Router config for connecting two local networks

my net topology

old

My previous network structure:

new

Everything worked well in principle. I had Internet from both LAN and GAST.
But because the modem does not support bridge mode, I had double NAT. To avoid this I rebuilt the network as follows:
net-now

Now the gateway to the Internet inside LAN is the modem itself. The router is still responsible for DHCP and also distributes the local DNS server to all clients.

the problem

However, there is now a problem with the GAST network: I simply cannot reach the modem (or the Internet) or the DNS server from this network.
Actually, I thought it would be no problem - I had gotten it to work before.
But this time I fail miserably so far.
I tried opening everything in the firewall between LAN and GAST, but I still can't even ping any client in LAN from GAST.
I can reach the router itself from the GAST clients. I can also run an nslookup, because the router forwards the queries correctly.

So somewhere I have a basic error in my reasoning, and I hope someone can help me here.

openwrt configuration

network
# Router-side network config (/etc/config/network) as posted. Per the
# description above the modem (192.168.0.254) is now the Internet gateway on
# the same 192.168.0.0/24 segment as the router's lan interface; the router
# bridges LAN (VLAN 1) and the guest network "gast" (VLAN 3).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc2:098c:e40d::/48'

# LAN: static 192.168.0.2/24. There is no 'gateway' option on this interface,
# and the follow-up post reports that the router had no 0.0.0.0 route with
# this config (it is added later as a separate 'config route').
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.2'
	option broadcast '192.168.0.255'
	# fe80::/10 is link-local: it is only valid on the link it belongs to,
	# so this entry cannot be used by clients on the gast segment.
	list dns 'fe80::dea6:32ff:X::X'
	list dns '192.168.0.9'
	option ip6assign '64'
	option force_link '0'
	option ip6ifaceid '::2'
	option igmp_v3 '1'
	option igmp_snooping '1'
	option stp '1'
	option multicast_querier '0'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'ec:41:18:XX:XX:XX'

# Guest network: static 192.168.3.2/24 on VLAN 3.
config interface 'gast'
	option proto 'static'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'
	option ifname 'eth0.3'
	option type 'bridge'
	option igmp_snooping '1'
	option ip6ifaceid '::3:2'
	# No interface named 'wan6' appears anywhere in this dump, so this class
	# has nothing to match — presumably left over from the old WAN setup; confirm.
	list ip6class 'wan6'
	option force_link '0'
	list dns '192.168.0.9'
	# LAN-side link-local address; not reachable from the 192.168.3.0/24 link.
	list dns 'fe80::dea6:32ff:X::X'
	option ip6assign '64'
	option stp '1'
	# 192.168.0.2 is this router's own lan address (see 'lan' above), not a
	# next hop on the gast link, so this does not yield a usable default route.
	option gateway '192.168.0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (lan): CPU tagged, ports 3 and 2 untagged.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 3 2'

# VLAN 2: no 'config interface' in this dump references eth0.2, so untagged
# traffic on port 1 currently terminates nowhere on the router — presumably
# the former WAN port; confirm.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'

# VLAN 3 (gast): port 2 carries it tagged in addition to VLAN 1 untagged
# (e.g. an AP with a tagged guest SSID — TODO confirm).
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '6t 2t'
firewall
# Firewall config (/etc/config/firewall) as posted. There is no 'wan' zone
# in this dump: the modem is reached through the 'lan' zone, so every
# lan-zone setting below also applies to the modem-facing side.
config defaults
	# Traffic to the router itself from any interface not covered by a zone
	# is accepted; only forwarding is denied by default.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option network 'gast'
	option name 'gast'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	# Masquerading applies to the zone traffic leaves, not the one it enters
	# (see the reply below): for gast->lan it belongs on the lan zone.
	option masq '1'

# Catch-all forward rule gast -> any zone. Together with the two
# 'config forwarding' sections at the end this gives guest clients access to
# every LAN host; the description says it was added while debugging, so it
# is worth removing once the specific rules below cover what gast needs.
config rule
	option dest '*'
	option src 'gast'
	option name 'gast-all-accept'
	option target 'ACCEPT'

# Note the 'src': this permits ICMPv6 forwarding *from* lan, not from gast.
config rule
	option name 'Allow-ICMPv6-Forward'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	option src 'lan'

# Input rule (no 'dest'): DHCP from gast to the router. No 'proto' is given,
# so it falls back to OpenWrt's default for rules (tcp and udp).
config rule
	option dest_port '67-68'
	option src 'gast'
	option name 'allow-gast-dhcp-router'
	option target 'ACCEPT'

# Input rule: DNS from gast to the router itself (the gast DHCP below hands
# out 192.168.3.2 as DNS). The name says "dhcp-dns" but this is the port-53 rule.
config rule
	option dest_port '53'
	option src 'gast'
	option name 'allow-gast-dhcp-dns'
	option target 'ACCEPT'

