Having issues with setting up home network

Hello good people of OpenWRT community,

I'm looking to get better at basic home networking. I'm having issues getting the setup I have to work the way I would like it to.

Here is my home (shared) setup:
Internet --> ISP router with ONT built in - mandatory (almost nothing can be changed in the settings), subnet 192.168.1.0, standard firewall, NAT etc. ---> Two routers connected to the ISP router through LAN ports, no direct connection between these two routers, all traffic first goes to the ISP router

First LAN port of ISP router ----> LAN cable goes to LAN port of my OpenWRT device (Netgear WNDR3700 v2), LAN address 192.168.1.10 as a dumb router, no DHCP, firewall running, no NAT on interfaces, same subnet as ISP router, all devices get an IP address from the ISP router

Second LAN port of ISP router ---> LAN cable goes to WAN port of second router (some Hewlett Packard router), subnet 10.0.1.0, has address 192.168.1.11 on the ISP router, NAT enabled, firewall enabled, pretty much default configuration so most ports blocked --> devices connected to that router with LAN ports, including a file server at IP address 10.0.1.6

My goal - I would like my OpenWRT device to act as a router, but not as a gateway. I want it to also do some basic firewalling. I want to be able to access the file server with address 10.0.1.6 on the HP network. I don't want a second NAT on my OpenWRT device, which probably is the culprit for all the issues I have.

What I tried:

  1. Keeping WAN and LAN zones, allowing FORWARDING between these zones, allowing INPUT and OUTPUT as well. LAN interface with static address of 192.168.1.10, unmanaged WAN interface, masquerade off, MTU clamping off. I guess it doesn't make sense.

     When I connect the cable from the ISP router to my WAN port, no internet access. I can't access the ISP router, I can still access my router. This may be a better way to achieve my goal than solution nr 2 if I could get it to work?

  2. Not using the WAN port at all. Pretty much doing what is in the DumbAP guide https://openwrt.org/docs/guide-user/network/wifi/dumbap, except I kept the firewall on and didn't delete any interfaces.

     As expected, the internet connection works. But I guess in this configuration, I can no longer do routing or firewalling. I created a static route to 10.0.1.0 via 192.168.1.11. I can ping 192.168.1.11, but can't ping 10.0.1.1 or 10.0.1.6.

I tried port forwarding on the HP for the server and it worked, but I would prefer the file server to be only accessible when I connect from OpenWRT devices and from HP devices through a LAN connection. Devices connecting to the ISP router directly, like through Wi-Fi or connected with a LAN cable, shouldn't easily be able to access the file server.

What would be the way to achieve my goal? If it's at all possible, of course.

Thank you for your help

Maybe you can draw your current and desired network topologies to make this more clear.

Here is the topology

The current and desired topology is pretty much the same.

I hope I understood you correctly

So routers are gateways, and you can't have the address ranges the same on both sides of a router. I'm not sure what you are trying to do with the firewall in the OpenWrt router, but generally speaking the traffic will never hit the firewall because of the fact that the OpenWrt router isn't actually doing any routing. There is a 'bridge firewall' that you can setup, but that's a bit different (and requires installing other packages).

Why not put everything behind the OpenWrt router. Eliminate the HP router and setup VLANs on your OpenWrt device. Ideally, if you can configure your ISP ONT to bridge mode, you can avoid double NAT.


So basically, no NAT = no ability to do routing?

I can't make the ISP router a bridge, it doesn't have this functionality, it's really barebones.

Yea...

Maybe your ISP can set the ONT router in bridge mode. It's worth a try.

Well, there is a distinction between NAT masquerading (as one method of routing) and other routing methods, but in your network, especially if you can't set static routes and such on the ISP router, you need NAT masquerading for this to function properly.

You can read about the bridge firewall, but I don't think that this is the best solution for your needs.

Not all routers have the capability, so I understand that. But sometimes it goes under different names. I was just looking at a Bell (Canada) Home Hub 3000 and it calls this feature "advanced DMZ" and it is supposed to do exactly the bridge mode I am talking about, this is despite the fact that that same router doesn't have the ability to set static routes or really anything else beyond the basics.

My ISP is Orange. They do not do that, sadly.

What if I restricted NAT masquerading only to connections to 192.168.1.11, which is hiding the 10.0.1.0 network? Is that possible? What would that look like?

And why is masquerading required? From what I've read, it modifies the source address to look like it came from a different one, in most cases to translate an address like 192.168.1.x to an external one.

Would that mean that I would need to translate a 192.168.1.0 address to a 10.0.1.0 one through masquerade?

Sorry if that is double posting.

Masquerading makes all the traffic behind the router look like it is coming from the WAN IP of that device.

Routers perform the task of routing between two or more networks. That is why you cannot have the same (or overlapping) subnets across the router - it needs to have the ability to distinguish each network.

Now, if you set up a different subnet on your OpenWrt router and then turn off masquerading on the WAN side, the OpenWrt router would be able to route between the networks without issue. The problem is that the ISP router would not know where to send the return traffic (for example, from the internet headed back to your OpenWrt network), so connectivity would break. If you can set static routes on the ISP router (doubtful from what you have said), that would allow masquerading to be disabled. Otherwise, you need to have it enabled so that all of the traffic appears to come from and return to a single address/device.

Okay, thank you for clarifying that.

Hmm. I have another question. Let's say I have a gaming console with address 192.168.1.20. My router knows that behind 192.168.1.11, the actual network is 10.0.1.0/24 through static routing. When I send traffic to 10.0.1.6, why can't I connect? Is it because there is no static route for that network at the ISP router, yes? So it doesn't matter that my router knows, the ISP router doesn't get it?

Do you have that static route set up? In which router do you have this set?

There is still likely NAT masquerading on the HP router and probably a firewall, too. These would also prevent a connection, if enabled.

Sorry for not being clear,

I have that static route set up on my OpenWRT router. Here's how it looks:

# /etc/config/network: static route to the HP router's subnet, pointing at
# the HP router's address on the ISP subnet; attached to the LAN interface
# because the WAN port is not in use in this setup
config route
        option interface 'lan'
        option target '10.0.1.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.11'

But I suppose that static routing doesn't even work if there is no masquerading? And it's on the LAN zone, since that's what I have, as I don't use the WAN port right now.

But if more than the LAN zone is required, that's okay, I just want to avoid double NAT behind OpenWRT on communication with the internet for gaming.

I can probably also set static routing on the HP router, but devices behind the HP router can communicate with devices behind OpenWRT, since devices behind OpenWRT are on the same subnet as the ISP router.

Static routes do not require masquerading. But they do require routing.

In your configuration, the OpenWrt device is a dumb AP and switch - the hosts that are physically connected to the router are not using the router as a gateway. They instead use the ISP router as their gateway. So when they try to access another network, the request goes to the ISP router, which obviously doesn't have the static route installed and is unaware of the network behind the HP router.

Hmm, I see.

Is it possible from OpenWRT to target traffic meant for 192.168.1.11 and make the OpenWRT handle that request instead, while leaving the rest of the traffic as it is? Or will the ISP router do its thing anyway, since it's in the way?

If that means my device stops being a switch and dumb AP, I guess that's what I want, as long as I'm not double NATting connectivity from the internet. Which probably is not possible?

Nope. The traffic is not passing through the routing and firewall engines of the OpenWrt router. So there is nothing you can do unless you make the OpenWrt device operate as a full NAT masquerade router.

Okay, so even if I turned my device into a router now, but without NAT, which I couldn't get to work in any configuration, it still won't do anything, as my ISP router is not learning routes, yes? And I can't give it a static route?

Setting up DHCP on OpenWRT giving static routes to devices connected to it will also do nothing?

That is correct. As long as your ISP router is in the mix here and not capable of static routes, traffic will break if you use routing without masquerading.
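For readers arriving at the same conclusion, here is what the "full NAT masquerade router" layout described in the replies looks like in UCI form. This is an added example written for this thread, not configuration posted by the original poster or taken from the OpenWrt project; the 192.168.2.0/24 LAN subnet, the ISP router address 192.168.1.1 and the device name `wan` are assumptions (the WAN port must be connected to the ISP router, and the LAN subnet must differ from the ISP subnet, as the replies explain). The addresses 192.168.1.10, 192.168.1.11 and 10.0.1.0/24 come from the thread; the static route moves from the `lan` interface to `wan`, because 192.168.1.11 is now reached through the WAN port.

```uci
# /etc/config/network (relevant sections only; example, not the poster's config)

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'        # assumed: OpenWrt's own subnet, must not be 192.168.1.0/24
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'wan'                # assumed device name; check with `uci show network.wan`
        option proto 'static'
        option ipaddr '192.168.1.10'       # OpenWrt's address on the ISP subnet (from the thread)
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'       # assumed ISP router address
        option dns '192.168.1.1'           # assumed

# Static route to the HP router's subnet via its address on the ISP subnet.
# It belongs on 'wan' now, since that is the interface facing 192.168.1.11.
config route
        option interface 'wan'
        option target '10.0.1.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.11'

# /etc/config/firewall (relevant sections only)

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'              # nothing from the ISP side may reach the router itself
        option output 'ACCEPT'
        option forward 'REJECT'            # nothing from the ISP side is forwarded into the LAN
        option masq '1'                    # masquerade: LAN hosts appear as 192.168.1.10 to the ISP and HP routers
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'
```

With this in place the OpenWrt router does what the replies describe: hosts on 192.168.2.0/24 use it as their gateway, so their packets pass through its routing table (including the static route to 10.0.1.0/24) and its firewall, and the ISP router only ever sees 192.168.1.10 as the source, so it needs no route of its own. The trade-off is the one the thread already names: a console on 192.168.2.x is now behind both the ISP router's NAT and this one, and traffic towards 10.0.1.6 still arrives at the HP router from 192.168.1.10, so the HP router's own NAT and firewall (or a port forward there) continue to decide whether the file server is reachable.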