SBC Router: Subnets LAN vs WAN 2 ports

Installing and Using OpenWrt
1

Hello,

I was thinking about an ARM-SBC based setup for OpenWrt with a device with 2 ethernet ports like a NanoPi R3S.
The ideia is to retain the ISP router and use it for Wifi / Lan ports and as gateway and use the SBC to manage DHCP, DNS and everything else.

Option A: Here's the configuration:

  1. ISP Router: Disable DHCP + Set Static IP as 192.168.1.1
  2. SBC: Connect LAN port to ISP router LAN 1
  3. SBC: Connect WAN port to ISP router LAN 2
  4. SBC: Set WAN IP as static 192.168.1.2, gateway 192.168.1.1
  5. ISP Router: Set a few forwards from public WAN IP to 192.168.1.2 (this way the SBC will be the entry point for VPN etc).
  6. SBC: enable DHCP on LAN port but restrict to range 192.168.10-192.168.254.
  7. SBC: configure the DHCP to announce the ISP Router (192.168.1.1) as gateway - avoid looping the device traffic from ISP router > SBC > ISP router again.

Now the question is, will this work?

My concern is that both the Openwrt LAN and WAN are on 192.168.1.0/24 and the kernel might mix up packets from both interfaces.

Option B: If this is problematic, what about setting:

  • SBC LAN: 192.168.1.128/25 (192.168.1.129 - 192.168.1.254)
  • SBC LAN: still advertise 192.168.1.1 as gateway
  • SBC: Add an additional route on DHCP so devices can access the ISP router 192.168.1.1 on 192.168.1.0/25.

I look to me that LAN devices will be able to send traffic to the gateway 192.168.1.1 (ISP Router) but the ISP router might get confused while returning a response because it won't have an internal route to 192.168.1.128/25. What if I set the ISP router static IP with the subnet 192.168.1.0/24?

I would like some advice here and what's best and what might or might not work alongside with potential issues.

Update:

I've done a similar setup with another SBC that only has one ethernet port, and it works fine. In that case everything is LAN.

However, I also want to have a group of devices with the SBC IP as gateway so I can filter out some outgoing traffic / apply extra rules. While this would still work on a single port that also means I would be slashing the bandwidth in half.

Final setup would look a bit more like:


PC1 --- switch -----> ISP Router
PC2 -----|  |             |
            |             |
SBC LAN -----             |
SBC WAN ------------------|

Eg.

  • PC1 internet traffic will go straight through the switch and be dispatched by the ISP router.
  • PC2 internet traffic would go through the switch into the SBC LAN > CPU applies rules > whatever is allowed exists through SBC WAN (potentially NAT from PC2 IP into SBC WAN IP) into ISP router LAN 2.

Much appreciated.

2

There's no need to use the WAN connection. Just add the openwrt device to the LAN. When setting DHCP up add the relevant options to pass gateway (192.168.1.1) and DNS (192.168.1.2) to client devices

3

Thanks for the reply.

Yes, I've done that setup with another SBC that only has one ethernet port, and it works fine.

However, I also want to have a group of devices with the SBC IP as gateway so I can filter out some outgoing traffic / apply extra rules. While this would still work on a single port that also means I would be slashing the bandwidth in half.

Final setup would look a bit more like:


PC1 --- switch -----> ISP Router
PC2 -----|  |             |
            |             |
SBC LAN -----             |
SBC WAN ------------------|

Eg.

  • PC1 internet traffic will go straight through the switch and be dispatched by the ISP router.
  • PC2 internet traffic would go through the switch into the SBC LAN > CPU applies rules > whatever is allowed exists through SBC WAN (potentially NAT from PC2 IP into SBC WAN IP) into ISP router LAN 2.
4

To do that properly (and have it work as intended consistently) you're going to need VLANs.

5

I can for sure isolate PC2 (and others that go through the SBC) on a VLAN but does that solve the potential issues with the subnet being the same? I still want those machines to be able to access all the other machines on the network.

To be fair I'm not even concerned that PC2 might set the ISP router as default gateway and bypass the outgoing rules, I just wanted it, by default, to work as described without a subnetting mess or network loops.

6

No, you can't do what you want and use the same subnet for everything.

1 Like
7

But it does seem to work on the single-port SBC. The thing only has a LAN software-wise and if I set some machine to use it as default gateway I can then add a bunch of traffic rules:

image
image563×195 8.45 KB

Here the network is 172.20.1.0/24, the ISP router sits at 172.20.1.254 as static, no DHCP:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.20.1.1'
        option netmask '255.255.255.0'
        option gateway '172.20.1.254'
        option broadcast '172.20.1.255'
        option ip6assign '64'
        option delegate '0'

config device
        option name 'eth0'

(... dhcp config...)
config dhcp 'lan'
        option interface 'lan'
        option leasetime '6h'
        option dhcpv4 'server'
        option start '10'
        option limit '100'
        list dhcp_option '3,172.20.1.254'
        list dhcp_option '6,172.20.1.1'

I believe when a device wants to access the internet and has the SBC as default gateway then the SBC will NAT the traffic and it will appear on the ISP router with source IP 172.20.1.1.

I can live with that double NAT, but the ideia with an SBC with 2 ports + the switch was to avoid slashing the bandwidth in half for those more controlled wired devices.

8

What's the firewall config?

9

The default:

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'VPN'
        list network 'LANv6'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

But the point is that I can add a traffic rule like forward from local PC 172.20.1.150 to 1.1.1.1 => reject.

10

To be fair, I don't really need WAN for what I want to do. Two ports set as LAN on the same bridge could work... assuming I would be able to set Openwrt to send all outgoing traffic with a destination different than the local subnet using the second LAN port... Not sure if this is possible.

Maybe something like:

  1. Use PREROUTING to mark the traffic with destination IP outside the local subnet
  2. Create a routing table for that mark
  3. Add route that says that default of the routing table above should use the second port

Edit: found someone experimenting with something similar to what I described here.

11

You can, but does it actually do anything?

12

If that PC has the gateway set as the SBC it should. Why not? I can re-test that but I believe it does work.