Help with a simple static route between two routers

cleanerbungus · April 24, 2021, 1:31pm

Hi, I am struggling to get a single static LAN ONLY route between two routers. I only want effectively a single route to and from a single device, see details below.

I've reviewed the other topics but still can't make heads of this.

Here's my topology below.
The reason they are split connections to each have their own WAN is because the cable internet is not as stable as the DSL yet, they are fixing the wiring outside. I don't want interruptions, so the DSL is rock solid.

I DO NOT WANT the devices to share WAN Internet connections. They each have their own.

Router 1 - TL1043ND running OpenWRT 19.07
Network: 192.168.6.0/24
Gateway: 192.168.6.1
DHCP: YES
Client 1: Pi4 - 192.168.6.42 (DNS and Wireguard)
Client 2: Desktop - 192.168.6.18 (Main)
WAN: DSL PPPoE - Bridged mode to DSL modem TPLink 99-something
/etc/Firewall config:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '12345'
	option src 'wan'
	option name 'Wireguard'
	option src_dport '12345'
	option target 'DNAT'
	option dest_ip '192.168.6.42'
	option dest 'lan'

config rule
	option src '*'
	option name 'Allow-PING-locally'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest '*'
	list proto 'icmp'

config nat
	option target 'MASQUERADE'
	option name 'external-server'
	option dest_ip '192.168.2.43'
	list proto 'all'
	option src '*'

/etc/Network config:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix ''

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.6.1'
	option delegate '0'
	option broadcast '192.168.6.255'
	list dns '192.168.6.42'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option password ''
	option ipv6 '0'
	list dns '192.168.6.42'
	option delegate '0'
	option peerdns '0'
	option username ''

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config route
	option gateway '192.168.2.1'
	option netmask '255.255.255.0'
	option target '192.168.2.43'
	option interface 'lan'

////

Router 2 - Archer C7 running Stock Firmware (for hardware NAT)
Network: 192.168.2.0/24
Gateway: 192.168.2.1
DHCP: NO
Client 1: NAS - 192.168.2.43
WAN: 1gbit/30mbit Cable internet, DHCP to cable modem
static route:

ID 	Destination Network 	Subnet Mask 	Default Gateway
1	192.168.6.0	           255.255.255.0	192.168.6.1

I have set a static route on both routers, but packets never come through. I've read a sizeable amount of the documentation and can't make proper heads about it, even the examples.

Maybe this is due to something Firewall is doing to masquerading traffic, but I don't necessarily want WAN traffic to have free reign.

Maybe I misunderstand "WAN" to just mean Internet but it means my other router?
Any help appreciated.
thanks abound.

faser · April 24, 2021, 2:04pm

How are the two routers connected?
What are the static routes you have set?

trendy · April 24, 2021, 5:23pm

The routes you have configured are wrong. Start by deleting them.
Then it is not obvious from the configuration snippet how have you connected the 2 routers. Ideally there should be a dedicated link and vlan for the cross-connection. Then you'd need one static route on each router:

config route
	option gateway '192.168.100.2'
	option netmask '255.255.255.0'
	option target '192.168.6.0'
	option interface 'crosslink'

This means that the first router has a route for the lan of the second router, via the interface crosslink and .100.2 is the IP of Router2 on interface crosslink.

cleanerbungus · April 28, 2021, 10:54pm

Hi trendy, thank you for your helpful reply!

My connection between the routers is just a single ethernet cable, one in each LAN port.

Yes, I probably should setup a VLAN but that's another part I'm slightly confused by. if the VLAN is setup as untagged, would data still flow between the other ports on each router (the devices themselves)?

I will take a look at your config route option to set this up.
I'm wondering if the stock Archer C7 v2 config supports this properly even.

Thanks!

mk24 · April 29, 2021, 1:43am

You have two routers which I will call Router 1 and Router 2. Router 1 has a LAN IP of 192.168.1.1/24 and Router 2 has a LAN IP of 192.168.2.1/24. They each have independent connections to the Internet.

On Router 1:

Segregate one of the Ethernet ports from the others. This port will connect to Router 2.
** If it's an x86 or other machine with ports directly connected to the CPU, you have eth0, eth1, eth2 etc so just remove one of them from all the existing networks.
** If it's a swconfig system with integral switch, go to the switch and create a new VLAN (3). Remove the port from the LAN VLAN (1) by setting it to off, then set it to untagged in VLAN 3. Set a CPU port to tagged in VLAN 3.
** If it's a DSA system, these are logically like the x86 case above with the ports named lan1, lan2, lan3, etc. Remove one of them from the LAN network.
Create a new network of proto static. Configure it with an IP in Router 2's LAN. 192.168.2.2/24 would be a good choice. The network's physical interface is the isolated Ethernet, either eth3, eth0.3, or lan3 for the three cases above.
The new network's firewall zone is lan, since you trust all devices on both LANs. Forwarding must be set to ACCEPT on the lan zone.
It is not necessary to install routes on Router 1 since creating the new network automatically sets up a route to it: 192.168.2.0 via eth0.3. This can be confirmed with the route command.

On Router 2, no special configuration is required other than installing a static route back to Router 1: 192.168.1.0/24 via 192.168.2.2.

Connect the special port of Router 1 to one of the LAN ports of Router 2.

cleanerbungus · May 21, 2021, 10:35am

Hi there and sorry for my time to reply!
I tried your recommendation and indeed it worked... but only on the router itself. My devices connected to the router couldn't see the other network devices; could not connect to them I mean.

Am I now missing a forwarding rule, or perhaps do I need to set manual static routes in my individual devices? I am not sure how to do that with an Android phone.

Also, on occasion, some of my devices on the TL1043 would get assigned a WAN IP from the Archer, which I prefer to avoid since the service is still unstable. Is there a way to deny this from happening? Not sure what protocol it would be considered if I were to block in the firewall.

Many many thanks!