I am brand new to OpenWrt with honestly not much knowledge but the attempt to learn a lot. I recently figured out that my AVM FritzBox 7320 does not get updates any more, so I gave it a shot and was able to already flash the device and install OpenWrt. Now I at the configuration stage but I think I need a little help to get where I want with my device.
I tried to read in the docs and searched through the web, but I cannot get my head around things like NAT and WAN, ... and how i should configure the interfaces.
But first let me tell you wich dream scenario I have: Till now I used my FritzBox as the access point for all my devices and I always thought, that I capsule my own little network from other devices in the network (correct me if I am wrong). I always plugged the FritzBox into another router via a ethernet cable. I had to do this, cause I am often not the owner of the first router or the internet contract (I have to move every few years). But I wanted to get easy access to my RaspberryPi, TV Stick, Phone, Pc and capsule it from other people who use the first router (which is conneted to the provider).
As I said I already tried a few things, but till now I was not able to configure my FritzBox with OpenWrt to create a subnetwork where my devices wont be seen from the first router.
I would be very greatful if anybody could help me or give some advices, further readings, etc.
Hey, thanks for your super fast reply. So am I understanding it right that I want a set up with the OpenWrt as cascaded router behind another router (double NAT) ?
When I follow the instructions on the „OpenWrt as router device“ page, it seems that the OpenWrt router acts like an wifi access point. I can get into the internet and that works fine, but the first router sets up up adresses for all the devices which are connected to the OpenWrt router and I cannot get access to the OpenWrt router. With the IP address i can only get into the first white page of LuCi but it fails to load the login page
It is not clear from the device page https://openwrt.org/toh/avm/avm_fritz_box_7320 whether both Ethernet ports are usable with OpenWrt. For your use case you definitely want something with at least two ports, so this may not be the best hardware.
After flashing (or doing a reset to default settings), with the router connected to no other network, log in by Ethernet to 192.168.1.1 then start up a wifi AP on the lan network. Disconnect ethernet cable and log in by wifi.
You'll need to create a new network on an Ethernet port, so you have two networks to route between. The new one will be a "wan" network connected to your source of Internet, and it will only be used for that purpose. Under Network Interfaces create a new one of type DHCP client, name it exactly 'wan' and attach it to (one of, if you have a choice) the Ethernet ports. This is on the Physical Settings tab. Remember you need to be logged in via the lan side on wifi this whole time.
Then you can plug an Ethernet cable from the router into your "upstream" network. Go to the main status page and note that there is now a box showing "IPv4 Upstream." If the IP address there is 192.168.1.X, you'll need to change your LAN to a different range. If it is some other address you're OK to go. Now there should be Internet access for your PC, but its firewalled against others on the house network accessing your stuff.
Thanks for you instructions. I tried to do exactly what you said but a few things didn‘t worked that way.
In the beginning I couldn‘t connect my pc to the router via LAN. I don‘t know why. I could work around that by pressing the wifi button on the router so i could connect directly via wifi. I also directly changed the ip to "192.168.2.1".
Next I tried to create the "wan" interface but I had to delete the old "wan" interface first (it was set with a PPPoE protocol). As the connection I used "eth0". With that I was able to connect the router with the one that brings the internet to my home (I think you mean that one when you say upstream network) and get an internet connection.
So far so good, but then I got to the firewall settings of my new created wan interface, I can leave it empty, use the lan (green) or wan6 (red) zone. Before deleting the old "wan" interface I had one option more. It was also called wan (red). Regardless of what I choose for this Interface, I have the same problem as before. I can get an internet connection but I cannot reach the OpenWrt router, only the upstream router where all my devices are listed.
Next I changed the settings of the "LAN" interface. At "Physical Settings" I excluded "eth0". Now I have a working internet connection, and I can access my OpenWrt router and see there that the devices all have 192.168.2.x adresses. Also my devices tell me that they have those adresses.
But when I login to the upstream router (192.168.0.1), I can still see all my devices with 192.168.0.x adresses. So I still wanted to ask if now everything is set correctly and I am capsulated from the upstream network regardless of what I see in the upstream network.
I should have mentioned that you have to take the Ethernet port out of lan to use it as wan. If you're only seeing eth0 and not an eth1, that means that there's no hardware driver for the other port, so your lan has to be all wifi.
Unless you deleted it, there is a firewall zone named 'wan', and also a network named 'wan'. This is a bit confusing because they are completely separate things, but they will usually be joined in the firewall configuration. The wan network should be in the wan zone. This will appear red on the LuCI network page.
If you're looking at the DHCP lease table or the ARP table of the upstream router, that won't tell you what is presently connected-- only that a lease was obtained in the past. So you need to wait for those to expire out of the cache, or restart that router (if the other people using it won't mind) to see the true situation. If you connect a device to the upstream network, it should fail to ping or otherwise access any of your .2 addresses.
You can still access the .1 addresses from your .2 network. That is a potential problem for them but not for you. There is a way to block it in the firewall if you want to.
Yes you are right, I restarted everything and now it’s like you said and what I wanted in the first place. Don’t feel bad about not writing about the lan settings. A little bit of try and error keeps the fun in this
That i cannot use the 2nd lan port is a pity but since i wanted to think about the environment and don’t throw away a working piece of tech i can live with that.
Since now everything is working the right way I will close this topic. Again thank you so much for your help. I am really grateful for that! People like you and projects like this make me believe in humanity again
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.