Using another LAN device in a different subnet as gateway

Hi y'all, I'm running OpenWRT 22.03.3 on GL.Inet Convexa-B and my setup is as below:


Basically I have two interfaces (at OpenWRT level) that correspond to two subnets:

  • lan interface with 192.168.1.1/24 network.
  • lan_vpn interface with 192.168.10.1/24 network.

I have a bunch of devices that connect to this OpenWRT router under lan and they all have internet connection (via wan). Also under lan, I have a Raspberry Pi device (192.168.1.123) that runs a VPN client.

My goal: I would like to route all the traffic from lan_vpn to the Raspberry Pi device -- basically treating the Pi as a gateway.

Things I have tried (and failed):

  • Via Luci, under Network -> Interfaces, set the "IPv4 Gateway" option of lan_vpn to 192.168.1.123.
  • Via Luci, under Network -> Routing, create a static route under lan_vpn that specifies 192.168.1.123 as default gateway and 0.0.0.0/0 as target.

Either way, my Raspberry Pi never saw the traffic coming in.

How I verified the setup

I ran tcpdump -i eth0 on the Raspberry Pi to monitor the traffic (eth0 is the interface on the device that connects to the OpenWRT router). I confirmed this is the correct command, as I could see the traffic when I pinged the Pi from the router. However, I never saw incoming traffic when a device under lan_vpn tried to reach the internet (e.g. curl <some-external-ip>).

Before I copy-paste my network configuration, I'd like to ask for a pointer first. What would be the best way to achieve my goal? Would using LuCI be enough, or will I need to touch the configuration files directly? Should I keep playing with the routing table, or try some nftables rules?

Thanks all in advance.

Here's my current network configuration:

/etc/config/network:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd34:fa97:377d::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option delegate '0'
	option dns '192.168.1.1 1.1.1.1'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'br-wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth1'

config interface 'lan_vpn'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option device 'br-lan_vpn'

config route
	option interface 'lan_vpn'
	option target    '0.0.0.0'
	option netmask   '0.0.0.0'
	option metric    '100'
	option gateway   '192.168.1.123'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'br-lan_vpn'
	option type 'bridge'
	list ports 'eth0.1'

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'lan_vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'REJECT'
	list network 'lan_vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

Current routing table:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         <sniped>   0.0.0.0         UG    0      0        0 br-wan
<sniped>   0.0.0.0         255.255.240.0   U     0      0        0 br-wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan_vpn

Guessing with the firewall: you've got to allow forwarding with 'lan_vpn', since that's exactly what you want to do, forward traffic from 192.168.10.0/24 to 192.168.1.0/24.

In network:

config rule
	option in 'lan_vpn'
	option lookup '100'

config route
	option interface 'lan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '192.168.1.123'
	option table '100'

Remove the other route you have; it is not useful.
In firewall, remove the masquerade from lan and lan_vpn. Add:

config forwarding
	option src 'lan_vpn'
	option dest 'lan'
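The policy routing in the reply above, modelled in Python as an added example (not code from the thread or from OpenWrt): the rule keyed on the ingress interface selects table 100, whose single route hands everything to the Pi via br-lan, and the model refuses, as Linux does without the `onlink` flag, a route whose gateway is not on-link for its interface. The WAN prefix and gateway are constructed placeholders, since the post redacts them.

```python
from ipaddress import ip_address, ip_network

# Connected prefixes per interface, from the routing table in the thread. The WAN
# prefix and gateway are constructed placeholders; the original post redacts them.
LINKS = {"br-wan": ip_network("203.0.113.0/28"),
         "br-lan": ip_network("192.168.1.0/24"),
         "br-lan_vpn": ip_network("192.168.10.0/24")}
WAN_GW = ip_address("203.0.113.1")
PI = ip_address("192.168.1.123")

def onlink(dev, via):
    """True if the gateway is directly reachable on dev. Linux refuses a route
    whose gateway fails this test unless the 'onlink' flag is given."""
    return via in LINKS[dev]

def add_route(table, prefix, dev, via=None):
    """Append (prefix, dev, gateway) to a table; gateway None = connected route."""
    if via is not None and not onlink(dev, via):
        raise ValueError(f"{via} is not on-link for {dev}")
    table.append((ip_network(prefix), dev, via))

def lookup(table, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    _net, dev, via = max(hits, key=lambda r: r[0].prefixlen)
    return dev, via

def route_packet(rules, tables, iif, dst):
    """Walk the rules in priority order (iif None matches any interface); the
    first table that yields a route decides, as 'ip rule' + 'ip route' do."""
    dst = ip_address(dst)
    for rule_iif, table_id in rules:
        if rule_iif in (None, iif):
            hit = lookup(tables[table_id], dst)
            if hit is not None:
                return hit
    return None

def build():
    """Main table as in the thread's 'route -n', plus table 100 from the fix."""
    main, table100 = [], []
    for dev, net in LINKS.items():
        add_route(main, str(net), dev)
    add_route(main, "0.0.0.0/0", "br-wan", WAN_GW)
    add_route(table100, "0.0.0.0/0", "br-lan", PI)  # config route ... option table '100'
    rules = [("br-lan_vpn", 100), (None, "main")]   # config rule: in 'lan_vpn', lookup '100'
    return rules, {"main": main, 100: table100}
```

Traffic entering on br-lan_vpn resolves to the Pi, while lan hosts still leave via the WAN gateway and the two subnets remain directly connected in the main table.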

Thanks @wilsonyan and @trendy . The change that @trendy suggested is exactly what I wanted. I really appreciate the help.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
