[Solved] Proxy router

Hello,
Please check this diagram and let me know if this is possible? This is similar to guest access, but I am deploying 2 routers.

From 192.168.* another network, 10.0....., should be reachable, but not the other way around.

Yes, this can be done, but the main router must support the addition of static routes. Does your main router support this (if it is OpenWrt, it does)? This is required.

The secondary router doesn't need much in terms of additional configurations, just turn off masquerading on the wan firewall zone (assuming that is the physical connection), then allow forwarding from wan > lan. If you intend for 10.0.0.0/24 to have internet access, you need to keep lan > wan forwarding enabled, but you'll add a traffic rule to drop/reject any traffic from the lan that is destined for 192.168.1.0/24.

Thanks for your quick reply.
Both routers are OpenWrt. The master is on openwrt-22.03 and the slave is on the 21.02 branch.
You mentioned

  1. you need to keep lan > wan forwarding enabled, but you'll add a traffic rule to drop/reject any traffic from the lan that is destined for 192.168.1.0/24.
    Is this to be done on the slave router? I already have a traffic rule, as shown in the diagram.

just turn off masquerading on the wan firewall zone on the slave router: Done

forwarding from wan > lan. If you intend for 10.0.0.0/24 to have internet access -- This already has internet access. Do I need forwarding for each and every IP?

The traffic rule you've shown does not appear to be the ideal way to achieve this -- it appears to be an accept rule rather than a drop/reject, so it is not protecting your 192.168.1.0/24 network. But let's review the actual config files and I can comment on how I would recommend this be achieved.

Starting with the secondary router:

Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option ip6table 'default'
        list ip6class 'local'
        option ipv6 '0'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'ec:XXXXXX:XXXXXX'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option type 'bridge'
        option ipv6 '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

And the firewall, cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'BlockMaster'
        option target 'DROP'
        option src 'lan'
        list src_ip '10.0.0.0/8'
        list dest_ip '192.168.1.0/24'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'SLAVEROUTER'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '10.0.0.1'
        option dest_port '80'

config forwarding
        option src 'wan'
        option dest 'lan'

Here I have one added rule, BlockMaster, for blocking 192..., and SLAVEROUTER is for reaching the home page of the slave router from the master network.

You'll need to turn off masquerading here (but only after you add the static route to the main router -- we'll get to that shortly).

Do you want to be able to reach the secondary router (for admin purposes) from both networks, or only from one? Currently, both the 192.168.1.0/24 and 10.0.0.0/24 networks can connect to the router.

In the firewall blocking rule below... you may need to add the protocol type (use all)

	list proto 'all'

Also, I believe that the source IP is not strictly necessary, but I would recommend making it 10.0.0.0/24 instead of /8 (unless you have other networks you'll be adding in the /8 envelope). It doesn't matter either way, but personally I prefer to make the rules as targeted as possible.

Finally, this rule is not necessary since you currently have the wan zone defined with input=accept. In the event that you decide to change things up and make input=reject or drop, you should create this using the 'traffic rule' type definition, not port forwarding as you have done here. You can delete this rule for now.

Let's see the same two files on the main router.
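The checks in the first reply (masq off on the secondary's wan zone, wan > lan and lan > wan forwarding, a drop/reject rule from lan towards 192.168.1.0/24) and in the config review above (use `proto all`, prefer /24 over /8, drop the port-forward) can be run mechanically over a UCI file before reloading the firewall. The script below is an added example for this thread, not code from the posters or from OpenWrt; it parses the UCI syntax with a deliberately small parser, flags an unterminated quote (UCI rejects the whole file in that case), and reports which of the recommended settings are missing. `SAMPLE_FIREWALL` is a constructed, trimmed copy of the secondary router's config, including the `list proto 'all` line with its missing closing tick.

```python
"""Audit an OpenWrt firewall file for the one-way routing setup discussed
in this thread. Added example; the sample config is constructed."""
import re

SAMPLE_FIREWALL = """\
config zone
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option masq '0'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule
        option name 'BlockMaster'
        option target 'DROP'
        option src 'lan'
        list proto 'all
        list src_ip '10.0.0.0/24'
        list dest_ip '192.168.1.0/24'
        option dest 'wan'
"""

LINE_RE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*))?$")


def _unquote(raw, lineno, errors):
    """Strip matching quotes; record an unterminated quote as a syntax error."""
    value = raw.strip()
    if value[:1] in ("'", '"'):
        quote = value[0]
        if len(value) < 2 or value[-1] != quote:
            errors.append(f"line {lineno}: unterminated {quote} quote in {value!r}")
            return value[1:]
        return value[1:-1]
    return value


def parse_uci(text):
    """Minimal UCI parser: returns (sections, errors). Each section is a dict
    with '.type', '.name' and its options; repeated `list` keys become lists."""
    sections, errors, cur = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: unparsable {line!r}")
            continue
        kind, key, rest = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            cur = {".type": key, ".name": _unquote(rest, lineno, errors) if rest else None}
            sections.append(cur)
        elif cur is None:
            errors.append(f"line {lineno}: {kind} before any config section")
        elif kind == "option":
            cur[key] = _unquote(rest, lineno, errors)
        else:
            cur.setdefault(key, []).append(_unquote(rest, lineno, errors))
    return sections, errors


def _as_list(value):
    return value if isinstance(value, list) else ([] if value is None else [value])


def audit_secondary(sections, main_lan="192.168.1.0/24"):
    """Findings for the secondary (10.0.0.0/24) router; [] means it matches
    the shape recommended in the thread."""
    findings = []
    zones = {s.get("name"): s for s in sections if s[".type"] == "zone"}
    wan = zones.get("wan")
    if wan is None:
        findings.append("no wan zone defined")
    elif wan.get("masq", "0") != "0":
        findings.append("wan zone has masq=1: with a static route on the main router "
                        "NAT is unnecessary and hides the real 10.0.0.x sources")
    forwardings = {(s.get("src"), s.get("dest")) for s in sections if s[".type"] == "forwarding"}
    for src, dest in (("lan", "wan"), ("wan", "lan")):
        if (src, dest) not in forwardings:
            findings.append(f"missing forwarding {src} -> {dest}")
    blockers = [s for s in sections if s[".type"] == "rule"
                and s.get("target") in ("DROP", "REJECT")
                and s.get("src") == "lan" and s.get("dest") == "wan"
                and main_lan in _as_list(s.get("dest_ip"))]
    if not blockers:
        findings.append(f"no DROP/REJECT rule lan -> wan for dest_ip {main_lan}")
    for rule in blockers:
        for src_ip in _as_list(rule.get("src_ip")):
            if src_ip.endswith("/8"):
                findings.append(f"rule {rule.get('name')}: src_ip {src_ip} is broader than the lan subnet")
    if any(s[".type"] == "redirect" and s.get("src") == "wan" for s in sections):
        findings.append("redirect from wan is unnecessary while wan input=ACCEPT; "
                        "use a traffic rule if input is ever set to REJECT")
    return findings


def audit_text(text, main_lan="192.168.1.0/24"):
    sections, errors = parse_uci(text)
    return errors, audit_secondary(sections, main_lan)


if __name__ == "__main__":
    errs, finds = audit_text(SAMPLE_FIREWALL)
    print("syntax:", errs or "ok")
    print("findings:", finds or "ok")
```

On the sample the audit itself passes but the parser reports the unterminated quote on the `list proto` line, which is exactly the detail that would make the real `uci` reject the file. Rule order relative to the `config forwarding` sections does not matter here: OpenWrt evaluates traffic rules before the zone forwarding policy, so the DROP rule wins even though it is listed before the wan > lan forwarding.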

It should be reachable; it does not matter if it is available or not. I can switch networks and access it. The purpose of doing this configuration is that I have a lot of IoT devices. I am separating them and not allowing internal device access; they can connect to the internet.

In this network I have IP cameras, so I should be able to see them, but the cameras should not see our network. These cheap devices store passwords in text files and are risky. Now with the proxy they may get the password, but it's behind the main router, so there is nothing to worry about, and my slave router is weak in configuration so it cannot transfer huge data.

  1. option masq '0'
  2. list proto 'all'
  3. 10.0.0.0/24
  4. Removed rule SLAVEROUTER

Below is the neat and clean file for the slave router:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '0'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'BlockMaster'
        option target 'DROP'
        option src 'lan'
        list proto 'all
        list src_ip '10.0.0.0/24'
        list dest_ip '192.168.1.0/24'
        option dest 'wan'


config forwarding
        option src 'wan'
        option dest 'lan'

On the master router, below is the cat /etc/config/network file.

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdbd:XXXX:8103::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

and cat /etc/config/firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Support-UDP-Traceroute
	option src		wan
	option dest_port	33434:33689
	option proto		udp
	option family		ipv4
	option target		REJECT
	option enabled		false

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

Right now the slave network is not visible from the main network.

You're missing the closing tick mark here. It's a small detail, but it may cause the firewall to fail to load properly.

Everything on the main router looks fine, but you need to add a static route:
10.0.0.0/24 via 192.168.1.200, type unicast.

This gets added to your network file on the main router:

config route
	option target '10.0.0.0/24'
	option gateway '192.168.1.200'
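Why the static route is the missing piece: a packet from a 192.168.1.x host to a camera is handed to that host's default gateway, the main router, and without a more specific route the main router's only match for 10.0.0.x is its default route towards the ISP, where the wan zone masquerades it and it vanishes. The script below is an added example for this thread, not code from the posters or from OpenWrt; it models the two routers' tables with constructed entries, does a longest-prefix-match lookup, and walks a packet router by router. The addresses are the ones used in the thread; 192.168.1.200 is assumed to be the secondary router's wan address and 'isp-gateway' stands in for the upstream hop.

```python
"""Longest-prefix-match walk showing the effect of the main router's static
route. Added example; the route tables are constructed from the thread."""
import ipaddress

# (prefix, next hop or None when directly connected, egress interface)
SECONDARY = [
    ("0.0.0.0/0", "192.168.1.1", "eth0.2"),   # default via the main router
    ("192.168.1.0/24", None, "eth0.2"),       # connected on its wan port
    ("10.0.0.0/24", None, "br-lan"),          # the IoT LAN
]
MAIN_BEFORE = [
    ("0.0.0.0/0", "isp-gateway", "wan"),      # default learned by DHCP on wan
    ("192.168.1.0/24", None, "br-lan"),       # connected
]
# The `config route` added in the thread: target 10.0.0.0/24, gateway 192.168.1.200
STATIC_ROUTE = ("10.0.0.0/24", "192.168.1.200", "br-lan")
MAIN_AFTER = MAIN_BEFORE + [STATIC_ROUTE]

OWNER = {"192.168.1.1": "main", "192.168.1.200": "secondary"}  # gateway -> router


def lookup(table, dst):
    """Longest-prefix match; returns (network, via, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, iface)
    return best


def trace(tables, start, dst, max_hops=8):
    """Follow dst from router `start` until it is delivered on a connected
    interface or leaves towards a gateway that is not modelled."""
    hops, router = [start], start
    for _ in range(max_hops):
        match = lookup(tables[router], dst)
        if match is None:
            return hops + ["no route"]
        _, via, iface = match
        if via is None:
            return hops + [f"delivered on {iface}"]
        nxt = OWNER.get(via)
        if nxt is None or nxt not in tables:
            return hops + [f"leaves via {via} ({iface})"]
        router = nxt
        hops.append(router)
    return hops + ["loop"]


def reply_path_from_main_lan(main_table, iot_host="10.0.0.50"):
    """A 192.168.1.x host answers a camera by sending to its default gateway,
    the main router; this is the direction that only works with the route."""
    return trace({"main": main_table, "secondary": SECONDARY}, "main", iot_host)


if __name__ == "__main__":
    print("before:", reply_path_from_main_lan(MAIN_BEFORE))
    print("after: ", reply_path_from_main_lan(MAIN_AFTER))
```

The secondary-to-main direction never needed the route: the secondary's wan port sits inside 192.168.1.0/24, so a camera's packet to a main-LAN host is delivered directly, and with masq off it still carries its 10.0.0.x source, which is precisely why the return trip depends on the main router knowing that prefix.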

The typo was in the writing, as I wanted to make it bold. Somehow it did not work, so while removing it, this remained. Not a big deal; I verified it's correct.

The rule below worked. Now I need to test the reverse: from the slave network to the main network.

config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option gateway '192.168.1.225'

Many, many thanks... I will rewrite the post in detail for someone if they want a proxy for IoT devices.

What typo? What wasn't working and what did you remove?

You're welcome! Technically this is not a proxy router config...
it is purely creating a second subnet using symmetric routing. You can even do this on your main router... additional routers are not required.

Meanwhile...
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Single quote: I wanted to make it bold to show the difference. It looks like HTML formatting in the code section does not get recognized.

Ah, makes sense.

This problem is solved. I am a hobbyist and play with OpenWrt in my free time. On the main router it is possible, but it will be loaded. I wanted to keep the main router free for doing some other tasks. I am trying to get signal strength via ubus and PHP. This requires continuous pinging on the main router and may eat up resources.

What exactly do you mean by "signal strength"?

Routing a second network on the main router doesn't really require any significant resources.

The main router is loaded with adblock. I am planning to run a webserver on the main router. Signal strength for each device is needed via a REST API. There is a blog someone has written; I am just extending it. This will help me to detect where I am (inside/outside, near or far) and based on that I can make certain decisions in the network.

Ok... that info is already available in the radio status section of the existing interface.

Sure... but you don't need to go to these lengths. There are standard settings that you can use if you wish to kick a device off the network based on a minimum signal strength metric.

But, whatever your goals, it could be a fun project.
