Separated subnets with two routers

Hello, I have the following network configuration: a Fritzbox modem/router that connects to my ISP and now I've added an old Netgear DGN3500, that I had hanging around and flashed with OpenWRT, that I'd like to use as a "guest network" router to connect the IoT devices.
I've managed to ALMOST do this using the Fritzbox "guest network on LAN 4" function that treats devices connected to that port as guests and plugging the DGN3500 into that one. Problem is the FB doesn't allow any configuration on that subnetwork and I can't set the static IPs that I need for a stable connection to the security cameras. Even if I set static leases in OpenWRT, it seems like the FB main router just overrides them and sets random ones.
I'm considering getting rid of the "guest LAN4" FB option and just setting up different subnets. But is that possible or do I need to add a managed switch and have different VLANs?

I do not think you can do much better, unless you flash OpenWrt to the FritzBox, too.

1 Like

My Fritz is a 7530 AX so not compatible with OpenWRT. :cry:

What I don't understand, though, is why: the devices I'd like to set static IPs for are connected to the OpenWRT Netgear router and I've set up the DHCP server on it with the "authoritative" option disabled, so, AFAIK from theory, I should be able to have the two DHCP servers on the same network and the "closer" one should be the one serving.
I've even tried to disconnect the Netgear from the FB so it gives out the static IPs, then connect it to the FB after it's done; this way it seems to work (dunno long term), but it looks more like a workaround than a solution and as soon as I reboot the Netgear I'm stuck with the FB ruling again.
I don't know: there's a managed switch on Amazon for a little more than 20€, supporting VLANs, but is that needed and would it solve my problem?

I do not think this is a reliable solution, and I do not think this is the path to fix your issues.

1 Like

Yeah, I know.
This thread on superuser.com is giving me hope that the managed switch could instead be the solution.

I don't think so... yes, a managed switch can help you work with VLANs and configure some more sophisticated options, but the topology you're proposing isn't really going to work.

Is it not possible to do one of the following:

  • turn off the DHCP server on the main Fritz router?
  • Or run all of your devices behind the OpenWrt router which can be configured quite flexibly and with full configurability of your VLANs?

To do the latter, you might just make the main Fritz device a modem only (bridge/pass-through mode if supported) or deal with double NAT.

If these don't seem to make sense or be practical, maybe you can draw a diagram of what your ideal topology might look like and we can make suggestions from there.

2 Likes

Thanks for your help. This is how it's set up now. It somehow works but the Fritzbox "Guest LAN" is sort of a black-box with its own DHCP server that isn't configurable in any way.
I can disable the Fritzbox DHCP server on the LAN (192.168.0.x) but that doesn't disable the guest network DHCP that keeps choosing the IPs on the guest subnet (192.168.179.x).
The FB can't work in passthrough mode (as stated here) so I should fallback to double NATting which, AFAIK, is quite deprecated.
Here's a chart of the network:

Do you need to use the fb wifi? If not, you can run everything from the openwrt device.

Or you can set up your openwrt device as a dumb ap with the guest network on the openwrt config rather than the fb. That will give you more flexibility.

1 Like

Well, the old Netgear is just 2.4 GHz so it'd be a huge step back. But I could add a WiFi 6 access point if I want and, as you can see, I don't use WiFi that much (most devices are on cables).
But that's the least of my problems: maybe I forgot to mention that I can't connect the Netgear to my ISP, because it has a modem that only works with ADSL and my current connection is an FTTC VDSL that it can't handle. So for the internet connection I can't avoid using the Fritzbox.

I would recommend making your Netgear device a dumb AP with a guest network.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

With a minor modification of this recipe, we can make your guest network also available with ethernet if that is needed/desired.

1 Like

Let's see the complete config and I'll comment based on the whole picture.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Sorry, forget my last post (that I deleted), with all this network switching the guide was not completely loaded in the browser and was missing the last images with the correct firewall settings.
Now the "guest" wireless clients connect to the "dumb AP", they get a random (if that could change... But let's try one step at a time) IP address in the AP subnet (192.168.1.x) in the "Wireless" LuCI page but are not present in the list of connected devices on the Fritzbox (192.168.0.x subnet). So they can reach neither the internet nor the other devices on the guest subnet (which I'd need to connect the security cameras to the NAS).

The outputs you requested:

ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "AR9 rev 1.2",
	"model": "Netgear DGN3500",
	"board_name": "netgear,dgn3500",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "lantiq/xway",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:b041:89ca::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option firmware '/lib/firmware/adsl.bin'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr 'xxx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.1'
	list dns '192.168.0.1'

config device
	option name 'dsl0'
	option macaddr 'xxx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.1.255'
cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:0e.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'em_wireless'
	option encryption 'psk2'
	option disassoc_low_ack '0'
	option key 'xxx'
cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest_DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Guest_DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block_Guest_from_LAN'
	option src 'guest'
	option dest 'lan'
	option target 'REJECT'
	list proto 'all'
	list dest_ip '192.168.0.0/24'

Everything looks fine there.

You can now create DHCP reservations for the client devices on your guest network so that they have known IP addresses.

Also, do you need the guest network to also be connected to ethernet?

Looks fine but unfortunately doesn't work. All clients that connect to the AP WiFi can't access the internet. :cry:

I need just two specific wireless guests (the two security cameras) to connect to one single ethernet device (the NAS that controls them). In the original configuration I did that by connecting the secondary LAN port of the NAS (that is on a different interface, not a switched one) directly to the Netgear router (now "Dumb AP" :wink: ).

Ah... I missed something...

Add masquerading to the lan firewall zone like this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

Ok... so we'll add ethernet to the mix.

We'll remove logical port 3 from VLAN 1 and make VLAN 2 for that port. I don't know which physical port this will correspond to, but I'll guess port 4 -- you may need to try each physical port to verify. You can use this recipe to adjust if you want to use a different port than whatever results here.

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 5t'

Now we'll add eth0.2 to the guest bridge.

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	list ports 'eth0.2'

Restart and you should have internet access on the guest network as well as the ethernet connection to it that you've requested.
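As an added example (not part of this thread and not OpenWrt's own tooling), here is a small Python script that parses UCI-style config text and checks the properties the last two replies rely on: masquerading on the lan zone, REJECT defaults on the guest zone, a REJECT rule covering the trusted subnet despite the guest-to-lan forwarding, no switch port untagged in two VLANs, and no port shared between br-lan and br-guest. The embedded configs are trimmed, constructed copies of the ones posted above; `parse_uci`, `find`, `audit` and the `trusted_subnet` parameter are names I chose, and the parser assumes the plain `config`/`option`/`list` syntax seen in the dumps.

```python
import re
from collections import defaultdict

# Minimal UCI line grammar (assumption: only the syntax seen in the dumps above).
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?$")


def parse_uci(text):
    """Return sections as dicts: type, name, options{key: value}, lists{key: [values]}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, val = m.groups()
        if kind == "config":
            cur = {"type": key, "name": val, "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif kind == "option":
            cur["options"][key] = val
        else:
            cur["lists"][key].append(val)
    return sections


def find(sections, stype, **opts):
    """Sections of a given type whose options match every keyword given."""
    return [s for s in sections if s["type"] == stype
            and all(s["options"].get(k) == v for k, v in opts.items())]


def audit(network_cfg, firewall_cfg, trusted_subnet="192.168.0.0/24"):
    """Return a list of findings; an empty list means the guest setup looks consistent."""
    net, fw, findings = parse_uci(network_cfg), parse_uci(firewall_cfg), []
    # 1. Guest traffic is NATed onto the AP's lan address, so masq must be on the lan zone.
    lan = find(fw, "zone", name="lan")
    if not lan or lan[0]["options"].get("masq") != "1":
        findings.append("lan zone: masq not enabled, guest clients get no internet")
    # 2. The guest zone should drop unsolicited input and forwarding by default.
    guest = find(fw, "zone", name="guest")
    if not guest:
        findings.append("guest zone missing")
    else:
        for policy in ("input", "forward"):
            if guest[0]["options"].get(policy) != "REJECT":
                findings.append(f"guest zone: {policy} policy is not REJECT")
    # 3. guest->lan forwarding is needed for internet, so a REJECT rule must shield the trusted subnet.
    if find(fw, "forwarding", src="guest", dest="lan"):
        blocks = [r for r in find(fw, "rule", src="guest", dest="lan", target="REJECT")
                  if trusted_subnet in r["lists"]["dest_ip"]]
        if not blocks:
            findings.append(f"guest->lan forwarding open but no REJECT rule covers {trusted_subnet}")
    # 4. An untagged switch port in two VLANs would leak one network into the other.
    membership = defaultdict(list)
    for vlan in find(net, "switch_vlan"):
        for port in vlan["options"]["ports"].split():
            if not port.endswith("t"):
                membership[port].append(vlan["options"]["vlan"])
    for port, vlans in sorted(membership.items()):
        if len(vlans) > 1:
            findings.append(f"switch port {port} untagged in VLANs {vlans}")
    # 5. Bridges must not share an interface, and each guest VLAN interface needs a switch_vlan.
    bridges = {d["options"]["name"]: list(d["lists"]["ports"]) for d in find(net, "device", type="bridge")}
    shared = set(bridges.get("br-lan", ())) & set(bridges.get("br-guest", ()))
    if shared:
        findings.append(f"ports {sorted(shared)} are in both br-lan and br-guest")
    vlan_ids = {v["options"]["vlan"] for v in find(net, "switch_vlan")}
    for port in bridges.get("br-guest", ()):
        vid = port.rsplit(".", 1)[-1]
        if vid not in vlan_ids:
            findings.append(f"{port} is in br-guest but no switch_vlan defines VLAN {vid}")
    return findings


# Constructed, trimmed copies of the configs posted in this thread.
NETWORK_BEFORE = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5t'

config device
    option type 'bridge'
    option name 'br-guest'
    option bridge_empty '1'
"""
NETWORK_AFTER = """
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 5t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '3 5t'

config device
    option type 'bridge'
    option name 'br-guest'
    option bridge_empty '1'
    list ports 'eth0.2'
"""
FIREWALL_BEFORE = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'guest'

config forwarding
    option src 'guest'
    option dest 'lan'

config rule
    option name 'Block_Guest_from_LAN'
    option src 'guest'
    option dest 'lan'
    option target 'REJECT'
    list proto 'all'
    list dest_ip '192.168.0.0/24'
"""
# The one-line fix from the reply above: masquerade on the lan zone.
FIREWALL_AFTER = FIREWALL_BEFORE.replace("list network 'lan'", "list network 'lan'\n    option masq '1'")

if __name__ == "__main__":
    for label, n, f in (("before", NETWORK_BEFORE, FIREWALL_BEFORE), ("after", NETWORK_AFTER, FIREWALL_AFTER)):
        print(label, audit(n, f) or "OK")
```

On a real device the two arguments would be the contents of /etc/config/network and /etc/config/firewall; the checks only cover the swconfig-style `switch_vlan` layout this DGN3500 uses, not DSA-based switch configs.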

Simply great! Thanks a lot! Everything works as expected, the cameras are even "autodetected" on the "trusted LAN" with 192.168.0.x addresses.
The security check I've done is that from the trusted LAN I can access devices on the guest (like the webadmin pages of the security cameras) but not the other way around: I've tried to connect this computer to the guest network WiFi and I can navigate the internet, access the router admin page (is there a way to avoid that?) but everything else is beyond reach. My trusted LAN should be safe in case any of those IoT devices exposed to the internet (the air conditioner, a couple of Chinese "smart plugs") should be hacked, right?

EDIT: There's a little problem: with the last modifications to include ethernet, I can't access OpenWRT anymore, neither from LuCI nor via ssh.

The main router page or the Netgear? From what I see in the firewall, both should be inaccessible.

Is it possible that you were connected to both networks at the same time (i.e. ethernet on one network, wifi on the other)?

1 Like

Yes sure. That must have been the reason, I probably forgot to turn off the ethernet connection when I switched on WiFi.
Btw, now I have the opposite problem: I can't access the Netgear anymore. I mean, it's working, but I can't reach it for any further configuration (like backing up all this nice stuff I made thanks to you).

Try connecting to the main network (not the guest) -- you should be able to reach the device at 192.168.0.2 -- if you can't reach it via browser, try ssh and/or just ping it.

Yes, tried all three of them with 192.168.0.2. Even turned it off and back on. Ping gets 100% packet loss, ssh "no route to host" and LuCI times out connecting.