How can I define static routes between two subnets in OpenWRT / LEDE?

Question

Migrated question here according to this. This is for hotel wireless coverage.

What I need is explained here for DD-WRT, but I am using OpenWRT and LEDE. I need to make routes (gateways) to between subnetworks, but I am stuck at this step. The OpenWRT guide says to do this: https://wiki.openwrt.org/doc/recipes/routedclient

After fixing the WAN address, a static route must be added to the Access Point with the following information:

IP address: 192.168.2.1 (IP address of our LAN interface)

Destination LAN NET (required in DD-WRT): 192.168.2.0 (our LAN interface subnet)

Netmask: 255.255.255.0 (Netmask of our LAN interface)

Gateway: 192.168.1.30 (IP address of our WAN interface)

It does not say how to do this. I know there are usually two ways: one temporary and one persistent. How can I achieve this? (I understand what needs to happen, I just don't know how to implement it) If anyone would like to know what I have tried, I'd be happy to add more info.

As an attempt, I tried adding a route to router 1 (/etc/config/network):

# Route to router 3 subnet
config route
  option interface lan
  # remote subnet that route is for (called destination on dd-wrt i think)
  option target     10.0.1.0
  # net mask of subnet on router 3)
  option netmask    255.255.255.0
  # ip address of next hop to destination subnet, router 3 wan
  option gateway    10.0.3.1

If that is correct, should I be able to ping 10.0.1.1 from router 3?

Typology

My network topology is very similar to this one except that I have 3 routers. I constructed my subnets with a logical, easy-to-remember scheme:

Private (one subnet per router; 10.0 for the private nets)

1. 10.0.1.0/24 private subnetwork 1 with router at 10.0.1.1/24 (this is also an internet provider over pppeo)
2. 10.0.2.0/24 private subnetwork 2 with router at 10.0.2.1/24 (routed client)
3. 10.0.3.0/24 private subnetwork 3 with router at 10.0.3.1/24 (routed client)

Guest (one subnet per router; 10.1 for the guest nets)

1. 10.1.1.0/24 guest subnetwork 1 with router at 10.1.1.1/24
2. 10.1.2.0/24 guest subnetwork 2 with router at 10.1.2.1/24 (routed client)
3. 10.1.3.0/24 guest subnetwork 3 with router at 10.1.3.1/24 (routed client)

All the routers are connected wireless over a backend wireless network just like in the diagram--each with a static ip address on their wan. In my case, the main network is 10.0.1.0/24 (which represents 192.168.1.0/24 in the diagram).

Notes

I want the routed way (as opposed to WDS or masquerading) for the flexibility of adding layers of security (e.g. join guest subnets across multiple access points, join private subnets across multiple access points, isolate guests from private network, provide everybody access to the internet). I just wish I log on to router 2 or 3 and run ping 10.0.1.1 and get an answer! I only get "pingto: sendto: Network is unreachable".

Using OpenWRT on a Icidu (rebranded TL-wr1043ND, hacked) and LEDE on a Linksys WRT1900WC.

Answer 1

The router on the 192.168.1.0/24 should have a route for 192.168.2.0.24 via 192.168.1.30. You could add this to individual devices on this network.

The wireless router should be routing all traffic to 192.168.1.0/24 to the router with the address 192.168.1.1. However it may be Masquerading (NATing) traffic. Disable masquerading for traffic to 192.168.1.1/24 if you want devices on 192.168.1.0/24 to be able to connect to devices on 192.168.2.0/24.

Add the route in the control panel of the router on 192.168.1.1, save and apply. This should make it persistent. Adding the route by executing a routing command will not be persistent. However, if you can add commands to run on reboot, that would also be persistent.

Answer 2

Routed Network Solution with OpenWRT or LEDE.

Perhaps the hardest part is setting up the auxiliary routers. Here I provide my changes (not the files in their entirety) to Router 3 as an example.

Router 3

/etc/config/network

Setup the lan network: I want clients on router 3 to get an ip address from router 3 (an ip different than the other routers:

config interface 'lan'
    option ifname 'eth1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.0.3.1'
    option netmask '255.255.255.0'

Note that WAN stays in DHCP mode so that it can acquire an ip address (10.0.1.3) from Router 1.

# WAN ACQUIRES IP FROM ROUTER 1
config interface 'wan'
    option ifname 'eth0'
    option proto 'dhcp'

Add static routes to the other subnets (targets are the other subnets)

# ADD STATIC ROUTE TO ACCESS SUBNET 10.0.1.0 from 10.0.3.0
config route
    option interface 'lan'
    option target '10.0.1.0'
    option netmask '255.255.255.0'
    option gateway '10.0.1.3'

# ADD STATIC ROUTE TO ACCESS SUBNET 10.0.2.0 from 10.0.3.0
config route
    option interface 'lan'
    option target '10.0.2.0'
    option netmask '255.255.255.0'
    option gateway '10.0.1.2'

# Gateway - This must be set to the IP address of the next hop to the 
# destination subnet which in this case is the WAN IP of Router2 and Router3. 
# In networks with more devices the next hop may not be the device that is 
# directly connected to the subnet.

/etc/config/dhcp

I had to make minor adjustment to the dnsmasq configuration. Here I save myself from having to manage a DNS on all clients by forwarding all requests on Router 3 to a single DNS on Router 1. Unfortunately, I still had at manually allow domain rebinding for some stuff, which defeats the purpose.

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option localservice '1'
    # CHANGE
    list server '10.0.1.1'# Clients will still call 10.0.3.1 but dns list is at router 1
    list rebind_domain '.mydomain.com' # Allow rebind to web server hosted on 10.0.1.x
    list rebind_domain 'plex.direct'

/etc/config/firewall

This is the trickiest part, because if you mess this up, nothing will work. Because Router 3 is behind Router 1, and I know that Router 1 is safe (my other subnet as opposed to the internet), I opened up WAN to allow inter-network communication.

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    # CHANGE FOR AUX ROUTER WAN. NORMALLY REJECT.
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    # CHANGE. NO NEED TO MASQUERADE WHEN ROUTING.
    option masq '0'
    option mtu_fix '1'

# CHANGE. ADDED FOR SUBNET 1 TO SUBNET 3 COMM
config forwarding
    option src 'wan' 
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'wan'

# CHANGE. ADDED TO TRY AND FORCE ALLOW LAN PING
config rule
        option name 'Allow-Ping-LAN'
        option src 'lan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

You also need to add this stuff on all of the routers, so maintenance costs go up here.

config rule
        option name 'Allow-Avahi'
        option src 'lan'
        option dest 'lan'
        option dest_port '5353'
        option proto 'udp'
        option target 'ACCEPT'
        option src_port '5353'

config rule
        option name 'Allow-PlexLocalStuff'
        option src 'lan'
        option dest 'lan'
        option dest_port '32410 32412 32413 32414 1900 3005 32469 8324'
        option proto 'udp'
        option target 'ACCEPT'
        option src_port '32410 32412 32413 32414 1900 3005 32469 8324'