Router cascade and network access

I have a Fritz!Box 4040 with OpenWRT behind the ISP's router. The ISP router's network can be used by guests and the like (DMZ). In the network behind OpenWRT there is a layer-3 switch, an AP and various clients. The two networks are therefore physically separated.

In future, however, I would like to enable access to both networks in the network behind OpenWRT without duplicating cabling. I am thinking of VLANs. In contrast to OPNsense, I am not yet very familiar with OpenWRT. Can this scenario be achieved with OpenWRT and VLANs? Or is there another way?

Explanation:

Yes, the OpenWrt router can be configured like that; however, you must also know:

  • The "green" network will be in a double-NAT configuration.
  • Both the switch and the AP must be VLAN-aware.

Many people confuse L3 switches and smart/managed switches. You don't need a layer 3 switch for this functionality (although it's fine, it's usually overkill for the application). A configurable VLAN aware (i.e. a "smart" or "managed") switch is all that is necessary... many of these are just L2, some are L2+, and others are full L3.

If your ISP router has the ability to define static routes, you can actually avoid the double-NAT situation. However, as @eduperez points out, it will most likely be double-NAT since many ISP supplied routers are limited and/or provide 'simplified' user configuration pages.

What is the brand+model of the AP? What firmware is on there?


I confuse L3 switches and smart/managed switches too. Thanks for the hint.

The ISP router is a Fritz!Box 5590 with full administration access. The switch will be a Zyxel GS1200, unless someone has a more suitable device for my situation.

Would you like to recommend a how-to or tutorial with instructions to configure OpenWRT for my needs?

Since you want to have the ISP router's network available downstream, I'd recommend that you start with a dumb AP configuration. Then, once there, we can add the new subnet -- basically mirroring the guest wifi on a dumb AP process. With the guest wifi running, we'll then make a few small modifications to set up Ethernet access for that guest wifi and the VLAN trunk to the switch.

A key question is if your 5590 has support for static routes. If it does, we can avoid double NAT (if not, though, no big deal).

We also need to know what your goals are in terms of the communication/isolation between the two networks so we can help you set up the firewall accordingly.


Yes, it does. At this point, I would like to mention that we are assigned a dynamic IP address by the ISP. Not sure if this is a problem.

My goal is to deny devices that I distrust access to the private network and its devices. They should only be allowed to communicate with the internet. Devices from the private network are allowed to reach all other devices. A complete separation, i.e. in both directions, would also be okay.

No further comment? Doesn't that work if you have a dynamic IP in public? :thinking:

Sorry - this fell through the cracks.

Static routes are great. We will add that setting when we have the secondary network configuration completed.

This has no impact and does not present any issues.

Great. This is easy to do. You simply have to decide which network is the trusted one vs the untrusted one.

Easy to do however you decide. And we can make this global or have very granular control - whatever you want.

Have you set up the device as a dumb AP and then added the guest network as the linked tutorials describe?

I have tried that. Unfortunately, I hadn't considered that I had installed stubby and adblock on OpenWRT to use my own resolver. Anyway, at some point my router was no longer accessible via LAN, I had to go into failsafe mode and reset everything.

Apart from that, I have 2 questions/comments about the second tutorial "Guest Wi-Fi on a dumb wireless AP":

  • In "Firewall Part 1" it says: "After you have enabled masquerading for lan, your screen should look like the screenshot above." But this statement contradicts the screenshot. Which one is correct?
  • In "Firewall Part 2 - Firewall traffic rules" a screenshot of the rules is missing.

Hello again!

I have started all over again. I have flashed the current OpenWRT. Then I ran the two tutorials. I noticed that I made two mistakes during my first attempt a week ago. Now the Dumb AP works as it should. However, two questions have arisen again:

  • How do I have to configure the recommended static routes?
  • The WAN port on the Fritzbox 4040 is now free. Can it be used as LAN port number 5? That would be important to me for the physical cabling.

Thanks in advance!

Let's see your network config file, then I can explain the static route that you'll enter into the ISP router.

Probably, we'll see based on your network config file.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

In the meantime, I have reconfigured the wan port myself:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

The wan port works as expected.

Here is the output of the commands and files you requested:

 ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 4040",
        "board_name": "avm,fritzbox-4040",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
# /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd8:136e:5186::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.178.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.178.1'
        option gateway '192.168.178.1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'
        option ipv6 '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.179.1'
        option netmask '255.255.255.0'
# /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest_WiFi'
        option encryption 'psk2'
        option network 'guest'

# /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Guest_DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Block_Guest_from_Lan'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'REJECT'

In your main router, you'll create a static route that looks like this:

192.168.179.0/24 via 192.168.178.2

Then, you can disable the masquerading in the lan zone and it should work.

This also works now. Thank you very much!

I would like to further subdivide the "guest" network logically. Ideally with VLANs. Is that possible?

Great!

I assume you mean you want to create additional networks, rather than 'subdividing' one network. Can you be more specific about what you want to happen?

In my original question at the very beginning of this thread, I provided a picture of the desired network and a graphic.

It looks like we have both of the desired networks created now, right?
Next:

  • Make a trunk on the OpenWrt router to connect to the switch
  • Configure the switch
  • Configure the AP (Is the AP (on the right) running OpenWrt?)

What physical port will you use to connect the OpenWrt router to the switch?

Any of Port LAN1 to LAN4. Maybe LAN1?

Ok... so now we will make the VLANs:

  • VLAN 1 is the upstream/lan
  • VLAN 2 is the new guest network

First we need to make bridge VLANs. Here, I will configure it as:

  • WAN: VLAN 1 untagged
  • LAN 1: Trunk, VLAN 1 untagged, VLAN 2 tagged
  • LAN 2: VLAN 1 untagged
  • LAN 3: VLAN 2 untagged
  • LAN 4: VLAN 2 untagged

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

Now, we'll edit the lan to use br-lan.1 instead of br-lan:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.178.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.178.1'
        option gateway '192.168.178.1'

We'll delete br-guest:

And edit the guest network to use br-lan.2:

config interface 'guest'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.179.1'
        option netmask '255.255.255.0'

Then reboot and test the ports. They should work as expected, and then LAN 1 is the trunk... from there, you need to configure your switch.
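As an added example (not code from this thread or from OpenWrt), the following Python reads UCI config text like the firewall rule and bridge-vlan sections posted above and checks the two things the setup relies on: that the guest zone carries an explicit REJECT rule toward the lan subnet (the guest zone forwards into lan, where the upstream lives, so that rule is the isolation), and that no port is given a PVID in two VLANs. The embedded SAMPLE is a constructed excerpt of the posted config.

```python
import shlex

# Constructed excerpt of the bridge-vlan and firewall sections posted in this thread.
SAMPLE = """config bridge-vlan
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'wan:u*'
config bridge-vlan
        option vlan '2'
        list ports 'lan1:t'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
config rule
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.178.0/24'
        option target 'REJECT'
"""

def parse_uci(text):
    """Minimal UCI parser: [(section_type, {option: value or [list values]})]."""
    sections = []
    for toks in map(shlex.split, text.splitlines()):
        if toks and toks[0] == "config":
            sections.append((toks[1], {}))
        elif toks and toks[0] == "option":
            sections[-1][1][toks[1]] = toks[2]
        elif toks and toks[0] == "list":
            sections[-1][1].setdefault(toks[1], []).append(toks[2])
    return sections

def port_map(sections):
    """{port: {vlan: suffix}} from bridge-vlan entries: t tagged, u untagged, * PVID."""
    ports = {}
    for typ, opts in sections:
        for entry in (opts.get("ports", []) if typ == "bridge-vlan" else []):
            port, _, flags = entry.partition(":")
            ports.setdefault(port, {})[opts["vlan"]] = flags
    return ports

def pvid_conflicts(ports):
    """Ports given a PVID ('*') in more than one VLAN; a port has exactly one, so expect []."""
    return sorted(p for p, v in ports.items() if sum("*" in f for f in v.values()) > 1)

def guest_blocked_from_lan(sections, lan_subnet="192.168.178.0/24"):
    """Guest forwards into lan (where the upstream lives), so isolation rests on this REJECT rule."""
    return any(t == "rule" and o.get("src") == "guest" and o.get("dest") == "lan"
               and lan_subnet in o.get("dest_ip", []) and o.get("target") == "REJECT"
               for t, o in sections)
```

Run it against the real files with `parse_uci(open("/etc/config/firewall").read())` on the router; lan1 should show up as the only port with a tagged VLAN, which is the trunk toward the switch.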


That now works the way I wanted it to. Thank you so much.