Two Routers - Double NAT -- for malware experiments

My goal is to have two internet networks: homeNetwork and malwareNetwork.

Both networks carry 3 VLANs: LAN, IOT, GUEST.

Internet flows via ISP router to [LAN <-> WAN] Belkin RT3200 router. Wired.

The Belkin RT3200 runs OpenWrt 22.03-SNAPSHOT r19451-2726c8c315.
It is running a fresh OpenWrt install with default configs.

(default OpenWrt) Belkin RT3200 IPv4: 192.168.1.1 (LAN/LuCI)
ISP router IPv4: 192.168.1.1

There are two more Belkin RT3200s on standby for use as wireless dumb access points.
Both are powered off currently.
Two older switches (lol), both currently off: managed Netgear 'FSM726S' + D-Link 'DSS-8+' --- FYI.

The malware(s) I will be experimenting with are capable of escaping virtual machines.
Escaped malware and other anomalies are excellent for analysis.

Is anyone willing to share the steps they've taken? What are the settings/configs to achieve segmented Wi-Fi via double NAT, subnets & VLANs?

Ultimately, the Belkin RT3200 router and its clones will be running Batman-adv (using onemarcfifty's video tutorial as reference). However, I've spent wild amounts of time retrying & resetting the routers to achieve an internet connection [which I've done successfully but not consistently], dealing with subnets, DHCP, DNS, firewalls and honest user error.

That will not work. First, you can't have two devices with the same IP. Also, in order to route between two networks, they have to have different subnets. Routers look at the destination IP of a packet to decide where to send it. Change your LAN IP to 192.168.2.1/24. Then the routing table will look something like this:

192.168.1.0/24 wan
192.168.2.0/24 lan
0.0.0.0/0 (default) via 192.168.1.1

If wan and lan are both 192.168.1.0, the router doesn't know what to do since the table is ambiguous.


Appreciate it, mk24.

For this post I had SSH'd into the router and ran
firstboot && reboot now

I've been using
172.16.50.0 -- GUEST
172.16.20.0 -- IOT
172.16.10.0 -- LAN
192.168.100.3 -- LAN (during my last recent effort)

Thanks again, I've made the IP changes
192.168.1.1 --> 192.168.2.0/24 -- LAN

Sorry for my ignorance, am I changing 192.168.1.1 --> 192.168.1.0/24 -- WAN as well?
If so, to set 192.168.1.0/24, am I changing the WAN protocol from DHCP to static IP?

P.S. The routing table you mentioned can be found in LuCI > Network > Routes?

I'm overthinking the configs; critiques and hints are welcomed. At the moment, Wi-Fi is my main obstacle: Wi-Fi is reached but Internet connectivity is not.

In the previous go-around, I took these steps (in order):

via PC

  1. Change network adapter settings -- Edit Ethernet/IPv4: Change IP -- 192.168.2.x
  2. Change network adapter settings -- Edit Wi-Fi/IPv4: Confirm IP -- chosen automatically
  3. Connect ISP router LAN port 1 <-> WAN port of Belkin RT3200 Router

via LuCI

  1. Network > Interface > Edit LAN: Change IP -- 192.168.2.0

    • Open new tab for LuCI via 192.168.2.0
  2. Network > Interface > Edit LAN: add Gateway -- 192.168.1.1

  3. Network > Interface > Devices > Edit br-lan: via 'Bridge Ports' -- add Switch Port: "wan" (wan, wan6)

  4. Network > Wireless > select Radio Add [new network]

    • Change country code
    • Change default channel
    • Set Mode -- Access Point [without WDS]
    • Change ESSID
    • set Network -- lan ***[wan] & [wan6] also added. No internet access w/o both lan AND wan/wan6
    • Add encryption & key

via PC

  1. Available networks > Connect to ESSID

    • Successfully Connected -- ***No internet, secured -- [w/o lan + wan/wan6]
    • ESSID > Wi-Fi status > Activity: strong 'received' & 'sent' signal bytes; strong wifi connection

All the steps above (including the ESSID wireless' network selection of lan + wan/wan6 together) will allow the ESSID to reach wifi with internet access.

  1. Speedtest -- Miscellaneous info

    • 72.33/down 94.64/upload
    • ISP public IP seems to be 100.11.xxx.xxx

I cannot replicate the steps to achieve a working IOT or Guest connection, even with the addition of IOT/GUEST firewall settings, Guest traffic rules, etc.

I've read quite a bit of documentation, but any guidance is greatly appreciated. Thank you!

That is wrong, .0 is not a valid IP, use 192.168.2.1.

Do not do this. In a lan->wan routing use case, the gateway is configured through wan. It will be automatically set by DHCP from the ISP router.

Do not do that either. wan needs to stay a separate network, not part of the lan bridge. In the default configuration, wan is a separate network of proto dhcp, which is ideal for connecting by Ethernet cable to an ISP router.

Step 7 there you are right.

Once the IPs and routing are set up, wifi and wired will work exactly the same since once the packets reach the br-lan they are in the same format whether they arrived by wifi or wired.

The only thing you need to do from a default configuration are steps 4 and 7. And in step 4 use a valid IP in the 192.168.2.0/24 subnet range, which means 192.168.2.X, with X being any 8 bit value from 1-254 (not 0 or 255). It is conventional to use 1 for the network's router, the other IPs will be for endpoint devices.

When the basic lan->wan route and NAT works, both wired and wireless, and you understand why, then you can add guest networks. There is a page about guest networks in the OpenWrt wiki.

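The two replies above boil down to one rule (the inner router's lan, its wan side and each guest subnet must all be different /24s, and the router's own address must be a host address, not .0) plus one layout (wan stays proto dhcp, never bridged into br-lan; guest traffic gets its own zone that may forward to wan only). The script below is an added example, not code from the thread or from the OpenWrt project: it checks the address plan against that rule and, if it passes, prints the `uci batch` lines for the corrected lan plus a wireless-only guest network. The guest subnet 192.168.3.1/24, the radio name radio0, the SSID "guest", the section names and the DHCP pool sizes are my assumptions, not values from the thread; the IOT network would be the same block repeated with a fourth subnet and its own zone.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): plan-check plus uci batch
# for an inner OpenWrt router behind an ISP router on 192.168.1.0/24.
# Assumed, not from the thread: guest on 192.168.3.1/24, radio0, SSID "guest".
# On the router, after reviewing the output:
#   sh plan.sh 192.168.2.1 192.168.3.1 'guest-passphrase' | uci batch && uci commit

# ip2int A.B.C.D -> the address as a 32-bit integer (subshell so IFS stays local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# prefix2mask N -> netmask for /N as an integer (24 -> 4294967040)
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet A B N -> true when A and B fall in the same /N network
same_subnet() {
    _m=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & _m )) -eq $(( $(ip2int "$2") & _m )) ]
}

# valid_host A N -> true unless A is the network (.0 for a /24) or broadcast (.255)
valid_host() {
    _i=$(ip2int "$1"); _m=$(prefix2mask "$2")
    [ $(( _i & _m )) -ne "$_i" ] && [ $(( _i | (4294967295 - _m) )) -ne "$_i" ]
}

# check_plan ADDR WAN_GW -> refuse an unusable router address, or one whose /24
# collides with the upstream /24 (the ambiguous lan-vs-wan routing table)
check_plan() {
    if ! valid_host "$1" 24; then
        echo "refusing $1: network/broadcast address, use .1-.254" >&2
        return 1
    fi
    if same_subnet "$1" "$2" 24; then
        echo "refusing $1/24: same subnet as the wan side $2/24" >&2
        return 1
    fi
    return 0
}

# guest_uci_batch LAN_ADDR GUEST_ADDR PSK -> prints `uci batch` input
guest_uci_batch() {
    check_plan "$1" 192.168.1.1 || return 1
    check_plan "$2" 192.168.1.1 || return 1
    same_subnet "$1" "$2" 24 && { echo "refusing: lan and guest share a /24" >&2; return 1; }
    # wan keeps proto dhcp and is NOT added to br-lan; the ISP router hands out
    # the gateway. Guest zone: no input to the router except DHCP/DNS, no
    # forwarding to lan, forwarding to wan only.
    cat <<EOF
set network.lan.ipaddr='$1'
set network.lan.netmask='255.255.255.0'
set network.wan.proto='dhcp'
set network.guest=interface
set network.guest.proto='static'
set network.guest.ipaddr='$2'
set network.guest.netmask='255.255.255.0'
set dhcp.guest=dhcp
set dhcp.guest.interface='guest'
set dhcp.guest.start='100'
set dhcp.guest.limit='150'
set firewall.guest=zone
set firewall.guest.name='guest'
set firewall.guest.network='guest'
set firewall.guest.input='REJECT'
set firewall.guest.output='ACCEPT'
set firewall.guest.forward='REJECT'
set firewall.guest_wan=forwarding
set firewall.guest_wan.src='guest'
set firewall.guest_wan.dest='wan'
set firewall.guest_dhcp=rule
set firewall.guest_dhcp.name='Allow-DHCP-Guest'
set firewall.guest_dhcp.src='guest'
set firewall.guest_dhcp.dest_port='67'
set firewall.guest_dhcp.proto='udp'
set firewall.guest_dhcp.target='ACCEPT'
set firewall.guest_dns=rule
set firewall.guest_dns.name='Allow-DNS-Guest'
set firewall.guest_dns.src='guest'
set firewall.guest_dns.dest_port='53'
set firewall.guest_dns.proto='tcp udp'
set firewall.guest_dns.target='ACCEPT'
set wireless.guest=wifi-iface
set wireless.guest.device='radio0'
set wireless.guest.mode='ap'
set wireless.guest.network='guest'
set wireless.guest.ssid='guest'
set wireless.guest.encryption='psk2'
set wireless.guest.key='$3'
EOF
}

# Only emit when called with all three arguments.
[ $# -ge 3 ] && guest_uci_batch "$@"
```

Run it once with the addresses from the thread (192.168.2.1 for lan) and once with 192.168.1.x to see the refusal that corresponds to the ambiguous routing table; the guest zone's forward='REJECT' with a single forwarding to wan is what keeps a guest (or an escaped sample on it) from reaching the lan subnet, and the reject on input is why the DHCP and DNS rules are needed at all.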

Thanks for the guidance, mk24. Your clarifications went a long way.

Using your tips & OpenWrt's "Guest Wi-Fi using LuCI" wiki, I am able to connect to both the LAN and GUEST Wi-Fi networks.

If you wouldn't mind dropping further knowledge on me, I do have a question: this is my first time not creating a bridge device [br-guest] for the Network > Interface > GUEST interface.

I had been creating br-guest and br-iot bridges, is this bad form?

fyi -- guest wiki for anyone pursuing a similar setup: Guest Wifi guide
