My main router is a TP-Link (192.168.1.1) to which is connected an OpenWrt router working in AP mode (LAN 192.168.1.253, WAN 192.168.4.1). I can connect to OpenWrt, use the internet and ping machines in any part of the network (192.168.1.x or 192.168.4.x). The problem is I can't ping from any machine in the 192.168.1.x network to machines in the 192.168.4.x one. I tried dealing with the firewall (even turning it off), masquerading and so on.
To confirm that at least I am inputting the right data to the router (TP_Link):
From the rest of your description, I would not call this AP mode. It is functioning as a router if you have a different subnet on the lan of the OpenWrt router compared to the upstream.
This seems backwards. If it is working, your openwrt wan is 192.168.1.253 and the lan is 192.168.4.0/24.
Turn off masquerading on the wan firewall zone and then allow forwarding from wan>lan (only do this when the upstream network is trusted, never when the wan is a direct connection to the internet).
Also be aware that some hosts, particularly windows, don’t accept connections from a different subnet unless the firewall on the host itself is modified to allow those connections.
The static route on the main router looks correct.
Only to confirm, this is my /etc/config/wireless file:
That's not completely right, you also need to allow the lan->wan traffic. However, in your case it would make more sense to delete the wan zone and assign the wan interface to the lan firewall zone.
You took it one step further. What I meant was to keep it as a router, but eliminate the firewall factor by placing both wan and lan in the lan zone.
If routing is not indeed needed, then your suggestion for converting into a dumbAP is certainly the best for this usecase.
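As an added illustration of the two zone changes discussed in these replies (this is not the poster's configuration nor an official OpenWrt example; addresses are taken from the thread as assumptions), the relevant /etc/config/firewall stanzas:

```uci
# /etc/config/firewall excerpts for the OpenWrt router (added example, not the
# poster's actual file). Assumes wan = 192.168.1.253 on the TP-Link LAN,
# lan = 192.168.4.0/24, and that the TP-Link already has a static route for
# 192.168.4.0/24 via 192.168.1.253.

# Default wan zone: masquerading hides 192.168.4.x behind 192.168.1.253 and the
# zone rejects forwarded traffic, so 192.168.1.x hosts cannot reach 192.168.4.x.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# Option A: keep separate zones, stop masquerading (the static route on the
# TP-Link handles the return path) and allow forwarding in both directions.
# Only acceptable while the wan side is the trusted 192.168.1.x LAN, never
# when wan is a direct internet connection.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '0'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'lan'

# Option B: delete the wan zone and put the wan interface in the lan zone, so
# the firewall no longer separates the two subnets at all (routing still works).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wan'
```

Use either Option A or Option B, not both; after editing, reload with `/etc/init.d/firewall restart` and test with a ping from a 192.168.1.x host to a 192.168.4.x host.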
@ebiscaia - what is your goal for this device? Do you specifically want different subnets, or just how it is currently setup? As others have stated, a dumb AP is an easy solution for your issue, but may or may not be what you want. Can you give us a description of your goals?
I did that. Funnily, when I save the changes it starts to ping straight away, but if I try to ping again it stops working.
Not sure if I deleted the wan zone but I applied the lan firewall zone to the wan interface and then it worked fine.
Well, I would rather keep the networks separated so I can choose which machines use OpenVPN. I will keep the post open for now in the hope of finding more inputs from you guys.
IMO, this is a good reason to use a different subnet like this. There are other ways you could achieve the same end result (such as replacing your main router with one running OpenWrt and then using VPN policy based routing), but this one is perfectly valid.
That said, if you have a VPN running, you may need to do VPN-PBR anyway in order to allow the local traffic between your two subnets. That may be the reason you were having issues in the first place.
I think you can probably close this thread and start a new one if/when you have issues or want to change the topology.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.