Hi I just flashed OpenWRT 18.06 on my new Netgear R6220-100PES. I'm using it to create a network that is separated from my main home network. The situation is as follows:
router/modem from my ISP creates main home network 192.168.1.0 and has IP 192.168.1.1
modem has static route to 192.168.2.0 with netmask 255.255.255.0 via gateway fixed IP 192.168.1.149
R6220 creates separate network 192.168.2.0 and has IP 192.168.2.1 and fixed IP 192.168.1.149 on WAN
The problem is that clients connected to the R6220 via Lan and W-Lan can't reach the internet. They can't ping or traceroute openwrt.org nor 1.1.1.1 however they can ping the modem at 192.168.1.1 and devices connected to it. Interestingly though on the diagnostic page the R6220 can reach both the internet and devices in the other network. To make sure the cause is not the R6220's firewall I disabled it via ssh. I haven't touched the VLANs so they're default (see the attached image). I've also worked through https://openwrt.org/docs/guide-quick-start/ts-internetconnectivity
I think you still have NAT working
2 things to try
temporary make them the same firewall group "lan"
could have something to do with forwarding in the firewall setting not setup for the differing zones
failing that change the name on the wan inter face from wan to something else
When you static IP the WAN you also have to configure the wan gateway and DNS server under the OpenWrt wan section. These should be 192.168.1.1.
You do not have to enter any routes into the upstream router unless you want devices on the 192.168.1 LAN to be able to reach the 192.168.2 LAN. In that case you also need to open the OpenWrt firewall.
Do not remove all the firewall rules or shut down the service entirely because that will break NAT.
I would try a default configuration, change the LAN to 192.168.2.1 and let the WAN DHCP (which is the default). Once that works you can get fancier. I prefer to make a reservation (static lease) in the DHCP server rather than static IP any clients.
I have left WAN on dhcp as it was by default. I've added the route on the ISP modem so devices have access to the 192.168.2.0 network. Ofc an incoming firewall rule would then be needed.
Even with the default firewall settings the behaviour was the same like written in the first post. The question is why the R6220 itself has full access but his clients don't?
Edit: The ISP modem/router has DHCP enabled but has set a static IP for the R6220 which is 192.168.1.149
The packets should be forwarded according to the routing table. The standard route dictates that packets whose destination is not in the router's own network will typically be forwarded to the router connected at the WAN port. That shouldn't be different here because R6220's clients are able to ping devices in the 192.168.1.0 network
in your main router
setup dhcp to give the mac address of you R6220 a ip of 192.168.1.149
setup static route to forward 192.168.2.x/24 to 192.168.1.149
in R6220
Factory reset
change Network>interfaces>LAN>Edit>General Setup>"IPV4 address" to 192.168.2.1
change Network>interfaces>WAN>Edit>Firewall Settings>"Create / Assign firewall-zone" to LAN
should now be able to access R6220 on 192.168.1.149 & 192.168.2.1
you should now be able to ping a device from 192.168.1.x to 192.168.2.x & back
now if you router allows 192.168.2.x to use it's NAT you will have internet access as well on 192.168.2.x
it's up to you now to sort out you firewall / isolation on how you want it to end up
there seem to be some confusion on this thread
I'm thinking you are trying to add a 2nd sub net & only your main router is doing NAT
other seem fine with double NAT witch I can't think of why you would want to do this ?
@Lucky1 Yes but I'm not sure if the R6220 doesn't do NAT aswell? I've read that double NAT is ugly but works well most of the times. The thing is that all internal communication is working fine, all devices in the 192.168.1.0 net can access the internet including the R6220, but all devices connected to the R6220 in the 192.168.2.0 net cannot. But I have no idea why...
The setup is the way you wrote @Lucky1 except that for testing purposes I've disabled the firewall completely. But it also didn't work before with it properly configured. That's why I don't think resetting to factory defaults and setting the firewall up the way you wrote (which is how it was before and which was not working) will solve the issue. Also there is no setting for NAT on the ISP modem/router. Enabling DMZ in the modem's settings for the R6220 on 192.168.1.149 has not solved it either (and I don't want to use this setting anyway).
Any traceroute to the internet from a device in the 192.168.2.0 net stops after reaching the modem at 192.168.1.1 for no apparent reason
MK24 you have to understand the firewall is what forwards form 192.168.2.x to 192.168.1.x so if you disable it you will get what you have no communications between
the easy way to get it to work & see if you router will let 192.168.2.x on the internet
is to turn on your firewall & add both lan & wan to the default LAN firewall group
if you look on your firewall page & see the settings under zone that's the forward you want
if you make them the same zone for now it will forward
the IPv4 and IPv6 packet forwarding sysctrl setting enables routing
the firewall handles masquerade (NAT) rules
So if the user adds static routes to the non-OpenWrt with firewall disabled, then the device should forward normally. Major Internet and core routers forward with no NAT or firewalls all the time. If the OP also routes on the APs (has subnets on them), routes would be added to OpenWrt as well.
So @lleachii what could be the issue then? How can I find out why any traceroute to the internet from a device in the 192.168.2.0 net stops after reaching the modem at 192.168.1.1 ? It stops with both traceroute and ping to 1.1.1.1 and openwrt.org.
Also in the ISP modem/router there's no option for firewall and NAT
I didn't inquire; but that information was quite useful!
Please confirm if the ISP device is a router - what's its make/model?
If this is the case, then your setup is working. I'd blame the ISP device. It's code may only create a masquerade rule for the prefix assigned to its LAN (i.e. 192.168.1.0/24).
Can you show a screenshot of this route configured in the ISP device?
You already did:
Your 192.168.2.0/24 devices can ping devices at 192.168.1.0/24
This means their gateway (i.e. 192.168.1.1) has a route properly configured
If you can ping vice versa, then the only device left to troubleshoot is the ISP device
it seem the ISP device isn't accepting the 192.168.2.x/24 range
is the ISP's Router needed for Fiber,VDSL,VOIP ?
if so is there a way to put it in Bridge mode ?
I know Netgear adsl/vdsl modes have a hidden page for enabling Bridge Mode
if it can making the R6220 do NAT & have 2 networks would be the best option
@Lucky1 Yes the device is needed for Fiber (or FTTH I think it's called). There is no bridge mode, I have checked this seeing others that are missing this feature as well.
I also think the problem has to be the ISP router. But I don't want to buy a replacement device for it.
Wow I can't believe I randomly solved the problem!
I did a OpenWRT reset and changed the IP for the LAN interface to 192.168.4.1 instead of 192.168.2.1 and everything is working as expected! Maybe the ISP router messed something up with it using ...2.1...
Anyway thank you guys for helping me, really glad it's working now
if you want to isolate the networks you can play with the firewall & make a new zone etc
you can use it's wifi to extend the old subnet & add the new one at the same time
just add a new SSID same security & password as your modem & add it to the uplink/wan interface
as well a different SSID for the new subnet
