Adding a guest network with multiple OpenWrt devices

Hi!

I have an OpenWRT setup that I'd like to extend with an isolated guest network - that will primarily be used for IoT devices. The intention is that devices on this wifi network will only be able to talk to the internet, nothing on the local network. But... just checking the 'isolated' option doesn't cut it in my setup.

I have 3 OpenWRT routers in the house, where one is the primary behind the modem and the other 2 are strategically placed for wifi throughout the house. The primary router has a normal 'wan' and 'br-lan' interface, and does DHCP/DNS for the entire network. The wifi routers are set up as a bridge, and only use a 'br-lan' interface for all ports, including the upstream. This gives me a flat 10.0.0.0/24 network that works really well, and allows everyone to connect to everyone.

Extending it with a guest network is however not quite as easy as I'd hoped. Beyond isolation of wifi, I'd likely also need a separate network where firewall rules for the local network are in place.

I'm looking for input on how to best configure this. Would I need a separate network on the primary router as well, and can that pass over the same cable as currently going to the wifi router? Will VLANs be required for separation at that level?

Probably I'm making this more complex than needed, and am missing the simple solution. Would be greatly appreciated if someone could point me in the right direction.

Thanks!


Start with the primary router and create a guest network on it. The tutorial linked here just creates a wifi network... when that is working, you'll want to extend that to wired, too, and then set up all of the devices to handle this network via VLANs. But start simple and build up from there. Let us know if you get stuck on this part.


Also for the dumbAPs


What @trendy has posted is a good link for making dumb APs into self contained guest networking devices, but I think it makes more sense to make the guest network on the main router and then use VLANs and extend the guest network WiFi using those VLANs.


If you don't expect the guest users in one AP to communicate with the others, I don't see the reason for creating vlans and unifying the whole guest in one broadcast domain. It makes the solution complicated for no actual profit.


I guess it is a matter of opinion. IMO, setup is easier and maintenance is much easier when all of the l3 functions are on the main router and the others are just dumb APs (with VLANs).


Vlans themselves are usually a pitfall for inexperienced users.
If we were talking about many dumbAPs it might make sense to have a central management point. Otherwise for 2 dumbAPs the addition of the guest wifi is quite fast.

This is a fair point! OTOH, a great way to learn more advanced networking techniques, if practical (obviously available time/effort and the freedom to break the network without disrupting critical internet for other users all play into this).


Thank you for your responses! This helps a lot!

My understanding is that an isolated network on the dumb APs would only be isolating on the AP it is attached to. Firewall rules could restrict that further, but that's another thing to be managed. Are my assumptions here correct?

I'll see about going down the path of VLANs, because as you pointed out - this will require some trial and error. The feedback that this is the correct way to go about it helps tremendously, although I was really hoping that I missed a simpler solution.

Yes, however the firewall rule is just one, mentioned in the last step of the guide, so nothing fancy.

Regarding VLANs... I would not necessarily say that it is the 'correct' way, as other methods such as the guest network on a per-AP (dumb AP w/ guest network) basis will work, too. But, IMO, using VLANs is the preferred method, and certainly the path I'd recommend if you can afford the time to learn (and break) things.

If you go with the dumb AP + guest wifi setup on each AP (as compared to the VLAN option), each dumb-AP actually becomes a router again, specifically routing the guest network and firewalling it from reaching the main network. The effect that this would have is that all APs would have the same trusted LAN, but the guest network would actually be unique on each one. This means that if you had two devices on the guest network that were associated with different physical APs, they would not be able to talk to each other because they would be on their own little islands.

Another thing that just occurred to me is the issue of guest devices roaming between APs. Roaming works easily when client devices can roam from one AP to another while keeping the same DHCP lease. It is plausible that roaming may not be as seamless and fast if using the dumb-AP + guest network method because the DHCP servers for the guest network would be distinct (i.e. as many DHCP servers as there are APs) and they would not be synchronized. OTOH, the VLAN approach uses a single DHCP server for a monolithic guest network and the APs simply bridge wifi/wired networks.

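The VLAN layout recommended in the replies above (guest network and all L3/firewall on the primary router, dumb APs only bridging a tagged guest VLAN into a guest SSID) as a concrete set of OpenWrt UCI config fragments. This is an added example, not config from the thread or from any of the posters. It assumes a DSA-based OpenWrt release (21.02 or later; the 19.07 switch_vlan syntax differs), that port lan1 on both the primary router and the AP is the cable between them, that VLAN 1 is the existing trusted LAN and VLAN 3 the guest VLAN, and that 10.0.3.0/24 is free for guests. The VLAN ID, subnet, SSID and key are arbitrary placeholders.

```uci
# ---- Primary router: /etc/config/network (assumed DSA, OpenWrt 21.02+) ----
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'        # assumed: trunk cable to the dumb AP
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan          # VLAN 1 = existing trusted LAN, untagged on all ports
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan          # VLAN 3 = guest, tagged only on the AP trunk
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

config interface 'guest'    # single L3 gateway + DHCP server for all guest clients
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.0.3.1'   # assumed free subnet, not overlapping 10.0.0.0/24
	option netmask '255.255.255.0'

# ---- Primary router: /etc/config/dhcp ----
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# ---- Primary router: /etc/config/firewall ----
config zone                 # guest may only go to wan; no zone forwarding to lan
	option name 'guest'
	list network 'guest'
	option input 'REJECT'     # router itself reachable only via the rules below
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule                 # guests still need DHCP and DNS from the router
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# ---- Dumb AP: /etc/config/network (same VLAN plan, no IP on guest) ----
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'      # assumed: lan1 is the uplink from the primary router

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'

config interface 'guest'    # L2 only; the AP has no address in the guest VLAN
	option device 'br-lan.3'
	option proto 'none'

# ---- Dumb AP: /etc/config/wireless ----
config wifi-iface 'guest_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'    # netifd adds this SSID to br-lan as VLAN 3 untagged
	option ssid 'Guest'       # placeholder
	option encryption 'psk2'
	option key 'CHANGE-ME'    # placeholder
	option isolate '1'        # blocks client-to-client on this SSID on this AP only
```

Two checks worth doing after `/etc/init.d/network restart` on both boxes: from a guest client, confirm it receives a 10.0.3.x lease from the primary router (not from the AP) and that `10.0.0.1` and any 10.0.0.x host are unreachable while the internet works; and note that `isolate` only covers wireless clients on the same SSID of the same AP, so with one guest broadcast domain, guest devices on different APs can still reach each other at L2. If that matters for IoT, add a firewall rule is not enough (it never sees bridged traffic); you would need the per-AP island approach the reply above describes, or ebtables/bridge-nf filtering on the APs.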

Thank you again for such detailed and thoughtful answers.

Having two guest networks that would be completely separated would probably work for my use case. That said, like many OpenWRT users I like to tinker and not settle for a half-solution.

I'll need to schedule some time where breaking stuff won't result in getting shouted at, and perhaps combine it with a hardware upgrade on the main router.

Truly appreciate you helping me out here, thanks again!

I think I did exactly what you want and described it here
(note this was done on 19.07.6, so maybe not all screenshots are 100% correct anymore)

I did the VLAN solution to keep things separated. Especially for a guest net this makes sense as you likely want the roaming between the APs.
