e-horn wrote:I tried to set up my network at least three times and every time something doesn't work right. So I thought that I can set up my network piece by piece.
In my imagination I should first start to configure the VPN-Router. (please reply if I am wrong)
The idea of building the network piece by piece is correct, but I think you are starting from the wrong end. To build this kind of network, I would start from the VDSL router, with a single laptop connected to it over a regular LAN cable.
The VDSL router's WAN settings come from your ISP. Whatever they are, I do not know.
The VDSL router's LAN settings are static IP 192.168.1.1 with Netmask 255.255.255.0. DHCP server is enabled on the LAN side and address range is from 192.168.1.10 to 192.168.1.20 for a maximum of 10 clients. I do not know how to configure a Telekom router, so you're on your own to get these settings right.
Now test that you can reach the Internet from the laptop that is connected to a LAN port on the VDSL router. If you can't reach the Internet at this point, go back to start and check your settings.
----
Now we move on to the OpenWRT side. Connect the laptop to the OpenWRT router's LAN port. Ensure you can access LuCI on the OpenWRT from your laptop. Set the administrative password if not set yet, then disable the OpenVPN service in System -> Startup for now. First we need to get the general network working, then we build the VPN tunnel and other fancies on top of it.
DISCLAIMER:
The configuration files below are my own making and have not been tested in your specific situation. They may work, but they may also brick your device completely, making it inaccessible. Check and double-check the files carefully and before you save them, ensure you have some means of restoring the previous configuration if things go south. I will not take responsibility, nor will I compensate for any damages caused. You have thus been warned.
The baseline of these configurations comes from the files you posted earlier. I have removed everything that I thought unnecessary. Note that all # comments written into the files will be removed if you use LuCI or the 'uci' command-line client to alter settings. Keep this in mind later on.
/etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp' # We get the WAN IP from the VDSL Router - this may change later on
option defaultroute '1' # This will create a default route for all traffic not intended to local LAN or WLAN clients
config interface 'lan'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ipv6 '0' # We don't want IPv6 for now; we keep things simple
option type 'bridge' # We will bind to this network directly from the wireless config file
As you can see, the switch option has completely been eradicated from this file.
I do not know if the Linksys device requires the switch configuration section in order for the Ethernet ports to work. If the switch configuration is required, then omitting it will cause the OpenWRT device to become inaccessible through the LAN ports. You should still be able to connect to it through WLAN, so all is not lost.
/etc/config/wireless:
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
option htmode 'VHT80'
option country 'DE'
option txpower '20'
option channel 'auto'
config wifi-iface
option device 'radio0'
option mode 'ap'
option encryption 'psk-mixed'
option key '***' # Change this
option ssid 'WLAN 5GHz' # Change this if needed. There's no VPN yet, though
option network 'lan' # Adds this interface to the LAN network, creating a two-way bridge (LAN & 5 GHz)
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
option htmode 'HT20'
option country 'DE'
option txpower '20'
option disabled '1' # Toggle to '0' to enable this radio device
config wifi-iface
option device 'radio1'
option mode 'ap'
option macaddr '62:38:e0:d9:2e:f6'
option encryption 'psk-mixed'
option key '***' # Change this
option ssid 'WLAN 2,4GHz' # Change this if needed
option network 'lan' # Adds this interface to the LAN network, creating a three-way bridge (LAN, 5 GHz and 2.4 GHz)
option disabled '1' # Toggle to '0' to enable this AP station on the radio device
As you can see, we are bridging the LAN and the two WLAN networks together, and all the clients will be served by a single DHCP server residing in the OpenWRT router. Devices in the LAN and WLAN networks will be able to connect to each other right away.
/etc/config/dhcp:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option nonwildcard '0'
config dhcp 'dhcp-lan'
option interface 'lan'
option dhcpv6 'disabled'
option ra 'disabled'
option ignore '0'
option start '10'
option limit '150'
option leasetime '12h'
config dhcp 'dhcp-wan'
option interface 'wan'
option ignore '1'
We enable DHCPv4 server on the LAN interface and disable it on the WAN.
/etc/config/firewall:
config defaults
option syn_flood '1'
option input 'REJECT' # By default, all traffic in all zones is rejected so as to protect your networks
option output 'REJECT'
option forward 'REJECT'
config zone
option name 'lan' # The rules and forwardings below refer to zones by this name (not by network), so it must match their 'src'/'dest'
option network 'lan'
option input 'ACCEPT' # Traffic coming to this router from interfaces in this zone is allowed
option output 'ACCEPT' # Traffic going from this router through interfaces in this zone is allowed
option forward 'ACCEPT' # Traffic forwarded between interfaces in this zone is allowed
option family 'ipv4'
config zone
option name 'wan' # Must match the 'src' of the WAN rules and the 'dest' of the forwarding below
option network 'wan'
option output 'ACCEPT' # Masqueraded traffic will generate new packets, so we need to allow this
option masq '1' # This option, together with forwarding configs below, will create the necessary rules for return traffic to work
option mtu_fix '1'
option family 'ipv4'
# We need to allow incoming DHCPv4 renew, since the WAN interface is using DHCP
# Otherwise it will not get a new IP when the lease-time expires
config rule
option name 'Allow-DHCPv4-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Remove this section if you do not want to allow pinging the router from WAN
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option target 'ACCEPT'
option family 'ipv4'
# Remove this section if you do not want to allow IGMP traffic to the router from WAN
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Allow LAN & WLAN traffic to forward to WAN (and to Internet).
# Return traffic works automatically due to masquerading
config forwarding
option src 'lan'
option dest 'wan'
option family 'ipv4'
This configuration should work, assuming I have not made mistakes or typos in the files. Check it and double-check it nevertheless. It can also give you some ideas on how OpenWRT works internally.
After making these changes, plug the WAN port of the OpenWRT router to a LAN port on the VDSL Router, restart the OpenWRT router and ensure your laptop can connect to Internet from the LAN and WLAN sides of the OpenWRT router.
Then we can carry on with the remainder of the tasks.
---
e-horn wrote:@Antek you wrote that "the 'bridge' option for LAN and WLAN seems odd." What did you mean?
I configure the router via LuCI and there is no bridge mode active?!
You also said "The route configuration for WAN doesn't make sense to me since there are interface configurations using DHCP and DHCPv6"
Can you explain to me what you mean here?
The bridge option seemed odd because your earlier configuration did not add any other physical interfaces to the "LAN" UCI interface in /etc/config/network or in /etc/config/wireless. Perhaps this was a remnant from an older configuration?
The old 'wifi' interface in /etc/config/network was the target of both 'wifi-iface' interfaces from the old /etc/config/wireless, so the bridge option made sense there. You basically bridged the two WLANs together.
As for the old route configurations...
config route
option interface 'wan'
option target '192.168.1.8'
option gateway '192.168.1.2'
The old WAN interface was using DHCP and DHCPv6 clients (although who was serving it, I don't know).
In your picture, there are no devices with '192.168.1.8' address, nor are there any 'host' entries in the old DHCP config with this address. I didn't know what this route was supposed to do, so it seemed odd.
config route
option interface 'lan'
option target '192.168.0.1'
option gateway '192.168.0.9'
The picture doesn't show who the address 192.168.0.1 belongs to; perhaps there is a typo and it should be 192.168.1.1 so as to refer to the old 'Server' computer? Anyhow, it doesn't seem to make sense.
(Last edited by Antek on 11 May 2017, 12:39)
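A check worth running on the /etc/config/firewall posted above before rebooting: in the fw3 schema, the 'src' and 'dest' options of rule, forwarding and redirect sections name a zone (the zone's 'name' option), not a network, and a reference to a zone that does not exist is only warned about at firewall reload and then skipped, which on a fresh router looks exactly like "no Internet from the LAN". The script below is an added example of mine, not code from the original post or from OpenWrt; the firewall file it embeds is a constructed sample (with the LAN zone name made selectable so the broken and fixed cases can both be shown), and it assumes only a POSIX sh with awk, which busybox on OpenWrt provides.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check zone references in
# an OpenWrt /etc/config/firewall file.  'src'/'dest' in rule, forwarding and
# redirect sections must equal some zone's 'name' option ('*' is fw3's
# "any zone" wildcard and is accepted).  A dangling reference means the
# section never takes effect.

# Write a constructed sample firewall file to $1.  $2 is the name given to the
# LAN zone, so the same sample can show the broken ('zone-lan') and the fixed
# ('lan') case.  The forwarding and the rule always refer to 'lan' and 'wan'.
write_sample() {
	lan_zone=${2:-zone-lan}
	cat > "$1" <<EOF
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name '$lan_zone'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan'
	option output 'ACCEPT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
EOF
}

# Print each dangling zone reference in file $1 as "type:option=value", one
# per line.  Prints nothing when every src/dest names a declared zone.
dangling_zone_refs() {
	awk '
	# Strip surrounding blanks and one pair of single or double quotes.
	function unquote(s,   q) {
		q = "\047"
		sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
		if (length(s) >= 2 && ((substr(s, 1, 1) == q && substr(s, length(s), 1) == q) ||
		                        (substr(s, 1, 1) == "\"" && substr(s, length(s), 1) == "\"")))
			s = substr(s, 2, length(s) - 2)
		return s
	}
	$1 == "config" { type = $2; next }
	$1 == "option" {
		key = $2
		val = $0
		sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]*/, "", val)
		val = unquote(val)
		if (type == "zone" && key == "name")
			zones[val] = 1
		else if ((type == "rule" || type == "forwarding" || type == "redirect") &&
		         (key == "src" || key == "dest")) {
			n++; reftype[n] = type ":" key; refval[n] = val
		}
	}
	END {
		for (i = 1; i <= n; i++)
			if (refval[i] != "*" && !(refval[i] in zones))
				print reftype[i] "=" refval[i]
	}' "$1"
}

# Number of dangling references in file $1 (0 means the file is consistent).
dangling_count() {
	dangling_zone_refs "$1" | awk 'END { print NR }'
}

# On the router: ./check_fw_zones.sh /etc/config/firewall
# Without an argument: demonstrate on the constructed sample, broken then fixed.
if [ -n "${1:-}" ]; then
	dangling_zone_refs "$1"
else
	f=$(mktemp)
	for name in zone-lan lan; do
		write_sample "$f" "$name"
		echo "LAN zone named '$name': $(dangling_count "$f") dangling reference(s)"
		dangling_zone_refs "$f" | sed 's/^/  /'
	done
	rm -f "$f"
fi
```

With the zone named 'zone-lan' the script reports `forwarding:src=lan`, i.e. the LAN-to-WAN forwarding that gives clients their Internet access is the one that would silently never be installed; renaming the zone to 'lan' (as in the corrected file above) makes the report empty. The same mismatch applies to the 'Allow-*' rules, whose `src 'wan'` only works if the WAN zone is literally named 'wan'.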