Access Control Questions

I'm planning on installing OpenWRT on a Netgear R6260 (AC-1600) router and have a question about access control. More specifically, what is the best way to achieve what I'm after? Here's my situation...

Router 1 is my main home network (Netgear R6260).
Router 2 is going to be my IoT network (GL-inet AR300M16-ext), plugged into Port 2 on Router 1.

I want to filter traffic from Router 2, so it can only access the Internet, but nothing else on the LAN for Router 1. At the same time, I want any device connected to Router 1 to be able to access Router 2.

Is this as simple as setting a firewall rule that basically says "Any traffic on Port 2 going to WAN is allowed." and "Any traffic on Port 2 going anywhere else is blocked.", plus "Any traffic destined for Port 2 is allowed"?
Or do I need to put Port 2 into another VLAN and set rules as to where traffic from that VLAN can go and what traffic can get into that VLAN?

In reality, I will have Port Forwarding going to a Home Assistant located on the GL-inet and can access that via an external domain name from my home LAN. But, I'm hoping to avoid having to do that (as well as open more ports to the GL-inet for other devices on the IoT network--lights, Alexa, Nest devices, etc.).

Thank you for any help you can provide and have a great day. :slight_smile:
Patrick.

Yes, for that to work, port 2 has to be in a separate network. Traffic inside the same network cannot be controlled by the firewall. A typical guest network configuration would be used, including either a VLAN in the switch or DSA to break out port 2 for the separate network.

Another approach is to put a rule in Router 2 so that only Internet IPs can be reached by LAN->WAN forwarding, not LAN-like IPs as may exist in router 1's LAN.

The second approach seems easier to implement. Would it be as simple as a firewall entry that says if the IP Address is in the 192.168.2.0/24 range, block? I'm going to have to dig into the firewall information to see how to apply this. Luckily, the GL-inet has OpenWRT as its firmware, so this works regardless of what the Netgear Router has for firmware.

Have a great day. :slight_smile:
Patrick.
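The second approach above (a rule on Router 2 that rejects LAN->WAN forwarding to private addresses), written out as an added example for Router 2's `/etc/config/firewall` on OpenWrt; this is not configuration posted by anyone in the thread. It assumes Router 1's LAN is 192.168.2.0/24 as guessed in the question, and lists all three RFC 1918 ranges so the rule keeps working if that subnet ever changes.

```uci
# Added example, not from the thread. Router 2 (the GL-inet running OpenWrt):
# reject NEW connections forwarded from the IoT lan zone to the wan zone when the
# destination is a private (RFC 1918) address. Router 1's LAN (assumed
# 192.168.2.0/24) is covered by 192.168.0.0/16. Internet destinations are not
# matched, so they still reach the default lan->wan ACCEPT forwarding.
#
# Only forwarded traffic is affected: Router 2's own DNS/NTP queries to Router 1
# are router output, not forwarding, and replies to connections that Router 1's
# LAN opens toward the IoT side (e.g. the Home Assistant port forward) are
# accepted by connection tracking before this rule is evaluated.

config rule
	option name 'Reject-IoT-to-upstream-LAN'
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	option proto 'all'
	list dest_ip '10.0.0.0/8'
	list dest_ip '172.16.0.0/12'
	list dest_ip '192.168.0.0/16'
	option target 'REJECT'
	option enabled '1'
```

After appending the section, run `/etc/init.d/firewall restart` and confirm from an IoT client that the Internet is reachable while pinging a host on Router 1's LAN gets a rejection; `proto 'all'` is what makes the rule cover ICMP as well as TCP/UDP.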

The 5 GHz Wi-Fi on the 6260 is tricky. Before flashing to OpenWrt, go through the OpenWrt forum and look for comments on this issue. I have the 6260 and after installing OpenWrt could not get the TX power above 7 dB. Instead I use DD-WRT on this device, which works fine with the 5 GHz Wi-Fi, but I miss some of the packages such as batman-v that are not available on DD-WRT. Also under DD-WRT the USB port is broken on the 6260, so if you plan on using any USB devices with DD-WRT, that won't be available.

Just in case putting OpenWrt on your 6260 is problematic (per @papdee's comments), does the stock Netgear firmware have a place for you to set static routes?

(If you use OpenWrt, there are a few ways you can approach the configuration, but if you use the stock Netgear firmware, you'll probably need static routes in order to achieve your goal of lan > IoT connectivity).

Yes, I can put Static Routes in the Netgear, although I'm not sure if that's necessary. What I have now is a port forwarding to Ports 8123 and 4357 on the GL-inet router that points to my Home Assistant. I might need them after I migrate things like my Nest Hub and Nest Thermostat to the IoT network, but I'll cross that bridge when I get there.

As for the issue with 5 GHz, would the low TX power still make it usable in about a 75' radius? That's about the maximum distance that I need it to work. My alternative is buying a new router, which I might need to consider anyhow as I've had this one for a few years and we've upgraded to fiber in our town. Not that it doesn't work, but it is showing its age--and they don't update the firmware anymore. (Just don't let Home Assistant tell you otherwise. That's a bricked router story for another time.)

Have a great day. :slight_smile:
Patrick.

If you only need to connect to one device, port forwarding is simple and easy. If you need to be able to connect to multiple devices from the upstream network > downstream, things become messier. Static routes on the upstream router allow you to disable masquerading on the downstream router's wan interface and allow forwarding from wan > lan on that device. From there, you'll be able to directly access any device on the downstream network just using its IP address.