Routing from VLAN to Internet, WAN via LAN Port

Hi everybody,

I want to configure the following:
Internet -> Fritzbox (ISP Router) -> Openwrt -> LAN and multiple VLAN
The Openwrt is not connected via the WAN port to the ISP router.
It is connected via a LAN port on which an untagged VLAN is configured. The interface gets its IP via DHCP from the ISP router. That's working fine.
The Openwrt router has Internet access and can download packets. It's also possible to ping and wget with ssh on the wrt.

What is not working is the Internet access from LAN and the other VLANs.
It works if I turn on masquerading, but I don't want to use that.

Connected to LAN, the clients get an IP address (10.10.10.x) and gateway ( from the Openwrt DHCP.

What do I have to do so that I can access the internet from the Openwrt LAN?
It should route LAN -> openwrt -> LAN (ISP Router) -> ISP Router -> Internet.

Thanks for any ideas

Best regards

By different VLANs I assume that you mean you want to set up guest or IoT networks that are strictly firewalled. You have to route such networks, not bridge them, for the firewall to work.

If you don't masquerade, you have to install return routes in the main router. It would be a good idea to also make a DHCP reservation in the main router so the OpenWrt router has a known constant IP address to use as the gateway in the return routes.


Yes, some IoT stuff which is not allowed to access anything outside its subnet. The main LAN should be able to access everything inside the blocked subnets.
But that's the second step.

Firstly I want to have access to the internet without masquerading. The openwrt has Internet access. But it does not work in its LAN.

Simply said:
the WAN is connected to a LAN port.
The real LAN is connected to another LAN port.
Openwrt has Internet access. But the devices in the LAN can only access the internet when the WAN(LAN) is configured as masquerade.

Don't know how to configure the wrt to route to the Internet.

Does your upstream router have support for user defined static routes? If so, you can add appropriate routes and you can use openwrt without masquerading. Otherwise you will need to have masquerading enabled.
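
An added example, not written by any poster in this thread: a small Python helper that works out which static return routes the upstream router needs when the OpenWrt router forwards without masquerading, and rejects plans that cannot work (gateway not on the upstream LAN, or a downstream subnet overlapping it). Only 10.10.10.x comes from the thread; the upstream LAN, the reserved OpenWrt address and the two extra VLAN subnets are constructed sample values.

```python
import ipaddress


def return_routes(upstream_lan, openwrt_ip, downstream_nets):
    """Return the static routes the upstream router needs so that replies to
    un-masqueraded clients behind the OpenWrt router find their way back.

    Each route is (network, netmask, gateway), the form router UIs ask for.
    """
    upstream = ipaddress.ip_network(upstream_lan)
    gateway = ipaddress.ip_address(openwrt_ip)
    # The gateway must be a usable host address on the upstream LAN, otherwise
    # the upstream router has no directly connected next hop for the route.
    if gateway not in upstream:
        raise ValueError(f"gateway {gateway} is not on the upstream LAN {upstream}")
    if gateway in (upstream.network_address, upstream.broadcast_address):
        raise ValueError(f"gateway {gateway} is not a host address in {upstream}")

    nets = [ipaddress.ip_network(n) for n in downstream_nets]
    for net in nets:
        # An overlapping subnet would be treated as on-link by the upstream
        # router, so traffic for it would never be sent to the gateway.
        if net.overlaps(upstream):
            raise ValueError(f"{net} overlaps the upstream LAN {upstream}")

    # Merge adjacent subnets into exact supernets to keep the route list short.
    merged = ipaddress.collapse_addresses(nets)
    return [(str(n.network_address), str(n.netmask), str(gateway)) for n in merged]


# Constructed sample values (assumptions, except 10.10.10.0/24 from the thread).
UPSTREAM_LAN = "192.168.178.0/24"  # assumed LAN of the ISP router
OPENWRT_IP = "192.168.178.2"       # assumed DHCP reservation for the OpenWrt router
DOWNSTREAM = ["10.10.10.0/24", "10.10.20.0/24", "10.10.21.0/24"]  # LAN + assumed VLANs

if __name__ == "__main__":
    for network, netmask, gw in return_routes(UPSTREAM_LAN, OPENWRT_IP, DOWNSTREAM):
        print(f"network {network}  netmask {netmask}  gateway {gw}")
```

The gateway only stays valid if the OpenWrt router keeps the same upstream address, which is why the DHCP reservation suggested earlier in the thread matters.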

Yes, can you give me a hint what to define?
I already told the upstream router that it can reach the openwrt internal LAN via the openwrt IP.

Let’s see your openwrt config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Also, what is the effective wan ip of your openwrt router? And can you show us a screengrab of your upstream router’s static route page?