networking @sh.itjust.works glasgitarrewelt @feddit.de 1 yr. ago

Router behind a router - how to connect two networks?

Hello! As a complete beginner in home networking I am a bit lost with my problem. Maybe someone can help:

Setup: Internet socket in the wall -> Fritzbox-router -> Linksys router with OpenWRT and a VPN (NordVPN)

I have to Networks I can connect to, the Fritzbox-Network (192.168.178.) and the OpenWRT-Network (192.168.1.). Most PCs/Smartphones are connected to the OpenWRT-Network to be a bit more protected with the VPN. Some are connected to the Fritzbox.

Now two questions:

How can I connect those two networks so that I can e.g. ssh from 192.168.178.10 to 192.168.1.30?
Who is providing the DNS, when I connect a PiHole to the Fritzbox, set it as DNS-Server and then connect my PC to the other network, which is routing everything to NordVPN? Does NordVPN use its own DNS-Server?

What do I need to learn to understand my own network better?

13 comments

My first question is why do you have/need two routers?

My suggestion would be get rid of one or the other and that should solve all the questions you are asking.

Edit: A router is a device that is placed at the edge of your network and controls traffic between inside your network and the internet. If you need more wired connection ports than either router has your setup up should be:

Internet > Router > network switch
- I will simplify my network now and connect everything to OpenWRT and use the Fritzbox only as modem.
- Yeah this feels like a classic XY problem.
Use one as the DNS and DHCP server and the other one as switch and access point.
So I guess the OpenWRT has the Fritzbox as default gateway, right? In that case, you need to just add a static route to your Fritzbox so he knows that there is a 192.168.1.X on the interface that connects to the OpenWRT. But if that traffic is being tunneled the VPN, it won’t work.

You should set up the OpenWRT (as is, the most capable device) at the internet gateway and just use the Fritzbox as a repeater. If you need the Fritzbox as a cable modem then you are out of luck and probably need to buy a new device.

In your place I would ditch the Fritzbox as much as possible (as is, use it just as a modem) and connect everything to the OpenWRT. If you have special needs, the OpenWRT can also create more than 1 SSID with different networks. Definitely buy new hardware if needed.
- Thank you for your answer! I guess you are right, I should connect everything to OpenWRT and use the Fritzbox only as modem. In that case I have to figure out how the pihole, NordVPN on the router level and a piVPN all work together on one router. My head hurts.
  
  Well it would depend on how you are routing your traffic. What is your VPN doing? How is it configured? I am a network engineer, happy to give you a hand.
  
  I would have it in one of two ways:
  
  2 different SSIDs/networks, one fully VPN’nd and the other directly connected to internet.
  
  or use 1 network to rule them all and then PBR (policy based routing) for the VPN, meaning that you send only specific traffic through the VPN. This can depend on IP, port, protocol, etc. Definitely the most advanced (and fun!) option.
- Yup, no sense using the fritzbox for routing when there's a more capable device already in the network. The two routers setup is possible but creates unnecessary complexity IMO.
All you need to do is add a static route to your fritzbox for 192.168.1.0/24 via 192.168.1.x, where x is the wan ip of the openwrt router and then add a firewall rule in openwrt to allow either all traffic or add specific rules/ports from wan to lan. Another way, if you only need ssh is setup portforwardimg im openwrt so that wan port tcp 22 is forqarded to 192.168.1.30 and then connect from 192.168.178.10 to the wan ip of the openwrt router, which will forward it.
I would recommend starting with tail scale. Tail skill will help you set up wire guard to connect your networks. And it'll work across a large diversity of network topologies..

Once you get things working with tail scale, then you can look at doing ethernet bridging, more advanced things. But they're going to be more fragile and depend more precisely on your topology

You've viewed 13 comments.