Internal routing - dif. subnets

I can't do it again...

Following situation:

openwrt (192.168.x.a ) - Client (192.168.x.b) -> Subnet:192.168.y.a && -> 192.168.z.a

Routing:
config route
	option interface 'lan'
	option target '192.168.y.0/24'
	option gateway '0.0.0.0'

config route
	option interface 'lan'
	option target '192.168.z.0/24'
	option gateway '0.0.0.0'

I can't connect...

To what?

...to the subnet...

Are you routing all traffic this way?

No, I only need access to these devices.

This doesn’t look right.

Please provide a system topology diagram if the 2 subnets are not on the same router.

And let’s see the configs. There is no need to redact the rfc1918 addresses - please show them in their entirety to make it easier to understand.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

The 2 subnets (192.168.0.1; 192.168.150.1) are connected by wire to the OpenWrt (192.168.152.1).

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:2ed7:06c9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option bridge_empty '1'
	list ports 'lan1'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '***'

config device
	option name 'lan2'
	option macaddr 

config device
	option name 'lan3'
	option macaddr 

config device
	option name 'lan4'
	option macaddr 

config device
	option name 'lan5'
	option macaddr 

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.152.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option metric '10'

config interface 'WGSERVER'
	***

config wireguard_WGSERVER
	***

config interface 'WAN2_5G'
	option proto 'dhcp'
	option device 'lan2'
	option metric '20'

config device
	option type '8021q'
	option ifname 'lan2'
	option vid '2'
	option name 'lan2.2'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '7'
	option name 'lan3.7'

config interface 'Glasfaser'
	option proto 'pppoe'
	option device 'lan3.7'
	option username '***'
	option password '***'
	option ipv6 '0'
	option metric '15'

config route
	option interface 'lan'
	option target '192.168.150.0/24'
	option gateway '0.0.0.0'

config route
	option interface 'lan'
	option target '192.168.0.0/24'
	option gateway '0.0.0.0'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WGSERVER'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'WAN2_5G'
	list network 'Glasfaser'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.152.1'
	option dest_ip '192.168.152.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.152.1'
	option dest_port '53'
	option target 'MASQUERADE'

config rule
	option name 'VPN'
	***

I don’t see where the other 2 subnets are in your config. Can you draw this out in a diagram?

Also, what version of OpenWrt are you using?

ubus call system board

Are those other routers connected to ports lan4 and lan5? Or do you want your router to provide those subnets on those ports? Currently, your router is not configured to do anything with those ports. Also, are those subnets Ethernet only or WiFi + Ethernet?

Both routers are wired to lan4+5, only connected via Ethernet.
What did I miss to configure?

See if this fits the bill:

So to be clear, there are 3 routers in the network, correct?

Are the other two routers running openwrt? If not, what are they (brand+model) and what firmware is on them?

And, is there a reason you want to have 3 routers instead of having all of the routing happening on the main openwrt device?

GM Peter,
Yes, as you can see in my network.conf, I use mwan3 failover with the 5G modem (192.168.0.1), fiber and a Fritzbox for DECT phones. I use the access to all devices for managing them...

config interface 'WAN2_5G'
	option proto 'dhcp'
	option device 'lan2'
	option metric '20'

config device
	option type '8021q'
	option ifname 'lan2'
	option vid '2'
	option name 'lan2.2'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '7'
	option name 'lan3.7'

config interface 'Glasfaser'
	option proto 'pppoe'
	option device 'lan3.7'
	option username '***'
	option password '***'
	option ipv6 '0'
	option metric '15'

Neuro

Update:
After several hours I can access my first router, WAN_5G (192.168.0.1), connected via lan!!
So my idea is to break out this lan interface, which is connected to the Fritzbox DECT phones, similar to the WAN_5G router... as @egc shows above / @mk24 in his description.

On the other hand I have Glasfaser/Fiber connected the same way as WAN_5G and I can't connect to 192.168.100.1... but it's PPPoE - do I need a route or a NAT port forwarding?

There are still lots of things you have not yet answered… It would be helpful if you could be more descriptive/explicit in your responses so that we can reduce the ambiguity.

I think the answer to the above is “yes,” but I’m still not entirely certain.

If there are 3 routers in the network, it’s important for us to understand what we’re working with. This has not yet been answered.

This is also really important… there are many circumstances where one router can do the same job as 2 or 3 and the network topology can be simplified. But obviously there may be specific reasons that you want or need multiple routers in your environment. Can you address this question?

I am sorry that I have expressed myself too vaguely here.

Perhaps better as a diagram:

When OpenWrt acquires a DHCP address from the LTE modem/router, it sets up an IP in 192.168.0.0/24 for itself and also a route to it. This is why you can reach the LTE router admin interface without any special configuration.

That does not work for the fiber modem since it is not looking for its own IP inside the pppoe tunnel. You need to place an address directly on the port, outside the VLAN, outside the pppoe tunnel, and using regular ipoe instead.

config interface 'glasfaser_a'
   option proto 'static'
   option device 'lan3'
   option ipaddr '192.168.150.2/24'

Place this interface in the wan firewall zone. Note that since this necessarily involves tagged and untagged packets on the same port, it may not work on all hardware.

The Fritzbox in its default configuration expects its wan port to be connected to the Internet, so it intentionally blocks attempts to log in from that network. There are two ways around this:

  • Open the firewall in the Fritzbox, if possible
  • Configure Fritzbox as a lan device / bridged AP, if possible. The lan network is trusted so it will allow logins.

How to actually implement either of those options is outside the scope of this forum since the Fritzbox is not running OpenWrt.
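As an added sanity check (my code, not from the thread or from OpenWrt), this Python script parses a UCI network fragment and judges each on-link route (gateway 0.0.0.0): the routes posted earlier send 192.168.150.0/24 and 192.168.0.0/24 out of 'lan', whose only address is 192.168.152.1, so the router would have to ARP for those hosts on the wrong link, while the same target via an interface like glasfaser_a above is redundant because the kernel already installs the connected route. The sample config is constructed for the example.

```python
import ipaddress
# Constructed sample (not the poster's file): the thread's on-link route via 'lan' beside the
# same route via the glasfaser_a interface proposed above.
NETWORK = """\
config interface 'lan'
	option ipaddr '192.168.152.1'
	option netmask '255.255.255.0'
config interface 'glasfaser_a'
	option ipaddr '192.168.150.2/24'
config route
	option interface 'lan'
	option target '192.168.150.0/24'
	option gateway '0.0.0.0'
config route
	option interface 'glasfaser_a'
	option target '192.168.150.0/24'
	option gateway '0.0.0.0'
"""

def parse_uci(text):
    """Minimal UCI reader: one dict per section holding .type, .name and its options."""
    sections = []
    for line in text.splitlines():
        kind, _, rest = line.strip().partition(" ")
        if kind == "config":
            typ, _, name = rest.partition(" ")
            sections.append({".type": typ, ".name": name.strip("'")})
        elif kind == "option" and sections:
            key, _, val = rest.partition(" ")
            sections[-1][key] = val.strip("'")
    return sections

def connected_subnets(sections):
    """Interface name -> directly attached IPv4 network (ipaddr/prefix or ipaddr + netmask)."""
    return {s[".name"]: ipaddress.ip_interface(f"{s['ipaddr']}/{s['netmask']}"
                                               if "netmask" in s else s["ipaddr"]).network
            for s in sections if s[".type"] == "interface" and "ipaddr" in s}

def lint_routes(sections):
    """Judge each on-link route (gateway 0.0.0.0); returns (target, interface, verdict)."""
    nets, findings = connected_subnets(sections), []
    for s in sections:
        if s[".type"] == "route" and s.get("gateway", "0.0.0.0") == "0.0.0.0":
            target = ipaddress.ip_network(s["target"], strict=False)
            local = nets.get(s["interface"])
            verdict = ("redundant: the connected route already covers it"
                       if local is not None and target.overlaps(local)
                       else "ineffective: no address on this interface lies in the target")
            findings.append((str(target), s["interface"], verdict))
    return findings
```

Run it against the real /etc/config/network (`lint_routes(parse_uci(open("/etc/config/network").read()))`) to see which static routes actually do anything; the same check works for the 192.168.0.0/24 route, which the DHCP lease on WAN2_5G makes unnecessary.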

Totally agree with you - depends on your experience

I have implemented it in the same way

I think this should be the root cause

Update:

Glasfasermodem access:
Did not get access to 192.168.100.1

Solution in OPNsense:
Firewall -> NAT -> Outbound

Interface: the lan interface connected to the Glasfasermodem (192.168.100.1)
Protocol: TCP
Source: Router IP (192.168.152.1)
Destination: Glasfasermodem (192.168.100.1/32)
Translation: Interface address

Fritzbox:
I can't completely deactivate the FW.
Solution: Set up the Fritzbox as a stupid client - then I lost my IoT/test WLAN network

Conclusion for me:
Fritzbox: I can connect to the Fritzbox via WLAN for managing the box.
Glasfasermodem: I will try to set up an outbound rule similar to OPNsense.

If you put the glasfaser_a interface into the wan zone, it will be NATed.
Also, you should always be able to ping the fiber modem from inside OpenWrt. The pings will go out from 192.168.100.2 directly. If you ping / use http from a lan device, it will be SNATed from a LAN IP to 192.168.100.2 in the process of being forwarded, because everything in the wan zone gets NAT.
Make sure the modem subnet is 100, as earlier you said 150 and I wrote the configuration for that.