I made those changes for the second router and still have issues.
Windows 10 RDP troubleshooter reports that the second router is still doing NAT, but I already turned off Masquerading on the second router.
I have attached the configuration of the first router ( main router)
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='eth1'
network.@device[0].macaddr='Omitted'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.ipaddr='192.168.1.1'
network.lan.ipv6='off'
network.lan.device='eth1'
network.@device[1]=device
network.@device[1].name='eth0'
network.@device[1].macaddr='Omitted'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan.ipv6='0'
network.wan.peerdns='0'
network.wan.delegate='0'
network.wan.dns='1.1.1.1' '1.0.0.1'
network.iot=interface
network.iot.proto='static'
network.iot.ipaddr='192.168.10.1'
network.iot.netmask='255.255.255.0'
network.iot.device='eth1.10'
network.@route[0]=route
network.@route[0].gateway='192.168.1.145'
network.@route[0].interface='lan'
network.@route[0].target='192.168.2.0/24'
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
config device
option name 'eth1'
option macaddr 'Omitted'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.1.1'
option ipv6 'off'
option device 'eth1'
config device
option name 'eth0'
option macaddr 'Omitted'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option ipv6 '0'
option peerdns '0'
option delegate '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'iot'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option device 'eth1.10'
config route
option gateway '192.168.1.145'
option interface 'lan'
option target '192.168.2.0/24'
cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'wan'
option masq '1'
option input 'DROP'
option forward 'DROP'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
list icmp_type 'echo-request'
option target 'DROP'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config zone
option name 'iot'
option output 'ACCEPT'
list network 'iot'
option input 'DROP'
option forward 'DROP'
config forwarding
option src 'iot'
option dest 'wan'
config rule
option name 'IOT-DHCP-DNS'
option src 'iot'
option target 'ACCEPT'
option dest_port '53 67'
list proto 'udp'
config forwarding
option src 'lan'
option dest 'iot'
Currently the route on the first router is configured as follows:
config route
option gateway '192.168.1.145'
option interface 'lan'
option target '192.168.2.0/24'
Upon looking at the luci web interface, it is saying unicast.
If I make the following changes directly to the configuration using WinSCP, below, I loose internet connectivity on the second pc that is connected to the 192.168.2.x network.
config route
option target '192.168.2.0'
option netmask '255.255.255.255'
option gateway '192.168.1.145'
option interface 'lan'
Here is the configuration of the second router:
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='Omitted'
network.@device[0]=device
network.@device[0].name='eth1'
network.@device[0].macaddr='Omitted'
network.lan=interface
network.lan.device='eth1'
network.lan.proto='static'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.@device[1]=device
network.@device[1].name='eth0'
network.@device[1].macaddr='Omitted'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='static'
network.wan.ipaddr='192.168.1.145'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.1.1'
network.wan.dns='192.168.1.1'
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'Omitted'
config device
option name 'eth1'
option macaddr 'Omitted'
config interface 'lan'
option device 'eth1'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0'
option macaddr 'Omitted'
config interface 'wan'
option device 'eth0'
option proto 'static'
option ipaddr '192.168.1.145'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
list dns '192.168.1.1'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
option target 'ACCEPT'
list icmp_type 'echo-request'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'wan'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wan'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
As always, any advice is greatly appreciated.
Not sure what I am missing here, unless I am not understanding the different route types.
I forgot to mention I am using OpenWrt 23.05 2024.07.22 build for my second router for my Nano Pi R4S per @anaelorlinski
I don't really need to use iptables or pbr so I am going to figure out how to remove those packages.
Maybe there are conflicting rules.