Routing/Firewall for a network that can be VPN AND LAN

I have the following setup for two networks here:
Network 1 (Home) has a Linksys WRT1900ACS running OpenWrt 19.07 and is connecting to the internet using a) a DOCSIS modem and b) a VDSL modem (mwan3 dual WAN setup).
For the theory, assume network 1 has subnet and DNS domain "lan".

Network 2 (Holiday/Caravan) has a Linksys WRT1900AC running OpenWrt 19.07 and is connecting to the internet through a) its WAN port (If the camp site is equipped with network sockets) b) using WiFi (If the camp site offers a suitable WiFi) c) using an LTE stick or d) (last resort) by connecting to my LTE hotspot (mwan3 setup with four WAN connections).
For the theory, assume network 2 has subnet and DNS domain "holiday".

Network 1 and 2 are connected through a VPN when they are in their designated main use (Network 1 is server).
So far, nothing special. Besides some quirks thanks to the myriad of WLAN networks to handle everything works fine.

The special part is this:
Part time, the two networks are directly connected (Router 2 then uses the WiFi of Router 1 as its WiFi WAN), when the caravan is parked in front of the house.
In exactly this situation, the most traffic between network 1 and 2 is produced, because I want to fill the harddisk receiver, a NAS or whatever inside the caravan/network 2 with TV series, movies, ... for the holiday, copy the holiday snaps/videos to my home network, and so on and so on ...

What would be the best approach to have routing/networking between and work without the firewall disturbing?

I see these options:

  1. Dig a hole into the firewall of router 2 to allow traffic from to pass ... doesn't really sound like a perfect idea. I would have to remember to disable this rule in case any camp site also uses or anybody and his grandma would gain full access to my network and router ...

  2. Add yet another interface - this time in firewall zone "LAN" or "trustworthy WiFi", something like that - to router 2 and attach the home WiFi to this interface rather than "wireless WAN".

  3. Add another WiFi to router 1 using a different subnet, so that router 2 doesn't get confused by seeing being directly connected, so that the VPN works even at home ... putting useless load on the CPU for the VPN and reducing speed.

  4. Reconfigure router 2 into an access point for network 1 when the routers are directly connected.

None of those ideas sounds brillant to me so I would like to read your suggestions on how you would achieve this goal ...

You can tie rules to interfaces, and wifi will do authentication for you.

1 Like