-Forward"
uci set firewall.l2l_ssh.src="wan"
uci set firewall.l2l_ssh.src_ip="192.168.102.0/24"
uci set firewall.l2l_ssh.dest="lan"
uci set firewall.l2l_ssh.dest_port="22"
uci set firewall.l2l_ssh.proto="tcp"
uci set firewall.l2l_ssh.target="ACCEPT"
uci commit firewall
# Apply the changes
/etc/init.d/network restart
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart
The R2 should be configured symmetrically.
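The safety of the rules above rests on two details: every ACCEPT rule from the wan zone is scoped by src_ip, and the peer subnet is excluded from masquerading so those src_ip matches still work on the other side. The following audit script is an added example, not part of this thread or of vgaetera's config; the function names and the sample `uci export firewall` dump are constructed for illustration.

```shell
# Constructed sample of a `uci export firewall` dump: the peer-scoped admin
# rule from the thread plus one deliberately unscoped rule an audit must flag.
sample_config() {
    cat <<'EOF'
config zone
	option name 'wan'
	option masq '1'
	list masq_dest '!10.1.0.2/32'
	list masq_dest '!192.168.102.0/24'

config rule 'wan_admin'
	option name 'Allow-Admin-WAN'
	option src 'wan'
	option src_ip '192.168.102.0/24'
	option dest_port '22 80 443'
	option proto 'tcp'
	option target 'ACCEPT'

config rule 'oops'
	option name 'Allow-SSH-Any'
	option src 'wan'
	option dest_port '22'
	option proto 'tcp'
	option target 'ACCEPT'
EOF
}

# Print the name of every ACCEPT rule whose src is the wan zone and that has
# no src_ip (option or list): such a rule admits the whole ISP segment.
unscoped_wan_accepts() {
    awk '
    function flush() {
        if (rule && src == "wan" && target == "ACCEPT" && !scoped) print name
        rule = 0; name = ""; src = ""; target = ""; scoped = 0
    }
    $1 == "config" { flush(); rule = ($2 == "rule") }
    rule && $2 == "name"   { gsub("\047", "", $3); name = $3 }
    rule && $2 == "src"    { gsub("\047", "", $3); src = $3 }
    rule && $2 == "target" { gsub("\047", "", $3); target = $3 }
    rule && $2 == "src_ip" { scoped = 1 }
    END { flush() }'
}

# Exit 0 when masquerading is disabled towards SUBNET (the "!" exclusion),
# so packets to the peer LAN keep their real source and match its src_ip rules.
masq_excluded() {
    grep -qF "list masq_dest '!$1'"
}
```

On a live router, replace `sample_config` with `uci export firewall` and run both checks on each side after committing.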
Please correct me if I am wrong here:
I have two options for hostname resolving to work:
- Use DHCP options to tell each client which DNS to use for the corresponding domain, lan1/lan2, etc.
- Local clients only talk to the local DNS, and the local DNS finds out the correct IP and replies back. In this case, I can have a firewall rule restricting DNS queries to the local DNS only.
I want to use option 2 at the moment.
The local DNS will cache resolutions, but will need to talk with the other DNS.
The clients may also need to talk to a "slave" DNS (as secondary) if the primary does not answer.
DHCP options (in the advanced options of the LAN's DHCP) are just a "forced" method to push parameters to clients.
These forced options may not be necessary with the firewall rules given by @vgaetera.
That was quick; let me try it out and update you.
These are my starting interfaces; the FW zone of macvlan is undefined. 10.1.0.1 and 10.1.0.2 can ping and ssh each other.
Should I put macvlan into the wan zone first?
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdce:d06a:10bd::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0.101'

# macvlan on top of the ISP-facing VLAN, carrying the router-to-router link
config device 'macvlan'
	option name 'macvlan'
	option type 'macvlan'
	option ifname 'eth0.2'

config interface 'p2p'
	option ifname 'macvlan'
	option proto 'static'
	option ipaddr '10.1.0.1'
	# /30: just the two router addresses; the mask must be contiguous
	option netmask '255.255.255.252'
The relevant interface name is p2p and you can attach it to the
Or create a separate zone with disabled masquerading.
But then you need to adjust the firewall rules.
Thank you very much! Your setup works; now the two LAN segments can communicate with each other, subject to the firewall rules of the routers.
I am very happy to have a working setup as my reference so that I can keep learning to use OpenWrt for site-to-site connections.
I changed one setting for remote hostname lookup to work:
In R1, I added lan2 to the RFC1918 domain whitelist.
uci set dhcp.@dnsmasq.rebind_domain='lan2'
uci commit dhcp
And similarly for R2.
Now I need to learn the firewall rules one by one.
One side question:
Why does uci show for dhcp return "@dnsmasq" (is that an array?), while when showing network it is just plain text?
Some config sections are named, while others are unnamed/anonymous:
You can name/rename it for convenience:
uci rename dhcp.@dnsmasq="dnsmasq"
uci commit dhcp
Thank you for your kind support and guidance!
I replicated the settings, via LuCI, to the two routers that are connected to the ISP switch. And they work flawlessly with your config.
When reading Internet posts/articles, I knew it was necessary to disable NAT for routed destinations, but was never sure where to put it or what the correct syntax was. Now I know I can use '!' in front of a subnet to exclude it.
Once again, thank you for all your help!
In theory, you may not even need macvlan if you already have the
Then you can use masq_dest="!p2p" with the p2p interface configured as an alias:
Thanks for the pointer.
I will look it up and see if I can get it working.
I have been working for quite some time to set up a similar connection to yours, and I had a lot of similar issues. @vgaetera & @krazeh have been a tremendous help.
If this can help, here is a link to my installation
Actually, as I already planned to install this between 2 sites in different countries, I set up all the encryption from the very beginning. WireGuard on top of OpenWrt has been the solution.
As, once it is installed, I will not be able to easily access both sites at the same time, I also set up another access through my iPhone from anywhere on the Internet. So in case something goes wrong in my site-to-site, I can still access both routers.
Have fun; it is a very educational project. I'll keep an eye on your DNS aspect as this is a point I haven't solved yet...
Thanks for the link.
It will help a lot when I am trying to set up a WireGuard tunnel version of this site-to-site setup.