OpenWrt Forum Archive

Topic: Need some Guru help. Allowing different subnet through client bridge

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

First the setup:

modem -> TP-Link 1043nd (192.168.10.0/24 subnet) -> 300 yard point-to-point wireless bridge <- (192.168.10.225) TP-Link 1043nd (192.168.15.0/24 subnet).

What I am attempting to do is forward all traffic from the 192.168.10.0/24 subnet over to the 192.168.15.0/24 subnet (well, not necessarily all, but at least what is trying to get to that subnet). Of course the child subnet can communicate with the parent, as most of you know.

I imagine one of the first responses would be to use relayd and keep them on the same subnet. The problem is, the organization is growing and DHCP pool allocation could be a problem in the near future.

On one of the Win7 boxes on the parent subnet (192.168.10.0/24) I have set up a static route.

This can be accomplished by doing the following:
route add 192.168.15.0 mask 255.255.255.0 192.168.10.225 -p

The -p flag = persistent, which means it will remain after reboot.

I can ping the router's IP address on the LAN interface, which is 192.168.15.1, from the parent subnet. I CANNOT ping anything else on that subnet.

The only firewall rules I changed were that I added allow all from wwan/wan -> lan and allow all lan -> wwan/wan. I imagine I don't need the second rule, but did it just for testing purposes.

I attempted to bridge the wwan interface with lan, instead of putting it in the same zone as wan. Of course that did not work. I read something later that kind of explained the situation.

What is the best way or suggested solution for a setup like this?

I do understand the purpose of NAT and so forth. It seems when you hit the wan/wwan interface that it would reject any private network requests. I also would assume, by design, that the WAN zone is not designed for handling this type of situation.

Any suggestions would be greatly appreciated.  Even if it is pointing me in some direction. I do not mind doing the footwork, but I need somewhere to start.

Thanks a bunch!

Think I may have posted this in wrong forum.

Admin, may have to move over to appropriate forum.

Thanks

Just simply allow forwarding between both zones.
Or simply stick both interfaces into the same firewall zone, and you are set as well.

I believe I tried putting them in the same zone, but I may have also had them bridged, which I am not competent enough to understand why that wouldn't work.

The forwarding definitely sounds like it will work though. I guess what had me stumped is thinking the allow all should let it all through. When you said that, I can see the error in my thinking. You have to explicitly tell it to forward those packets over between the different zones.

I guess that is why on the router itself you could ping its 192.168.15.1 address on the LAN side, but couldn't go any further, since it didn't forward the packets over to the other clients.

Is this correct?

Thanks a lot FriedZombie!

On network devices you can always ping the device itself. It is rare that you can't ping a device's own IP address from the device.

But if you bridge the network cards, what you then do is merge both devices into one. This also does forward packets from one interface to the other, but only as long as they are in the same subnet. And there is no routing done between subnets.

But if you put them in the same zone it acts like a router with two separate interfaces, and it happily forwards the packets between subnets as long as forwarding is enabled; this is the default for the lan zone.

The router in this case would be reachable from two IP addresses (one for each subnet).
Also, to reach the other side, you have to configure a static route to the router so the devices you connect to the network know where to send it (but you already mentioned that).

Or you can set the OpenWrt router as the default gateway and add the internet gateway to the router's static route table
(or connect the internet to it as well).
But then the internet traffic gets routed over the OpenWrt device as well.

(Last edited by FriedZombie on 14 Sep 2013, 15:21)

I was referring to pinging the LAN interface from the Win7 box on the parent subnet.

I appreciate the explanation and understand where you are going with what you are saying. My main problem is I had no formal iptables training, so I've had to learn that type of stuff as I run into different situations. You can do a lot of stuff from LuCI, but I like understanding what is going on behind the curtains. It really helps when you run into situations like this so you can map out what is going on in your mind.

Eventually, when I have the time, I would like to just start off with bare-bones or no rules and work my way up from there. I have jacked up rules quite a bit in the past trying to learn some stuff.

Failsafe is your friend... wink

I appreciate you taking your time out to answer my questions and help me rethink how things work.

Have yourself a good weekend bud!

Edited:
Here is what I believe is happening. Basically, when I changed those rules to allow, it allowed an accept to that device (router). Because I did not do a forward, everything would stop there. Simply because there was no forward rule to forward the packets on to the devices on that subnet (192.168.15.0/24 child subnet).

(Last edited by slippyC73 on 14 Sep 2013, 16:46)

If you allow forward for a specific zone (without an explicit forwarding rule),
in the web interface forward=accept,
or in /etc/config/firewall
in the config zone section
  option forward 'ACCEPT'
this means this zone is allowed to forward any traffic to any subnet or IP in another zone.

So with more complex setups it is sometimes recommended to have it reject by default and maybe define the zone forwards manually (but in this case it wouldn't be needed).

Also, I never had any formal training in anything IT related wink but it is the enthusiasm and willingness to learn more about a subject that counts the most.

But to learn more about iptables from the ground up, I would recommend installing a Linux box and going from there.
Because that has less complex chains than iptables on OpenWrt, but the principle is the same. Only easier to grasp on the first go.
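
As an added example (not FriedZombie's or slippyC73's own config), here is the explicit-forwarding variant described above written out as /etc/config/firewall for the child 1043nd. It assumes the wireless client interface is named wwan and the 192.168.15.0/24 side is named lan; zone forward stays REJECT and the two forwarding sections grant only the lan <-> wwan paths the thread needs.

```uci
# /etc/config/firewall on the child router (added example; interface names
# 'lan' and 'wwan' are assumed from the thread, not taken from a real device)

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option syn_flood '1'

# 192.168.15.0/24 side
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wireless client on the parent 192.168.10.0/24 network (192.168.10.225);
# parent hosts reach it through the static route on the Win7 box
config zone
	option name 'wwan'
	list network 'wwan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'   # plain routing between the two private subnets, no NAT

# parent subnet -> child subnet: the path that was missing in the thread
config forwarding
	option src 'wwan'
	option dest 'lan'

# child subnet -> parent subnet and onward to the modem
config forwarding
	option src 'lan'
	option dest 'wwan'
```

Without the first forwarding section, traffic from 192.168.10.x to 192.168.15.x is accepted by the router's input chain (so 192.168.15.1 answers pings) but never forwarded, which is exactly the symptom in the opening post.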

Yea, there are a few occasions where I have had to do what you are talking about.

Basically the network was setup like this:

modem -> router (lan/wifi1 interface and wifi2 interface)

It was to use 1 piece of hardware and have private network and an open wifi for guests.

I wanted lan/wifi1 to have unlimited access, which was pretty straight forward.

The wifi2 I put on another interface and used different subnet.

I set some rules up first to deny wifi2 ports 22, 80, etc. from getting direct access to the router. You have to keep some of them because of DNS and so forth (well, if you want the router doing DNS). Then I denied any forwards to all IP addresses in the lan/wifi1 subnet.

It was a little more complex than that, but that is the general idea. 

Then I found out about nodogsplash, which made life a lot easier.  Plus it would give a splash page for guests, which was nice.


I run Linux on all of my computers now, so that isn't an issue. I never thought I would be able to just depend on VMs for my Windows needs. The only real reason I even use Windows anymore is because of QuickBooks.

Sometimes I do miss gaming, but honestly I don't have much time for it anymore.

My gaming is usually on Android-based devices now. I've got one of those TV sticks (MK808B), but it can be a pain with some games. It makes a really cool multimedia device though.

Alright Fried, go have yourself a beer or something and quit worrying about this bs for a night... wink

Was nice chattin' with ya...
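
As an added example (not slippyC73's actual config), here is the guest-wifi isolation described in the post above as /etc/config/firewall zones, with one change: instead of denying listed ports (22, 80, etc.), the guest zone defaults to REJECT and only DHCP and DNS are opened. Interface names lan (private lan/wifi1), guest (wifi2 on its own subnet) and wan are assumed.

```uci
# /etc/config/firewall fragment (added example; 'lan', 'guest' and 'wan'
# zone/interface names are assumed, not taken from the poster's router)

# guests cannot reach router services by default
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# ...except DHCP, which the router must still hand out to them
config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# ...and DNS, if the router is the resolver for the guest subnet
config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# guests may only go out to the internet; there is deliberately no
# forwarding section from 'guest' to 'lan', so the zone's forward 'REJECT'
# blocks guest -> lan/wifi1 without per-address deny rules
config forwarding
	option src 'guest'
	option dest 'wan'
```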

The discussion might have continued from here.