Home network between routers that use different Internet Entrys

kaenguruh · November 20, 2021, 11:32pm

I've set up my home network with three OpenWrt-Routers: one that connects to the Internet and provides a normal wifi access point. Connected to this router are two additional routers who each tunnel their whole traffic through wireguard - and each of them has their own wifi network:

Diagram1

Now what I'd like to set up is a home network, where I can communicate freely between those three routers and the clients at home.

But I really have no clue how to manage it. I've tried to use PBR for this, but I'm simply overstrained by it - I don't really get how to use it.

What do I need to make this happen?

psherman · November 20, 2021, 11:45pm

Are all of these routers running OpenWrt?

kaenguruh · November 20, 2021, 11:47pm

Yes, all of them are running OpenWrt

psherman · November 20, 2021, 11:48pm

Ok... how are they connected? Is the connection from router 1 to routers 2 and 3 connection from LAN > WAN, or LAN > LAN?

kaenguruh · November 20, 2021, 11:50pm

I set them up like this:
Internet >WAN Router 1 LAN>WAN Router 2/3

psherman · November 21, 2021, 12:03am

Ok... so what you have on routers 2 and 3 is double NAT... although it is irrelevant because of the VPN tunnel.

What you can do is add routes on router 1 and update the firewalls on routers 2 and 3 to allow traffic to flow.

If router 1 is 192.168.1.1
and then router 2 is 192.168.1.2 (WAN), 192.168.2.1/24 (LAN)
and finally router3 is 192.168.1.3 (WAN), 192.168.3.1/24 (LAN)

router 1 would need static routes as follows:
network 192.168.2.0/24 via 192.168.1.2
network 192.168.3.0/24 via 192.168.1.3
(optionally, you can put static routes in routers 2 and 3 to point to the other router)

Then you would turn off masquerading on routers 2 and 3 for the WAN zone. Then add zone forwarding rules from WAN > LAN for those routers, too.

Now, the wireguard tunnels allowed IPs may need to be updated to exclude (the two upstream networks), so !192.168.0.0/16 would do the trick here, or you may want to do VPN PBR.

kaenguruh · November 21, 2021, 12:24pm

Ah, great, thanks.
But how do I exclude 192.168.0.0/16 from the allowed_IPs in Wireguard?

psherman · November 21, 2021, 9:43pm

I believe you can put the "!" symbol (logical not) in the allowed IPs field:
!192.168.0.0/16

So, your allowed IPs would have two entries (assuming you're sending all traffic except for the 192.168.0.0/16 range):

!192.168.0.0/16
0.0.0.0/0`

Or in the network file, you'd see this...

	list allowed_ips '!192.168.0.0/16'
	list allowed_ips '0.0.0.0/0'

kaenguruh · November 21, 2021, 10:07pm

Sadly, this doesn't work in wireguard.
I can't add it via luci and adding it via terminal just stops the interface

psherman · November 21, 2021, 11:14pm

Just tried it myself, and it does indeed cause the entire interface to fail. Bummer. So you could list all of the ranges that exclude it (a much longer list), or just use PBR.

mk24 · November 21, 2021, 11:55pm

This should work with conventional routing.

The wireguard allowed IP list controls incoming packets. So since you're using wireguard for the whole Internet, set it to 0.0.0.0/0.

Do not set wireguard route allowed IPs. Install all routes directly:

On routers 2 and 3 you need:

Router to router 1 lan (inherent when setting up the WAN interface)
Route to the other sub router's lan via gateway of that router's IP on the router 1 lan.
Route to the wireguard peer's public IP via gateway of router 1.
Route to the wireguard tunnel IPs.
Default route to the rest of the Internet -- gateway is the server's IP in the wireguard tunnel.