How do I access my PC and spare router in a different subnet

Hi,

I am new to subnets and networking, please be patient with me as I am learning.

My main router configuration is as follows:

Here is the configuration of the main router:

Output of this command: cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wan'
        option masq '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config zone
        option name 'iot'
        option output 'ACCEPT'
        list network 'iot'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'iot'
        option dest 'wan'

config rule
        option name 'IOT-DHCP-DNS'
        option src 'iot'
        option target 'ACCEPT'
        option dest_port '53 67'
        list proto 'udp'

config forwarding
        option src 'lan'
        option dest 'iot'

Output of cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'eth1'
        option macaddr 'omitted'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.1.1'
        option ipv6 'off'
        option device 'eth1'

config device
        option name 'eth0'
        option macaddr 'Omitted'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'
        option peerdns '0'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'iot'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option device 'eth1.10'

I plugged a cable from the wan port of the second router into a switch which goes to a lan port on the main router.

I plugged my pc into the lan port of the second router.

I changed the lan interface to 192.168.2.0/24.

My goal is to be able to RDP into the PC and manage the second router from a PC on the main network (192.168.1.0/24).

Any help is greatly appreciated.

The main router config is irrelevant, you need to post the config from the 2nd router.


Second Router

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'Omitted'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'Omitted'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.2.1/24'

config device
        option name 'eth0'
        option macaddr 'Omitted'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

@frollic

I tried to configure the route via the luci interface for the second router but that did not work.


Part of /etc/config/network

config route
	option target '192.168.2.0'
	option gateway '192.168.2.1'
	option interface 'lan'

Hi, do you have proper route also back?

You could do a simple port forward.

WAN port X on 2nd router is forwarded to 2nd LAN IP Y, port Z.

Since both routers are running OpenWrt, you can add a static route to the main router and turn off masquerading on the secondary one.

However, backing up just a bit... what is the purpose of the second router? It seems that you already have a second subnet setup on the main router... is there a particular reason you want to have another router performing routing separately as compared to having all the routing on your main router?

@frollic @psherman

Thank you for the quick reply.

I want to be able to configure the spare router as a backup and maybe test installing packages, etc., as I am still a noob, by remoting from the 192.168.1.x network into the PC, which has a static IP of 192.168.2.200 on the second network. That way I can access the LuCI management interface while connected via RDP to the PC.

@pavelgl was able to help me configure the route and turn off masquerading.

I set the following static route on the first router.



config route
        option target '192.168.2.0'
        option netmask '255.255.255.255'
        option gateway '192.168.1.xxx' #IP address of the wan interface
        option interface 'lan'

I set a static address of the second router for the wan interface:

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.xxx' # or any other free address
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

However, I am able to ping from hosts on the 192.168.1.x network to the 192.168.2.x network, but not the other way around.

I also cannot RDP from the 192.168.1.x Windows PC (this is a static IP address assigned to a host, not sure if that matters) to the Windows PC on 192.168.2.200.

I checked ESET Security software firewall settings for port 3389.

Any advice is greatly appreciated.

I am not sure if I still need to port forward as I tried other steps.

On the second router, you need to add a forwarding statement from wan > lan, and masquerading needs to be disabled on the wan zone (the latter sounds like it's already done).

config forwarding
        option src 'wan'
        option dest 'lan'

I have the opposite.

config forwarding
        option src 'lan'
        option dest 'wan'

I will change it tomorrow and keep you updated.

You want both. lan > wan and wan > lan.
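The two fixes discussed in this thread (a proper /24 route on router 1, and masq off plus wan > lan forwarding on router 2) are easy to get subtly wrong, so here is an added Python check that is not part of the thread or of OpenWrt: it parses UCI text in the form posted above and reports which of those conditions a config fails. It assumes OpenWrt's documented default netmask of 255.255.255.255 when a route target has no prefix, and uses the addresses from this thread (192.168.2.0/24 behind 192.168.1.145); the sample configs are constructed from the posts above.

```python
import ipaddress
import re

# Constructed from the thread: router 1's host-route mistake, then the working route.
BAD_ROUTE = """config route
        option target '192.168.2.0'
        option netmask '255.255.255.255'
        option gateway '192.168.1.145'
"""
GOOD_ROUTE = """config route
        option gateway '192.168.1.145'
        option target '192.168.2.0/24'
"""
# Constructed from the thread: router 2's firewall before and after the replies' advice.
BAD_FIREWALL = """config zone
        option name 'wan'
        option masq '1'
config forwarding
        option src 'lan'
        option dest 'wan'
"""
GOOD_FIREWALL = """config zone
        option name 'wan'
        option masq '0'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'wan'
        option dest 'lan'
"""

def parse_uci(text):
    """Turn UCI 'config/option/list' lines into [{type, name, opts}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(" #")[0].strip()  # tolerate the '# ...' notes used in the thread
        if not line:
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'?$", line)  # closing quote optional
        if not m or not sections:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, val = m.groups()
        if kind == "option":
            sections[-1]["opts"][key] = val
        else:
            sections[-1]["opts"].setdefault(key, []).append(val)
    return sections

def route_prefix(route):
    """Network a UCI route really covers: CIDR in target wins, else target/netmask."""
    target = route["opts"]["target"]
    if "/" not in target:  # assumed OpenWrt default: no prefix and no netmask means a /32
        target += "/" + route["opts"].get("netmask", "255.255.255.255")
    return ipaddress.ip_network(target, strict=False)

def check_upstream_route(network_cfg, lan_subnet="192.168.2.0/24", next_hop="192.168.1.145"):
    """Router 1 needs one route for the whole downstream /24 via router 2's wan address."""
    want = ipaddress.ip_network(lan_subnet)
    findings, hits = [], []
    for r in (s for s in parse_uci(network_cfg) if s["type"] == "route"):
        got = route_prefix(r)
        if got == want:
            hits.append(r)
        elif got.network_address == want.network_address:
            findings.append(f"route covers only {got}, not {want}: use a /24 target")
    if not hits:
        findings.append(f"no route for {want}")
    for r in hits:
        if r["opts"].get("gateway") != next_hop:
            findings.append(f"route for {want} uses gateway {r['opts'].get('gateway')}, expected {next_hop}")
    return findings

def check_downstream_firewall(firewall_cfg):
    """Router 2 must not masquerade on wan and must forward lan <-> wan in both directions."""
    secs = parse_uci(firewall_cfg)
    findings = []
    for z in (s for s in secs if s["type"] == "zone" and s["opts"].get("name") == "wan"):
        if z["opts"].get("masq", "0") == "1":
            findings.append("wan zone still has masq '1'")
    pairs = {(s["opts"].get("src"), s["opts"].get("dest")) for s in secs if s["type"] == "forwarding"}
    for src, dest in (("lan", "wan"), ("wan", "lan")):
        if (src, dest) not in pairs:
            findings.append(f"missing forwarding {src} -> {dest}")
    return findings

if __name__ == "__main__":
    for label, cfg, fn in (("router1 bad", BAD_ROUTE, check_upstream_route),
                           ("router1 good", GOOD_ROUTE, check_upstream_route),
                           ("router2 bad", BAD_FIREWALL, check_downstream_firewall),
                           ("router2 good", GOOD_FIREWALL, check_downstream_firewall)):
        print(label, fn(cfg) or "OK")
```

Paste the output of `cat /etc/config/network` from router 1 and `cat /etc/config/firewall` from router 2 into the two check functions to lint a real pair of configs.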

I made those changes for the second router and still have issues.

Windows 10 RDP troubleshooter reports that the second router is still doing NAT, but I already turned off Masquerading on the second router.

I have attached the configuration of the first router (main router).

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.@device[0]=device
network.@device[0].name='eth1'
network.@device[0].macaddr='Omitted'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.ipaddr='192.168.1.1'
network.lan.ipv6='off'
network.lan.device='eth1'
network.@device[1]=device
network.@device[1].name='eth0'
network.@device[1].macaddr='Omitted'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan.ipv6='0'
network.wan.peerdns='0'
network.wan.delegate='0'
network.wan.dns='1.1.1.1' '1.0.0.1'
network.iot=interface
network.iot.proto='static'
network.iot.ipaddr='192.168.10.1'
network.iot.netmask='255.255.255.0'
network.iot.device='eth1.10'
network.@route[0]=route
network.@route[0].gateway='192.168.1.145'
network.@route[0].interface='lan'
network.@route[0].target='192.168.2.0/24'


 cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'eth1'
        option macaddr 'Omitted'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.1.1'
        option ipv6 'off'
        option device 'eth1'

config device
        option name 'eth0'
        option macaddr 'Omitted'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'
        option peerdns '0'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'iot'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option device 'eth1.10'

config route
        option gateway '192.168.1.145'
        option interface 'lan'
        option target '192.168.2.0/24'




 cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        list network 'wan'
        option masq '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config zone
        option name 'iot'
        option output 'ACCEPT'
        list network 'iot'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option src 'iot'
        option dest 'wan'

config rule
        option name 'IOT-DHCP-DNS'
        option src 'iot'
        option target 'ACCEPT'
        option dest_port '53 67'
        list proto 'udp'

config forwarding
        option src 'lan'
        option dest 'iot'

Currently the route on the first router is configured as follows:

config route
        option gateway '192.168.1.145'
        option interface 'lan'
        option target '192.168.2.0/24'

Upon looking at the luci web interface, it is saying unicast.

If I make the following changes directly to the configuration file using WinSCP, I lose internet connectivity on the second PC that is connected to the 192.168.2.x network.

config route
        option target '192.168.2.0'
        option netmask '255.255.255.255'
        option gateway '192.168.1.145'
        option interface 'lan'

Here is the configuration of the second router:

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='Omitted'
network.@device[0]=device
network.@device[0].name='eth1'
network.@device[0].macaddr='Omitted'
network.lan=interface
network.lan.device='eth1'
network.lan.proto='static'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.@device[1]=device
network.@device[1].name='eth0'
network.@device[1].macaddr='Omitted'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='static'
network.wan.ipaddr='192.168.1.145'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.1.1'
network.wan.dns='192.168.1.1'


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'Omitted'

config device
        option name 'eth1'
        option macaddr 'Omitted'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'Omitted'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.145'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'wan'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

As always, any advice is greatly appreciated.

Not sure what I am missing here, unless I am not understanding the different route types.

I forgot to mention I am using OpenWrt 23.05 2024.07.22 build for my second router for my Nano Pi R4S per @anaelorlinski

I don't really need to use iptables or pbr so I am going to figure out how to remove those packages.

Maybe there are conflicting rules.

Where is this particular route?

This one is wrong, though.

The route only needs to be on the upstream router and I do see that already there (and it seems to be correct).

What operating systems are on the hosts you are using? If you are using Windows, the default Windows firewall will not accept connections from other subnets. Some other OS's have similar configurations (I've seen it on some NAS OS's, for example). You need to make sure that the local firewall is configured appropriately.

Let's see the results of ping tests.

Thank you for the feedback.

The following route:

config route
        option target '192.168.2.0'
        option netmask '255.255.255.255'
        option gateway '192.168.1.145'
        option interface 'lan'

Was on router 1. But as you mentioned, that is incorrect.

I set the following route on router 1 under cat /etc/config/network

config route
        option gateway '192.168.1.145'
        option interface 'lan'
        option target '192.168.2.0/24'

I was able to fix the issue by changing the firewall settings in ESET Internet Security and Windows firewall.

Windows Defender Firewall

ESET internet Security

I had to uncheck "also evaluate local Windows firewall rules", add the IP set (192.168.1.0/24, 192.168.2.0/24), and disable RDP scanning in ESET. I will probably play with this setting tomorrow and try to read up on ESET firewall settings and see what I really need to turn off and leave on.

Here are the ping results from windows pc on 192.168.1.x network to Router 2, Router 1 and windows pc on 192.168.2.x network.

(Screenshots: ping from the 192.168.1.x Windows PC to router 2, to router 1, and to the 192.168.2.x Windows PC.)

Here are the ping results from windows pc on 192.168.2.x network to Router 1, Router 2.


For some reason, I cannot ping my S22 mobile phone connected to wifi from the 192.168.2.x pc. S22 device is connected to the 192.168.1.x network.
Any idea on this question?


Lastly, how do I make router 2 more secure? Where do I put the drop/reject in the wan, lan and default zones without affecting internet access on router 2 and RDP access?

This may be a function of the way android is setup. I don't have an answer for this, but it is veering off topic since we know that the symmetric routing is working in general (based on the results of your windows machine tests).

That entirely depends on your security needs. Right now, router 2 allows all traffic from the upstream network to connect to the downstream network. And it will also accept any traffic directed to it from the upstream. Because the upstream network is behind another router (i.e. router 2 is not directly connected to the internet), the network under router 1 isn't necessarily entirely untrusted -- but we don't know what your security goals are and/or how you view the devices (and/or people) on each of the networks. For example, guests and iot devices are typically untrusted, but that depends on your perspective. Your regular computers and phone may be considered trusted, or maybe not.

Therefore, please define your security goals and we can help you secure accordingly.

Thank you for the detailed explanation.

I am looking for help in reviewing the firewall zones on router 1 and router 2 and the current rules, if applicable.

I do not trust any of the IOT devices. IOT only needs internet access.

If I need to talk to any of the IOT devices from the lan network on router 1, that is fine.

One of the current firewall zones on router 1 is good because it allows traffic from the lan to the wan and IOT

Lan -> wan, IOT

I trust both pc on both networks and the rest of the devices.

I only want ping, RDP and internet access to be allowed on router 2 and its 192.168.2.x network.

I want to reduce the risk that a hacker can attack my computer and phone on the 192.168.1.x network from WAN side, and IOT network.

Open to any other suggestions you may have.

If your intent is to separate the IoT and trusted devices, you should have a distinct IoT network that has those restrictions.

Since your main router is running OpenWrt, you can do this all on one router (this is the recommended approach). Is there a reason you're using two routers for this purpose instead of doing it on one?

Thank you for the quick reply.

So the second router is temporary. It is only connected to 1 pc via lan port.

The only reason why I have the second router is to configure the latest version of OpenWrt on the SD card and then restore the backup from my main router. I plan to keep it as a spare. I ran into issues with PBR on my main router last year. I don't use PBR and legacy iptables; they just came installed with what I flashed.

Basically I plan to make the 1st router the same.

Are you able to review the rules and zones for router 1 and 2 just to make sure it is secure?

Sorry, I am getting really anxious about the firewall.

You should only restore backups to the same exact device that it came from. Doing anything otherwise (even if it is the same model) can cause problems.

A standard OpenWrt installation does not include these things. I assume you're using a proper default OpenWrt stable release image?

Aside from my above statement, the way things are being configured means that, by definition, the two routers have different configurations that make it impossible for them to be "the same."

I think that it would be better to do this all on a single router. The structure of the rules will be a bit different, and it is inefficient to work on this two-router topology (both from the perspective of effort -- why do things twice -- and from the additional complexities of dealing with two routers performing routing functions).

Had you stated your real goal earlier (i.e. security based segmentation of your network to accommodate IoT devices), I would have suggested a single router approach at the outset. Really, all the work we have done was to answer the question you posted in the title and first post.