this post was submitted on 23 Sep 2023
10 points (91.7% liked)
networking
2811 readers
1 users here now
Community for discussing enterprise networks and the ensuing chaos that comes after inheriting or building one.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
So I guess the OpenWRT has the Fritzbox as default gateway, right? In that case, you need to just add a static route to your Fritzbox so he knows that there is a 192.168.1.X on the interface that connects to the OpenWRT. But if that traffic is being tunneled the VPN, it won’t work.
You should set up the OpenWRT (as is, the most capable device) at the internet gateway and just use the Fritzbox as a repeater. If you need the Fritzbox as a cable modem then you are out of luck and probably need to buy a new device.
In your place I would ditch the Fritzbox as much as possible (as is, use it just as a modem) and connect everything to the OpenWRT. If you have special needs, the OpenWRT can also create more than 1 SSID with different networks. Definitely buy new hardware if needed.
Thank you for your answer! I guess you are right, I should connect everything to OpenWRT and use the Fritzbox only as modem. In that case I have to figure out how the pihole, NordVPN on the router level and a piVPN all work together on one router. My head hurts.
Well it would depend on how you are routing your traffic. What is your VPN doing? How is it configured? I am a network engineer, happy to give you a hand.
I would have it in one of two ways:
2 different SSIDs/networks, one fully VPN’nd and the other directly connected to internet.
or use 1 network to rule them all and then PBR (policy based routing) for the VPN, meaning that you send only specific traffic through the VPN. This can depend on IP, port, protocol, etc. Definitely the most advanced (and fun!) option.
Maybe I can describe my favorite outcome of this:
The Fritzbox serves as modem and connects to my phone and a nextcloud-server. One LAN-connection is plugged into the 'internet-port' of the openWRT-router.
The openWRT-router is connecting all my PCs, Smartphones and my home-assistant-Pi. On the OpenWRT-router every connection to the internet is tunneld through NordVPN to hide my location. And every device connected to the OpenWRT-router uses the Pihole as DNS-Server. And I want to be able to use PiVPN (wireguard) to tunnel into my OpenWRT-network to be able to reach the home-assistant-Pi and to enjoy the benefits of the Pihole and NordVPN while I travel.
Is that even possible? My main concern is the NordVPN-part and if it works together with the Pihole and the PiVPN. I have a very limited understanding of VPNs and DNS-Server and I don't want to make myself vulnerable.
Well I would create 2 networks in your OpenWRT, Net1 would be tunneled over the VPN and Net2 will break out locally.
On Net1 you basically keep what you have.
Then you assign the NC Server to Net2. You can even create a SSID for this network (call it Guest or whatever) for when somebody needs your WiFi. Or if you want to connect a device you don’t care sending outside the VPN.
Afterwards you can go and turn off the WLAN in your Fritzbox. The telephone will continue working over DECT most likely.
You will probably also need to “expose” the OpenWRT on your Fritzbox. What this does is forward all traffic, unfiltered, to your OpenWRT. You need to do your own research to see if you want to do this, otherwise just forward porta as you need them.
Two networks on the OpenWRT is a really good idea, thank you! With the next free weekend and some duckduckgoing I should be able to implement this.
Yup, no sense using the fritzbox for routing when there's a more capable device already in the network. The two routers setup is possible but creates unnecessary complexity IMO.