Fritzbox (Original OS) <> TP-Link (OpenWRT) routing to guestnet

Hello everybody,

This is my first post. I hope you're all doing well. First, my English is not so good; I hope you understand me.

I have 2 routers.
One is a "Fritzbox 6591 Cable" from my Provider and the other is a "TP-Link Archer C6" with OpenWRT 19.

The Fritzbox is reachable on LAN-Port 1 at 192.168.178.1 and on LAN-Port 4 via guest-LAN at 192.168.179.1.
The TP-Link is reachable on LAN-Port 1 at 192.168.178.2 and on the WAN-Port via guest-LAN at 192.168.179.2.

I also have an 8-port switch. Ports 1-4 VLAN1, ports 5-8 VLAN2.
Switch-IP: 192.168.178.3
Switch-Gateway: 192.168.178.1

A cable runs from Fritzbox LAN-Port 1 to Switch Port 1.
A cable runs from Fritzbox LAN-Port 4 to Switch Port 5.

A cable runs from the TP-Link WAN-Port to Switch Port 6.
A cable runs from TP-Link LAN-Port 1 to Switch Port 2.

My laptop is connected to Switch Port 3. IP: 192.168.178.40, Gateway: 192.168.178.1

So, I have some IoT devices, for example one via WLAN (guest net from the Fritzbox) with 192.168.179.3.

So what do I have to change in OpenWRT so that I can access the IoT devices in the 192.168.179.0 net from the 192.168.178.0 net, and how should I configure the interfaces (and maybe the firewall, but I think the Fritzbox does this already)?

I'm really new to this stuff.

Hello Paula, welcome to the forum.

In your current configuration, the FritzBox is the default gateway for the LAN network segment;
any communication from LAN to guest network would be routed via the FritzBox.
For this reason, it also decides the firewall policy between these networks. The OpenWrt firewall currently has no effect since LAN->guest traffic does not pass through the OpenWrt device.

As far as I know (but I have not tried it), the guest network of the FritzBox is isolated from LAN, and there is no way to change this behaviour. Instead, the routes on the devices connected to your network must be reconfigured such that LAN->guest traffic passes through the OpenWrt device. I could imagine multiple ways to achieve this:

  • Configure a static route to the 192.168.179.0/24 network via 192.168.178.2 on each LAN client device (not very practical).
  • Distribute the same static route to clients with DHCP option 121: Classless Static Route. I have not tried this and I am not sure which clients support it.
  • Use the OpenWrt device as the default gateway for the LAN segment. This needs further considerations on how OpenWrt's own uplink (WAN) is connected. We can discuss this in more detail if you want to try this option.

In any case, you need to make sure there is only one DHCP server on each network segment, which could be provided either by the FritzBox or by OpenWrt. Check the guides in the OpenWrt wiki on how to set up a guest network; you would use that configuration if you want OpenWrt to be the default gateway for the guest network segment.

In case you get confused about which path the network traffic might take, I suggest making sure there is only one such path. In particular, you could (temporarily) disconnect the guest network from FritzBox LAN4 and disable the guest WLAN in the FritzBox while you are trying to set up a guest network on OpenWrt. While this may break connectivity for wireless clients connected to the Fritzbox guest network, it makes network debugging easier.

Where are the devices located (FritzBox, Switch, Archer C6): closely together, or in separate places?
Do you want to offer the WLAN from multiple devices (FritzBox, Archer C6) for better coverage?

Does your cable provider offer IPv6 service, and a delegated prefix (DHCPv6-PD)?
Do you get a public IPv4 address, or just a private one, perhaps delivered via Dual-Stack Lite (DS-Lite)?
Cable ISPs in Germany usually provide better service via IPv6 than IPv4. If that is also the case for you, then I suggest making sure that IPv6 works well in your local networks, in addition to IPv4.

Which internet speed did you buy? I wonder if the Archer C6 is powerful enough to route at that speed.


Hello mpa,

thank you for your answer.

Ok thanks.

Yes, normal LAN and Guest-LAN are isolated in the FritzBox.

I want to use this option, please.

I don't want to use OpenWRT as the access point for the guest WLAN. The access point for the guest WLAN should be the FritzBox. I do not want to enable the WLAN on the TP-Link.

Closely

No, only Fritzbox.

IPv4 & IPv6

I don't know.

"real" Dual Stack, not DS-Lite

200Mbit/s

Thank you for your help :grinning:

Create an additional interface, an additional logical WiFi and a new firewall zone on your OpenWRT router.
Then relocate your IoT devices to that new WiFi.
There you can edit custom routes and firewall rules as needed.

Best is to search the wiki for "guest network" and "guest Wi-Fi"; there are several examples, both for the command line and for LuCI.

I do not want to use the WLAN option via OpenWRT.

OK, so IPv4 service should be of acceptable quality.

FritzBox web interface: Internet -> Online-Monitor -> IPv6-Präfix

The Archer C6 v2 comes with a QCA9563 SoC and should be able to route at this speed as long as you are not using SQM.

On the Archer C6, enable the DHCP server for the LAN interface and disable it for the WAN interface (which is connected to the guest VLAN). These are the OpenWrt defaults.

On the Fritzbox, disable the DHCP server for the LAN interface. Keep the DHCP server enabled for the guest network, which is the default. The guest network also serves as the WAN uplink of the Archer C6 and thereby as a transit network for the masqueraded LAN traffic.

The disadvantage is that any restrictions set up in the FritzBox now apply equally to guest and LAN traffic, but only for IPv4. I suggest removing such restrictions where necessary and acceptable. Offering services to the outside world (port forwarding) no longer works with IPv4, neither for the guest nor for the LAN network.

To deal with the firewall restrictions, you could route Internet traffic via the LAN interface of the FritzBox instead (swap cables between LAN1 and LAN4 ports, swap lan and guest SSIDs), and renumber your networks accordingly. Not recommended, because anybody looking at this network topology will become confused, perhaps including yourself in the future.

Two WLAN SSIDs are bridged by the Fritzbox onto their respective networks (LAN or guest). Packets to the Internet from wireless clients in the LAN segment pass the FritzBox twice:
LAN(wireless) -> Fritzbox -> LAN (wired) -> Archer C6 -> WAN=guest (wired) -> Fritzbox -> Cable
and I cannot guarantee the FritzBox will handle that well.

On the whole, I consider this solution rather untidy.

Why?

It would allow for a better solution:
Set up LAN and guest networks on the Archer C6 (both wired and wireless) with DHCP service.
Connect WAN of the Archer C6 to LAN on the Fritzbox. Disable WLAN on the Fritzbox.

Hi mpa,

Yes

The goal is to access the IoT devices without changing the network.
So I think I need something like a virtual IP address for the IoT devices.
And the virtual IP address must be in the same network as my laptop.
So for example 192.168.178.200.
And now I have to configure the OpenWRT router so that if I want to access 192.168.178.200, it internally routes to 192.168.179.3, for example.
So for example with 20 IoT devices, I need 20 virtual IP addresses:
192.168.178.200 => 192.168.179.3
192.168.178.201 => 192.168.179.4
192.168.178.202 => 192.168.179.5 etc.
So I think I have to create a new interface for every virtual IP address. But how exactly? Bridge? LAN? WAN?

My firewall custom rules look like this:

## To destination LANIP ##
iptables -t nat -I PREROUTING -p all -d 192.168.178.200 -j DNAT --to-destination 192.168.179.3
## From source LANIP ##
iptables -t nat -I POSTROUTING -p all -s 192.168.179.3 -j SNAT --to-source 192.168.178.200
## Accept all tcp/udp ports ##
iptables -I FORWARD -d 192.168.179.3 -j ACCEPT

So I should have access to the IoT devices, but the IoT devices should not have access to the Internet or to the other devices outside of the guest net.

Yes, this can be done with proxy ARP and NAT:
The OpenWrt router pretends to own a "virtual" (proxied) IP address by answering ARP requests for it, but when it receives a packet for this address, the router translates destination and source IPs and sends the packet via its WAN interface to the guest network.

How to set it up:
Start with the network configuration from your first post, and change the OpenWrt configuration as follows.

  • /etc/sysctl.d/local.conf
net.ipv4.conf.br-lan.proxy_arp=1
  • /etc/config/network
config route 'host_200'
        option interface 'wan'
        option target '192.168.178.200'
  • /etc/config/firewall
config redirect
        option name 'proxy_arp DNAT 200'
        option src 'lan'
        option dest 'wan'
        option src_dip '192.168.178.200'
        option dest_ip '192.168.179.3'
        option proto 'all'
        option target 'DNAT'
  • also in /etc/config/firewall, check that masquerading is enabled on WAN (the default):
config zone
        option name  'wan'
        ...
        option masq  '1'
  • disable the DHCP server on LAN because both lan and guest networks are served by the Fritzbox:
config dhcp 'lan'
        option interface 'lan'
        ...
        option ignore '1'

For each host, add another instance of the route section in /etc/config/network, and of the redirect section in /etc/config/firewall.
The proxied IP address is not assigned to an OpenWrt interface.

Remove these; I will explain the reasons below.

Replaced by the redirect section in /etc/config/firewall.

Covered by masquerading on the WAN interface, and automatic NAT reversal in the other direction.

Already allowed by the default firewall configuration:

config forwarding
        option src    lan
        option dest   wan
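Since Paula mentioned up to 20 devices, here is an added helper (not part of mpa's answer and not an OpenWrt tool) that checks a list of virtual-IP-to-guest-IP pairs against the addresses from the first post and renders the per-host route and redirect sections in exactly the format shown above. The one-time settings (proxy_arp sysctl, masquerading on wan, dhcp ignore on lan) stay as described; the LAN_IN_USE set and the three sample pairs are taken from this thread, everything else is my assumption.

```python
import ipaddress

# Addresses from the thread: the OpenWrt LAN segment (br-lan) and the Fritzbox guest VLAN
LAN_NET = ipaddress.ip_network("192.168.178.0/24")
GUEST_NET = ipaddress.ip_network("192.168.179.0/24")
# Real LAN hosts named in the first post: Fritzbox, Archer C6, switch, laptop
LAN_IN_USE = {"192.168.178.1", "192.168.178.2", "192.168.178.3", "192.168.178.40"}

def validate_mapping(mapping):
    """Check a {virtual LAN IP: guest IP} dict; return a list of problems (empty = OK)."""
    problems, seen_guest = [], set()
    for vip, gip in mapping.items():
        v, g = ipaddress.ip_address(vip), ipaddress.ip_address(gip)
        if v not in LAN_NET:
            problems.append(f"{vip}: virtual IP is not inside {LAN_NET}")
        if vip in LAN_IN_USE:
            problems.append(f"{vip}: collides with a real LAN host")
        if g not in GUEST_NET:
            problems.append(f"{gip}: target is not inside {GUEST_NET}")
        if gip in seen_guest:
            problems.append(f"{gip}: mapped from more than one virtual IP")
        seen_guest.add(gip)
    return problems

def render_sections(mapping):
    """Return (network_text, firewall_text): one route and one redirect per proxied host."""
    net, fw = [], []
    for vip, gip in sorted(mapping.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        last = vip.rsplit(".", 1)[1]          # host part, used only for the section names
        net.append(f"config route 'host_{last}'\n\toption interface 'wan'\n"
                   f"\toption target '{vip}'\n")
        fw.append(f"config redirect\n\toption name 'proxy_arp DNAT {last}'\n"
                  f"\toption src 'lan'\n\toption dest 'wan'\n"
                  f"\toption src_dip '{vip}'\n\toption dest_ip '{gip}'\n"
                  f"\toption proto 'all'\n\toption target 'DNAT'\n")
    return "\n".join(net), "\n".join(fw)

# Constructed sample input: the three pairs Paula listed above
IOT_HOSTS = {"192.168.178.200": "192.168.179.3",
             "192.168.178.201": "192.168.179.4",
             "192.168.178.202": "192.168.179.5"}

if __name__ == "__main__":
    errs = validate_mapping(IOT_HOSTS)
    if errs:
        raise SystemExit("\n".join(errs))
    network, firewall = render_sections(IOT_HOSTS)
    print("# append to /etc/config/network\n" + network)
    print("# append to /etc/config/firewall\n" + firewall)
```

Run it on the router or any machine with Python 3, then paste the two outputs into the respective config files and reload with the usual OpenWrt commands.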