Hello! As a complete beginner in home networking I am a bit lost with my problem. Maybe someone can help:
Setup: Internet socket in the wall -> Fritzbox-router -> Linksys router with OpenWRT and a VPN (NordVPN)
I have to Networks I can connect to, the Fritzbox-Network (192.168.178.) and the OpenWRT-Network (192.168.1.). Most PCs/Smartphones are connected to the OpenWRT-Network to be a bit more protected with the VPN. Some are connected to the Fritzbox.
Now two questions:
- How can I connect those two networks so that I can e.g. ssh from 192.168.178.10 to 192.168.1.30?
- Who is providing the DNS, when I connect a PiHole to the Fritzbox, set it as DNS-Server and then connect my PC to the other network, which is routing everything to NordVPN? Does NordVPN use its own DNS-Server?
What do I need to learn to understand my own network better?
My first question is why do you have/need two routers?
My suggestion would be get rid of one or the other and that should solve all the questions you are asking.
Edit: A router is a device that is placed at the edge of your network and controls traffic between inside your network and the internet. If you need more wired connection ports than either router has your setup up should be:
Internet > Router > network switch
I will simplify my network now and connect everything to OpenWRT and use the Fritzbox only as modem.
Yeah this feels like a classic XY problem.
Use one as the DNS and DHCP server and the other one as switch and access point.
So I guess the OpenWRT has the Fritzbox as default gateway, right? In that case, you need to just add a static route to your Fritzbox so he knows that there is a 192.168.1.X on the interface that connects to the OpenWRT. But if that traffic is being tunneled the VPN, it won’t work.
You should set up the OpenWRT (as is, the most capable device) at the internet gateway and just use the Fritzbox as a repeater. If you need the Fritzbox as a cable modem then you are out of luck and probably need to buy a new device.
In your place I would ditch the Fritzbox as much as possible (as is, use it just as a modem) and connect everything to the OpenWRT. If you have special needs, the OpenWRT can also create more than 1 SSID with different networks. Definitely buy new hardware if needed.
Thank you for your answer! I guess you are right, I should connect everything to OpenWRT and use the Fritzbox only as modem. In that case I have to figure out how the pihole, NordVPN on the router level and a piVPN all work together on one router. My head hurts.
Well it would depend on how you are routing your traffic. What is your VPN doing? How is it configured? I am a network engineer, happy to give you a hand.
I would have it in one of two ways:
-
2 different SSIDs/networks, one fully VPN’nd and the other directly connected to internet.
-
or use 1 network to rule them all and then PBR (policy based routing) for the VPN, meaning that you send only specific traffic through the VPN. This can depend on IP, port, protocol, etc. Definitely the most advanced (and fun!) option.
Maybe I can describe my favorite outcome of this:
The Fritzbox serves as modem and connects to my phone and a nextcloud-server. One LAN-connection is plugged into the ‘internet-port’ of the openWRT-router.
The openWRT-router is connecting all my PCs, Smartphones and my home-assistant-Pi. On the OpenWRT-router every connection to the internet is tunneld through NordVPN to hide my location. And every device connected to the OpenWRT-router uses the Pihole as DNS-Server. And I want to be able to use PiVPN (wireguard) to tunnel into my OpenWRT-network to be able to reach the home-assistant-Pi and to enjoy the benefits of the Pihole and NordVPN while I travel.
Is that even possible? My main concern is the NordVPN-part and if it works together with the Pihole and the PiVPN. I have a very limited understanding of VPNs and DNS-Server and I don’t want to make myself vulnerable.
Well I would create 2 networks in your OpenWRT, Net1 would be tunneled over the VPN and Net2 will break out locally.
On Net1 you basically keep what you have.
Then you assign the NC Server to Net2. You can even create a SSID for this network (call it Guest or whatever) for when somebody needs your WiFi. Or if you want to connect a device you don’t care sending outside the VPN.
Afterwards you can go and turn off the WLAN in your Fritzbox. The telephone will continue working over DECT most likely.
You will probably also need to “expose” the OpenWRT on your Fritzbox. What this does is forward all traffic, unfiltered, to your OpenWRT. You need to do your own research to see if you want to do this, otherwise just forward porta as you need them.
Two networks on the OpenWRT is a really good idea, thank you! With the next free weekend and some duckduckgoing I should be able to implement this.
-
Yup, no sense using the fritzbox for routing when there’s a more capable device already in the network. The two routers setup is possible but creates unnecessary complexity IMO.
All you need to do is add a static route to your fritzbox for 192.168.1.0/24 via 192.168.1.x, where x is the wan ip of the openwrt router and then add a firewall rule in openwrt to allow either all traffic or add specific rules/ports from wan to lan. Another way, if you only need ssh is setup portforwardimg im openwrt so that wan port tcp 22 is forqarded to 192.168.1.30 and then connect from 192.168.178.10 to the wan ip of the openwrt router, which will forward it.
I would recommend starting with tail scale. Tail skill will help you set up wire guard to connect your networks. And it’ll work across a large diversity of network topologies…
Once you get things working with tail scale, then you can look at doing ethernet bridging, more advanced things. But they’re going to be more fragile and depend more precisely on your topology