Function of an OpenWrt router after replacing the WAN router

Valid point, but that can't explain why one Fritz responds and the other doesn't.

How can I do this?

If you're using LuCI:
Network > Firewall > scroll down to the firewall zones and locate the WAN zone > use the checkbox (checked) to enable Masquerading > Save & Apply

If you're using UCI / CLI:

uci set firewall.@zone[1].masq='1'
uci commit firewall
/etc/init.d/firewall restart
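One caveat worth checking before running the UCI commands above: `@zone[1]` is a positional reference, and the wan zone is only the second zone in /etc/config/firewall on an unmodified default install. The script below is an added example (not posted in the thread) that finds the zone by its name instead and then prints the same three commands with the correct index. It runs on a stock busybox shell, but the `uci show firewall` text it parses is a constructed stand-in for a default install, embedded so the script works offline.

```shell
#!/bin/sh
# Added example: locate the firewall zone named 'wan' by name rather than by
# position, then emit the uci commands that enable masquerading on it.

# Constructed stand-in for `uci show firewall` output on a default install
# (only the lines relevant to the two zones are included).
sample_uci_show() {
  cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='0'
EOF
}

# zone_index <uci-show-output> <zone-name> -> numeric index of that zone, or empty
zone_index() {
  printf '%s\n' "$1" | sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='$2'$/\1/p"
}

# zone_masq <uci-show-output> <index> -> current masq value ('0' when unset)
zone_masq() {
  v=$(printf '%s\n' "$1" | sed -n "s/^firewall\.@zone\[$2]\.masq='\([01]\)'$/\1/p")
  printf '%s\n' "${v:-0}"
}

# masq_commands <uci-show-output> -> the commands that enable masq on the wan
# zone, using whatever index the wan zone actually has; fails if there is none
masq_commands() {
  idx=$(zone_index "$1" wan)
  [ -n "$idx" ] || { echo "no zone named wan in firewall config" >&2; return 1; }
  printf "uci set firewall.@zone[%s].masq='1'\nuci commit firewall\n/etc/init.d/firewall restart\n" "$idx"
}

out=$(sample_uci_show)
echo "wan zone index: $(zone_index "$out" wan), masq currently: $(zone_masq "$out" "$(zone_index "$out" wan)")"
masq_commands "$out"
```

On a real router replace `sample_uci_show` with `uci show firewall`; if the script reports a different index than 1, that is exactly the case where copying `@zone[1]` blindly would have changed the wrong zone.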

After this intervention, the network now works!
But are the two networks still shielded from each other now?

Can you describe what you mean by this?

Also, what is your goal here? You have 3 routers, each with their own LAN and guest networks. The default configuration of the topology you have drawn will basically make it possible for the following to happen:

  • These networks can communicate with each other (only if initiated by the network on the left side):
    -- 192.168.189.0/24 > 192.168.200.0/24
    -- 192.168.203.0/24 > 192.168.200.0/24
    -- 192.168.201.0/24 > 192.168.200.0/24
    -- 192.168.202.0/24 > 192.168.200.0/24

All other communication will be blocked by firewalls (in the default configuration), that means, for example, 192.168.200.0/24 cannot initiate a connection to 192.168.203.0/24.


There are smart home devices in the 192.168.203.XXX network. They should not be accessible from the network 192.168.201.XXX. Of course, they should also not be accessible from the WLANs of this router.
It should also not be possible to reach them the other way round.
In addition, both networks should be additionally secured against attacks from the Internet.

Yes. If you are running default firewalls on the sub routers, the main router (Fritzbox) LAN at 192.168.200 is their WAN, which means it is considered like the Internet and not to be trusted. So no one in the .200 network or any of the other networks can make a connection over to the 201, 203, etc. networks. This is also an inherent feature of using NAT.

That is if the firewalls are default, they have not been changed to open up any paths.

I understand that. It is just not clear to me, because I am not a network engineer, what the masquerade does.

In simple terms, masquerading hides all of the individual device addresses on one network. In a default home network environment, the ISP typically provides a single IP address to the customer. The router uses NAT / Masquerading to share the single address with multiple devices on the customer's private network. An analogy would be a physical office with a single street address -- all employees share that address and everyone can send/receive mail. It is the mailroom's responsibility to know where each employee is within the building and to manage the sharing of the single street address. The mailroom is the equivalent of the consumer router in this case, translating a single external address to multiple internal addresses. Masquerading is the name of the technique that is used to handle this activity.

This would mean that it could never have worked without enabling the masquerading checkbox in the firewall?

I assumed that since there was no change in OpenWRT, it must work without intervention in OpenWRT - as before.

In any case, I would like to thank you very much for the quick and very strong help. OpenWRT is a fine thing and the forum is unbeatable!


With the current topology, and without static routes added to one or more of the routers, no, it would never have worked without masquerading.

Masquerading should be enabled on the WAN interface for all default installations of OpenWrt, so it must have been disabled (either intentionally or by accident) at some point during your configuration and experimentation.

It will work without masquerading if you install static routes in the main router (7490)
192.168.189.0/24 via 192.168.200.97
192.168.201.0/24 via 192.168.200.98
etc. The main router needs to know how to reach each sub LAN by the IP of that LAN's router on its .200 network.
I suspect the network was originally working this way, then it broke when you replaced the main router but did not install those routes into it.

When masquerading is not in use, the packets reaching the main router have an origination address (to return the reply packet to) of the original machine on its sub LAN (.189.100 etc). When masquerading is in use, the sub routers modify the packets so the origination address is always the .200 address of the sub router. The main router then doesn't need to know that there are other LANs to return the packet.
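The three outcomes described in the last two posts (reply lost without masquerading, reply delivered via a static route, reply delivered because the source was rewritten) can be traced with the small shell model below. It is an added example, not code from the thread or from OpenWrt; it only models the reply-path decision, not a real packet. The addresses come from the thread's own drawing and text (main LAN 192.168.200.0/24, sub-router WAN address 192.168.200.97, sub-LAN 192.168.189.0/24, host .189.100); the second sub-router at 192.168.200.98 with sub-LAN 192.168.201.0/24 is taken from the static-route lines above. Only /24 routes are modelled.

```shell
#!/bin/sh
# Added example: toy model of the reply path through the main router.
# A host on a sub-LAN sends a packet to the main router. The sub-router either
# masquerades (rewrites the source to its own .200 address) or passes the
# packet through unchanged. The main router then decides where the reply goes.

MAIN_LAN_PREFIX=192.168.200      # network directly connected to the main router
SUB_ROUTER_WAN=192.168.200.97    # sub-router's own address on the main LAN

# sub_router_forward <src-ip> <masq 0|1> -> source address as the main router sees it
sub_router_forward() {
  if [ "$2" = "1" ]; then
    printf '%s\n' "$SUB_ROUTER_WAN"   # masquerading: source becomes the router's .200 address
  else
    printf '%s\n' "$1"                # no masquerading: the original host address is kept
  fi
}

# main_router_reply <dst-ip> <static-routes> -> where the reply is sent:
#   "connected"  the destination is on the main router's own LAN
#   "via <gw>"   a static route for that /24 points at a sub-router
#   "default"    no route known, reply goes towards the ISP and is lost
# <static-routes> is a space-separated list of "a.b.c.0/24=gateway" entries.
main_router_reply() {
  dst=$1; routes=$2
  [ "${dst%.*}" = "$MAIN_LAN_PREFIX" ] && { echo connected; return; }
  for r in $routes; do
    net=${r%%=*}; gw=${r#*=}
    [ "${net%.0/24}" = "${dst%.*}" ] && { echo "via $gw"; return; }
  done
  echo default
}

# round_trip <host-ip> <masq 0|1> <static-routes> -> reply outcome for that host
round_trip() {
  seen=$(sub_router_forward "$1" "$2")
  main_router_reply "$seen" "$3"
}

# No masquerading and no static route: the reply has nowhere to go.
round_trip 192.168.189.100 0 ""                                  # default
# No masquerading, but the main router knows the sub-LAN: reply delivered.
round_trip 192.168.189.100 0 "192.168.189.0/24=192.168.200.97"   # via 192.168.200.97
# Masquerading: the main router only ever sees its own LAN, no route needed.
round_trip 192.168.189.100 1 ""                                  # connected
```

The "default" case is the broken state from the start of the thread: the new Fritzbox had no static routes, so replies to sub-LAN addresses left towards the ISP. Either fix (routes in the main router, or masquerading on the sub-routers) makes the reply land on a directly connected or explicitly routed network.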
