I am relatively new to OpenWrt. I am wondering if it is possible to configure my OpenWrt router (Linksys wrt1900acs, OpenWrt 19.07, 4 LAN ports, 1 WAN port) in such a way that I can connect a vendor device (another router) to the LAN and route all the traffic from other LAN ports to this vendor device and let it forward it to the WAN port of my OpenWrt router. The topology I am thinking is like below:
The data flow (I am hoping) is marked in red dotted line. The vendor device feels almost like a gateway to all the other devices connected to the LAN.
The vendor device is effectively a vpn device with static routing rules baked in. It needs to hardcode the rules based on its gateway ip address hence I am thinking to connect it as a downstream device (lan1) of my OpenWrt router just so that I can control its gateway ip address.
The vendor device only has one lan port, but it is a router device so it can act like a DHCP server. I am thinking to make it the DHCP server for lan2, lan3 and lan4 port of my OpenWrt router.
I would like to run wifi from my OpenWrt router and bridge it in a way that my wifi traffic goes through the same route as the hardwired PC traffic.
Is such a topology even possible? What are the proper tools to make it happen? Do I need to form two vlan (one made of port lan2/3/4, and another made of just port lan1)? What about the inter-vlan routing? Or am I overcomplicating the whole thing and it is just a matter of defining static routing rules somewhere?
uci set network.lan1.ip4table="1"
uci set network.lan2.ip4table="2"
uci set network.lan3.ip4table="3"
uci -q delete network.lan3_lan2
uci set network.lan3_lan2="rule"
uci set network.lan3_lan2.in="lan3"
uci set network.lan3_lan2.lookup="2"
uci set network.lan3_lan2.priority="15000"
uci -q delete network.lan2_lan3
uci set network.lan2_lan3="rule"
uci set network.lan2_lan3.in="lan2"
uci set network.lan2_lan3.lookup="3"
uci set network.lan2_lan3.priority="15000"
uci -q delete network.lan1_wan
uci set network.lan1_wan="rule"
uci set network.lan1_wan.in="lan1"
uci set network.lan1_wan.lookup="main"
uci set network.lan1_wan.priority="15000"
uci -q delete network.wan_lan1
uci set network.wan_lan1="rule"
uci set network.wan_lan1.in="wan"
uci set network.wan_lan1.lookup="1"
uci set network.wan_lan1.priority="15000"
uci commit network
/etc/init.d/network restart
I think the OP wants a direct layer 2 switch and dumb AP so that two wired devices and some wireless devices would be strictly in the VPN device's LAN.
That would be done with VLANs, basically to break out ports 2, 3, and 4 into their own network and also have a software bridge of proto none for the wifi. (In DSA you need to set up a software interface in any case before it will complete the hardware switching).
If you stay with 19.07 which is not DSA it is swconfig. The following instructions are for swconfig.
Have a wifi AP on OpenWrt's LAN and log in through it, so you don't lose access if the Ethernet becomes misconfigured.
Go to the Switch page and create a new VLAN numbered 3, then move ports 2, 3, and 4 into it (untagged, change these ports to Off in the original LAN VLAN 1) and a CPU port (tagged).
Go to the Interfaces page and create a new interface named "vpn" with proto Unmanaged, bridge box checked, and physical connection eth0.3.
Go to the wifi page and create a new AP and attach to the vpn network. You can also add an additional AP on the other band if needed.
I don't really recommend the dumb AP/switch mode in this case, even only for the downstream part.
It strips OpenWrt of most of its functionality, making LAN clients unmanageable by the router.
Configuring DHCP, firewall, routing and setting up PBR becomes problematic.
Meanwhile, you can retain the complete functionality of OpenWrt like this:
Split the ports lan1 and lan2 each to a respective network/interface.
Keep the ports lan3, lan4 and wlan bridged together as lan3.
That should be combined with the routing described above.
Tried out the approach and it works exactly as I wanted. Just to make sure my understanding is correct: the essence of this setup is to turn lan2/3/4 into a logical layer 2 switch so that they because just port extensions to my vendor vpn device, is this correct?
Thanks for looking into it and apologize for the late reply. I am just slowly digesting all the helpful information provided by you guys.
Conceptually, if I am right, you are suggesting to effectively split the router into "two routers" - lan1 and wan becomes the first router, lan2, lan3 and lan4 forms the second router and lan2 is the "wan" port? Then the vendor vpn device is just another router in between is that right?
Yep, it's like 2-in-1 OpenWrt router.
This should provide much better control over the LAN clients.
Also abstracts the VPN device as one of the upstream interfaces.
