Expanding your OpenWRT router

by kacang bawang

network diagram

network diagram

This post is about how to add a second router to your existing OpenWRT setup.

It has been a while since I’ve written anything. Life starts to get more and more in the way as one grows older…

Say you have your router all set up, but one day you want to add some PoE devices to your network. Like an ntp-clock or a camera. Or maybe the ports are just running low. Hub, you say? No siree. What we need is another router. By the way, I still want the OpenWRT to serve DHCP and DNS across this new router.

So what do we want? Free beer! A route between the two, ahem, routers and a way to forward DNS and DHCP requests. This way every machine that comes online automatically gets a hostname that is known across the home network.

We will create a virtual interface (a software network card) which will be used to route traffic based on its destination. It will either be sent further down to the second router, or delivered directly, locally.

My new router is a hEX from Mikrotik, btw. 5ports, PoE and spf for a reasonable price. (I had bought it in an attempt to ditch the providers GPON box, but that’s another story).

Let’s create the required network interfaces:

If before, you had eth0 getting an IP address, it will no longer do so due to being involved in a VLAN. Now, the interfaces that will get IP addresses will be of the form eth0.x, where x is the vlan number. Nevertheless, eth0 will still be shown in the output of ifconfig.

Above, we split off one of the lan ports into its own interface, ie ip-address, which can then be used to forward traffic to the remote subnet. As opposed to carbon-copying all the local traffic to the remote subnet regardless of whether its target is on the remote subnet or not (this is what a simple hub would do).

Another note, you need to know which plug on the router corresponds to which port number. This is available on the OpenWRT model wiki page. Here’s mine. You can also map the ports by hand by plugging and unplugging cables and checking the output of this command swconfig dev switch0 show | grep port

And let’s add a route to the new subnet. Thus, all traffic meant for 192.168.88.x will go via the gateway (backbone remote), which is reachable via the interface (backbone local).

Now we need to do the same thing on the mikrotik:

Note: I had to disable ICMP redirect on the mikrotik in order for the routing to work correctly.

On the OpenWRT, since the link is through a different interface (eth0.3 vs eth0.4) we need to take care of the forwarding rules. This is done via firewall configuration. We could set up something more complicated, but for the purposes of this article I will simply add the link to the “trusted” lan zone.

On the Mikrotik I will cheat a little bit and just bridge its ports together. Sorry 🙂 If you want to contribute an update, I will gladly incorporate it.

At this point you should be able to plug into the Mikrotik with a manually assigned ip address (from the subnet) and be able to reach the OpenWRT box. Note that the backbone does not show up in the traceroute. Wireshark is indespenceable for debugging if things are not working.

One of the things I love about running OpenWRT is doing dhcp-dns combination. New device comes onto the network and automatically gets a hostname. Very nice. How can we keep this going with two routers on the network now? If we run DHCP on the mikrotik, openwrt will not know about those leases and will not be able to assign a hostname.

To remedy this predicament, we will use a feature call DCHP Relay. The DHCP request, which is by its nature link-local, needs to be forwarded across network segments to the designated DHCP server. Let us specify how this is to be done.

Hat tip.



Note that we are not going the usual route to specify dhcp configs via /etc/config/dhcp, as the latter does not allow us to specify a dhcp-range without binding it to an interface. (This interface exists, except it is on the Mikrotik). Thus we feed it directly to dnsmasq, bypassing the openwrt configuration engine.

Watch outs:
– Make sure dnsmasq starts (and does not crash because of config syntax errors). Use ps to check

– Make sure the options are read. In the ps output you will see the path to the generated openwrt config file (/var/etc/dnsmasq.conf….), but our edits will not show up there. You have to look in the log (/var/log/messages) for signs of activity.

– There will be a warning message in the log that reads ‘no address range available for DHCP request via eth0.3’. It is referring to the interface-less range that we just added entered. Despite it, the functionality does not seem to be affected so I guess we will just disregard the message.

– The DHCP server on the mikrotik should obviously be off

With this, the setup should be complete. If things are not going according to plan, debug with wireshark.


It is important to specify the following in /etc/dnsmasq.conf, otherwise dns leases become flaky and sometimes issue and sometimes don’t. This fixes it.