# Input rule: all ICMPv6 types from gast to the router (no 'icmp_type' limit).
config rule
	option src 'gast'
	option name 'allow-gast-input-icmp-router'
	option target 'ACCEPT'
	list proto 'icmp'
	option family 'ipv6'

# Forward gast -> lan to the Pi-hole, UDP/53 only (TCP/53 is not listed, so
# answers that fall back to TCP are not covered — TODO confirm if needed).
# The fe80:: dest_ip is a link-local address and cannot be routed from gast.
config rule
	option dest_port '53'
	option src 'gast'
	option name 'Allow-PiHole-from-gast'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.0.9'
	list dest_ip 'fe80::dea6:32ff:X::X'

# Forward gast -> lan: all ICMPv6 types, unlimited.
config rule
	option src 'gast'
	option name 'allow-gast-icmp-requests'
	option family 'ipv6'
	option target 'ACCEPT'
	list proto 'icmp'
	option dest 'lan'

# /etc/firewall.user is not shown in the thread; anything in it also shapes
# the resulting ruleset.
config include
	option path '/etc/firewall.user'

# Zone forwarding in both directions: gast is not isolated from lan and lan
# is not isolated from gast. Because the modem sits behind the lan zone,
# gast->lan forwarding is also what carries guest traffic to the Internet.
config forwarding
	option dest 'lan'
	option src 'gast'

config forwarding
	option dest 'gast'
	option src 'lan'
dhcp
# DHCP/DNS config (/etc/config/dhcp) as posted. dnsmasq serves DHCPv4 and
# DNS; odhcpd ('maindhcp' 0) handles DHCPv6 and router advertisements.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# Upstream answers that contain private addresses are dropped. Since the
	# upstream here is the LAN-side Pi-hole (192.168.0.9), any name it resolves
	# to 192.168.x.x outside '/lan/' would need a 'list rebind_domain' entry.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
	# Link-local upstream given without an interface scope (e.g. '%br-lan');
	# presumably unusable by dnsmasq as written — check the system log.
	list server 'fe80::dea6:32ff:X::X'
	list server '192.168.0.9'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '4h'
	option start '150'
	option limit '100'
	option force '1'
	option ndp 'relay'
	option ra_management '1'
	# LAN clients get the modem as gateway and the Pi-hole as DNS directly,
	# bypassing the router for both — matches the description above.
	list dhcp_option_force '3,192.168.0.254'
	list dhcp_option_force '6,192.168.0.9'
	option dhcpv6 'server'
	list dns 'fe80::dea6:32ff:X::X'
	# 'hybrid' RA and 'relay' NDP presumably need an upstream interface marked
	# 'option master '1'' to relay from; none is declared in this dump, which
	# is consistent with no global prefix reaching gast (last post). Confirm.
	option ra 'hybrid'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'gast'
	option start '100'
	option limit '150'
	option interface 'gast'
	option leasetime '1h'
	option ra_management '1'
	option force '1'
	option dhcpv6 'server'
	option ndp 'relay'
	option ra 'hybrid'
	# Only DNS (option 6, the router itself) is set; there is no option 3, so
	# the gateway falls back to dnsmasq's own address 192.168.3.2 (confirmed in
	# the follow-up). Guest DNS therefore goes through dnsmasq, which forwards
	# to the Pi-hole — consistent with nslookup working from gast.
	list dhcp_option '6,192.168.3.2'

I'm really bad at reading those config dumps, but the DHCP configuration for gast doesn't have a default gateway.


For NAT, masquerading is turned on on the destination zone. So for gast->lan, set it on lan, not gast.

but the DHCP configuration for gast doesn't have a default gateway

It should implicitly default to the DHCP server itself.
That is indeed what happens: the client takes 192.168.3.2 as gateway for me (checked with ipconfig /all on Windows).
Anyway - I added a list dhcp_option_force '3,192.168.3.2' - better safe than sorry.

For NAT, masquerading is turned on on the destination zone. So for gast->lan, set it on lan, not gast.

Ah yes - stupid mistake.
Now I can get into the LAN!
However, since I still could not get to the Internet, I noticed that there was no route for 0.0.0.0 in the router. I have therefore added the following in /etc/config/network:

# Default route for the router itself via the modem on the lan segment;
# equivalent to 'option gateway '192.168.0.254'' on the lan interface. This is
# what lets masqueraded gast->lan traffic continue to the Internet. The
# 'option gateway '192.168.0.2'' on the gast interface (the router's own lan
# address) is not a valid next hop and is presumably redundant now.
config route
        option target '0.0.0.0'
        option gateway '192.168.0.254'
        option netmask '0.0.0.0'
        option interface 'lan'

Now I can get to the Internet from gast-network!
Thank you very much first of all for this.
This is a good basis for further fine work.

Just a cheeky follow-up question: do you see at a glance why I do not get IPv6 in GAST? The RS is sent and the router responds with an RA. However, I don't get an RA from the modem itself, which would contain the global prefix.
