Routing issue subnet

Hi,

I hope someone would be able to assist me, networking is not my strong point.

My setup is as follows

ISP - openwrt (Device IP: 10.192.1.1) - d-link DIR-825ACG1 router (Device IP: 10.192.1.2)(switch/wifi IP range: 10.192.0.0/24)
The d-link cannot be flashed with openwrt.

The openwrt has 2 interfaces, wan and lan. The lan interface is connected to the d-link wan interface.

All connectivity is working 100% as long as I have the NAT enabled on the d-link router.
As soon as I remove the NAT on the d-link WAN interface, the internet breaks and openwrt cannot get to the internal devices and the internal devices cannot get to openwrt.

I have added routing on openwrt to be reachable via the d-link.
DNS & DHCP are also handled by a device on the internal network.

config route
	option target '10.192.0.0/24'
	option interface 'lan'
	option gateway '10.192.1.2'

How do I remove the d-link NAT and still have internet connectivity and internal connectivity between subnets?

Regards

If you remove NAT, what creates network 10.192.0.0/24?

What is the purpose of the d-link router in this setup?

This is done by the d-link router for the internal wifi connectivity.

The purpose is for the d-link to provide 2.4GHz and 5GHz wifi connectivity, but I would also like to see on the openwrt which IP is trying to talk to the public and not only see the d-link IP.

If you can do this, and still have the d-link hooked up to the LAN, move the WAN cable to one of the LAN ports, and everything should keep working.

Note: you will suddenly have two DHCPs in the same network, the one in OpenWRT, and the one in the "additional internal device". One of them has to be disabled.

With NAT disabled I can see the client IP on the openwrt with tcpdump or the realtime graphs, the DHCP and DNS are handled by a different additional internal device.

DHCP for openwrt has been disabled and only 1 static IP is created for the d-link router.

uci set firewall.lan.masq_allow_invalid='1'
uci commit firewall
service firewall restart

Going from WAN to LAN didn't work, unless I did something wrong.

You'll probably need to adjust your DHCP settings as well, as the OpenWRT device is currently on a different subnet.

What you should do is:

  1. Pick a subnet for your entire network (e.g. 10.192.1.0/24 or 10.192.0.0/24).
  2. Assign the OpenWRT and D-Link devices static IPs from that subnet.
  3. Set up your DHCP to assign devices with IP addresses from that subnet and use the assigned OpenWRT address as the gateway.
  4. Connect the OpenWRT and D-Link devices by their LAN ports.

If you move the LAN subnet IP of the openwrt device to the LAN IP of the d-link, you'll not have to reconfigure the DHCP.
Just change the LAN IP of the d-link, so they don't overlap.

Thanks, I will try and check this out.

Not sure if this could provide more info.
I quickly did a tcpdump, see below.

openwrt to internal lan device

13:24:28.856775 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911448014 ecr 0,nop,wscale 6], length 0
13:24:28.857094 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810848594 ecr 911448014,nop,wscale 7], length 0
13:24:29.859735 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911449017 ecr 0,nop,wscale 6], length 0
13:24:29.859930 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810849597 ecr 911448014,nop,wscale 7], length 0
13:24:30.885635 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810850623 ecr 911448014,nop,wscale 7], length 0
13:24:31.939756 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911451097 ecr 0,nop,wscale 6], length 0
13:24:31.939989 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810851677 ecr 911448014,nop,wscale 7], length 0
13:24:33.957616 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810853695 ecr 911448014,nop,wscale 7], length 0
13:24:36.020314 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911455177 ecr 0,nop,wscale 6], length 0
13:24:36.020467 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810855757 ecr 911448014,nop,wscale 7], length 0
13:24:40.101614 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810859839 ecr 911448014,nop,wscale 7], length 0
13:24:44.499711 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911463657 ecr 0,nop,wscale 6], length 0
13:24:44.499876 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810864237 ecr 911448014,nop,wscale 7], length 0
13:24:52.645603 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810872383 ecr 911448014,nop,wscale 7], length 0
13:25:01.139648 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911480297 ecr 0,nop,wscale 6], length 0
13:25:01.139781 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810880877 ecr 911448014,nop,wscale 7], length 0
13:25:17.221559 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810896959 ecr 911448014,nop,wscale 7], length 0
13:25:33.779814 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, options [mss 1460,sackOK,TS val 911512937 ecr 0,nop,wscale 6], length 0
13:25:33.780034 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, options [mss 1460,sackOK,TS val 3810913517 ecr 911448014,nop,wscale 7], length 0

internal lan to openwrt

13:29:03.544838 IP 10.192.0.5.42360 > 10.192.1.1.22: Flags [S], seq 466049534, win 64240, options [mss 1460,sackOK,TS val 3811123274 ecr 0,nop,wscale 7], length 0
13:29:03.544838 IP 10.192.0.5.42360 > 10.192.1.1.22: Flags [S], seq 466049534, win 64240, options [mss 1460,sackOK,TS val 3811123274 ecr 0,nop,wscale 7], length 0
13:29:03.545299 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911722694 ecr 3811123274,nop,wscale 6], length 0
13:29:03.545347 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911722694 ecr 3811123274,nop,wscale 6], length 0
13:29:04.587484 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911723737 ecr 3811123274,nop,wscale 6], length 0
13:29:04.587549 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911723737 ecr 3811123274,nop,wscale 6], length 0
13:29:06.667479 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911725817 ecr 3811123274,nop,wscale 6], length 0
13:29:06.667546 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911725817 ecr 3811123274,nop,wscale 6], length 0
13:29:10.747513 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911729897 ecr 3811123274,nop,wscale 6], length 0
13:29:10.747577 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911729897 ecr 3811123274,nop,wscale 6], length 0
13:29:19.067479 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911738217 ecr 3811123274,nop,wscale 6], length 0
13:29:19.067545 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911738217 ecr 3811123274,nop,wscale 6], length 0
13:29:35.707477 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911754857 ecr 3811123274,nop,wscale 6], length 0
13:29:35.707584 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [S.], seq 1652489149, ack 466049535, win 65160, options [mss 1460,sackOK,TS val 911754857 ecr 3811123274,nop,wscale 6], length 0
13:32:37.294518 IP 10.192.0.5.42360 > 10.192.1.1.22: Flags [P.], seq 1:41, ack 1, win 502, options [nop,nop,TS val 3811337023 ecr 911722694], length 40
13:32:37.294518 IP 10.192.0.5.42360 > 10.192.1.1.22: Flags [P.], seq 1:41, ack 1, win 502, options [nop,nop,TS val 3811337023 ecr 911722694], length 40
13:32:37.294920 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [R], seq 1652489150, win 0, length 0
13:32:37.294971 IP 10.192.1.1.22 > 10.192.0.5.42360: Flags [R], seq 1652489150, win 0, length 0

Altered last post, I think I misread the IPs of the d-link.
Plainly put, you want the LAN IP of the openwrt to replace the d-link's LAN IP.

Most likely it was lost among the other posts, but I'll insist that asymmetric routing results in invalid packets dropped by the firewall.
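Added example, not part of the original thread: a small Python check that reads tcpdump text output in the format posted above and lists TCP flows whose SYN-ACK keeps being retransmitted, meaning the handshake is not completing, which is the pattern in the capture. The sample lines are constructed (options trimmed, and the 10.192.0.9 flow invented for contrast), and `stalled_handshakes` with its `min_synacks` threshold is a hypothetical helper.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump text format as the thread's capture.
SAMPLE = """\
13:24:28.856775 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, length 0
13:24:28.857094 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, length 0
13:24:29.859735 eth0  In  IP 10.192.1.1.41884 > 10.192.0.5.22: Flags [S], seq 15711014, win 64240, length 0
13:24:29.859930 eth0  Out IP 10.192.0.5.22 > 10.192.1.1.41884: Flags [S.], seq 2923662851, ack 15711015, win 65160, length 0
13:30:00.000100 eth0  In  IP 10.192.0.9.50000 > 10.192.0.5.22: Flags [S], seq 100, win 64240, length 0
13:30:00.000200 eth0  Out IP 10.192.0.5.22 > 10.192.0.9.50000: Flags [S.], seq 900, ack 101, win 65160, length 0
13:30:00.000300 eth0  In  IP 10.192.0.9.50000 > 10.192.0.5.22: Flags [.], ack 1, win 502, length 0
"""

# Matches "IP <src.port> > <dst.port>: Flags [<flags>]" with or without
# the interface/direction columns that "tcpdump -i any" prints.
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\]")


def stalled_handshakes(capture, min_synacks=2):
    """Return {(client, server): (syn_count, synack_count)} for flows where
    the server sent its SYN-ACK at least `min_synacks` times.

    A server only repeats a SYN-ACK when the client's completing ACK has not
    arrived, so repeats mean one direction of the path is losing packets.
    """
    flows = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if flags == "S":            # client SYN, first or retransmitted
            flows[(src, dst)][0] += 1
        elif flags == "S.":         # server SYN-ACK, stored under the client's key
            flows[(dst, src)][1] += 1
    return {k: tuple(v) for k, v in flows.items() if v[1] >= min_synacks}


if __name__ == "__main__":
    for (client, server), (syns, synacks) in stalled_handshakes(SAMPLE).items():
        print(f"{client} -> {server}: {syns} SYN, {synacks} SYN-ACK, handshake stalled")
```

Running the same check on captures taken at both ends of the path shows which side sees the SYN-ACK leave and which side never receives it.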

It might do. But the simpler all-round solution (and the one that removes the NAT entirely) is to connect everything as one LAN using a single subnet.

Yes, one network. In this case you should run the D-Link as a dumb AP. Dumb APs are bridged into the network rather than routed. The only thing they do to users' packets is convert the media type from wireless to wired and forward them to the main router. The main router (OpenWrt) handles DHCP and routing.

This is possible with stock firmware as long as there is a way to turn off the DHCP server, which there usually is. The wan port and wan routing functions in the D-Link will not be used.

The D-Link needs to hold a LAN IP only so you can log in and administer it. This IP is not involved with user packets since they are handled at layer 2, the MAC address level.

Thanks all for the guidance. I would have liked to keep the 2 networks separated, but running everything as 1 network is doing exactly what I want :)
