How to set up a static route and device broadcast between two subnets (OpenWrt and Zyxel)

As a result of the events in America, I have started to worry about my privacy. Because of this, I am trying to distance myself from Google as much as possible and block as much telemetry data as I can.

Currently, I am setting up a subnet in OpenWRT. I want to connect all my IoT devices through this network and ensure that AdGuard in OpenWRT blocks all this telemetry. So far, I have managed to set up the subnet and route all data through this subnet via AdGuard.

However, I am having trouble getting devices on different subnets to communicate with each other. I believe I need to use 'static routes' and 'DNAT' to make devices recognize each other.

Could someone help me with how to set this up?

I have been working with Linux for 15 years and run my own server. I also have a Home Assistant server. However, this 'networking' aspect is new to me. Setting up this question is difficult for me because there is little information available about the Zyxel router I have from Odido.

My network is set up as follows:

...
Odido (ISP) Zyxel VMG8825-T50
gateway: 192.168.2.254
LAN connection with OpenWRT on port 192.168.2.237 (static DHCP)

GL.iNet GL-MT6000 (Flint 2) with OpenWRT
gateway: 192.168.1.1
WAN connection with Zyxel

When I log into the OpenWRT WiFi, I can access the internet.
However, when I am on my Zyxel router, I cannot reach my OpenWRT router...

I have delved into the theory and had many conversations with Mistral Le Chat to visualize this. I have also visited many websites. According to those examples, I have tried setting up a static route and worked on firewall rules, but nothing seems to work. I have not only followed processes and explanations from the AI but also asked for definitions and explanations of concepts. I think it's difficult for AI to help me well because Zyxel is such an unknown router. For this reason, there are also few guides available online....

Could someone please help me?

Thank you very much for your time and effort!

On the Zyxel you need to set up a static route to route 192.168.1.0/24 via the WAN address of the Flint (should be something like 192.168.2.x; better set a static lease on the Zyxel for the Flint so this address stays the same).

On the flint open up the firewall to let traffic from 192.168.2.0/24 pass:

config rule
	option name 'allow_forward'
	option src 'wan'
	option dest '*'
	option target 'ACCEPT'
	list src_ip '192.168.2.0/24'
	option enabled '1'

Furthermore, your local LAN clients on the Flint must also accept traffic from the 192.168.2.0/24 subnet, so it might be necessary to tweak the firewall of those local LAN clients.

I hope not to anger anyone, but if tweaking the firewall of the local LAN clients is not feasible you can MASQUERADE traffic from 192.168.2.0/24 coming out of the lan interface in /etc/config/firewall:

config nat
	option name 'SNAT-traffic'
	option src 'lan'
	option src_ip '192.168.2.0/24'
	option target 'MASQUERADE'
	list proto 'all'
	option enabled '1'

With masquerading traffic you lose logging and access control, so I am not a fan of it, but in a typical SoHo setup, where you trust your users, that is not a big deal.
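A quick sanity check of the two stanzas above, added here as an example that is not part of the reply: SAMPLE is a constructed copy of the rule and nat sections, and the parser is a minimal hand-written one rather than libuci/fw4. It flags a wan-to-any ACCEPT rule that has lost its src_ip restriction and points out the MASQUERADE trade-off the reply mentions.

```python
"""Sanity-check a UCI firewall fragment (OpenWrt /etc/config/firewall syntax).
Added example, not code from the post or OpenWrt; SAMPLE is a constructed copy
of the two stanzas from the reply, and the parser is hand-written, not libuci."""
import shlex

SAMPLE = """
config rule
    option name 'allow_forward'
    option src 'wan'
    option dest '*'
    option target 'ACCEPT'
    list src_ip '192.168.2.0/24'
    option enabled '1'
config nat
    option name 'SNAT-traffic'
    option src 'lan'
    option src_ip '192.168.2.0/24'
    option target 'MASQUERADE'
    list proto 'all'
    option enabled '1'
"""


def parse_uci(text):
    """Return [(section_type, {key: [values]})]; option and list both collect into lists."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)  # raises ValueError on an unclosed quote
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).extend(parts[2:])
    return sections


def audit(text):
    """Flag wan->any ACCEPT rules with no src_ip limit and any MASQUERADE entry."""
    findings = []
    for stype, opts in parse_uci(text):
        if opts.get("enabled", ["1"]) == ["0"]:
            continue
        name = opts.get("name", ["<unnamed>"])[0]
        if stype == "rule" and opts.get("src") == ["wan"] and opts.get("target") == ["ACCEPT"]:
            if not opts.get("src_ip"):
                findings.append(f"{name}: ACCEPT from wan with no src_ip restriction")
        if stype == "nat" and opts.get("target") == ["MASQUERADE"]:
            findings.append(f"{name}: MASQUERADE on {opts.get('src', ['?'])[0]} hides client addresses")
    return findings
```

An unclosed quote in a `list src_ip` line makes the parser raise instead of silently dropping the restriction, which is the failure mode worth catching before the rule goes live.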

Thank you for the reply!

I did some research, and my ISP is blocking the option for static routes in the Zyxel router...

Now there are two options I can take: I can either replace the current modem with an 'open' one, or maybe create an extra bridge network with a second router.

If I replace my ISP router I need one with the following options:
Modulation
PTM over ADSL, G.dmt, G.Lite, TI.413, ADSL2, Annex L, ADSL2+, Annex M, VDSL2

VDSL Profiles
8a, 8b, 8c, 8d, 12a, 12b, 17a, 35b, US0

VDSL2_POTS = (Vectored VDSL2)

  • ITU-T G.993.2 Annex A (up to 17 Mhz profiles)
  • ITU-T G.993.5 (VVDSL2)
  • ITU-T G.998.4 G.INP, (interleaved Forward Error Control)
  • SRA, (Seamless Rate Adaption)
  • ETSI TR 101 830-1 V1.5.2.
  • UPBO ITU-T G.993.2 amendment x (Upstream Power Back-Off)
  • ITU-T G.997.1 Physical layer management
  • ITU-T G.994.1 Handshake protocol
  • Long Reach VDSL2: ITU-T G.993.5/Annex B & G.993.2/Annex D

VDSL2_POTS = (VDSL2)

  • ITU-T G.993.2 Annex A (up to 17 Mhz profiles)
  • ITU-T- G.998.4 G.INP, (interleaved Forward Error Control)
  • ETSI TR 101 830-1 V1.5.2.
  • UPBO ITU-T G993.2 amendment x (Upstream Power Back-Off)
  • ITU-T G.997.1 Physical layer management
  • ITU-T G994.1 Handshake protocol

ADSL2+_POTS = (ADSL2+)

  • ITU-T G.992.5 Annex A & Annex M
  • DLM (Dynamic Line Management) and (interleaved Forward Error Control)

What are your expert opinions?

Does your ISP device support so-called bridge mode, where it acts just as a modem? In this case the OpenWrt device can simply use PPPoE on the WAN interface.

1 Like

If bridge mode is not possible, consider setting up your OpenWrt router as a Bridged AP.
Then everything is on one seamless subnet.

Thanks all for the replies!

I actually had an old Fritzbox 7583 lying around from my old proper provider (xs4all). Internet freedom has always been a big thing for them. And yes! They did not lock their modem up!

I'm now doing a factory reset and will see if I can make the original suggestions work.

2 Likes