We have an obscure use case for OpenWrt - I am looking to configure a device to act as a lightweight man-in-the-middle between a consumer modem and a router. It will inject a VPN connection over a range of IPv6 addresses, and potentially take over as the authoritative DHCPv6 server if none exists upstream - but otherwise, it should act as transparently, and with as little configuration, as possible. Assume we don't have control over the downstream.
Right now I am concerned about how a SOHO router would handle potential LAN address space conflicts. E.g., would assigning your average stock, non-OWrt router 192.168.1.2 as its "WAN" address break it?
If so, is there a way to configure OpenWrt to forward any IPv4 packets without creating an extra address space between the injector and the router?
With the default configuration, yes... but the solution is simple. Just change the subnet for the lan of one or the other so that you have non-overlapping subnets. So if one is using 192.168.1.0/24, the other could be 192.168.2.0/24.
If you're using a VPN, the double NAT doesn't actually matter in the IPv4 space, although it's not clear what you mean by "inject" and "over a range of IPv6 addresses".
That would be a good start - but let's say I do not know what exactly the downstream router's configuration is.
The end goal is to route to, and delegate addresses over, an IPv6 block (we will reach it using another means, tunneling through the WAN upstream is unnecessary), and keep everything IPv4 as pristine as possible. It doesn't have to be invisible, but it needs to work with a pretty much arbitrary network. Is there a canonical way of doing this that won't involve horribly hacked solutions that spring to my mind?
Can you describe your ultimate use case and goal? Is this a travel router? Or something else? Is it connecting out to another vpn somewhere (commercial or road warrior home)? Or is it supposed to accept inbound connections?
We are looking to create a consumer-grade injector for a local wireless mesh network. The goal is to have a zero-configuration device that can be installed between a modem and a router. It should allow users to access addresses in the mesh in a way that is minimally intrusive to their LAN setup.
How does the user connect to their network from a remote location? Do they connect directly? Or do they use a cloud broker to establish a p2p connection or a vpn in the cloud to which both devices are connected?
At this point, we have a ready solution that gets you an IPv6 prefix and connectivity if you give it a radio interface to manage and a peer in its range, nothing else needed.
We want to deploy over two-port wireless CPEs (example 1, example 2) that would sit on the wire between the Ethernet port of a modem and the WAN port of a customer's (arbitrary) SOHO router. I assume having two IPv6 upstreams is trivial route table work - the main problem is not breaking the customer's connection to the "normal" internet.
This sounds like a commercial product... you may want to hire developers who already have experience in doing stuff like this.
Also, it's still not clear what this actually does on the network... if it sits between the CPE and the WAN of the downstream router, it won't be able to participate in the customer's LAN or wireless network, because the WAN of that router should be firewalled such that no unsolicited inbound connections are allowed (unless the customer makes explicit changes to their router's firewall).
It seems to be a unique enough problem, even among the other community mesh projects - I would probably be one of the first.
My idea is emulating a WAN connection, almost exactly the same as the modem's upstream - but with an extra block of IPv6 addresses reachable. To the customer's router the extra block would be part of the WAN, indistinguishable from the rest of the network.
But what does it even do?? I'm still not understanding what this actually does. This can't provide connectivity to the customer's network in any way since it is upstream of the customer's wan.
Or maybe better stated...
What is the benefit/feature to the customer (why would they install this)?
and/or
what is the benefit to the ISP? Why would they want to install this?
Forgive the amateurish drawing. The diagram above is the dream, where "mesh device" is the only thing we can configure, and the rest is completely arbitrary. Is it possible to configure it so that it passes all IPv4 like a dumb switch?
(We are working on what's basically our local flavor of Freifunk - think a local, community-centered neighborhood area network of friends' homelabs. We would like to get non-technically inclined people on, too - that's the ultimate purpose of this device. But I think this is getting a bit off-topic.)
I could be wrong, but my guess is that without a routed IPv4 network, connectivity may not work in all cases for your community wifi network.
But you could try simply bridging the two ethernet ports together... that should make it transparent. Then, tie the bridge to a wan6 interface, and create a routed lan network (IPv6 only).
The community wifi network is IPv6 only. I am considering running a DHCPv6 server on the device (optimistically thinking that everything will just work on its side, if we had control over the router too), but how to run IPv4 is still an open question. Will bridging ports give the device an IP? I think the ISP allocates only one per household - and I'd like not to compete with the router.
Think my best bet would be hosting a DHCP server between the device and the router that allocates some deprecated address range that is not in one of the private network blocks and auto-forwarding every port through the inevitable NAT. This seems like such a hack, though.
It's easy enough to make a dumb switch, as you say, by setting up a bridge interface between the two ports. It's a little confusing for me after that, sorry, I'm not a full expert.
Basically, with OpenWrt now there's the 'device' and the 'interface' section, so it's trivial to make a 'dumb switch': you just make the bridge device with the 2 ports in it and set up no 'interfaces'.
But you can set up the mesh network as an interface that uses the bridge device: make a static interface with only IPv6 configured, or an interface to grab an IPv6 address via DHCPv6. It's easy enough to configure no IPv4, only IPv6, and then IPv4 stuff will just get forwarded through easily, and you should still be able to do IPv6 through to the router. But I guess it's complicated if your ISP does IPv6 and you'd prefer the router grab the public addresses; firewall rules to block IPv6 from the modem should be possible. There are different ways to do a lot of things; like, it still might be possible to use firewall rules that still operate on physical devices, as one possible example. Then you set up your wireless config and choose it to connect into the mesh interface you just set up.
E.g., any IPv6 that is identified as incoming/input (not forwarding) on the physical interface connected to the modem -> drop. You might have to make sure you build your OpenWrt with the appropriate support for it.
Then also set up firewall rules to prevent mesh devices from doing any IPv4 through to the modem or the router or whatever.
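An added example (not from any poster in this thread) of the layout the post above describes in OpenWrt's UCI files: a bridge over both ports with no IPv4 interface on it, an IPv6-only 'mesh' interface, RA/DHCPv6 toward the router, and a firewall zone that accepts only what IPv6 on that wire needs. The port names eth0/eth1, the interface name 'mesh' and the 2001:db8: prefix are assumptions.

```uci
# /etc/config/network  (added example; eth0, eth1 and the prefix are assumptions)
# Both ports in one bridge: modem <-> router frames are switched, IPv4 untouched,
# and the customer's router still takes the ISP's single IPv4 lease.
config device
    option name 'br-wire'
    option type 'bridge'
    list ports 'eth0'       # modem side (assumed port name)
    list ports 'eth1'       # router side (assumed port name)

# No interface with proto 'dhcp' on br-wire, so the box never asks for IPv4.
# proto 'static' below also runs no RA/DHCPv6 client toward the ISP.
config interface 'mesh'
    option device 'br-wire'
    option proto 'static'
    list ip6addr '2001:db8:1234::1/64'   # RFC 3849 documentation prefix

# /etc/config/dhcp  (added example)
# Announce the mesh prefix toward the router; 'mesh' has no IPv4 subnet, so
# dnsmasq adds no DHCPv4 range for it.
config dhcp 'mesh'
    option interface 'mesh'
    option ra 'server'
    option dhcpv6 'server'

# /etc/config/firewall  (added example)
# IPv6-only zone for the wire: the box accepts only ICMPv6 (ND/RA) and DHCPv6,
# and with no 'config forwarding' section it routes nothing else.
config zone
    option name 'mesh'
    list network 'mesh'
    option family 'ipv6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-ICMPv6-mesh'
    option src 'mesh'
    option proto 'icmp'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6-mesh'
    option src 'mesh'
    option proto 'udp'
    option dest_port '547'
    option family 'ipv6'
    option target 'ACCEPT'
```

If the ISP also sends router advertisements on that wire, the customer's router sees both sets; the post's idea of dropping ISP IPv6 on the modem-side port is not part of this example, and neither is the radio side that the mesh software manages.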
Bridging the ports makes them basically just switched. If you tie that to a WAN with IPv4 (specifically DHCP, assuming that the ISP is using DHCP to allocate IPs), the device would attempt to take the IP that would otherwise be used by the customer's router. However, if you don't set up an IPv4 WAN at all, there will be no such attempt and the device should be transparent wrt IPv4. Try it on your own... you'll see.
I don't understand the purpose of this dream of yours; it looks like something not well thought out.
Why would you deliberately cripple IPv6 connectivity for users? Making IPv6 rely on the availability and bandwidth of some VPN server (owned by you?).
That picture above with the modem -> mesh -> router is already wrong, because you would expect the modem to also be a router, and nobody wants double NAT from the start.
How else will your VPN work? Are you relying on WiFi for the infrastructure? Where is that in the picture?
Can you explain these problems?