Physically connecting two OpenWRT routers serving separate subnets

Installing and Using OpenWrt
1

Hello. I'm late to the party of moving from OpenWRT (very old TRUNK [~2021]) to 24.10. So, I recently rebuilt my configuration from scratch, and I'm running into an issue that doesn't seem to work no matter what I try.

I am trying to accomplish what I thought would be a rather simple configuration, but I have tried many different approaches (and understanding that some of the documentation and tutorials around were written for swconfig and they don't always fit in with DSA). Long story short, I'm unable to get it right. I feel like it's something rather simple that I'm missing. Any help in pointing me in the right direction would be highly appreciated.

SITUATION

I have two separate ISP connections, each with their own cable modem. Connected to each of them is a Belkin RT3200, both running OpenWRT 24.10. They both serve different networks, as follows:

WORK-10  - LAN_NET:10.10.0.0/16,  LAN_IP: 10.10.1.1,  WAN_IP:XXX.YYY.ZZZ.AAA
HOME-215 - LAN_NET:10.215.0.0/16, LAN_IP: 10.215.1.1, WAN_IP:AAA.BBB.CCC.DDD

My objective is to physically bridge the networks, so that internal traffic can communicate with the devices on the other LAN, using LAN4 port as the physical trunk connection to the other router, but external traffic goes through each of their WAN ports to the Internet (with their own IPs).

I've read all of the documentation, tutorials, forum posts, and Reddit posts I could find, and have tried many configurations to accomplish this, and the furthest I've gotten is with the following configuration.

CURRENT CONFIGURATION

I will describe the routers as "HOME-215" and "WORK-10". They serve the subnets listed above. The HOME-215 router assigns DHCP to devices connected by LAN/WLAN through OpenWRT/dnsmasq. The WORK-10 router also assigns DHCP addresses through OpenWRT, but serves as a relay to two Active Directory domain controllers. That is all working fine.

Now, to build the bridge, on each router, I removed LAN4 from the default br-lan, and created a new bridge device named br-trunk, that contains only LAN4.

/etc/config/network:
Identical on both WORK-10 and HOME-215:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option bridge_empty '1'

config device
        option name 'br-trunk'
        option type 'bridge'
        list ports 'lan4'
        option bridge_empty '1'

Then, on each router, I created an interface, trunk0, that is assigned to the above device, as follows:

/etc/config/network:

WORK-10:
config interface 'trunk0'
        option proto 'static'
        option device 'br-trunk'
        option ipaddr '10.10.3.215'
        option netmask '255.255.0.0'
        option gateway '10.215.1.1'

HOME-215:
config interface 'trunk0'
        option proto 'static'
        option device 'br-trunk'
        option ipaddr '10.215.3.10'
        option netmask '255.255.0.0'
        option gateway '10.10.1.1'

I then created routes to send traffic destined to these subnets to the bridge interface:

/etc/config/network

WORK-10:
config route
        option interface 'trunk0'
        option target '10.215.0.0/16'
        option gateway '10.10.3.215'

HOME-215:
config route
        option interface 'trunk0'
        option target '10.10.0.0/16'
        option gateway '10.215.3.10'

I created firewall zones on each router:

/etc/config/firewall
Identical on WORK-10 and HOME-215:

config zone
        option name 'trunk'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'trunk0'

I also created firewall rules to allow the traffic to cross between the LAN and TRUNK zones:

/etc/config/firewall

WORK-10:
config rule
        option name 'Allow-LAN-to-Trunk'
        option src 'lan'
        option dest 'trunk'
        option target 'ACCEPT'
        list src_ip '10.10.0.0/16'
        list dest_ip '10.215.0.0/16'

config rule
        option name 'Allow-Trunk-to-LAN'
        option src 'trunk'
        option dest 'lan'
        option target 'ACCEPT'
        list src_ip '10.215.0.0/16'
        list dest_ip '10.10.0.0/16'

