Joining two subnets

Hi,

I am having difficulty setting up my network to operate as I want, with two separate subnets talking freely to each other, and am looking for help.

My ISP router does not allow static routing so although I can route from one router to the ISP router, I cannot go the other way.

What am I trying to achieve?

Part of the problem is that I have built a smart home and IP addresses are getting scarce. More importantly one router runs my VPN connection to my London based virtual server and I want some of the devices to connect over the VPN. So, one router connects to the French internet direct while the second connects to my UK VPN server over the French internet. I want any device to be allocated to either of the subnets and be able to talk to all other devices no matter which subnet they are on with some communicating with French, cloud-based smart hub controls and some connecting to VPN based controls.

I have two separate OpenWrt routers in addition to my ISP router, so my idea is to treat the ISP router as a simple internet modem feeding an internet connection to each of the routers' WAN interfaces on a static lease, say 192.168.1.24 and 192.168.1.25. Each router would run its own DHCP requests using ethernet or wifi connections, though the majority of devices will have a fixed IP connected to one or other of the subnets. One subnet will be 10.0.0.0/24 and the other 10.0.1.0/24. I will also want to be able to connect to the ISP modem on 192.168.1.254 to manage its interface as well.

Is this solution feasible and how do I set up the static routing to enable it to happen please?

Assume I am technically (networking at least) challenged.

Thanks in advance for any responses.

Geoff

Example Router1

WAN1 address 192.168.1.24
LAN1 subnet 10.0.0.0/24

Create a static route for the LAN2 subnet via Router2 wan IP.

#/etc/config/network

config route
        option target '10.0.1.0/24'
        option gateway '192.168.1.25'
        option interface 'wan'

Exclude LAN2 from masquerading.

#/etc/config/firewall

config zone
        option name 'wan'
        option masq '1'
        list masq_dest '!10.0.1.0/24'
        ...

Create a traffic rule that allows incoming requests to the wan zone originating from LAN2

#/etc/config/firewall

config rule
        option name 'Allow-From-LAN2'
        option src 'wan'
        option dest 'lan'
        list proto 'all'
        list src_ip '10.0.1.0/24'
        option target 'ACCEPT'

Create the same rules on Router2, reversing the IP addresses.

You may also need to modify the LAN clients firewalls to allow incoming requests originating outside their local subnets.

Why not simply set up both networks on a single OpenWrt router? You can achieve this with multiple subnets/VLANs on the router along with policy based routing to steer the outbound connections as needed (i.e. one subnet egresses via the standard wan, the other via the VPN).

1 Like

Thanks for the responses.

Sherman, I used to have that setup and remember how difficult it was to set up, and even then, I seem to remember that the two networks did not talk to each other. I lost all my notes on how I did it, so I thought this method would be cleaner for separation between the subnets.

Pavelgl, thanks for the clear instructions. I will try it tomorrow and report back.

Have a great evening.

Geoff

It’s actually easier and more straightforward to use a single router for mashing the whole network, but it does require a bit more knowledge to configure it.

Either way is valid, though, just different approaches.

Hi Pavel

I have followed your instructions but am still not quite there. Here are the networks and the config file outputs. I have included the entire file in case there is anything clashing that you can identify.

1 VPN Router to UK

WAN1 address 192.168.1.24
LAN1 subnet 10.0.0.0/24

1.1 root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.0.1/24'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'
	option mtu6 '1500'

config interface 'ovpn_wan_free'
	option proto 'none'
	option metric '20'
	option device 'tun0'
	option defaultroute '0'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '1'
	option name 'lan3.1'
	option mtu '1500'

config interface 'wan_fbx'
	option proto 'static'
	option metric '10'
	option device 'wan'
	option gateway '192.168.1.254'
	option dns_metric '10'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '1.1.1.1'
	option broadcast '192.168.1.255'
	list ipaddr '192.168.1.24/24'

config device
	option name 'eth0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'WS_Biscuits'
	option proto 'wireguard'
	option private_key 'm**************************************='
	list addresses '100.70.36.218/32'
	list dns '10.255.255.3'
	option listen_port '51820'
	option auto '0'

config wireguard_WS_Biscuits
	option description 'Windscribe-London-Biscuits-WG.conf'
	option public_key 'q**************************************='
	option private_key 'm************************************='
	option preshared_key 'w********************************='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'lhr-335-wg.whiskergalaxy.com'
	option endpoint_port '443'
	option persistent_keepalive '25'

config route
	option interface 'wan_fbx'
	option target '10.0.1.0/24'
	option gateway '192.168.1.25'

1.2 root@OpenWrt:/etc/config# cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'wan_fbx'
	list network 'WS_Biscuits'
	list device 'tun0'
	list device 'wan'
	option family 'ipv4'
	list masq_dest '10.0.1.0/24'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'London_Crumpets'
	list network 'ovpn_wan_free'

config forwarding
	option src 'lan'
	option dest 'VPN'

config rule
	option name 'Allow from LAN 10.0.1.0'
	list src_ip '10.0.1.0/24'
	option dest 'lan'
	option target 'ACCEPT'
	option src 'wan'


2 Direct Router to France

WAN2 address 192.168.1.25
LAN2 subnet 10.0.1.0/24

2.1 root@OpenWrt:/etc/config# cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdce:b829:eed4::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.1.1'
	option broadcast '10.0.1.255'
	option gateway '192.168.1.254'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.25'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	option broadcast '192.168.1.255'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config route
	option target '10.0.0.0/24'
	option interface 'wan'
	option gateway '192.168.1.24'

2.2 root@OpenWrt:/etc/config# cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list masq_dest '10.0.0.0/24'
	option input 'REJECT'
	option forward 'REJECT'
	list device 'wan'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow from LAN 10.0.0.0'
	option src 'wan'
	list src_ip '10.0.0.0/24'
	option dest 'lan'
	option target 'ACCEPT'

config forwarding
	option src 'wan'
	option dest 'lan'

COMMENTS

A). When my Mac (firewall disabled) is connected to 10.0.0.1: (UK Router)

I can ping 10.0.0.1, 10.0.1.1, 192.168.1.24 and 192.168.1.25 successfully.
I can ping within 10.0.0.0/24 but not outside it.
I cannot ping 10.0.1.0/24 or 192.168.1.0/24 except for the items listed above.
So I can only browse the 10.0.0.0/24 subnet using safari.

B). When my Mac (firewall disabled) is connected to 10.0.1.1: (France Router)

I can ping 10.0.0.1, 10.0.1.1, 192.168.1.24 and 192.168.1.25 successfully.
I can ping within 10.0.1.0/24 but not outside it.
I cannot ping 10.0.0.0/24 or 192.168.1.0/24 except for the items listed above.
So I can only browse the 10.0.1.0/24 subnet using safari.

C). When my Mac (firewall disabled) is connected to 192.168.1.254: (ISP Router)

I can only ping within 192.168.1.0/24 but not outside it.
So I can only browse the 192.168.1.0/24 network using safari.

What have I done wrong?

You missed the exclamation mark (!), which is crucial.
Instead of excluding the subnet from masquerading, only requests to that subnet will be masqueraded.

2 Likes
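To make the masq_dest point concrete, here is an added Python model; it is not code from the thread or from OpenWrt. It parses UCI-style snippets, applies the masq_dest semantics described above (positive entries select destinations to masquerade, '!' entries exclude them) to a packet from LAN1 to a LAN2 host, and then runs Router2's wan-to-lan rules on what arrives. The two wan zone snippets are the posted one (without '!') and the corrected one; the Router2 firewall, the hosts 10.0.0.40 and 10.0.1.175 and the rule name 'Allow-From-LAN1' are constructed to mirror the earlier reply. The rule evaluation is a simplification of the real firewall: first matching rule wins, then a matching forwarding section, then the wan zone's forward policy.

```python
"""Added example: model of the LAN1 -> LAN2 path through two OpenWrt routers."""
import ipaddress

ROUTER1_WAN_IP = "192.168.1.24"  # Router1's address on the ISP network (from the thread)

# Constructed Router1 wan zone, as posted (no '!') and as corrected (with '!').
ZONE_WRONG = """
config zone
        option name 'wan'
        option masq '1'
        list masq_dest '10.0.1.0/24'
"""
ZONE_FIXED = """
config zone
        option name 'wan'
        option masq '1'
        list masq_dest '!10.0.1.0/24'
"""
# Constructed Router2 firewall: zone policy REJECT plus the mirrored traffic rule.
ROUTER2_FW = """
config zone
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Allow-From-LAN1'
        option src 'wan'
        option dest 'lan'
        list proto 'all'
        list src_ip '10.0.0.0/24'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI syntax into [(section_type, options)]; 'option' values are
    strings, 'list' values accumulate into lists."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections:
            value = parts[2].strip().strip("'\"") if len(parts) > 2 else ""
            opts = sections[-1][1]
            if parts[0] == "list":
                opts.setdefault(parts[1], []).append(value)
            else:
                opts[parts[1]] = value
    return sections


def masqueraded(zone, dst):
    """masq_dest semantics: '!'-prefixed entries are excluded, positive entries
    restrict masquerading to those destinations, none means everything else."""
    if zone.get("masq") != "1":
        return False
    dst = ipaddress.ip_address(dst)
    entries = zone.get("masq_dest", [])
    negatives = [ipaddress.ip_network(e[1:]) for e in entries if e.startswith("!")]
    positives = [ipaddress.ip_network(e) for e in entries if not e.startswith("!")]
    if any(dst in net for net in negatives):
        return False
    if positives:
        return any(dst in net for net in positives)
    return True


def forwarded_by_peer(fw_text, src, dst, proto="tcp"):
    """Does the peer router forward a wan->lan packet from src? First matching
    rule decides; otherwise a wan->lan forwarding section; otherwise zone policy."""
    sections = parse_uci(fw_text)
    src_addr = ipaddress.ip_address(src)
    for kind, o in sections:
        if kind != "rule" or o.get("src") != "wan" or o.get("dest") != "lan":
            continue
        protos = o.get("proto", ["tcp", "udp"])  # OpenWrt's default when unset
        protos = protos.split() if isinstance(protos, str) else protos
        if "all" not in protos and proto not in protos:
            continue
        nets = o.get("src_ip", [])
        nets = nets.split() if isinstance(nets, str) else nets
        if nets and not any(src_addr in ipaddress.ip_network(n) for n in nets):
            continue
        return o.get("target") == "ACCEPT"
    if any(k == "forwarding" and o.get("src") == "wan" and o.get("dest") == "lan"
           for k, o in sections):
        return True
    wan = next(o for k, o in sections if k == "zone" and o.get("name") == "wan")
    return wan.get("forward", "REJECT") == "ACCEPT"


def lan1_to_lan2(router1_zone_text, src="10.0.0.40", dst="10.0.1.175"):
    """Return (source address Router2 sees, whether Router2 forwards the packet)."""
    zone = next(o for kind, o in parse_uci(router1_zone_text) if kind == "zone")
    wire_src = ROUTER1_WAN_IP if masqueraded(zone, dst) else src
    return wire_src, forwarded_by_peer(ROUTER2_FW, wire_src, dst)


if __name__ == "__main__":
    for label, text in (("as posted", ZONE_WRONG), ("with '!'", ZONE_FIXED)):
        wire_src, ok = lan1_to_lan2(text)
        print(f"{label:10} Router2 sees source {wire_src:14} forwarded={ok}")
```

Run it and the "as posted" line shows Router2 receiving the packet with source 192.168.1.24, which the src_ip rule does not match, so the zone's REJECT policy applies; with the '!' the original 10.0.0.40 source survives and the rule accepts it. The same masqueraded() function also shows that a positive-only masq_dest stops masquerading of internet-bound traffic, which is what "only requests to that subnet will be masqueraded" means in practice.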

I have not closely followed it, but I think you have to exclude the masquerading, so put an exclamation mark before it, probably also for the other router's masquerading.

OK thanks. I did not edit the config file but used the GUI and it is not clear (even now) how to set it up as you suggest. I will edit the files manually and report back.

Hi again,

Well I have written the config files as suggested but it is still not working.

Connecting to 10.0.1.1 allows me to see 10.0.1.0/24 and 192.168.1.0/24 (except 192.168.1.24) but not 10.0.0.0/24. It also lets me access the internet.

Connecting to 10.0.0.1 allows me to see 10.0.0.0/24 and 192.168.1.0/24 (except 192.168.1.25) but not 10.0.1.0/24. It also lets me access the internet.

Should I repost the latest config files? Is the fact that the 10.0.0.1 router is running a VPN causing an issue? The forwarding configurations are different for the two routers. 10.0.1.1 forwards Wan to Lan and then Lan to Wan. 10.0.0.1 forwards Wan to Lan and then Lan to VPN but does not forward Lan to Wan. Is this correct?

It is getting late so I will look for responses tomorrow. Thanks for the help so far.

G

Duplicated post in error

Hi again.

I am really frustrated with this issue. Everyone tells me it should work but no matter what I try, it simply does not work consistently.

I have read as much as I can on it and tried all sorts of variants but I cannot get the two networks to talk to each other. They can ping each other but I cannot browse from one to the other. I have loaded the DNS fields with every possible access point but it still will not work.

IN SUMMARY: I can ping everywhere from each subnet but cannot browse to all addresses (which is shown in the tables below). I cannot ping or browse to either subnet from the main (ISP) network, 192.168.1.0/24. I accept there may be issues with the server I am trying to connect to (Home Assistant, Sonos, etc.) but I should at least be able to connect to the OpenWrt routers controlling each subnet, each of which is connected to the main network (via .24 and .25).

Additionally the access appears intermittent. Sometimes it does connect (say, to Home Assistant server), other times there is no response and sometimes it recognises the server as it shows an address it is trying to reach (in a private browser so no cache involved) but cannot show the full connection.

This is how I would like my network to operate:

Currently, these are the results of pinging and browsing:

Ping

To \ From        192.168.1.0/24  10.0.0.0/24  10.0.1.0/24  Notes
192.168.1.24     1               1            0            Gateway 10.0.0.0/24
192.168.1.25     1               0            1            Gateway 10.0.1.0/24
192.168.1.40     X               X            X            iMac
192.168.1.65     1               1            1            IP Phones Server
192.168.1.200    1               1            0            Home Assistant Server
192.168.1.254    1               1            1            Gateway 192.168.1.0/24

10.0.0.1         0               1            1            Gateway 10.0.0.0/24
10.0.0.40        X               1            X            iMac
10.0.0.140       0               1            1            Satellite Box

10.0.1.1         0               1            1            Gateway 10.0.1.0/24
10.0.1.175       X               X            1            iMac

1 = Yes, 0 = No, X = Not Applicable

Browse

To \ From        192.168.1.0/24  10.0.0.0/24  10.0.1.0/24  Notes
192.168.1.24     0               1            0            Gateway 10.0.0.0/24
192.168.1.25     0               0            1            Gateway 10.0.1.0/24
192.168.1.40     1               X            X            iMac
192.168.1.65     1               1            1            IP Phones
192.168.1.200    1               1            1            Home Assistant
192.168.1.254    1               1            1            Gateway 192.168.1.0/24

10.0.0.1         0               1            0            Gateway 10.0.0.0/24
10.0.0.40        X               1            X            iMac
10.0.0.140       0               1            0            Satellite Box

10.0.1.1         0               0            1            Gateway 10.0.1.0/24
10.0.1.175       X               X            1            iMac

1 = Yes, 0 = No, X = Not Applicable


Here are the relevant network and firewall files as currently configured:

10.0.0.1

Network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	option broadcast '10.0.0.255'
	option gateway '192.168.1.24'
	list ipaddr '10.0.0.1/24'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '10.0.1.1'
	list dns '192.168.1.24'
	list dns '192.168.1.25'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'
	option mtu6 '1500'

config interface 'ovpn_wan_free'
	option proto 'none'
	option metric '20'
	option device 'tun0'
	option defaultroute '0'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '1'
	option name 'lan3.1'
	option mtu '1500'

config interface 'wan_fbx'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.24'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	option broadcast '192.168.1.255'
	list ipaddr '192.168.1.24/24'
	option metric '10'
	option dns_metric '10'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '10.0.1.1'
	list dns '1.1.1.1'

config device
	option name 'eth0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'WS_Biscuits'
	option proto 'wireguard'
	option private_key 'm**************************************='
	list addresses '100.70.36.218/32'
	list dns '10.255.255.3'
	option listen_port '51820'
	option auto '0'

config wireguard_WS_Biscuits
	option description 'Windscribe-London-Biscuits-WG.conf'
	option public_key 'qWSr7Tf40kvS+0kv4TbpSb6EevhSvn3kuXsjn2eWbA4='
	option private_key 'm**************************************='
	option preshared_key 'w********************************='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'lhr-335-wg.whiskergalaxy.com'
	option endpoint_port '443'
	option persistent_keepalive '25'

config route
	option interface 'wan_fbx'
	option target '10.0.1.0/24'
	option gateway '192.168.1.25'


Firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'wan_fbx'
	list network 'WS_Biscuits'
	list device 'tun0'
	list device 'wan'
	list masq_dest '!10.0.1.0/24'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'London_Crumpets'
	list network 'ovpn_wan_free'

config forwarding
	option src 'lan'
	option dest 'VPN'

config rule
	option name 'Allow from LAN 10.0.1.0'
	list proto 'all'
	option src 'wan'
	list src_ip '10.0.1.0/24'
	option dest 'lan'
	option target 'ACCEPT'


10.0.1.1

Network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdce:b829:eed4::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.1.1'
	option broadcast '10.0.1.255'
	option gateway '192.168.1.25'
	list ipaddr '10.0.1.1/24'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '10.0.1.1'
	list dns '192.168.1.24'
	list dns '192.168.1.25'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.25'
	option netmask '255.255.255.0'
	option gateway '192.168.1.254'
	option broadcast '192.168.1.255'
	list ipaddr '192.168.1.25/24'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '10.0.1.1'
	list dns '1.1.1.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config route
	option interface 'wan'
	option target '10.0.0.0/24'
	option gateway '192.168.1.24'


Firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'wan'
	list network 'wan6'
	list device 'wan'
	list masq_dest '!10.0.0.0/24'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'wan'
	option dest 'lan'

config rule
	option name 'Allow from LAN 10.0.0.0'
	list proto 'all'
	option src 'wan'
	list src_ip '10.0.0.0/24'
	option dest 'lan'
	option target 'ACCEPT'


An area I do not understand is forwarding from LAN to WAN etc. Could someone check these for me please?

Does the fact that 10.0.0.1 is on a VPN prevent the subnets seeing each other? Do I need some sort of push command in the VPN config file?

I hope someone can find the time to help me resolve this as I cannot move forward without it working.

Thanks if you read this far!

Geoff

If you want to access LAN1 and LAN2 from the ISP network:

  1. You must have access to your ISP router and you need to add static routes (if supported). The hard way would be to add static routes on each individual host on the ISP network.
10.0.0.0/24 via 192.168.1.24
10.0.1.0/24 via 192.168.1.25
  2. You need to add the ISP network to the rule allowing wan=>lan communication.
config rule
        option name 'Allow-WAN-LAN'
        list proto 'all'
        option src 'wan'
        list src_ip '10.0.0.0/24'
        list src_ip '192.168.1.0/24'
        option dest 'lan'
        option target 'ACCEPT'
  3. Also exclude the ISP network from masquerading.
config zone
        option name 'wan'
        list masq_dest '!10.0.1.0/24'
        list masq_dest '!192.168.1.0/24'
        ...

If you want to manage the OpenWrt devices from the ISP network, you need to create a specific traffic rule that allows that:

config rule
        option name 'Allow-Mgmt-from-ISP-Net'
        option src 'wan'
        list proto 'tcp'
        list src_ip '192.168.1.0/24'
        option dest_port '22 80 443'
        option target 'ACCEPT'

LAN1<=>LAN2 interconnection should work.
If it does not, check if the hosts' local firewalls accept connections originating outside their subnets, as already stated above.

You're getting very good advice from @pavelgl, but the setup is obviously becoming a bit more complex.

Returning to this:

And your response to that was:

Are you sure you still want to continue down this parallel router setup? I honestly believe that it will be an easier/simpler config if you do this all on one router. Your goal is actually fairly common and there are quite a few threads on the topic in this forum, as it is a pretty straightforward configuration when done on a single router.

Hello both,

I wrote to you each by replying to the email (which should have worked?) but they were both rejected. So here, a bit late, is what I said.

*******

Thanks Pavel,

I will look tonight to see what I can do. I did start this process by declaring that my ISP router does not allow static routes.

I can limit the number of hosts on the ISP network to make life as easy as possible.

***************

Hi Sherman,

You may well be right! However, I am like a terrier when I get my teeth into something, so I want to continue learning on this option first and then look at VLANs later.

As it happens (you can see from the configuration files) I already have LAN 3 and LAN 4 set up for VLANs, so a move in that direction would not be too difficult.

Appreciate your continuing interest and advice.

*******

Was going to work on it today but apparently it is Valentine’s Day so I have been commandeered for other duties!

Sunday looks a good alternative.

Geoff

Well, after a load more tries on Sunday, I managed to lose DHCP! Then in trying to recover it, I ignored the rollback protection and... well, I guess you know the rest.

So I am now in the process of rebuilding the router from a backup but also reconsidering the best solution for what I am trying to achieve. I don’t need any help for that bit but I will be back!

Geoff