When radio0 is connected to my 192.168.0.0 networks and gets an IP of 192.168.0.97
and radio1 is the DHCP that provides 10.7.7.1 IPs to the network
I am able to connect from both networks both ways. NOW..
I have added a second OpenWRT on my TPLink with a LEDE FW.
It is small network an only provided IP for a small amount of devices that are mostly IoT devices
I have it setup that the Wifi is Extending amn existing AP on network 192.168.0.0 that it gets a Static IP from 192.168.0.96
and the other connection is WIRED ethernet connection that provides a DHCP when connecting to it.
I have connected a RPi to the port and it got a DHCP IP for that network
the network is configured as 10.8.8.X and the RPi got 10.8.8.191 as it should from a DHCP.
Also network 192.168.0 and 10.8.8 are talking to each other without any issues at all - Both ways.
Up to this point I think that I have everything as it should - as mentioned above - I want to add and mention that there are already two static routes in my home router for both 10.7.7.0 and 10.8.8.0 and both works.
the current goal is that I want to be able to connect from 10.8.8.0 to 10.7.7.0
The router that connects to 10.7.7.0 network is set on one leg to 192.168.0.97
The router that connects to 10.8.8.0 network is set on one leg to 192.168.0.96
I have added the following to the 10.8.8 router LEDE TPlink Settings:
content of network file on TPLink LEDE
BTW - tried with option gateway '192.168.0.96' and IT also did not work.
I have used the LuCi to setup the route through the web GUI and I am not sure what I need to chose for the Metric MTU Route type if at all - I have left the defaults multicast for the Route Type and empty for the rest.
I am not sure if the above settings are correct - and I am NOT able to ping and ssh from 10.8.8.0 network to 10.7.7.0 at all - none of the devices are replying ICMP and not SSH as well.
I would be happy if you can assist with understanding what I need to do in order top make network 10.7.7.0 accessible from 10.8.8.0 - And hoping that I will understand that I will be able to move forward to connecting the other side 10.7.7.0 to 10.8.8.0 and to new networks that I will add in the future.
This is probably a firewall issue. For symmetric routing, do not enable NAT (masquerade). It is enabled on wan zone by default. Also you need to enable forwarding both ways between the two zones. By default, only lan->wan forwarding is allowed.
If you don't need the firewall to block anything (you trust all the devices in all the networks) you can just place both networks in the lan zone.
Yes. Running the 'route' command will show your routing table.
It's not clear to me how this network is set up, but if it is a "star" arrangement of one main router and several sub-routers, the sub-routers don't need further routes installed other than making the main router their default route. Packets destined for any other LAN will go there, and the main router has routes to all the other LANs.
It is not clear if the 192.168.0.1 router has routes for the 10.7.7.0/24 and 10.8.8.0/24. But even if it did, with this wrong route it would be useless.
Still not routing.
Yes I do have both two static rout that from 192.168.0.0 network accessed to 10.7.7.0 and 10.8.8.0 with no issues.
I am still not able to connect from 10.8.8.0 to 10.7.7.0
Is it something that I am missing?
It is star when 192.168.0.1 is the main network with internet.
10.7.7.0 is an IoT network as well as 10.8.8.0 - both Lan7 and Lan8 can access the main network and be accessed from the main network without any issues at all.
I have changed to wwan and still no connection. Can that be something that I miss?
Thanks
Thanks, Looks like I need to check that route.
Where should I not enable NAT? Lan8? Lan7? Both?
I am not sure exactly how to do what you ask me to.
Can you assist with a bit of guidance
I am adding my firewall settings - that I might hope will help.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'wwan'
option masq '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'lan'
option src 'wan'
config forwarding
option dest 'wan'
option src 'lan'
In wan zone. The rest of the firewall settings are fine.
Keep in mind the firewall of the devices you are trying to access. They usually don't allow connections from different networks.
Thanks.
I would be happy to try the second one that you mentioned should be easier.
How can I move the wwan to the lan?
and if doing that will make it connect both ways - that means i will need to move the wan to the lan on both?
What exactly I am getting by doing so? Just wondering.
Thanks for your help.
Yes you need to configure both sub routers the same since you want a fully symmetric network.
NAT hides the LAN address from the upstream network by converting all packets to appear to have originated from the WAN address. This is an essential feature for connecting to the Internet since there are millions of PCs with a LAN address of say 192.168.1.120, and the Internet can't route back to a particular one. A router running NAT remembers a local temporary return route for each connection out from the LAN, based on port numbers.
But within a network that you control, hiding a LAN IP from the other LANs makes it impossible to directly connect LAN to LAN. So you need to run without NAT, which is possible because you will be assigning unique IPs to everything.
I tried doing the same with Lan7 and it does not keep the settings.
I clicked save and save and apply and after a while and I log back in and it revert to the OLDF settings.
I am not sure what i am doing wrong - the settings are saved with LEDE Lan 8 but when I did the same on Lan 7 it is not saving.
Any idea why?
Thanks
Connect to the LAN side so you don't lose connection when changing the WAN. If you lose connection it will auto-revert. This can be worked around by waiting about 2 minutes for the "Settings Reverted" box to appear then click "Apply Unchecked."
- as mentioned above - I want to add and mention that there are already two static routes in my home router for both 10.7.7.0 and 10.8.8.0 and both works.