Network Topology - Creating Interfaces for 2 Separate Private Networks While Cascading Routers

Hi everyone,

I need help with setting up 2 networks with different SSIDs, namely how to configure the interfaces in OpenWrt. I did a lot of reading and research as well as watching videos on YouTube. So far I believe to understand what generally needs to happen to make those 2 networks work and communicate with each other but I hit the wall when trying to configure OpenWrt as I am absolutely not experienced with it.

This is the idea:

Huawei Echolife HG 8145V5 is the router/ modem connected to the internet through my ISP. The ZTE MF283+ is a 4G LTE router/ modem from the same ISP that I used before switching to fibre optic. So far I have managed to install OpenWrt 21.02.4 on it and I can log into it and configure it.

So what I would like is to connect the ZTE MF283+ to the main network with the HG 8145V5 router by connecting its WAN/LAN1 (factory enabled) port with an Ethernet cable to the LAN1 port of the fibre optic router. When I do that without any configuring, the ZTE MF283+ router acts as an extender to the HG 8145V5 router and I cannot access LuCI in the web browser.

I would like to install OpenVPN on the ZTE MF283+ router (Green Network) so that I can connect some devices through it (tablet, 2 PCs & a phone). As the devices are in a different room, they would all be connected through Wi-Fi.

The devices already connected to the main router HG 8145V5 (Pink Network) (PC-Ethernet, Phone-Wi-Fi, Printer-Wi-Fi & TV-Ethernet(YouTube)) would stay connected to the main router.

I am NOT after creating an FTP server and devices from the Green Network do NOT have to communicate with the devices from the Pink Network.

Devices in the Green Network need to be able to access internet for downloading purposes and the only game I intend playing is Clash of Clans. This all of course while using OpenVPN installed on the ZTE MF283+ router.

This is the address pool on the main HG8145V5 router:

From that I have deduced that I can keep the 192.168.1.1 address for the Green Network ZTE MF283+ router. I have tried to configure that IP address in OpenWrt interface as a static IP address. Or should I have changed it to for example a 192.168.200.1 address?

I am also confused with the fact that my initial configuration of the ZTE MF283+ router shows up in bridged mode interface.

General settings secondary ZTE MF283+ router:

What I have done is:
Turned the LAN1 port into a WAN port (which should be WAN/ LAN1 coming from the factory but now of course the stock firmware is removed)

Created a new WAN interface:


Then I changed the IP address on the WAN side into a static one (192.168.100.2):


After adding the new WAN interface and connecting to the primary router through Ethernet cable, there is no internet on the secondary ZTE MF283+ router.

So this is the Frankenstein I have created but it is not alive yet:


In the Routes section I have found this but not sure how to interpret it:

While in the Static IPv4 Routes there is nothing (not sure if there's supposed to be):

I have read the User Guide on the OpenWrt web site but did not get any wiser on how to set up a working interface in my particular situation. Also after researching on the internet and watching countless YouTube videos I do not feel like I am close to getting home.

I have checked if I am dealing with a double NAT issue on my ISP's side and after checking "whatismyipaddress.com" it seems that my IP address is the same as in my stock firmware WAN configuration on the HG 8145V5 main router:

All in all it would be most helpful to me if someone could guide me through setting up the needed interface(s) and pointing out what things I need to take into account (e.g. disabling the DHCP, configuring firewall, circumventing double NAT or anything similar) or otherwise directing me to a website/ YouTube video where I can see how it needs to be done in my case. I feel very lost and helpless at this point.

If the following two things are true:

  1. the devices on each network do not need to be able to connect to devices on the other network
  2. you plan to use a VPN to tunnel the traffic on the OpenVPN router through a VPN provider

then the solution is really very simple: run the router in a standard routing mode by taking one of the physical ports and setting it up as a wan port (on the OpenWrt router). Once that is done, the upstream network will not be able to connect to the devices behind the OpenWrt router, but those devices behind OpenWrt will be able to reach the upstream network (this can optionally be prevented by the firewall, but will be moot once the VPN is running). Of course, the devices connecting to the OpenWrt network will also have normal access to the internet.

The next step is to install and configure your VPN. Once that is done, all traffic will be encrypted as it leaves the WAN port of the OpenWrt router (until it reaches your VPN provider) and vice versa.

Thank you Peter for the swift reply.

That's what I was trying to do but somewhere along the way I failed. The steps I took are all posted in the screenshots above. I fail to turn the LAN1 port on the secondary OpenWrt router into a WAN port, well into a working WAN port.
I need someone to show me how to set it up.

Is it okay to keep the network LAN side at the static 192.168.1.1 IP address while designating a static IP address to the WAN side which is in the same subnet as the primary router, e.g. 192.168.100.2?
The primary router's IP is 192.168.100.1 (also posted above in the screenshot).

Also I reckon that the OpenWrt router should have the DHCP switched on for the devices, or does each of the devices need a static IP address?
When I do what I did in the screenshots above I get no internet on the OpenWrt router.
So somewhere along the way I screwed up.

I wish someone could show me what I am doing wrong.

Thank you for taking time to reply Peter.

For a start, set the WAN port to untagged.

Then log into the router using SSH and try to ping 192.168.100.1.
If the ping is successful, set a DNS server and assign the WAN interface to the wan firewall zone.

LuCI->Network->Interfaces->Edit(WAN)

If it still doesn't work, you'll need to post the configuration in text format.

@pavelgl covered the things that need to be corrected (based on what we can see in the screenshots). Give it a shot and let us know what happens.

Thank you Pavel and Peter.

Going to try the settings out after which I will post the feedback.

Your support is very much appreciated.

Thank you once more guys!!!

WAN port untagged & DNS assigned as suggested by you.
Now internet working like a charm.

However...... ahem..... cough... cough...

I have installed the OpenVPN too:

I have not checked the internet speeds on the primary Huawei Echolife HG8145V5 router nor the secondary ZTE MF283+ router prior to installing OpenVPN.

I have 2 questions remaining.

I have noticed that there is a significant difference in internet speed between the 2 routers. For testing the speed I have used a Windows 10 PC with a 1 Gbps NIC and an Ethernet connection to the LAN ports of both routers.

These are the results:

Huawei primary router with stock firmware:

ZTE MF283+ secondary OpenWrt router:

LAN ports on the secondary ZTE MF283+ router are 100 Mbps so it does not look like they are being used to their fullest potential.

So my 2 questions would be:

  1. Is it possible that using OpenVPN is throttling and slowing down the internet speed, or that these are "normal" speeds on the secondary ZTE MF283+ router?
  2. Are there maybe software add-ons in LuCI that can be installed or configurations to be adjusted in the interface to improve/ gain some more speed?

After connecting a cell phone to the secondary ZTE MF283+ router the measured internet speed was ample 30 Mbps. That's probably because it is a somewhat older phone, and I have not yet been able to connect any other devices to the router to test their speeds.

And there is one more huge issue that I ran into......
I am dealing with a DNS leak.

Even though it shows that my IP address is based in Washington, the name of my ISP, the servers and the flag of the country are visible. I have erased them so they cannot be seen in the images below.



After doing some research I ran into a possible fix for the problem that said:

So I have applied the suggested tweak in the OVPN configuration file like this:

Also I have tried installing the WebRTC Limiter in the "Brave" web browser:

And after trying all of the settings in the options of the extension, as well as performing the suggested tweak in the OVPN config file above, the result was the same: the DNS leak did not go away:

Besides the 2 suggestions I have tried without success there were 2 more listed which I have not tried:

And:

So my last question for the time being would be if the last image (assigning a static address to each device connected to the secondary ZTE MF283+ router) is the way to get rid of the DNS leak, or might there also be some configuration/ software available in OpenWrt that would be successful in preventing the DNS leak?

If posting these 2 issues here in the original topic is not seen as fit by the moderators, I will gladly start another topic but I was thinking of changing the title of this topic into "Network Topology - Creating Interfaces for 2 Separate Private Networks While Cascading Routers & Fixing a DNS leak".

Please advise and help me to solve these last issues I am having with creating 2 different private networks.

I forgot to mention....

I do not see what's the point of running an OpenVPN service while having a DNS leak, if I have to worry about the things stated below:

"  • The servers identified above receive a request to resolve a domain name (e.g. www.eff.org) to an IP address every time you enter a website address in your browser.

  • The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.

  • If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data."

Please help and advise.

Yes. Not just possible, but actually happening.
OpenVPN is an older and very inefficient protocol. The overhead in both the encapsulation as well as the CPU requirements is significant and will cause significant degradation in speed. Disable it and test again.

Not if you're using OpenVPN. Wireguard would be a better option for speed/efficiency.

  • See an example on how to make 9.9.9.9 route over a specific interface
  • Assign the DNS IP to clients who will use the tunnel
  • It will route over tunnel
  • No DNS leaks!

Thank you once more for the swift reply fellow OpenWrt netizens.

Are both of you telling me to switch over to Wireguard and then make the 9.9.9.9 route over a specific interface?

I am ready to do so as long as it will work.

I certainly would recommend it.

If you specify your desired DNS (quad 9 or other) in your dnsmasq config, that will go over the default route... with WG active, that will become the default route (unless you add policy based routing to change that behavior).

I have been trying some things out and I will post my findings tomorrow.

Greetings to all!!!

I have finally found some spare time and tried to tackle the still present issues that I would like getting sorted out.

I am proud and very satisfied to share that the DNS leaks belong to the past.

The reason for the DNS leak was the assigned custom DNS server in the WAN interface which is the stock IP address of the primary Huawei HG8145V5 router (192.168.100.1).
When I was instructed by Pavel on how to fix the faultily configured WAN interface he suggested to use the primary router's IP address, which helped me to finally get the internet connection established between the 2 routers:

After that I have installed the OpenVPN and was confronted with unexpected low internet speeds and constant DNS leaks.

As Peter explained:

I was WRONGLY assuming that 50-60 Mbps was low internet speed caused by the use of OpenVPN and routing the traffic through the VPN provider's server.
In reality the above mentioned speed (I will come back to that later) was the regular internet speed circumventing the VPN tunnel as I was still using the primary router's DNS address (my ISP's one) while having the OpenVPN switched on. This also explains the constant DNS leakage.

After being disillusioned by the performance of OpenVPN I downloaded the Wireguard package as well as the configuration settings from the VPN provider.
In the configuration file I found out that 10.2.0.1 was the VPN provider's server and I used it to set it as the custom DNS server in the WAN interface, just like lleachii suggested:

So this was the culprit of the DNS leaks:

I have replaced the 192.168.100.1 custom server with the custom 10.2.0.1 DNS server.

After that I still had DNS leaks but I found out that I also needed to adjust the settings in my Brave internet browser:

In all the internet browsers the "Use secure DNS" option should be switched off.

After testing my connection on the "mullvad.net" website I discovered that I also had WebRTC leaks and so I had to take care of them in the Brave browser too:

I visited the "mullvad.net" website and a few other sites to check if my DNS & WebRTC were still leaking. These are the results:

It says that my DNS servers are still leaking:

These leaks are okay as they all belong to the VPN provider's servers and not to my ISP's servers.

A few other results:

Same here, the leaked DNS servers are not my ISP's servers and are related to my VPN IP address.

With that being sorted out I do have one more question regarding the custom DNS servers. Later when making the Wireguard interface I decided to add an additional custom DNS server to it as well as to the WAN interface:

My question would be..... If my VPN provider's server (10.2.0.1) would shut down for some reason, would my connection automatically be routed through the 2nd custom DNS server (9.9.9.9)? Or in other words, what is the benefit of having the 2nd custom DNS server listed if the VPN provider's server shuts down and with that (I assume) the Wireguard connection to the internet?

This brings me to another feature that I am interested in activating which is the "kill switch" function.

I have a free VPN account at "protonvpn.com" and they claim to have the "kill switch" and even a "permanent kill switch" function (which I prefer over the first one) but they are features built in their apps which need to be installed depending on what kind of OS one is running. The main reason I wanted the VPN on the router instead of on each device separately is the assurance that any device routed through the VPN tunnel would be behind the VPN network. No headache and no constant adjustment of settings when wanting to go private or accidentally forgetting to turn on the VPN.

This is from the protonvpn website:

Basically I would like the connection to "drop dead" as soon as the connection with the VPN server fails and would like to have the connection re-established ONLY when the VPN server is up and running again. So under no circumstances would I want any device connected to this secondary ZTE MF283+ OpenWrt router to accidentally access the internet without a VPN.
I reckon that's what they mean by a "permanent kill switch".

I have found this website which has a script that can be implemented in the Wireguard configuration file, like the one that I have downloaded from my VPN provider:

The linux command is outlined:

My question would be......

Is this the way to secure the "permanent kill switch" I am looking for?
Unlike the OpenVPN configuration file that needs to be uploaded, the VPN provider's Wireguard configuration file just serves to copy/ paste things like public keys, IP address, DNS server, endpoint IP address, port and such. As this is all done manually I fail to see how adding these commands in the Wireguard configuration file would activate the kill switch. I believe that this might work on a machine with Linux OS but not on the OpenWrt router even though it is running on Linux. Someone please correct me if I am wrong.

Let me elaborate on how I've set up my Wireguard Interface so it is clear for everyone and also it might serve as a tutorial some day for anyone reading this thread:

I went to "Network" tab and Clicked on "Interfaces" where I clicked on "Add new interface".
I named the Wireguard interface "WG0" and as Protocol I selected "Wireguard VPN"

Then I clicked on "Create Interface" which brought me to the next screen:
From the Wireguard configuration file that I've obtained from my VPN provider I filled in the "Private Key" & "IP Addresses" fields.

*NOTE - When copy/ pasting the public key leave out the first "=" sign
"=" GvTwYlaHjneUjksnKbMeSr/Ty345kl/abGus/=
Copy/ paste only the part in bold letters style.

After that I moved on to the "Advanced Settings" tab:
Here I have unchecked the "Use DNS advertised by peer" check box and added 2 custom DNS server addresses: "10.2.0.1" (from my Wireguard configuration file) & "9.9.9.9" as a back-up server.

From here I moved on to the "Firewall Settings" tab:
Here I created a new firewall zone called "vpn".

Then I went to the last tab which is the "Peers" tab.
Here I clicked on "Add peer"

Once opened, I performed the next steps:

  • In the "Description" field, I entered "Juppiter" (can be any random name)
  • In the "Public Key" field I copy/ pasted the public key under the peer section from my VPN provider's configuration file
  • In the Allowed IPs I copy/ pasted the allowed IPs also from the peer section of my VPN provider's configuration file (0.0.0.0/0)
  • Next I checked off the "Route Allowed IPs" check box
  • After that I once more copy/ pasted the details provided by my VPN provider to the "Endpoint Host" field
  • And the same I did for the "Endpoint port" (51820)
  • Finally I tapped on the "Save" button

*NOTE - When copy/ pasting the public key leave out the first "=" sign
"=" GvTwYlaHjneUjksnKbMeSr/Ty345kl/abGus/=
Copy/ paste only the part in bold letters style.

In the interfaces section I clicked on the "edit" button of the WAN interface so that the WAN interface also uses the DNS server provided by my VPN provider in order to prevent DNS leaking.

Here I entered the "10.2.0.1" (provided in the Wireguard configuration file by my VPN provider) and "9.9.9.9" (provided by lleachii) custom DNS servers:
After that I clicked on "Save"

From there on I went to configure the VPN zone that I have just added.
I clicked on "Network" tab and then selected the "Firewall" which brought me to "Firewall - Zone Settings".

Here I made sure that the "vpn" zone would be the same as the "wan" zone.
I did that by changing the "input" from "accept" to "reject" and then checking off the "Masquerading" check box. After that I tapped on the "Save" button.

After that I went ahead to edit the zone forwarding from "lan" to "wan":

Here I have checked off the "vpn" check box under the "Allow forward to destination zones" field and then clicked on "Save".

After that I went back to the "Firewall - Zone Settings" and clicked on "Save & Apply"

Finally I had my WG0 (Wireguard 0) interface working:

My question would still be......

How do I create a permanent kill switch that does not allow any internet connections unless it is routed through the Wireguard interface?

While surfing on the net for possible solutions I ran into this thread on the OpenWrt forum: Luci-app-openvpn kill switch - #7 by nlx6

Although the topic here is creating a kill switch in OpenVPN, I believe that the same principle would apply for the Wireguard as the kill switch rule is created in the "Firewall - Zone Settings". @psherman

I believe my firewall configuration is the same as described above by Peter.
I am having problems with understanding the last part: "Now, you can remove the LAN > WAN forwarding......."
Where do I exactly remove that forwarding?

My firewall configuration:

lan>wan zone:

wan zone:

vpn zone:

When I turn off the WG0 (Wireguard) interface and try to access any website on the internet I get a "DNS address could not be found" error but I believe that is because of the custom DNS servers in the WAN interface. In the network center in Windows it says that I have the internet connectivity all the time.
I really need to implement that kill switch.

This is from the system log file and I do not see anywhere that the internet goes down when switching off the Wireguard interfaces:

And when turning one of them back on:

There's one more issue that I am struggling with.
As I mentioned I have a free VPN service at ProtonVPN and I can use servers from 3 different countries. So what I did is create 3 separate Wireguard interfaces (WG0, WG1 & WG2). I have created the 2 extra interfaces the same way I did the first one on which I've elaborated above.

After I had created them, I switched them off except for the first Interface which is WG0 and everything was working fine. I created them so in case the 1st server goes down or I need a server in a different country to be able to switch to any other server desired at a given time. When I had OpenVPN I could also upload different servers and switch between them just by checking off the check box and starting or stopping the service with the selected server. That's where my idea came from to make 3 different Wireguard interfaces.
The problem I am facing is that when I turn on the router next time, all 3 of the servers become active and it slows down the internet or it breaks the connection totally.
This means that I have to log into the router each time when I turn it on and switch off all of the Wireguard interfaces and restart the one I would like to use at that time.

Not sure why the Lease time remaining for the NIC of my PC says "expired".

So my question would be........

Is there a way to prevent all 3 Wireguard interfaces (connections) from starting at the same time? Like have only one of the servers start? Maybe with Policy Based Routing (just wild guessing here)? I would like to have a main server (WG0) start each time when I turn on the router and if possible, in case that the main server is down for some reason, to automatically switch to the next server in queue (WG1) and if that one is offline to switch to the next one (WG2). It is kind of cumbersome having to log into OpenWrt each time and to switch all of them off and then to restart one of them in order to be able to use the internet.
Or is the only solution to delete the 2 other routers and when I wish to use another server to edit/ update the Wireguard configuration data in the WG0 interface?
I really like the ease of uploading multiple OpenVPN configuration files and being able to switch between them.

And now the last but not least.....
The internet speed issue which was already kind of discussed previously in this thread... The speed is horrendously low...
With the OpenVPN protocol it is 40 times slower than the internet speed on the primary Huawei Echolife HG8145V5 router with fibre optic, and with Wireguard ONLY 20 times slower.

I will post several tests done on various sites:

No VPN:

OpenVPN:

Wireguard:

So we can say that the internet speed on the secondary ZTE MF283+ router is around 50 Mbps without VPN, around 5 Mbps with OpenVPN and around 10 Mbps with Wireguard (twice as much as the OpenVPN).

Wireguard ended up with the........

.... eye watering 10 Mbps. Very disappointing actually...... to go from 200 Mbps on the primary Huawei Echolife HG8145V5 router to ample 10 Mbps on the secondary ZTE MF283+ router.

Huawei HG8145V5 primary router speeds:

I understand that having a free VPN plan comes at a cost of speed but 10 Mbps is on the very bottom side of the speed scale.
What confuses me is that the secondary ZTE MF283+ router has a theoretical speed of 100-150 Mbps and the LAN ports are all 100 Mbps, but still the speed is ample 1/4 of the speed of the primary router. I believe that if the throughput was 100 Mbps the internet speed with Wireguard would at least be some 20 Mbps. That would be much more satisfying.

I have tried to connect to the primary router's interface through the secondary router and I have succeeded but it was a very laggy experience and when clicking on a tab it took forever to open. After a while I noticed that the secondary router was sharing the 192.168.100.2 IP address with a D-link range extender:

So I changed the static address of the WAN interface to 192.168.100.253 instead.

What happened next is that the primary router's web interface became much snappier and much more responsive, so it made me secretly hope that the internet speed would change for the better too, but that was a false hope as the internet speed remained the same (10 Mbps).

My last question would be.........

Is there a way to gain those 100 Mbps on the secondary router to improve the speed a little bit? Maybe through load balancing or such?

Is there any other way to get closer to those 100 Mbps throughput?

Just to be clear, I was connected to the secondary router through an Ethernet cable and the PC's NIC is a 1Gbps one, so no wi-fi connection was involved when doing the speed tests.

Any and all help would be much appreciated in answering my questions and helping me sort out these few last issues so that I can close off this topic as "Solved".
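The kill-switch question above (where exactly the "lan > wan" forwarding has to be removed so that LAN clients can only be forwarded into the "vpn" zone) is a property of /etc/config/firewall, and it can be checked off-router. The following is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a check that reports any path around the WireGuard zone. The zone and interface names (lan, wan, vpn, WG0) follow the thread; the firewall text is a constructed sample, not a real dump.

```python
"""Kill-switch check for an OpenWrt /etc/config/firewall (UCI) file.

Parses the zone and forwarding sections and reports anything that lets LAN
clients reach the internet without passing through the WireGuard zone.
"""
import shlex


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": {}})
        elif parts[0] == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def kill_switch_findings(text, lan_zone="lan", vpn_zone="vpn", wg_iface="WG0"):
    """Return a list of findings; an empty list means the kill switch holds."""
    sections = parse_uci(text)
    zones = {s["options"].get("name"): s for s in sections if s["type"] == "zone"}
    fwds = [s["options"] for s in sections if s["type"] == "forwarding"]
    vpn = zones.get(vpn_zone)
    if vpn is None:
        return [f"zone '{vpn_zone}' does not exist"]
    findings = []
    if wg_iface not in vpn["lists"].get("network", []):
        findings.append(f"interface '{wg_iface}' is not covered by zone '{vpn_zone}'")
    if vpn["options"].get("masq") != "1":
        findings.append(f"zone '{vpn_zone}' has no masquerading, so clients cannot use the tunnel")
    # The WG interface in any other zone, or a lan forwarding to any other zone,
    # is a path around the tunnel that opens up as soon as WG0 goes down.
    for name, zone in zones.items():
        if name != vpn_zone and wg_iface in zone["lists"].get("network", []):
            findings.append(f"interface '{wg_iface}' is also in zone '{name}'")
    for fwd in fwds:
        if fwd.get("src") == lan_zone and fwd.get("dest") != vpn_zone:
            findings.append(f"forwarding {lan_zone} -> {fwd.get('dest')} bypasses the tunnel "
                            f"when {wg_iface} is down")
    if not any(f.get("src") == lan_zone and f.get("dest") == vpn_zone for f in fwds):
        findings.append(f"no forwarding {lan_zone} -> {vpn_zone}, so clients cannot reach the tunnel")
    return findings


# Constructed sample modelled on the zones described in the thread (not a real dump).
ZONES = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config zone
    option name 'vpn'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    list network 'WG0'

"""
LAN_TO_WAN = "config forwarding\n    option src 'lan'\n    option dest 'wan'\n\n"
LAN_TO_VPN = "config forwarding\n    option src 'lan'\n    option dest 'vpn'\n"
LEAKY_FIREWALL = ZONES + LAN_TO_WAN + LAN_TO_VPN   # as posted: lan may still forward to wan
FIXED_FIREWALL = ZONES + LAN_TO_VPN                # the lan -> wan forwarding removed

if __name__ == "__main__":
    for label, cfg in (("as configured", LEAKY_FIREWALL), ("lan->wan removed", FIXED_FIREWALL)):
        print(label, "->", kill_switch_findings(cfg) or ["kill switch holds"])
```

The check covers forwarded client traffic only: the router's own resolver (dnsmasq) still sends its queries over whatever route is up, which is the separate DNS configuration point raised earlier in the thread.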

Guys... I could really use some help/ directives to wrap this topic up....

Your second-to-last post above me is quite verbose (you may recall that's why I shy away from responding). The only things I've been able to glean and tell you were this:

The DNS servers on the WG interface are not used (especially not by the clients) - hence my threads about properly assigning DNS servers to clients. I'm not sure how you accidentally got back to improperly configuring your DNSes.

Just configure a second DNS IP address in the same manner the instructions provide for the first (i.e. to use the tunnel). As a reminder, the instructions are linked in my post.

https://forum.openwrt.org/search?q=kill%20switch%20wireguard%20order%3Alatest

(There should be no first equal sign.)

Again, that was just an example, you can use any 2 DNS IPs and configure them to use WG.

(You proceed on to make a lot of config changes on your device, I'm not sure why.)

If they were properly configured or configured with a kill switch, yes this would work as you desire.

This is expected (something has to process the encryption, the CPU is used):

  • Have you tried enabling Packet Steering?

Wow...yea, perhaps you should make a separate thread for all your separate issues. At least for me, your posts are very difficult to follow (and e.g. sorting thru the pictures that a sentence explains, especially).

I'm certain I didn't see everything, so apologies in advance.

^^^ this.

Post #14 in particular is so long that I can't really read it and keep tabs on everything that is happening. I will say kudos for providing lots of info, but the problem is that it is actually overload in this case. Specifically, you can remove more than half of those screenshots just by providing the config files in text form. They can even be put into 'hide details' blocks (gear icon > hide details; if it's a configuration, don't forget to also use the </> code block inside that)... this makes the whole thing much more compact.

Further, we don't need screengrabs of your speed tests... you can do it like this below:

a "hide details" block -- good for your speedtest results

This text will be hidden until the triangle is clicked...

Here you can explain I ran the following speedtests:

here is code inside a code block within the hide details block

speedtest.net no VPN = xxx mbps
google speedtest no vpn = yyy mbps

speedtest.net with VPN = zzz mbps
google speedtest with vpn = www mbps

So consider explaining the top level issue(s) and providing the supporting evidence in a more compact form.
