OpenWrt router doesn't see my LAN

Hello to all,
I have this network situation that I don't know how to fix.
The OpenWrt router is connected via its Internet port to the LAN port of the modem / router of the Internet provider.

The OpenWrt router has an IP address of 192.168.2.1/24
The modem / router has an IP address of 192.168.1.1/24 - no firewall active

If I connect my laptop to the wifi network 192.168.1.0/24 I don't see the OpenWrt router (I can't connect to the console 192.168.2.1)
If I connect my laptop to the wifi network 192.168.2.0/24 I don't see/navigate the network 192.168.1.0/24

Could the problem be the Netmask 255.255.255.0?

Is there any firewall enabling/accept on the OpenWrt router that needs to be done?

Thanks!

The OpenWrt device should be on the same subnet as the modem, unless you want to use its firewall; then it should be connected using the WAN port to the modem's LAN port.

If you want to keep the current IP configuration, connect WAN-LAN.

If you only want the wifi and the switch on the same LAN, use https://openwrt.org/docs/guide-user/network/wifi/dumbap


What @frollic said, you probably want a dumb AP configuration if you are connecting directly to the main router network and the OpenWrt router and want all devices on either connection to have full access to each other.

If you do want two separate networks you need to leave the firewall enabled to facilitate routing between them. The default configuration will NAT (masquerade) access to the wan network (192.168.1.0 and the Internet) to appear to come from the 192.168.1.X IP address that the wan side of OpenWrt holds. This is good for many cases since the main 192.168.1.1 router does not need to know that there is a 192.168.2.0 network. If you want to log into OpenWrt from a .1.X machine you will need to use OpenWrt's .1 address and also have the firewall open for that port.

The alternative is to turn off NAT and have full symmetric routing. This requires installing a route to 192.168.2.0/24 via 192.168.1.X (X being OpenWrt's wan) in the main 192.168.1.1 router. Also change the OpenWrt firewall to forward from wan to lan in addition to the existing lan to wan.
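The symmetric-routing variant described in the post above, as an added `/etc/config/firewall` sketch that is not part of the original post. It assumes the stock `lan` and `wan` zone names; the wan address 192.168.1.2 is the one the original poster mentions later in the thread.

```uci
# /etc/config/firewall on the OpenWrt router: routing without NAT.
# Prerequisite outside OpenWrt: the main router (192.168.1.1) needs a static
# route "192.168.2.0/24 via 192.168.1.2", set in its own admin interface.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# The stock value is '1' (masquerade). With '0' packets leave with
	# their real 192.168.2.x source address, so replies depend on the
	# static route above.
	option masq '0'
	option mtu_fix '1'

# Stock forwarding: lan hosts may open connections towards wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# Added for symmetric routing: wan-side hosts may open connections
# towards lan. Restricted to IPv4 so it covers only the 192.168.1.0/24
# side and does not also expose lan hosts over IPv6.
config forwarding
	option src 'wan'
	option dest 'lan'
	option family 'ipv4'
```

Apply with `/etc/init.d/firewall restart`. The wan zone's `input 'REJECT'` still protects the router itself; only forwarded traffic to lan hosts is opened.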

This is my solution a target... so I need to change the IP of my OpenWrt from 192.168.2.0/24 to 192.168.1.x/24? Did I get it right?

No, the wan and lan must have separate IP subnets such as .1.0/24 and .2.0/24 like you were doing. Other than changing the LAN to 192.168.2.1/24 so it won't conflict with the wan at 192.168.1.0/24, it is a default configuration.

You probably want to make the wan a static IP or make a DHCP reservation in the main router so the OpenWrt router gets a consistent known 192.168.1.X IP. If you want to log into the OpenWrt router from the main router (.1) network, you will need to use that IP and also open http, https, and/or ssh ports on the OpenWrt WAN.

With this network it is possible to contact 192.168.1.0 hosts from the 192.168.2.0 network, but not the other way, since OpenWrt is NATing all 192.168.2.0 devices to its single 192.168.1.X IP. If there are only a few situations where you want to contact 192.168.2.0 from 192.168.1.0, such as a single printer, you can forward ports to it (the 192.168.1.0 machines would use the OpenWrt router's IP as if it were the printer). Otherwise don't do NAT, either bridge all devices (dumb AP) or set up symmetric routing like I said in the last paragraph.

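The NAT-kept setup from the post above (fixed wan IP, management reachable from the main router's network, one forwarded port), as an added configuration sketch that is not part of the original post. The wan device name, the printer address 192.168.2.50 and port 9100 are constructed assumptions.

```uci
# /etc/config/network: give the wan side a fixed address on the main
# router's LAN. The device name is an assumption and varies by hardware
# (older releases use 'option ifname' instead of 'option device').
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# /etc/config/firewall: allow SSH and HTTPS to the router itself, but only
# from the main router's LAN. Without src_ip the rule would accept these
# ports from anything that reaches the wan interface.
config rule
	option name 'Allow-Mgmt-From-Main-LAN'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option proto 'tcp'
	option dest_port '22 443'
	option family 'ipv4'
	option target 'ACCEPT'

# /etc/config/firewall: forward one port to a single lan device.
# Hosts on 192.168.1.0/24 connect to 192.168.1.2:9100 as if it were
# the printer; everything else on 192.168.2.0/24 stays unreachable.
config redirect
	option name 'Printer-From-Main-LAN'
	option target 'DNAT'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option proto 'tcp'
	option src_dport '9100'
	option dest 'lan'
	option dest_ip '192.168.2.50'
	option dest_port '9100'
	option family 'ipv4'
```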

I try to explain what I want to do ... now my OpenWrt router is a vpn client. I want it to become a VPN server as well so that I can connect from the outside. From the outside I have to reach my modem/router and with a port forwarding send the call of the VPN client to the VPN server that is active on the OpenWrt router. Once connected, my entire network which is 192.168.1.x / 24 must be able to reach it. Is it possible to do this by keeping the wan and lan on two separate networks as they are now?

...sorry but I don't understand much about networks...

To run a VPN server like this the main router needs several things:

  • It must have a public IP on its WAN side.
  • The service provider's network must allow incoming traffic through.
  • You need access to the main router administration, and it needs to allow you to install static routes and forward ports.

Then you can start by setting up an OpenWrt machine as a LAN device (dumb AP). So far the only network it has is the main router's LAN, which is also its LAN. You will be adding another network of a VPN tunnel and forwarding traffic to / from VPN clients that are out on the Internet.

Today I already have a VPN where the server is a Raspberry. I would like to replace the Raspberry VPN server with OpenWrt. The architecture is already there and working, I just have to configure OpenWrt as a VPN server and make sure to see my network 192.168.1.x / 24

There are several ways you can approach this. Since you already have a working VPN configuration on the Pi, I think most of the requirements have been met. The only remaining question is this one:

Does your router expose this functionality? This impacts some of the implementation details.

Also...

What is "it" in this case? I am assuming the remote client(s)? Do you need to be able to initiate a connection from your LAN > remote VPN client, or is it simply an issue of the LAN being reachable (and able to respond) to the connections initiated from the remote VPN client?

Yes, I can access my router administration and the port forwards work properly. The static routes, I think yes… my VPN works correctly for me.

Yes, the remote client(s)

I quickly looked at the configuration of the VPN server in LuCI and it seems to me that it is enough to create the necessary files and start the service.
But before I get to setting up the VPN server I need someone to explain to me how I can do it:

  • OpenWrt network router 192.168.2.0/24
  • port OpenWrt WAN internet port 192.168.1.2 masquerade connected to the modem / router on the network 192.168.1.0/24

I need that when I am connected to OpenWrt with, for example, my laptop, which will have IP 192.168.2.100/24, it can see the whole network 192.168.1.0/24

.... I don't know if I was able to explain myself

I am attaching a drawing of the network

The way you appear to have your network setup actually negates the need for static routes. However, what you seem to be trying to achieve does require that you can setup static routes on the main router. Please look at the configuration interface of the main router to see if static routes can be set.

It is not clear to me what it means to be able to do static route.... could you give me an example?

looking on the web for my modem I found this info:
TIM routers do not manage VLANs in the LAN network, they can only do untagged traffic in VLANs.
The router does not allow the addition of static gateways for complex LANs, it is recommended that you install a firewall or a router that supports VLANs between the LAN and the TIM router and do all the VLAN switching and routing configurations on the external router

Assuming the above comes from the manual or other official information, this indicates that static routes are not possible on your main router. The result here is that your VPN can work in one direction, but not both. By this, I mean to say that the remote VPN clients can connect to your main network (and the devices on the main network can respond, forming a functional connection), but the devices on the main network cannot initiate connections to those VPN clients. I believe that this is the current state of operation based on the description you have provided, and this is the only way that you will be able to use your VPN unless you make some other changes to your network (i.e. replacing the existing main router or putting all devices behind the OpenVPN router).

So looking at my drawing all the devices that connect to the "wifi router" (OpenWrt) [which I call A] on the 192.168.2.x/24 network (wifi, lan, VPN) cannot see the network behind the "modem / Tim router" [which I call B] network 192.168.1.x/24.
If I have not misunderstood I would have two solutions:

  1. change B
  2. put A behind B.

Did I get it right?
In solution 2 which IP should I assign to A?
Would 192.168.1.x / 24 be okay? And does A's 'internet' port have a separate network?
Can I connect A's 'internet' port to the switch?

Sorry for the many questions but I would like to understand how I have to change.

Based on your drawing, I would expect the following:

  • Connections cannot be initiated from hosts on 192.168.1.0/24 to 192.168.2.0/24.
  • all devices on the 192.168.2.0/24 network (on router A) should be able to communicate with devices on 192.168.1.0/24 (router B's network), unless router A has a firewall rule that blocks it.

If you want to make it possible for hosts on both networks to initiate connections to any other host on either network, your main router (router B) needs to have the ability to set static routes (which it does not). This means that you have two options:

  1. replace router B with a model that supports static routes (and make corresponding changes to the OpenWrt configuration, too).
  2. connect the switch to router A and use only the wifi on router A, thus making all devices part of the same network.
    -- Ideally, you'd be able to put the modem/router into bridge mode so that it passes the ISP-provided IP address directly to your OpenWrt router's WAN port. This avoids double-NAT, which can cause problems in certain circumstances.