Get device from WAN into new network

Following situation:

I have the 192.168.1.x network with Home Assistant (HA) in it. I also have an OpenWrt router container with the IP 192.168.1.190 that creates 2 new networks: 192.168.100.x (private) and 192.168.111.x (IoT). I now want to get HA into the 192.168.100.x network, but I can't connect it physically, as both OpenWrt and Home Assistant run as containers/VMs on Proxmox. I tried experimenting with IP routes, but without success.

Here's a quick diagram:

My goal

I want Home Assistant to talk to the devices in both the IoT (111.x) and the private (100.x) network.

Current setup

Firewall config (/etc/config/firewall)

# Review notes are prefixed NOTE(review); everything else describes the posted config as-is.
# Global policy: traffic to the router (input) and between zones (forward) is REJECTed
# unless a zone or rule below allows it explicitly.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# 'lan' zone: fully open, groups the 'lan' and 'home' (192.168.100.0/24) interfaces.
# NOTE(review): the posted /etc/config/network defines no interface named 'lan';
# only 'home' resolves here. Confirm that is intended.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'home'

# 'wan' zone: the upstream 192.168.1.0/24 side, masqueraded.
# NOTE(review): input 'ACCEPT' overrides the REJECT default above, so every service
# the router itself listens on (web UI, SSH, DNS, ...) is reachable from the whole
# 192.168.1.0/24 segment. 'REJECT' plus explicit rules for what must be reachable
# would be the tighter choice.
# NOTE(review): 'br-wan' is a device name in the network config, not an interface
# name; this list entry presumably matches nothing — verify.
config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'br-wan'

# lan (and therefore 'home') may forward to wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to 'Allow-ISAKMP' look like the stock OpenWrt wan rules.
# With wan input set to 'ACCEPT' above, the input rules among them are redundant.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# 'iot' zone (192.168.111.0/24): the router neither accepts input from nor sends
# output to IoT hosts by default; forwarding within the zone is allowed.
config zone
        option name 'iot'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        list network 'iot'

# lan/home may reach iot. There is no iot -> lan forwarding, so IoT hosts cannot
# initiate connections into 192.168.100.0/24.
config forwarding
        option src 'lan'
        option dest 'iot'

# NOTE(review): a rule with src but no dest applies to router input (OpenWrt rule
# semantics — confirm against your version). This accepts all protocols from the
# IoT segment to the router itself and cancels the zone's input 'REJECT' above.
# Narrow it to what IoT devices actually need from the router (typically DHCP and
# DNS) instead of 'all'.
config rule
        option name 'Allow iot'
        option src 'iot'
        option target 'ACCEPT'
        list proto 'all'

# A rule without src presumably applies to the router's own output; this re-allows
# router -> iot traffic that the zone's output 'REJECT' would otherwise block.
config rule
        option name 'Allow all from this to iot'
        list proto 'all'
        option dest 'iot'
        option target 'ACCEPT'

# 'Zugriff auf FB' (German: "access to FB"): IoT hosts may reach 192.168.1.1 only.
# Must stay ahead of the REJECT rule below, since rules are matched in order.
config rule
        option src 'iot'
        option dest 'wan'
        list dest_ip '192.168.1.1'
        option target 'ACCEPT'
        option name 'Zugriff auf FB'
        list proto 'all'

# 'iot auf privat verbieten' (German: "forbid iot to private"): blocks IoT hosts from
# the rest of 192.168.1.0/24. Together with the iot -> wan forwarding below, this
# single rule is what keeps IoT devices off the private upstream segment.
config rule
        option src 'iot'
        option dest 'wan'
        option target 'REJECT'
        list dest_ip '192.168.1.0/24'
        option name 'iot auf privat verbieten'
        list proto 'all'

# Everything else from iot (i.e. internet via 192.168.1.1) is forwarded and masqueraded.
config forwarding
        option src 'iot'
        option dest 'wan'

# mDNS multicast accepted from every zone ('*'), including wan.
config rule
        option name 'Allow mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

# Disabled ('enabled 0'); has no effect as posted.
# NOTE(review): src_ip 192.168.1.190 is the router's own wan address, so even when
# enabled this would presumably never match traffic from the 'lan' zone — verify.
config nat
        option name 'Allow HomeAssistant'
        list proto 'all'
        option src 'lan'
        option src_ip '192.168.1.190'
        option target 'SNAT'
        option snat_ip '192.168.100.1'
        option enabled '0'

# wan -> lan forward: only the three listed 192.168.1.x hosts may reach the listed
# 192.168.100.x hosts (all protocols).
# NOTE(review): 192.168.100.1 is the router's own address; traffic addressed to the
# router is input, not forward, so that entry is presumably ineffective here (wan
# input 'ACCEPT' covers it anyway). Hosts on 192.168.1.x additionally need a route
# for 192.168.100.0/24 via 192.168.1.190, which this file cannot provide.
config rule
        option name 'Allow HA und x to get into other network'
        option src 'wan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.100.10'
        list dest_ip '192.168.100.11'
        list dest_ip '192.168.100.12'
        list dest_ip '192.168.100.22'
        list dest_ip '192.168.100.1'
        list proto 'all'
        list src_ip '192.168.1.180'
        list src_ip '192.168.1.188'
        list src_ip '192.168.1.190'

Network config (/etc/config/network)

# Review notes are prefixed NOTE(review); everything else describes the posted config as-is.
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

# Upstream side: static 192.168.1.190/24 on bridge br-wan, default gateway 192.168.1.1.
config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.190'
        option device 'br-wan'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'

# NOTE(review): bound to eth0 directly, but eth0 is a port of br-wan below; an
# interface on a bridge port rather than on the bridge is usually unintended — verify.
config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth0'

# 'home' (192.168.100.0/24) on VLAN 100 of enp5s0; member of the 'lan' firewall zone.
# NOTE(review): 'enp5s0' looks like a hypervisor-host NIC name, while this system
# otherwise uses 'eth0'. If no such device exists inside the container, this
# interface never comes up — which is what the reply about adding a hypervisor
# bridge addresses.
config interface 'home'
        option proto 'static'
        option device 'enp5s0.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

# 'iot' (192.168.111.0/24) on VLAN 111 of enp5s0.
# NOTE(review): gateway 192.168.1.1 is not inside 192.168.111.0/24, so this
# interface cannot install it; the default route already comes from 'wan'.
# Remove this option — verify nothing else depends on it.
config interface 'iot'
        option proto 'static'
        option device 'enp5s0.111'
        option ipaddr '192.168.111.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

# Disabled. 192.168.100.0/24 is directly connected on 'home' and 192.168.1.190 is
# this router's own wan address, so the route would not make sense even if enabled.
config route
        option interface 'home'
        option target '192.168.100.0/24'
        option gateway '192.168.1.190'
        option disabled '1'

This actually doesn't have anything to do with OpenWrt.

In the hypervisor (outside OpenWrt), you'd add another bridge which handles the LAN side of OpenWrt and also presents a port to the Home Assistant VM.

Rather than tagging virtual ports as you've done, it is more conventional to instantiate a separate virtual port and hypervisor bridge for each network. The "switch" in the hypervisor can combine and tag these to form a trunked connection on a hardware physical port.

That was the solution! So simple, yet effective! Thank you for pointing me into this direction!
