How to configure OpenWRT to just be a router (no NAT)

Hello. I have a TP-Link A7v5 that I was able to get OpenWRT to install on pretty easily. I’d like to use it as a router, connecting to the WiFi network at home for outbound/internet traffic (192.168.0.0/24 network). The LAN ports (split between 192.168.1.0/24 and 192.168.2.0/24 networks) will connect to homelab machines, like a Proxmox server. Currently have it doing that kind of, but the NAT/firewall gets in the way of using it as I’d like to - such as being able to allow access from 192.168.0.0 network clients without firewall stuff to worry about.

Could really use some help with what commands to run to 1. back up the current config before making changes, and 2. how to reconfigure OpenWRT to make it just a router as described earlier.

Thanks

See here https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap

2 Likes

Does your upstream router support static routes?

1 Like

Yes it does support static routes.

Thanks will check that out later tonight.

You can create static routes in the main router:

192.168.1.0/24 via 192.168.0.x
192.168.2.0/24 via 192.168.0.x

Where x is the address that the A7v5 takes on the main network.

Once that is done, you can turn off masquerading on the upstream firewall zone (I'm guessing the wan) within OpenWrt, and optionally set firewall forwards or other rules to allow access from the upstream to the downstream networks.

You probably don't want to use a bridged AP configuration since that's not going to perform the routing for you.

1 Like

Well I was thinking about doing bridging initially, but routing seemed more fun. Did not think it could be as easy as just turning off masquerading. Will check that out. Thanks.

Edit: Well removed masquerading and looking like it’ll take more than that. Getting odd results. From a client on 192.168.1.1 network, I can only kind of get to 192.168.0.1 router via icmp. Can almost bring up the router web interface, but it stops after trying for a bit. Tried to ssh to a linux server on 192.168.0.0 network and that failed. Http also.

From 192.168.0.0 network having very strange results. When I tried to bring up the openwrt web interface on 192.168.1.1, it for some reason brought me to 192.168.1.1. Got the static route in place that you mentioned, the first one anyway.

Been a long time since I’ve touched a “real” router. lol. Actually took a CCNA class back in the day, but after changing roles never got a chance to use those skills much.

Let's review the config of the OpenWrt router. If the upstream router is also OpenWrt, please post that config, too, otherwise please post a screenshot of the static route config.

Importantly, how is the OpenWrt router connected to the upstream network? Is it via the wan port?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

The upstream router is a TP Link AX21 with stock firmware.

On my router with openwrt, things unfortunately got worse when I tried f-ing with the firewall config. I decided to just remove what was there and then save that. Got a strange error message and then it became unreachable on the network. Seems to be “bricked” as the kids like to say these days. After rebooting, it will respond to 4 pings and then stop.

Damn, wish this thing had a serial console now lol. Would be a lot easier to recover. Is it possible to reset to defaults or something?

Try IPv6 link local addresses at first to access the router via ssh

Then try safe boot.

Hmm… never actually used ipv6 that much. Hate to say this, but how do you do that? Feeling really old rn lmao. Not sure how to find the ipv6 link local address of my router.

Edit: Ok got a plan to recover from this now after some sleep. Been retired from IT for a few years now and it's taking a little bit to get back into a decent troubleshooting mindset. Will report back later.

firewall plays no role in access points attached to a bridge going to OEM router.

While the statement is correct, it does not apply to the OP's situation. They are routing on the device -- they have an upstream/main network (192.168.0.0/24) and two downstream networks (192.168.1.0/24 and 192.168.2.0/24). They are not looking for a basic bridged AP, but rather an actual routed solution. So the firewall is relevant.

1 Like

By default there is access from downstream to upstream but not the other way around.

For that I use two firewall rules, one to have access to the router (INPUT) and one for access to the LAN (FORWARD):

config rule
	option src 'wan'
	option name 'Allow-router-access'
	list proto 'all'
	list src_ip '192.168.0.0/16'
	list src_ip '10.0.0.0/8'
	list src_ip '172.16.0.0/12'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option name 'Allow-lan-access'
	option target 'ACCEPT'
	list proto 'all'
	list src_ip '192.168.0.0/16'
	list src_ip '10.0.0.0/8'
	list src_ip '172.16.0.0/12'

To guard a bit against accidentally connecting this router to the internet I restrict the sources to Private RFC 1918 IP addresses.
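
An added example (not code from any poster or from the OpenWrt project): a shell/awk check that reads a UCI firewall config and flags the two things this thread turns on, namely the upstream zone still masquerading, and ACCEPT rules from that zone whose src_ip list is missing or reaches beyond RFC 1918 space. The function names, the sample config and its 'Too-wide' rule are constructed for illustration; the zone name wan follows the posts above.

```shell
# Usage on the router: audit_firewall wan < /etc/config/firewall
audit_firewall() {
    awk -v up="$1" -v q="'" '
    function is_private(cidr,    p, o, len) {   # 1 only if wholly inside RFC 1918
        split(cidr, p, "/"); split(p[1], o, ".")
        len = (p[2] == "") ? 32 : p[2] + 0
        if (o[1] + 0 == 10) return len >= 8
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return len >= 12
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return len >= 16
        return 0
    }
    function report() {                         # findings for the section just read
        if (type == "zone" && opt["name"] == up && opt["masq"] == "1") print "masq-on zone=" up
        if (type == "rule" && opt["src"] == up && opt["target"] == "ACCEPT") {
            if (nsrc == 0) print "unrestricted rule=" opt["name"]
            else if (bad != "") print "non-private rule=" opt["name"] " src_ip=" substr(bad, 2)
        }
    }
    $1 == "config" { report(); type = $2; split("", opt); nsrc = 0; bad = ""; next }
    $1 == "option" || $1 == "list" {
        v = $0; sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v); gsub("[\"" q "]", "", v)
        if ($2 == "src_ip") { nsrc++; if (!is_private(v)) bad = bad " " v }
        else opt[$2] = v
    }
    END { report() }'
}

# Constructed sample config (not the poster's router): masquerading still on,
# one rule restricted as in the post above, one unrestricted, one too wide.
sample_config() {
    cat <<'EOF'
config zone
    option name 'wan'
    option masq '1'
config rule
    option name 'Allow-router-access'
    option src 'wan'
    option target 'ACCEPT'
    list src_ip '192.168.0.0/16'
    list src_ip '10.0.0.0/8'
    list src_ip '172.16.0.0/12'
config rule
    option name 'Allow-lan-access'
    option src 'wan'
    option target 'ACCEPT'
config rule
    option name 'Too-wide'
    option src 'wan'
    option target 'ACCEPT'
    list src_ip '192.168.0.0/8'
EOF
}
```

Running `sample_config | audit_firewall wan` prints one finding per line; an empty result means the upstream zone is not masquerading and every ACCEPT rule from it is limited to private sources.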