I'm trying to set up my home LAN, with not much success for now.
The config is:
- cable modem which acts as a router and gets the internet IP. The LAN IP of the gateway is 192.168.0.1.
- LEDE wireless device connected by wire to the router. LAN IP is 192.168.0.2.
On the LEDE I have 3 wireless networks: one b/g/n on 192.168.0.x, one ac on 192.168.0.x and one b/g/n on 192.168.1.x. Internal DNS and DHCP are on another LAN device for the first 2 and on the LEDE for the 3rd, but could be relocated if needed.
My problem is with the last network, 192.168.1.x, which can't access the rest of the world. I tried various things around bridging and zone forwarding but, obviously, I can't manage to get it right. This LAN must remain separated from 192.168.0.x but should be able to access the internal LAN and the internet based on firewall rules.
How can I configure that?
Hmm, if I'm getting it right, you have three interfaces with the same IP range (192.168.0.xyz). That's not good.
Well, that part is working with no problem but is subject to change if needed.
One is LAN and the other 2 are wireless.
I concur about not having different interfaces in the same network range.
Now, for the 192.168.1.x to reach the internet, just enable forwarding from that network to the WAN network, and activate masquerading. However, "can't access the rest of the world" is too broad; you should specify what works and what doesn't (DNS resolution? ping? ...).
Posting your current config files here will also help.
As long as they are assigned to the same br (and your local IP, if any, is applied to the br, not a port), having different SSIDs and the wired network on the same broadcast domain should be OK.
More config information is needed to tell what is going on.
What is the gateway for 192.168.1.x and on which device is it located?
A picture of the network and the config files would be helpful.
Are you trying to make 192.168.1.x act like a Guest network?
I did the masquerading and forwarding and now I can access the LAN but not the internet.
However, my DNS is not propagated to clients even though I configured it (badly, I suppose) on the DHCP server.
The gateway for 192.168.1.x is on the LEDE. I will check how I configured that.
Which config files could help?
WAN is neither configured nor connected, and the LEDE is connected to the LAN on port 1 of the switch.
And yes, I kind of try to operate 192.168.1.x as a guest network. In fact I want to force users to go through the firewall on the LEDE to get outside this network.
One thing to note is that the LEDE is NOT the router for the LAN. Maybe I should try to configure it as the main router and configure the other router as a bridge.
Did you take a look at the Guest Network documentation? I've used it to create a wireless Guest Network, isolated from my main network, and it's working fine.
Some adaptation will be required for wired stuff (like creating a VLAN maybe), but there are some gotchas to take into account, like creating a new DHCP pool and allowing DHCP requests.
Yes I did, but since you ask I feel that there is something that I didn't understand correctly.
From what you have provided so far, I am inclined to believe you are going to end up with the 192.168.1.x network double-NATed. This should generally be avoided, though the main impact is on UPnP/port forwarding, which you may not care about.
The usual solution for this would be to turn off DHCP on the modem and put it in bridge mode, then use the LEDE device as DHCP server and NAT with appropriate firewall rules. A more crafty solution might be to bridge everything through the LEDE device, with the LEDE device the only thing connected to the modem, let all hosts get 192.168.0.x addresses from the modem, and use ebtables to prohibit traffic between the "guest" SSID's bridge port and the rest of the bridge ports. However, without control over the modem's DHCP server it would probably be impossible to force "guest" clients into a range of IP addresses so that they are easy to write firewall rules for.
For the double-NAT scenario, how is the LEDE 192.168.0.2 address assigned? I'm guessing statically. Does your modem allow statically assigned clients? Have you tested this?
I meant mururoa and not you, DjiPi.
I'm afraid I have to setup my modem in bridge mode and use a router.
Since I have a router, powered off now, I have to sort out whether I should use the LEDE as the router or use the router.
I guess I will use the LEDE since it should be easier to manage complex firewall rules. I don't know if I can filter on time and/or MAC on the firewall of the router (MikroTik).
Edit: it's iptables under the hood on MikroTik, so I can filter on time as well. Mmm, I guess I will try LEDE first.
So, I have to put the modem in bridge mode, connect it to the WAN port on the LEDE and reset both, right?
You'll have to put the router in bridge mode, reset that, and ensure your WAN port on the LEDE device is set to use a DHCP client to get its address, and define ranges for your 192.168.0.x network in the LEDE DHCP server and NAT rules.
None of those changes should require a reset on the LEDE box.
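For readers following this thread, here is what the final layout described in the last few posts looks like as LEDE/OpenWrt UCI config: the modem in bridge mode, the LEDE WAN port as DHCP client, the LEDE as the only DHCP server and NAT device for 192.168.0.x, and a separate 192.168.1.x guest network that can only reach the internet and whatever LAN hosts explicit firewall rules allow (including a time- and MAC-restricted rule, since filtering on time/MAC was raised above). This is an added example, not config posted by anyone in the thread. It assumes LEDE 17.01-era syntax (`option ifname`), that the switch ports are `eth0.1` (LAN) and `eth0.2` (WAN), that the guest SSID lives on `radio0`, and that the LAN printer address and client MAC in the last rule are placeholders.

```uci
# /etc/config/network  (added example; interface names are assumptions)
config interface 'wan'
	option ifname 'eth0.2'          # port wired to the bridged cable modem
	option proto 'dhcp'             # LEDE now gets the public IP itself, so no double NAT

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'          # wired LAN; the two 192.168.0.x SSIDs attach here too
	option proto 'static'
	option ipaddr '192.168.0.1'     # LEDE becomes the LAN gateway
	option netmask '255.255.255.0'

config interface 'guest'            # no ifname: only the guest SSID attaches to it
	option proto 'static'
	option ipaddr '192.168.1.1'     # gateway for the guest network
	option netmask '255.255.255.0'

# /etc/config/wireless  (only the guest SSID shown)
config wifi-iface 'guest_radio0'
	option device 'radio0'
	option network 'guest'          # binds the SSID to the guest interface above
	option mode 'ap'
	option ssid 'guest'
	option encryption 'psk2'
	option key 'change-me'          # placeholder passphrase
	option isolate '1'              # guest clients cannot talk to each other over Wi-Fi

# /etc/config/dhcp  (one pool per interface; dnsmasq advertises the interface
# address as gateway and DNS, which fixes the "DNS not propagated" symptom)
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '1h'

# /etc/config/firewall
config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'                 # NAT happens here, once, for lan and guest
	option mtu_fix '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'           # guests may not reach router services by default
	option output 'ACCEPT'
	option forward 'REJECT'         # and may not be forwarded anywhere by default

config forwarding                   # lan -> internet
	option src 'lan'
	option dest 'wan'

config forwarding                   # guest -> internet; deliberately no guest -> lan forwarding
	option src 'guest'
	option dest 'wan'

config rule                         # guests must still be able to get a lease from the router
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule                         # and resolve names via dnsmasq on the router
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule                         # example of per-host, time-limited access into the LAN
	option name 'guest-printer-evenings'
	option src 'guest'
	option src_mac '00:11:22:33:44:55'   # placeholder guest client MAC
	option dest 'lan'
	option dest_ip '192.168.0.50'        # placeholder LAN printer address
	option proto 'tcp'
	option dest_port '631'
	option weekdays 'mon tue wed thu fri'
	option start_time '18:00:00'
	option stop_time '23:00:00'
	option target 'ACCEPT'
```

Two points worth checking after applying this (`/etc/init.d/network restart` and `/etc/init.d/firewall restart`): `iptables -t nat -L POSTROUTING -v` should show a single MASQUERADE rule on the WAN interface, and a guest client should be able to obtain a lease and resolve names but get rejected when it tries any LAN address other than the one the explicit rule permits. Note that the `isolate` option only separates wireless clients from each other; separation from the LAN comes from the guest zone's `forward REJECT` and the absence of a guest-to-lan forwarding section.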
How about you show us your config files or a picture/drawing of your network? Or stop posting uninteresting posts.
rj45, nobody forces you to reply...
Ok, skids, I'll do that tomorrow.