HOME-215:
config rule
        option name 'Allow-LAN-to-Trunk'
        option src 'lan'
        option dest 'trunk'
        option target 'ACCEPT'
        list src_ip '10.215.0.0/16'
        list dest_ip '10.10.0.0/16'

config rule
        option name 'Allow-Trunk-to-LAN'
        option src 'trunk'
        option dest 'lan'
        option target 'ACCEPT'
        list src_ip '10.10.0.0/16'
        list dest_ip '10.215.0.0/16'

CURRENT STATUS:

From either router, I can ping the other's remote trunk interface IP, and I can SSH from one router to the other router by using that IP address:

SSH (on WORK-10):

root@WORK-10:~# ping 10.215.3.10
PING 10.215.3.10 (10.215.3.10): 56 data bytes
64 bytes from 10.215.3.10: seq=0 ttl=64 time=0.719 ms
64 bytes from 10.215.3.10: seq=1 ttl=64 time=1.757 ms
64 bytes from 10.215.3.10: seq=2 ttl=64 time=0.664 ms
64 bytes from 10.215.3.10: seq=3 ttl=64 time=0.571 ms
64 bytes from 10.215.3.10: seq=4 ttl=64 time=0.692 ms
^C
--- 10.215.3.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.571/0.880/1.757 ms

root@WORK-10:~# ssh 10.215.3.10 -p XXXX
root@10.215.3.10's password:


BusyBox v1.36.1 (2025-03-15 11:34:29 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0, r28427-6df0e3d02a
 -----------------------------------------------------
root@HOME-215:~# exit

and

SSH (on HOME-215):

root@HOME-215:~# ping 10.10.3.215
PING 10.10.3.215 (10.10.3.215): 56 data bytes
64 bytes from 10.10.3.215: seq=0 ttl=64 time=0.841 ms
64 bytes from 10.10.3.215: seq=1 ttl=64 time=0.618 ms
64 bytes from 10.10.3.215: seq=2 ttl=64 time=0.579 ms
64 bytes from 10.10.3.215: seq=3 ttl=64 time=0.637 ms
64 bytes from 10.10.3.215: seq=4 ttl=64 time=0.610 ms
64 bytes from 10.10.3.215: seq=5 ttl=64 time=0.604 ms
^C
--- 10.10.3.215 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 0.579/0.648/0.841 ms

root@HOME-215:~# ssh 10.10.3.215 -p XXXX
root@10.10.3.215's password:


BusyBox v1.36.1 (2025-03-30 14:57:01 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0, r28427-6df0e3d02a
 -----------------------------------------------------
root@WORK-10:~# exit

Here's how the routing tables look (something doesn't seem right with the entries for the local lan applying to the trunk interface, but I'm not sure if that's the only error going on.):

WORK-10:
root@WORK-10:~# route -n -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         XXX.YYY.ZZZ.AAA 0.0.0.0         UG        0 0          0 wan
10.10.0.0       0.0.0.0         255.255.0.0     U         0 0          0 br-lan
10.10.0.0       0.0.0.0         255.255.0.0     U         0 0          0 br-trunk
10.215.0.0      10.10.3.215     255.255.0.0     UG        0 0          0 br-trunk
XXX.YYY.ZZZ.0   0.0.0.0         255.255.254.0   U         0 0          0 wan
192.168.9.0     0.0.0.0         255.255.255.0   U         0 0          0 tun1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0

HOME-215:
root@HOME-215:~# route -n -e
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         AAA.BBB.CCC.DDD 0.0.0.0         UG        0 0          0 wan
10.10.0.0       10.215.3.10     255.255.0.0     UG        0 0          0 br-trunk
10.215.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-lan
10.215.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-trunk
AAA.BBB.CCC.0   0.0.0.0         255.255.254.0   U         0 0          0 wan

SUMMARY

That's the current state of these two routers.

So, I ask, what am I doing wrong and/or are there articles, posts, or other resources that cover this exact scenario that I've somehow not been able to find?

