Route problem between 2 subnets on same router

hi

I have the following problem:

mycomp(192.168.1.10) <===>openwrtx86( 192.168.1.1=lan (br-lan device); 192.168.10.1=10dot1(br-lan device) )<===>anothercomp(192.168.10.2)

how to route traffic between .10.x subnet and .1.x subnet?

I've already created the .10.x interface, as you can see, with the name 10dot1.

If I add another IP on mycomp, like 192.168.10.3, I can reach .10.2. Can I reach it without an additional IP on mycomp?

/etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd15:2980:cf5b::/48'
        option packet_steering '2'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '89.--.--.--'
        option delegate '0'
        option gateway '89.--.--.--'
        option netmask '255.255.255.240'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'docker0'


config interface '10dot1'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'

config route
        option interface '10dot1'
        option target '192.168.10.0/24'
        option gateway '192.168.10.2'
        option disabled '1'

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network '10dot1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'


config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'


config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'

Your config is inherently invalid because both of your subnets attach to the same bridge.

This can be resolved with VLANs and/or separate bridges.

Are these networks using wifi, ethernet, or both? Do you have a managed switch connected to eth0?

Yes, I have a managed switch on eth0 - Cisco.

But I don't want to use it.

I hope it can be solved within one router, can't it?

You need to use a managed switch to "break out" the VLANs.

The routing can be handled on the router -- that's where it should be done.

The very first thing you need to do is setup an 802.1q VLAN for the 10dot1 interface. That would look like this:

config interface '10dot1'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'

This will result in the 192.168.1.0/24 network being untagged on eth0, and 192.168.10.0/24 tagged with VLAN ID 10.

You can delete this:

Then, on your managed switch, you need to setup the uplink port (the one that connects to the router) as a trunk with the same tagging configuration (VLAN 1 untagged, VLAN 10 tagged). From there, you'll setup access ports for VLANs 1 and 10 -- these are ports that directly connect to computers or other equipment and they carry just one VLAN, untagged.

To achieve the managed switch configuration, look at the documentation of your switch to learn how this is done.

Once that is properly configured, the router will perform the routing as intended.

Can it be done without an L3 switch?

I really don't want to use it.

This is using the switch in its L2 capacity. Simply a VLAN aware managed switch operating at L2. The router is handling all the L3.

But yes, a managed (L2 VLAN aware) switch is required. You don't need to use the L3 features of the switch.

Yeah, L2.

Hm, I thought it could be done in the Linux network stack.

But why can't I create this just in the Linux network stack?

It is in the Linux network stack (802.1q, as I showed you earlier with the modification to one of your network interfaces).

The issue is the L2 topology... you must use a managed switch to properly separate and direct the flows (at L2).

I just saw this post and wondered if I might be of some help as I run 10 class, 192 and 172 class from the one system with restricted communications between on 4 NICs.

One thing I'm wondering is what is being attempted here on what hardware?
How many NICs are being used in what way?

I don't know what hardware the OP is using, but it appears that there are only 2 ethernet ports total (one is allocated to the wan, the other to the lans).

@AlexeiK - what is the output of ubus call system board?

Looks sad :)

My OpenWrt hardware is an x86 PC with two NICs: one for LAN, one for WAN.

I have an SG 300-28 28-port for LAN clients.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.93",
        "hostname": "OpenWrt",
        "system": "Intel(R) Atom(TM) CPU D525   @ 1.80GHz",
        "model": "Intel Corporation D525MWV",
        "board_name": "intel-corporation-d525mwv",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "x86/64",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}

I'm not making this up. This is the whole purpose of a managed switch is to be able to handle the VLANs. Otherwise, you have no ability to set port-VLAN assignments and keep the traffic for each VLAN separated.

One moment: I don't need to keep these subnets separated. It is OK to walk between them.

Then why are you setting up multiple subnets in the first place?

Ahh, okay, 2 ports only does make it a bit harder.
VLAN would be the only way to go for some semblance of separation.

If the 2 bridges are set up for things on the ETH1, then that can also allow for the connection between the IPs using one simple forwarding ability. I actually did that at first before I got my 4 port adaptor installed.
The forwarding could then also be restricted to only that one machine.

Can the VLANs be assigned to the bridges?

I never used VLANs in OpenWRT at that time.

I have some devices with static IP addresses in a subnet different from .1.x, and I connect them to my LAN through the switch.

And I want to route between them.

So change the addresses, or change the rest of your network to match the secondary one instead.

Or...

if you want to route between two subnets, you need to use VLANs to achieve this with your current hardware topology.

Why are you so resistant to using the switch as a proper VLAN aware manage switch?

I need a reason why it cannot be done. Knowledge :slight_smile: or an explanation. Where can I read about it, or can it be answered?

Read up on how 802.1q VLANs work.

Fundamentally, each subnet needs to be connected to its own physical (or virtual) interface/port. You are only permitted to have a single untagged network on a physical port. Using VLANs allows you to have one or more tagged networks on the port so that the 2 or more total networks don't conflict. The managed switch then allows you to set port-VLAN assignments such that devices are connected to the desired subnet.
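As an added check (not from this thread or from OpenWrt), here is a small Python lint that parses /etc/config/network in the UCI syntax shown above and reports any device carrying more than one static IPv4 subnet, which is exactly the "one untagged network per port" rule just stated and the br-lan problem flagged earlier. A dotted 802.1q sub-device such as eth0.10 is keyed as its own device, so the suggested fix passes; the sample config is constructed from the thread's interfaces.

```python
import ipaddress
import re
from collections import defaultdict

SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Parse UCI text into a list of (section_type, name, {option: value})."""
    sections = []
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = OPTION.match(line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def untagged_conflicts(text):
    """Device -> [(interface, subnet)] for devices carrying more than one static
    IPv4 subnet; an 802.1q sub-device like 'eth0.10' is keyed on its own."""
    by_device = defaultdict(list)
    for stype, name, opts in parse_uci(text):
        if stype != "interface" or opts.get("proto") != "static":
            continue
        if "ipaddr" not in opts or "device" not in opts:
            continue
        mask = opts.get("netmask", "255.255.255.255")
        net = ipaddress.IPv4Interface(f"{opts['ipaddr']}/{mask}").network
        by_device[opts["device"]].append((name, str(net)))
    return {dev: nets for dev, nets in by_device.items() if len(nets) > 1}

# Constructed sample mirroring the thread: both subnets on br-lan (broken)
BROKEN_CFG = """
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface '10dot1'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.10.2'
        option netmask '255.255.255.0'
"""
# Same sample after the suggested fix: 10dot1 moved to VLAN 10 on eth0
FIXED_CFG = BROKEN_CFG.replace("option device 'br-lan'\n        option ipaddr",
                               "option device 'eth0.10'\n        option ipaddr")
```

Run it against a real /etc/config/network dump; an empty result means every static subnet sits on its own device or VLAN sub-device, so the router can route between them once the switch trunk matches.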


If you want me to send you the books I could probably do that.
It's a good 8 months worth of reading.

Or you could just do the VLAN separation setup.

I can give you the knowledge.