OpenWrt Forum Archive

Topic: Bridging networks each running DHCP servers

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This is a general Linux networking question (as applied to routing), that dips into more network complexities.  It's a project I'd like to use this chance with the WRT3200 to do some heavy lifting in doing a merge of my different network segments that I've been avoiding for YEARS and hopefully eliminate some radios.  But I'm not sure if what I want to do can even be done.  (I used to do a lot of Linux work but I've atrophied...I've been in an all-Windows shop way too long! :P ).


What I have is this: Network A contains printers, samba server, etc.  Network B has some clients, nothing that needs to be directly accessed, and a load balancing router that splits the outgoing internet traffic between two WANs.   I've been trying to migrate network A onto network B for some years and instead I just keep adding routers!  What I have for now is network A connected to network B as a WAN with a router in between.  That router is also the primary DHCP for network A.  Network B has the load balancing router as the DHCP.

What I would like to do is this.  Take the WRT3200, and insert it as its own network on the network A side, we'll call it Network C, and bridge it, so that clients can connect into the 3200 and be on its own network, with its own internal DHCP server, but bridge so that clients on network C can get to printers and servers on network A.   Network A does not need to see network C (though it doesn't need to be avoided, either.)

The key is, for now, I want any client connecting to a network A AP to work as is with the old DHCP.  I want any client connecting to the WRT3200 (the OpenWrt one), to see its own network with its own DHCP, but be able to access either all of or part of network A.   Over time, the network can migrate all to the WRT's network and that will become the new network A.  The DHCP management is the trick.

The other trick is how to route internet traffic.

I'm not sure this can even be done (or if it's worth doing it.)

What I'm thinking I'd have to do is establish the WAN port and one VLAN as a DHCP client, both plugged into network A.  The WAN port would be used purely as WAN, and the single VLAN could then be bridged to eth0 (or the existing br-lan).  BUT would that not allow the DHCPs to cross between networks?   Is there any way to set up the firewall rules to prevent cross contamination of DHCP over the bridge?

Did you rename network A to network C?

I don't think a bridge is the best solution, and it also requires you to use ebtables (or similar) to filter the traffic, which is slow.

I think disabling NAT and allowing traffic from network B to network A/C on the WRT3200, and adding a static route to network A/C via the WRT3200 on the load balancing router, should be enough.

"Bridge" isn't the correct term here; that refers to linking everything at layer 2, including DHCP requests, which you don't want.  In other words, two things that are bridged together become part of the same network.  To have limited access from one network to another is either routing or tunneling.

You could put a VPN server on network A, so selected users of C can log into the VPN and use printers or files on A.

With OpenWrt you can have as many networks as you want from the same box.  Depending on your site's physical arrangement you could consider running VLANs over Ethernet cables.

mk24 wrote:

"Bridge" isn't the correct term here; that refers to linking everything at layer 2, including DHCP requests, which you don't want.  In other words, two things that are bridged together become part of the same network.  To have limited access from one network to another is either routing or tunneling.

You could put a VPN server on network A, so selected users of C can log into the VPN and use printers or files on A.

With OpenWrt you can have as many networks as you want from the same box.  Depending on your site's physical arrangement you could consider running VLANs over Ethernet cables.

The VPN is too heavy a solution for the problem. I could do it, but I already have a VPN connecting the WAN, I'd rather avoid the complexities of multiple VPNs just to "bridge" a local network temporarily. The VLANs are probably the way to go. Trouble is, if I tag a port, I'm not sure I have any managed switches running on A to be able to handle the tagging (the one ancient 10/100 switch might, if I can remember how to get into the config).

So I'm thinking maybe I pull port 4 from the WRT3200 off the eth0 interface, and set it up as an untagged VLAN 3.  I haven't played with Linux/OpenWrt VLANs at all, only hardware level VLANs, so I'm kind of stumbling in the dark on that.  I assume if I set port 4 as an untagged VLAN 3, I'd have to create an Interface that is....I guess it shouldn't be a DHCP client, then route creation would be a mess; I should make it static on network A below the DHCP pool there, and the custom interface would be eth0.3?

Do I need to set a firewall rule at that point (and should it match LAN?)

And finally for the static route, if I have two networks, we'll say 192.168.1.0/24 (OpenWrt router) and 192.168.0.0/24, I'm assuming I'd create two routes, one for the eth0 interface as a route to 192.168.0.0/24 with a gateway of the static IP assigned to interface eth0.3; and a second route for interface eth0.3 to 192.168.1.0/24 with a gateway of 192.168.1.1 (the OpenWrt router)?

I'd just add routes to the servers, but I believe the printers are DHCP clients right now.

I'm getting thrown off by the switch/VLAN->interface->firewall->route setup where I'm used to just two matching hardware switch setups.

And I'd keep DHCP disabled on eth0.3 (assuming that's the right interface setup) obviously.

(Last edited by tux-o-matic on 30 Aug 2017, 15:56)
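The layout the thread converges on (route, do not bridge; disable NAT on the WRT3200, as suggested in the earlier reply; one switch port pulled into an untagged VLAN 3 with a static address and no DHCP server, as in the post above), written out as OpenWrt UCI fragments. This is an added example, not configuration posted by anyone in the thread. Everything concrete in it is an assumption: network A is 192.168.0.0/24 with its existing router at 192.168.0.1, the WRT3200 LAN (network C) is 192.168.1.0/24 on 192.168.1.1, the front-panel "LAN 4" jack is switch port 3 and reaches the CPU on port 5 (so the VLAN shows up as eth0.3), 192.168.0.250 is free and sits below network A's DHCP pool, and the interface and zone are named `transit`. Confirm the port numbering on the unit with `swconfig dev switch0 show` (or the LuCI switch page) before copying numbers.

```uci
# Added example, not from the thread. Addresses, port numbers, eth0.3 and
# the name 'transit' are assumptions; verify the switch layout first.

# /etc/config/network
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'        # LAN 1-3 stay in br-lan; CPU now tagged

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 5t'            # LAN 4 untagged, CPU tagged -> eth0.3

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'         # was 'eth0' while the CPU port was untagged
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'transit'       # the leg into network A
	option ifname 'eth0.3'
	option proto 'static'          # static, not DHCP client, as the post intends
	option ipaddr '192.168.0.250'  # below network A's DHCP pool (assumed)
	option netmask '255.255.255.0'
	# no 'gateway' option: Internet keeps leaving via the WAN port.
	# No static route is needed for 192.168.0.0/24 either; a subnet on a
	# directly attached interface is a connected route automatically.

# /etc/config/dhcp
config dhcp 'transit'
	option interface 'transit'
	option ignore '1'              # never answer DHCP on the network A side

# /etc/config/firewall
config zone
	option name 'transit'
	option network 'transit'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'                # NAT off, as suggested in the reply above

config forwarding                # C may open connections to A; A cannot
	option src 'lan'               # initiate toward C (replies are stateful)
	option dest 'transit'
```

Two routes from the post's plan drop out: 192.168.0.0/24 via eth0.3's own address and 192.168.1.0/24 via 192.168.1.1 are both directly connected subnets, and the kernel installs those routes when the interfaces come up. The one route that does have to be added lives on network A's side: `192.168.1.0/24 via 192.168.0.250` on network A's router, since the printers and servers default-route to it and otherwise have no way to answer a client on C. If that router cannot take a static route, set `option masq '1'` on the `transit` zone instead; hosts on A then see every C client as 192.168.0.250, which works for printing and SMB client access but hides the individual C addresses from A's logs. Because eth0.3 is a routed interface rather than a bridge member, DHCP broadcasts from either side stop at the WRT3200 on their own; no ebtables filtering is involved.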

The discussion might have continued from here.