[SOLVED] Connecting to other network

Hello,

I am trying to troubleshoot an issue where I'm not able to connect to an additional network.

My Setup:

OpenWRT: 192.168.1.0/24 - Running a WireGuard VPN (Nord), connected to the TP-Link router from WAN to LAN
TPLink: 192.168.0.1/24 - Running my main network, connected to OpenWrt from LAN to WAN

I'm not able to access the other subnet from either network. I have added static routes on both sides, making sure I specify the correct interface (TP-Link - 192.168.1.0/24 - LAN) (OpenWRT - 192.168.0.0/24 - WAN).

OpenWRT serves as a VPN router to encrypt my traffic with NordVPN. I use it for work.
TP-Link serves the rest of my residence for all devices (clients, cameras, lights, TV, pihole, etc.).

I have a NAS on my TP-Link network that I want to be able to access from my OpenWRT network.

I'm beginning to suspect that Nord, the way I have it configured, isn't going to pass traffic from the WAN to the LAN, but I'm not sure. If anyone could help me, that would be awesome.

Thanks for taking the time to read and reply to my issue.

UPDATE:

After configuring the routes, I am able to reach TP-Link (192.168.0.0/24) from the OpenWRT network (192.168.1.0/24), but not in the other direction.

You've connected TP-Link LAN -> OpenWrt WAN. By default, the WAN is NAT'd and firewalled, so it will not allow incoming connections. You will need to disable NAT on the OpenWrt device and then allow forwarding from wan zone > lan zone on the OpenWrt firewall. If you put your VPN into the wan zone, you will need to move that to its own zone with NAT enabled.

You'll also need to add a static route to your TP-Link router's configuration. If that feature is not supported/exposed, you will not be able to achieve your goals.

I am able to add routes to my TP-Link router, but when I disable masquerade on the OpenWrt side, I lose connectivity. I have created a forwarding zone and added routes, but it's not working.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

And also please show how you added the route on the TP-Link router.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option force_link '0'
	list dns '8.8.8.8'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option ifname 'eth1.2'
	option delegate '0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.10'
	list dns '192.168.0.2'
	option gateway '192.168.0.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config route
	option netmask '255.255.255.0'
	option target '192.168.0.0'
	option interface 'wan'
	option gateway '192.168.1.1'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option mtu_fix '1'
	option network 'lan wan'
	option forward 'ACCEPT'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'lan'

Your wan zone should not include the lan network... remove lan from this:

Your route is wrong... it should have the default gateway as 192.168.0.2 (which is the address of the WAN of your OpenWrt router).

This should not be necessary because the route is already known (as the WAN/default route), but if you are running a VPN, I could see where this might become necessary. The preferred method would be to use policy based routing.

These changes should allow things to work once masquerading is disabled. The VPN is not shown, though -- I'm not sure how that factors into things.

192.168.0.2 is a DHCP/DNS appliance. My OpenWRT router is 192.168.1.1. I am not sure where it's showing my OpenWRT router as 192.168.0.1 & 192.168.1.10 (assigned).

I wiped the VPN to get this working first to alleviate extenuating complications.

I applied the settings suggested and it knocks out internet connectivity.

I'm sorry... It should be 192.168.0.10 (for the gateway address in the TP-Link router)


I updated the route on TP-Link.
Below is my current firewall configuration:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option network 'wan'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

You need to add:

config forwarding
	option dest 'lan'
	option src 'wan'

And turn off masquerading on the wan zone.

The route is still wrong... default gateway is 192.168.0.10
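As an added illustration (not code from this thread or from OpenWrt), a small Python checker that parses UCI config text and flags the four things the replies above point out: a route whose gateway is not on the outgoing interface's subnet, a wan zone that also contains the lan network, masquerading left on the wan zone, and the missing wan-to-lan forwarding. The NETWORK and FIREWALL samples are constructed from the fragments posted in the thread.

```python
import ipaddress

# Constructed samples: the network and firewall fragments the replies in the thread flagged.
NETWORK = """config interface 'wan'
	option ipaddr '192.168.0.10'
	option netmask '255.255.255.0'
config route
	option target '192.168.0.0'
	option interface 'wan'
	option gateway '192.168.1.1'
"""
FIREWALL = """config zone
	option name 'wan'
	option network 'lan wan'
	option masq '1'
config forwarding
	option dest 'wan'
	option src 'lan'
"""

def parse_uci(text):
    # Returns [(section_type, section_name_or_None, {option: value, list: [values]})]
    out = []
    for line in text.splitlines():
        p = line.strip().split(None, 2)
        if not p:
            continue
        if p[0] == "config":
            out.append((p[1], p[2].strip("'\"") if len(p) > 2 else None, {}))
        elif p[0] == "option" and out:
            out[-1][2][p[1]] = p[2].strip("'\"")
        elif p[0] == "list" and out:
            out[-1][2].setdefault(p[1], []).append(p[2].strip("'\""))
    return out

def lint(net_text, fw_text):
    # Report what blocks routed (un-NATed) wan->lan access, per the replies in the thread.
    net, fw, issues = parse_uci(net_text), parse_uci(fw_text), []
    ifaces = {n: o for t, n, o in net if t == "interface"}
    for _, _, r in [s for s in net if s[0] == "route"]:
        i = ifaces[r["interface"]]
        subnet = ipaddress.ip_interface(f"{i['ipaddr']}/{i['netmask']}").network
        if ipaddress.ip_address(r["gateway"]) not in subnet:  # next hop must be on-link
            issues.append(f"route {r['target']}: gateway {r['gateway']} not on {subnet}")
    wan = next((o for t, _, o in fw if t == "zone" and o.get("name") == "wan"), {})
    if "lan" in wan.get("network", "").split():
        issues.append("wan zone also contains the lan network")
    if wan.get("masq") == "1":
        issues.append("masq enabled on wan zone: lan hosts hidden behind the wan address")
    if not any(t == "forwarding" and o.get("src") == "wan" and o.get("dest") == "lan" for t, _, o in fw):
        issues.append("no forwarding from wan to lan")
    return issues
```

Run it against the real files with `lint(open('/etc/config/network').read(), open('/etc/config/firewall').read())`; an empty list means the config matches what the replies asked for.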

Sorry, you're right. Too many subnets, too many trials and errors.

That worked! Thanks a ton.

Great! You're welcome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
