Routing/Firewall for a network that can be VPN AND LAN

I have the following setup for two networks here:
Network 1 (Home) has a Linksys WRT1900ACS running OpenWrt 19.07 and is connecting to the internet using a) a DOCSIS modem and b) a VDSL modem (mwan3 dual WAN setup).
For the theory, assume network 1 has subnet 192.168.55.0/24 and DNS domain "lan".

Network 2 (Holiday/Caravan) has a Linksys WRT1900AC running OpenWrt 19.07 and is connecting to the internet through a) its WAN port (If the camp site is equipped with network sockets) b) using WiFi (If the camp site offers a suitable WiFi) c) using an LTE stick or d) (last resort) by connecting to my LTE hotspot (mwan3 setup with four WAN connections).
For the theory, assume network 2 has subnet 192.168.60.0/24 and DNS domain "holiday".

Network 1 and 2 are connected through a VPN when they are in their designated main use (Network 1 is server).
So far, nothing special. Besides some quirks thanks to the myriad of WLAN networks to handle everything works fine.

The special part is this:
Part time, the two networks are directly connected (Router 2 then uses the WiFi of Router 1 as its WiFi WAN), when the caravan is parked in front of the house.
In exactly this situation, most traffic between network 1 and 2 is produced, because I want to fill the hard-disk receiver, a NAS or whatever inside the caravan/network 2 with TV series, movies, ... for the holiday, copy the holiday snaps/videos to my home network, and so on and so on ...

What would be the best approach to have routing/networking between 192.168.55.0 and 192.168.60.0 work without the firewall disturbing?

I see these options:

  1. Dig a hole into the firewall of router 2 to allow traffic from 192.168.55.0 to pass ... doesn't really sound like a perfect idea. I would have to remember to disable this rule in case any camp site also uses 192.168.55.0 or anybody and his grandma would gain full access to my network and router ...

  2. Add yet another interface - this time in firewall zone "LAN" or "trustworthy WiFi", something like that - to router 2 and attach the home WiFi to this interface rather than "wireless WAN".

  3. Add another WiFi to router 1 using a different subnet, so that router 2 doesn't get confused by seeing 192.168.55.0 being directly connected, so that the VPN works even at home ... putting useless load on the CPU for the VPN and reducing speed.

  4. Reconfigure router 2 into an access point for network 1 when the routers are directly connected.

None of those ideas sounds brilliant to me, so I would like to read your suggestions on how you would achieve this goal ...

You can tie rules to interfaces, and wifi will do authentication for you.

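The reply's suggestion corresponds to option 2 in the question: bind the home WiFi to its own interface on router 2 and put that interface, not the 192.168.55.0/24 address range, into a trusted firewall zone. Below is an added example of what that looks like in OpenWrt 19.07 UCI config on router 2; it is not config from the thread or from the OpenWrt project. The SSID, the PSK and the name `homewifi`, `trusted` and `home_sta` are placeholders chosen here; the option names are standard UCI keys for `/etc/config/wireless`, `/etc/config/network`, `/etc/config/firewall` and `/etc/config/mwan3`.

```uci
# /etc/config/wireless  (router 2)
# A dedicated STA section for the home WiFi. Only a client that holds the
# home PSK can ever come up on network 'homewifi', so WPA2 is the
# authentication that decides who lands in the trusted zone.
config wifi-iface 'home_sta'
	option device 'radio0'
	option mode 'sta'
	option network 'homewifi'
	option ssid 'HOME_SSID_PLACEHOLDER'
	option encryption 'psk2'
	option key 'HOME_PSK_PLACEHOLDER'
	option disabled '0'      # set to '1' while the generic camp-site STA is in use

# /etc/config/network  (router 2)
# The home WiFi uplink gets its own logical interface instead of sharing 'wwan'.
config interface 'homewifi'
	option proto 'dhcp'
	option peerdns '0'       # keep router 2 as resolver so ".holiday" names still work

# /etc/config/firewall  (router 2)
# The zone is tied to the interface, not to a subnet, so a camp site that also
# happens to use 192.168.55.0/24 is still treated as untrusted 'wan'.
config zone
	option name 'trusted'
	list network 'homewifi'
	option input 'ACCEPT'    # home hosts may reach router 2 itself (SSH/LuCI/DNS)
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'          # no NAT: home hosts see real 192.168.60.x addresses

# Both directions between the caravan LAN and the home network.
config forwarding
	option src 'lan'
	option dest 'trusted'

config forwarding
	option src 'trusted'
	option dest 'lan'

# /etc/config/mwan3  (router 2)
# Let mwan3 treat the home uplink as one more WAN member, but keep traffic
# destined for the home subnet on the ordinary routing table (reserved policy
# name 'default') so it is never policy-routed out through the LTE stick.
config interface 'homewifi'
	option enabled '1'
	list track_ip '192.168.55.1'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '3'

config member 'homewifi_m1_w1'
	option interface 'homewifi'
	option metric '1'
	option weight '1'

config rule 'home_direct'
	option dest_ip '192.168.55.0/24'
	option use_policy 'default'
```

Two things to keep in mind with this layout. First, because `masq` is off on the trusted zone, router 1 needs a static route for 192.168.60.0/24 pointing at the address router 2 obtains on the home WiFi (a static DHCP lease on router 1 keeps that address stable); with `masq '1'` instead, the copy jobs would still work from the caravan side, but nothing at home could initiate a connection to a caravan host. Second, the `home_direct` rule only takes the home subnet out of mwan3's policy routing; the `homewifi` member still has to be added to whatever mwan3 policy the other three uplinks use before it is actually chosen as a default route.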