You'll note that I didn't implement VLAN tagging, as it sounds as if I isolate the LAN4 port, that the tagging is unnecessary. Is that not correct? If that's incorrect, and I should put in place VLAN tagging, how would I do so for this type of isolated port trunk/bridge?

For me, it's been hard to tell what is and is not relevant/applicable from the available resources online, as there has been so much change to OpenWRT over the years. Things that were required or best practices a few years ago now are unnecessary or not ideal.

I have also looked at PBR, and am not sure if the answer lies in there?

If anyone could offer their expertise, or point me in the right direction, it would be most appreciated. For now, I'm getting by, using an OpenVPN tunnel to access the other LAN. That is not ideal for the times I'm at home, but is working for the interim. However, I'd much rather keep traffic between internal hosts from leaving the LANs, both because it will be much faster and also more secure.

Once I do get this working properly, I'm thinking about creating an article in the OpenWRT wiki to document this scenario, so that it could help others in the future.

Thanks for any help and/or relevant links that you're able to provide.

2

Frankly I didn't read all of that. Hitting a few high points, I call this the "connect two apartments" use case. Two neighbors want to maintain separate ISP services, but have a fast private link between each other for gaming, file sharing, etc.

The first mistake I see here is that both ends of the link must hold IPs in the same subnet. This can be one of the LANs, or a separate small subnet that doesn't overlap anything else in either site. There are advantages and disadvantages to both approaches.

Using one of the lans means that one of the routers does not need any special configuration other than installing a static route to the other LAN. Most routers with stock firmware and ISP-provided gateway boxes can do that, so only one router needs OpenWrt. If linking with wifi instead of Ethernet, it is not necessary to set up an additional SSID, the SSID that is one apartment's LAN can be received at the other one. On the other hand, it is not possible to firewall anything about the link on that router since the other apartment is directly on its LAN.

Using a separate subnet is the more general case. It is easily extended to being a VPN if the two sites are too far apart to connect directly. And it is possible to have sophisticated firewall rules on both ends. It is a little more complicated to set up, so for the rest of this I'm going to describe using one of the LANs on the link cable. The router that puts its LAN on the cable will be site A (its LAN is 192.168.1.0/24) and the other router will be site B (192.168.2.0/24).

So most of the setup is in router B. First you need to break out one of the Ethernet ports and give it an IP on Site A's LAN.
router B

config interface 'link_a'
    option device 'lan4'
    option proto 'static'
    option ipaddr '192.168.1.2/24'

It is currently possible to break out one of the DSA ports (remove lan4 from br-lan) and apply an IP address directly to it, but it is more flexible to use bridge-vlans:
router B

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u'
    list ports 'lan2:u'
    list ports 'lan3:u'

config bridge-vlan
    option device 'br-lan'
    option vlan '3'
    list ports 'lan4:u'

# (Change interface lan device from br-lan to br-lan.1, or the lan will stop working)

config interface 'link_a'
    option device 'br-lan.3'
    option proto 'static'
    option ipaddr '192.168.1.2/24'

Note that with the /24 address specification matching LAN A, router B now knows how to reach lan A via the link_a interface; that route is automatically installed in its routing table. But router A does not yet know how to return packets to B. This is the reason for the static route on A. If A is running OpenWrt it would be installed as below, if some other firmware you'd need to find how to do the same concept in that firmware.
router A

config route 
    option interface 'lan'
    option target '192.168.2.0/24'
    option gateway '192.168.1.2'

Finally, on B the link_a interface needs to be in a firewall zone. For initial testing you can use the lan zone. If you use a separate zone you can set up conditions on accepting SSH etc from A and forwarding to and from the lan zone. None of that is necessary to see it work initially.

This is the simplest implementation of Connect Two Apartments, which will demonstrate that it works, with unrestricted traffic between the apartments

1 Like
3

Thank you very much for your thorough response. It's very much appreciated. I'm going to try to put it in place today. I'll let you know how it goes.