Long time lurker here and basic OpenWRT user.
So far every issue I faced could be solved by reading either existing forum posts or the openwrt documentation. This time I'm looking for some inputs or guidance.
This documentation mentions possible/sensible configurations when dealing with two routers:
My current topology looks like this, which unfortunately leaves me limited in making physical changes.
I'm getting my Internet connection via the modem/router combo received from my ISP, which has the subnet 192.168.1.1/24. A few wired & wireless devices are connected to it.
One LAN port of the ISP router is connected to the WAN port of my WNDR3700 running OpenWRT v21.02.1.
The br-lan interface has a static IP: 10.0.0.1/24. From there, one port is connected to a Powerline, which on the other end goes to an unmanaged switch.
Additionally I've created an interface which has the "device" wlan0 attached to it with the subnet 10.20.30.40/24. This wireless connection is used for IoT devices, and firewall rules have been made to isolate access to the other two subnets (192.168.1.1/24 & 10.0.0.1/24).
Now, my current configuration is a double NAT configuration which I'd like to change.
The documentation above states how to proceed and what changes need to be made in order to configure DMZ.
As far as I understand, this means that the ISP router's functions will be disabled and from now on the OpenWRT router will handle the whole network? As the name suggests, the ISP router would now only be a bridge.
If yes, is there a way to keep my current configuration (subnets, two wireless access points, etc.) and not have double NAT on the OpenWRT router?
Sorry in advance if I misunderstood the documentation.
If you can switch the modem-router to just modem and terminate the PPPoE or DHCP connection on the OpenWrt, then you can have all the networks managed from the OpenWrt. However this means that the clients connected on the ISP modem must be migrated to OpenWrt.
The scenario trendy describes would be the ideal topology, reducing the ISP device to a mere modem and letting the OpenWrt router terminate your public IP (the PPPoE session).
If you do need to keep your ISP device in charge of the WAN connection, you'd at least need to be able to configure a static route back to your OpenWrt router, in order to disable the double NAT. Opening/forwarding ports would have to be configured twice (ISP router and OpenWrt; to what extent the DMZ feature eases this or gets in the way remains to be seen), and both devices would remain security sensitive.
Thank you for taking the time to reply!
I should have mentioned in my topology picture that no PPPoE is in place. A DSL cable is hooked up to my router and I get a public IP (no username or password needed).
That is unfortunately the case.
So in order to disable double NAT, the best-case scenario is that I just need to set a static route on OpenWRT (not the ISP router).
I know that the network setup is less than ideal, but if I understood you both correctly, I can keep the current topology in place (with devices connected either to the ISP router or to OpenWRT), set up a static route and ditch the DMZ idea?
In summary, all I want is to keep the subnets, isolate the subnet 10.20.30.40/24 from the rest of the network (already done with zones and traffic rules in LuCI), and be able to correctly port forward to my IoT devices.
I already did the "double" port forwarding. Here's an example:
IoT Device IP: 10.20.30.133
OpenWRT WAN Port IP: 192.168.1.200
The static route needs to be added in the ISP router. You have more than one network, so you'll need more than one static route. For example, a route towards 10.20.30.0/24 via 192.168.1.200, where 1.200 is the WAN IP OpenWrt has.
Verify that your ISP modem can do that.
It is not necessary to ditch the DMZ idea if you want it.
Doesn't look right on the OpenWrt side; it should be vice versa. Source zone is wan and destination is IoT.
Thank you again for the thorough explanation.
The ISP router is capable of doing static routes. So I went ahead and set the routes as you suggested:
I also updated the port forward configuration on the OpenWRT router (need to check for open ports later with nmap).
Are there any benefits from using DMZ instead of static routes if I just care about "disabling" double NAT and being able to properly forward ports?
In the future I'd like to configure a VPN and be able to access the subnet 10.0.0.0/24 - then DMZ would make sense, right?
DMZ is a simplified setup of port forwarding where all incoming ports are forwarded to one LAN device. That is all that it does. You could do exactly the same thing forwarding ports one at a time. Setting DMZ doesn't change the regular routing.
If you have set up static routes on the ISP router, then you no longer need the masquerade or port forwarding on OpenWrt.
That's correct in home router terms, but I'll take it one step further. It can be a zone full of servers where incoming packets from the internet are expected. In case of a breach, a compromised server doesn't have direct access to the lan or the router, thanks to firewall zone settings. Since the OP wanted to use it for the IoT devices, I presumed that it made more sense like this.
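As an added example (not posted by anyone in this thread), here is what the two arrangements trendy describes could look like in OpenWrt's /etc/config/firewall: the redirect for the double-NAT case with source zone wan and destination zone IoT, and the traffic rule plus masquerading switched off once the ISP router carries the static routes. The zone/interface name iot and TCP port 8080 are assumptions; the device IP 10.20.30.133 and the WAN IP 192.168.1.200 are the ones given above.

```text
# /etc/config/firewall (excerpt) -- added example, not from the thread

# Zone for the IoT wireless network ("iot" as zone and interface name: assumption).
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Option A: double NAT stays in place. The port forward on OpenWrt goes
# FROM the wan zone INTO the iot zone (the direction trendy corrected).
# The ISP router forwards the same port to 192.168.1.200 first.
config redirect
	option name 'IoT-device-8080'
	option src 'wan'
	option src_dport '8080'          # 8080 is a constructed example port
	option dest 'iot'
	option dest_ip '10.20.30.133'
	option dest_port '8080'
	option proto 'tcp'
	option target 'DNAT'

# Option B: the ISP router has static routes for 10.0.0.0/24 and
# 10.20.30.0/24 via 192.168.1.200. OpenWrt then stops NATting (masq '0'
# on the wan zone), the redirect above is removed, and the ISP router's
# port forward points straight at 10.20.30.133. OpenWrt only has to
# ACCEPT the forwarded traffic, because wan -> iot is REJECT by default.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '1'

config rule
	option name 'Allow-WAN-to-IoT-device-8080'
	option src 'wan'
	option dest 'iot'
	option dest_ip '10.20.30.133'
	option dest_port '8080'
	option proto 'tcp'
	option target 'ACCEPT'
```

With masquerading off, replies to 10.0.0.0/24 and 10.20.30.0/24 clients only come back if the ISP router already has both static routes, so add the routes before setting masq to 0.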
After tinkering with my setup, this is the method I used to forward a port to the second router's WiFi which is visible/open through my public IP:
How To Port Forward between 2 routers to Wifi on Router 2 in another Subnet:
Router 1: 192.168.1.0/24
Router 2: 10.0.0.0/24 | Setup: Router 1 LAN -> Router 2 WAN | WAN IP on Router 2: 192.168.1.20
Router 2 WIFI: 10.20.30.0/24
Create Static Route on Router 1 pointing to Subnets on Router 2: