OpenWrt router behind ISP router

Hello,

I'm trying to install the following configuration:

  • ISP router (192.168.1.1) - DHCP activate - Wifi activate
  • My OpenWrt router (192.168.2.1) - DHCP activate - Wifi activate - NAT activate
  • IP Cam using NAT and linked to the OpenWrt Router
  • SSH tunnel from the OpenWrt

When I try to connect (using a 4G modem integrated to the OpenWrt router), it works like a charm
When I try to connect the OpenWrt Router to the lan 1 of the ISP router it does not work (impossible to see the IP Cam neither to see connection from SSH Tunnel).

Both router are not using the same plan of adresses:

  • 192.168.1.x (ISP router )
  • 192.168.2.x (my openwrt router)

Do you know what wrong ? Any idea ?
Thank you

Did you activate NAT on the ISP router?

https://openwrt.org/docs/guide-user/network/integrating-openwrt-introduction

1 Like

Thank you for the anwser.
No I did not. I will try

Hi,

I'm back. I don't have access on the ZTE ISP router as admin but only as user
Anyway, on the status interface I can see on the WAN connection the NAT is enabled

What do you mean about "SSH tunnel"? OpenWRT router works as ssh-client or ssh-server?

SSH tunnel means my openwrt router is a client of my SSH server somewhere else (on another network), and I used it because of double NAT of the previous ISP (Telecom).
I've changed of ISP for fiber, but as you can see the WAN IP is also a internal IP (10.x.x.x), so I still have double NAT (as previously). Conclusion I still need to use the SSH Tunnel.

The issue is not on the SSH tunnel which works fine (with modem) til now
My issue happens when I try to connect the LAN from ISP router to WAN openwrt router

Does your SSH tunnel work connecting via ISP, not via 4G-modem?

No exactly the opposite :slight_smile: it works with the 4G modem and not connecting via ISP

I'm not sure to understand your answer ?

If your ISP-router uses
192.168.1.1
OpenWrt should have
192.168.1.2
Why using extra Network?

2 Likes

It is very strange behaviour.

  1. Connect PC to ISP router and try to run SSH-connection from PC.
  2. Connect PC to OpenWRT-router, OpenWRT-router to ISP router, and try to run SSH-connection from PC.

It is just double NAT, WAN of OpenWRT router is connected with LAN of ISP-router

I tried with some other devices on another network (I built for testing)
This works,
ISP: 192.168.0.1
OpenWrt: 192.168.2.1 (lan) & 192.168.3.1 (wifi)
A pc can connect from ISP lan, and the PC can connect from openwrt lan (any tcp protocol used)
But on the live configuration it does not work...

I will post the etc/configuration files

I don't understand your issue, it is very strange. I don't understand your answer, the question was to check existing networks, not to build new one. Can you connect by SSH from command line of OpenWRT-router via ISP-router?

First question: what's your net mask? If it's 255.255.0.0 then see my next question.
Second question: why do you have two DHCP servers? Turn one off.

This is assuming you want everything to see everything else - I may be wrong.

So you have a fiber ISP.
Are you sure that the fiber is directly connected to the ISP's modem/router, or is the fiber (safely) terminated at a Fiber Termination Unit (FTU) to which then the ISP's router connects with a plain ethernet CAT cable.

If the latter is true (with a FTU) then you probable could very well connect your own router to the FTU. Likely you still need to know any connection parameters like VLAN setting and, possibly, PPPOE config. In the whole of the EU the IPS is required by law to supply these connection parameters on request (although some ISP are truly a PITA). That would give your own OpenWrt router direct WAN access.

When you're not that lucky, then lets assume that NAT on the IPS's modem/router is something you have to live with. Then you could still choose from different options:

  • Run your own OpenWrt equipment as an access point (a LAN bridge, no routing) behind the ISP modem. Access to services running on your own stuff from the outside Internet requires setting forwards (or set "DMZ host" in the modem/router of the IPS. All services like routing, NAT, DHCP, firewalling is handled the the router of the ISP.
  • A little bit more evolved, your own router as an downstream router on your LAN. This allows creating subnets, VLANs, etc behind yours. This setup requires that downstream routes for any subnets behind your own non-masquerading router can be set on the modem/router of the ISP. Nice thing about this setup is that you will likely enjoy the full speed of the hardware NAT engine that it deploys. Breaker is when the NAT facility is "hard wired" to the subnet of the IPS modem.

BTW, when your ISP deploys GCNAT (part of DS-Lite), then:

  • the second option will be impossible because you cannot set routes upstream.
  • you will need some tunnel via some proxy to be reachable from the outside over IPv4.

Hope this helps.

1 Like