[SOLVED] Route specific LAN IP range without sending all traffic over that network's WAN

Hi,
I'm running the latest LEDE on two AC1750 v2 routers with all packages up to date.

What I'm trying to do is connect two separate LAN networks, each with its own WAN/ISP. One network is that of my neighbour (let's call it network B) and the other is mine (network A), which is why it needs to be this way, due to accountability and costs. The networks will be interconnected via wifi.

Network A has multiple firewall groups as seen in this picture. Network A only needs to reach servers on network B for now so I enabled masquerading to prevent IP conflicts on network B. The wifi network in the "IntraBridge" group is what connects network A to B by acting as a DHCP client to network B's AP.

Network A functions on 192.168.1.0/24 (most interfaces) and 192.168.2.0/24 (WLANprivate) and 192.168.3.0/24 (WLANpublic), where x.x.x.1 always is the gateway in that subnet. Network B functions on 192.168.24.0/24 with 192.168.24.1 as gateway. WLANpublic and private don't need to connect to Network B although it would be nice if WLANprivate could.

When I simply connect the network A router via wwan_bridge to the network B router, 192.168.1.0/24 devices can reach the machines on 192.168.24.0/24, but the network A router seems to send my normal browser traffic over to the network B router too. I have completely ignored IPv6 during my trial and error exploration since it seems like much of a hassle, but I haven't disabled it either on network A as far as I know.

I don't really understand much of how to set up routes and such. The LEDE documentation on IPv4 static routes is too specialized since I don't know the basics of IP routing. I tried setting up a static route like this:

Interface: wwan_bridge | Target: 192.168.24.0/24 | IPv4 Netmask: 255.255.255.0 | IPv4 Gateway: 192.168.24.1 | Metric: 0 | MTU: 1500 | Route type: Unicast

But that didn't do the trick for me and had the same result, sending everything to network B. What am I doing wrong? Do I need to specify that all traffic has to go through network A's WAN interface as well? I tried using "ip cache flush" to clear the ip routes but that didn't help.

Thank you so much for the help!

If you go into the Firewall rule for wwan you will notice there is an advanced options tab.
If you set "Restrict Masquerading to given source subnets" and "Restrict Masquerading to given destination subnets", I THINK that will stop it trying to route WAN traffic over wwan.

If that doesn't work you can try going into interfaces for your WAN and then into the advanced settings and specify a gateway metric above 0. That should prevent the wwan from taking priority as the default route.

Then if you set your static route for wwan at the same priority, that should, I think, stop the default routes from ever being used for wwan. It's a bit of a hack, as ultimately what I think we need to do is prevent the default route for wwan being created that is telling it to route all traffic over that connection, but I can't find any information on how to do that in LEDE.


Here are the basics of IP routing:

The way routing works is that anything that can't be reached by simply sending a packet out of a particular network interface is reached by sending the packet out the network interface to a router. The router is also called a "gateway". For ipv4 the router is looked up by sending an ARP packet asking for which MAC address has the ipv4 address associated, and then when the reply is received the IP packet is sent to that MAC. When the gateway receives this packet it sees that it's not destined for its own IPs and it forwards it along.

When a packet is received by a router, it tries to find the most specific route to send the packet on. It does this by looking in a routing table. Under Linux there are many possible routing tables, but the default one is usually used unless there's a rule to say otherwise.

https://lede-project.org/docs/user-guide/ip_rules

Without knowing more about the names of your interfaces and so forth (as opposed to just the firewall groups) it's not clear how to set it up exactly. But the main idea is that network traffic from your LAN to 192.168.24.0/24 should go to your wwan_bridge, and everything else goes to your WAN port, unless you want some subset of your regular traffic to also go over to the net B network, perhaps because there's a higher speed or something over there.

So your route table should look something like this:

default via YOURWANIPHERE dev YOURWANDEVICE
192.168.24.0/24 dev wwan_bridge_interface_here
192.168.1.0/24 dev br-lan

So now only packets destined for 192.168.24.0/24 go to your wwan bridge,
192.168.1.0/24 packets go to your LAN,
EVERYTHING ELSE goes over your WAN.


The problem isn't knowing WHAT the routing table should look like, it's how to remove the 0.0.0.0 route that will be automatically added for wwan.

Why is a default route auto-added? What software is doing that?

From the wwan network's DHCP server.

Aha, now I understand. Seems easiest to simply set the wwan interface to use a static IP since he's coordinating with a neighbor. Only problem will be if the router on B network uses all the addresses in its DHCP pool. Usually this isn't the case, and only say 192.168.24.50 to 192.168.24.150 or something similar will be handed out by DHCP. So, the device can just be given 192.168.24.13 or some such thing and all will be well.

Also btw most devices will prefer ipv6 to ipv4 when it's available, and so the mention of:

suggests another avenue to look at as well. @tjeulink IPv6 is great and if you can set it up do it... but you might want to do something policy-routing wise to prioritize your own WAN for ipv6 egress. Since you're probably not interested in dynamic routing, you will probably do best to turn off reception of router advertisements on the wwan network and then set up a static route to the ipv6 subnet your neighbor has if there is one.

This didn't seem to work. What it caused was that I could only reach 192.168.24.0/24 addresses for some reason. But it did help me find a function I wasn't aware of, so thanks for that :smiley:

This is what eventually led me to the solution, together with @dlakelan's explanation of what the routing table should look like. What I did was the following:
interface WAN = gateway metric 1
interface WWAN_BRIDGE = gateway metric 100

after that my ip route table looks like this:

root@LEDE:~# ip route
default via 172.31.1.97 dev eth0 proto static src 172.31.1.110 metric 1
default via 192.168.24.1 dev wlan1 proto static src 192.168.24.105 metric 100
172.31.1.96/28 dev eth0 proto static scope link metric 1
172.31.1.97 dev eth0 proto static scope link src 172.31.1.110 metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-WLAN_PRIVATE proto kernel scope link src 192.168.2.1
192.168.24.0/24 dev wlan1 proto static scope link metric 100
192.168.24.1 dev wlan1 proto static scope link src 192.168.24.105 metric 100

But it doesn't seem to be a very elegant solution; it has some hiccups when I send ping requests to a machine on 192.168.24.0/24, but after a few seconds it finds a route. When looking into "ip route" before pinging towards 192.168.24.0/24, but with the same settings as after pinging, the ip route table looks like this:

root@LEDE:~# ip route
default via 172.31.1.97 dev eth0 proto static src 172.31.1.110 metric 1
172.31.1.96/28 dev eth0 proto static scope link metric 1
172.31.1.97 dev eth0 proto static scope link src 172.31.1.110 metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-WLAN_PRIVATE proto kernel scope link src 192.168.2.1

But it did solve my problem and I am very grateful for that. I would never have figured this out on my own :blush:

I would love to, but it's not much use. My WAN is hooked up to a firewall from the apartment building; it was set up years ago and they never bothered to implement IPv6 routing, so I don't even get a lease from them. And I don't really see the use for IPv6 on the small scale my neighbor and I are using it. Or are there more benefits to using IPv6 other than a larger pool of addresses?

It is slightly elegant in that if your WAN goes down, you will still get internet through your neighbor :wink:

The pinging to the neighbor may be caused by:

That first line seems superfluous, you can reach everyone on that neighbor LAN by just sending down the wlan1 connection, rather than routing via the neighbor's router. Probably when the neighbor's router refuses to route for those destinations, eventually the metric 100 route takes over. I'm not sure why that first line appears, but if you can eliminate it and make the metric 1 for the second line that'd probably help.

Hmm, I tried unplugging my WAN but it doesn't fall back to my neighbour's network until I power-cycled LEDE, but it did fall back to my WAN again as soon as I plugged it in. Is there a way to configure LEDE so that if the packet doesn't have 192.168.24.0/24 as destination it gets dropped?

Yes that first line was from a static route that was still set, I removed it already. I can change the metric of the second line by changing the WWAN_BRIDGE interface's gateway metric to 1, but after that my ip route table looks like this:

root@LEDE:~# ip route
default via 192.168.24.1 dev wlan1 proto static src 192.168.24.105 metric 1
172.31.1.96/28 dev eth0 proto static scope link metric 1
172.31.1.97 dev eth0 proto static scope link src 172.31.1.110 metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-WLAN_PRIVATE proto kernel scope link src 192.168.2.1
192.168.24.0/24 dev wlan1 proto static scope link metric 1
192.168.24.1 dev wlan1 proto static scope link src 192.168.24.105 metric 1

Which means that everything is routed to 192.168.24.1 by default again, which is undesirable because I only want 192.168.24.0/24 to be routed there and everything else to be routed to 172.31.1.97, regardless of the availability of either route.

So if you don't want to try to use the neighbor's WAN but just the LAN, I really think you should set up a static IP for your router on the 192.168.24.0/24 subnet. Then DHCP won't tell you a route and you won't get a default routing entry for the neighbor's router. You should be in control of your routing table, NOT the DHCP server on your neighbor's LAN.
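As an added illustration (not code from the thread or from LEDE) of the routing-basics post above and of this static-IP suggestion, here is a small Python model of the `ip route` table posted earlier: it implements the kernel's rule of longest prefix first, then lowest metric, and shows what happens with and without the DHCP-installed default route on wlan1. The metric 0 on the kernel-added routes, and the assumption that netifd drops a device's routes when its carrier is lost, are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed from the `ip route` output posted above (WAN metric 1, wwan_bridge
# metric 100): (prefix, device, gateway or None for an on-link route, metric).
# Kernel-added "scope link" routes are assumed to carry metric 0 when none is shown.
ROUTES_DHCP = [
    ("0.0.0.0/0",       "eth0",            "172.31.1.97",  1),    # WAN default
    ("0.0.0.0/0",       "wlan1",           "192.168.24.1", 100),  # default from network B's DHCP
    ("172.31.1.96/28",  "eth0",            None,           1),
    ("192.168.1.0/24",  "br-lan",          None,           0),
    ("192.168.2.0/24",  "br-WLAN_PRIVATE", None,           0),
    ("192.168.24.0/24", "wlan1",           None,           100),
]

def lookup(table, dst):
    """Pick the route the kernel would use for dst: the longest prefix wins,
    and among equal prefixes the lowest metric wins. Returns (dev, gateway)."""
    dst = ip_address(dst)
    best = None
    for prefix, dev, gw, metric in table:
        net = ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)          # more specific first, then cheaper
        if best is None or key > best[0]:
            best = (key, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def has_route(table, dst):
    try:
        lookup(table, dst)
        return True
    except LookupError:
        return False

def link_down(table, dev):
    """Routes that survive when the carrier on dev is lost (assumed: netifd removes them)."""
    return [r for r in table if r[1] != dev]

def with_static_ip(table, dev):
    """Table as it looks if dev has a static address and no gateway configured:
    the on-link /24 stays, and the DHCP-supplied default route is never installed."""
    return [r for r in table if not (r[0] == "0.0.0.0/0" and r[1] == dev)]
```

With the DHCP table, 8.8.8.8 still goes out eth0 because metric 1 beats metric 100, and only falls over to wlan1 once eth0's routes are gone; with the static-IP table there is no route left for non-neighbour traffic when the WAN is down, which is the "drop it" behaviour asked about above.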


Okay, then I will discuss this with them and probably go this route. Thanks for the help!

Also this link at the bottom tells how to set the timeout for failover. https://www.linux.com/news/using-linux-failover-router


Actually that failover link may be out of date. I'm not sure how to get failover to work. It might require a separate daemon to monitor the connection.