How to share the internet from LAN1 port to wan.35 via vlan 35?

If you disable the firewall, you need to install static routes on the upstream router. Otherwise, that router (the one on the left) will not know where to send the traffic since it is not aware of the downstream network subnets.

If you use masquerading, the upstream router(s) don't need to know anything about the downstream subnets that are not "directly connected". Masquerading is a function of the firewall, so the firewall must be enabled for it to work.


On the laptop, I would just do this from now, and it would work. No firewall related stuff. Only this:

iptables -t nat -A POSTROUTING -o wlp4s0 -j MASQUERADE

wlp4s0 is where the internet comes from. This would give the internet to the LAN.

That is masquerading. And iptables is a firewall. So the laptop was running a firewall that was performing masquerading.


OpenWrt uses the new nftables kernel system. You can still poke rules directly into the kernel table, but using the abstracted firewall configuration method is much simpler.
The left side should be the wan. You can add the pppoe network into the lan zone and then there is already forwarding with masquerade from lan->wan. Or make a new zone and allow forwarding ppp->wan. Note that the masquerade option is set on the destination zone (wan). If the left side is lan now you would need to make a new zone and also set masquerade on lan.

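The zone layout described above, written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not configuration from the thread; it assumes the upstream link is the 'wan' network (the left side) and that the PPPoE-facing network is named 'pppsrv' (a hypothetical name).

```uci
# /etc/config/firewall (fragment) - added example, not from the thread.
# Assumes: upstream link = network 'wan'; PPPoE-facing link = network 'pppsrv' (hypothetical name).

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masquerade belongs on the destination (upstream) zone, so the
	# upstream router never needs routes for the downstream subnets
	option masq '1'
	option mtu_fix '1'

# Separate zone for the PPPoE-facing side, treated like 'lan' as the thread suggests.
# (The alternative is simply adding "list network 'pppsrv'" to the existing lan zone.)
config zone
	option name 'ppp'
	list network 'pppsrv'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Allow ppp -> wan only; nothing is forwarded back from wan unless a rule allows it.
config forwarding
	option src 'ppp'
	option dest 'wan'
```

If the upstream link is currently in the lan zone instead, the same fragment applies with 'lan' in place of 'wan' as the forwarding destination and with `option masq '1'` set on that lan zone, as noted above.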

Yes, but in Debian AFAIK, which also uses nftables indeed. But iptables commands get translated to nftables.

But regardless of the underlying firewall methods (nftables vs iptables), and regardless of the means of configuring said firewall (direct commands vs abstracted, possibly with a GUI on top), the fact remains that you were using a firewall + masquerading on the laptop. This means that the simplest approach is to do the same with OpenWrt -- enable masquerading on the upstream network via its firewall zone. This means the firewall must be enabled.

If your upstream (ISP) router supports static routes, you can certainly explore symmetric routing (i.e. no masquerading), but many ISP provided routers do not have this option, so masquerading will be required if that router doesn't have a place to enter static routes.


OK, I think I found the nftables commands that work:

nft flush ruleset
nft add table ip nat
nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
nft add rule ip nat postrouting oifname "br-lan" masquerade

After that it works as expected. Very slow speed though (60 Mbit at best; I have a P-2812). May I ask one more thing?

If I were to remove the middle router and do it with 2 routers instead, how would it work? My main router gets internet from PPPoE VLAN 35, so do I change br-lan to pppoe-wan in this nftables command? Or wan.35 or wan?

Great!

Not entirely surprising...

If I'm not mistaken, the left most router is the ISP router, right? And you said that your right hand router is one that you need to connect via PPPoE. Is that correct?

I'd be very surprised if there is an option to run a PPPoE server on the ISP router, so if the above two points are true, you must have the middle router.


Single-core 500 MHz MIPS chip; I'm surprised it is that fast.

If you're planning to PPPoE twice in the poor Zyxel, it's going to get even slower.

I checked its CPU usage; this is a 500 MHz but 2-thread router. But it won't use the other thread at all.

I might change that to an OpenWrt router.

If the left most router is an OpenWrt router (or any more sophisticated router that has the option of running a PPPoE server), you should theoretically be able to eliminate the middle router.
