Architecture recommendations for 2 PoE & 5 regular APs & Zigbee & network separation

My current setup is a mess - but I am willing to clean it up.

My start was actually the WRT54GL, of course with the OpenWRT firmware. Next was/is a D-Link DIR865L, which seems not to be supported (https://openwrt.org/toh/d-link/dir-865l_a1). This needed replacing at some point, and now I have:

  • Modem Fritzbox 7560
  • 1 TP-Link EAP 115 powered through PoE
  • 1 TP-Link EAP 225 powered through PoE
  • 4 TP-Link E4R "deco" Access Points
  • 1 NanoPi R5S with Docker for Zigbee2MQTT, MQTT and Home Assistant, Sonoff P stick
  • Many Zigbee devices, several MQTT devices connected through Ethernet and WLAN
  • "dumb" switches with currently no VLANs
  • an increasing number of new Wifi devices, all capable of Wifi 6 etc.

My target is at least two strictly separated networks, one for MQTT/IoT only and one for internal traffic - and a guest network that has only access to internet.
My initial plan was to do this with the NanoPi R5S and its three Ethernet ports - however, the FriendlyWRT is not really what I expected so the setup I currently have in mind is more like:

  • Fritzbox 7560 purely as a modem as it looks like this does not work with OpenWRT
  • 2 PoE Access Points with OpenWRT
  • Ideally, one of those two Access Points accepts the Zigbee coordinator USB stick and runs Zigbee2MQTT, connecting to the MQTT on the HA server
  • 5-6 regular Access Points with OpenWRT - my E4R also seem not to work with OpenWRT
  • all APs should offer 1 general, 1 IoT and ideally 1 guest WLAN that are separated from each other. All should support as-secure-as-possible WLAN access
  • ideally also the NanoPi migrated to OpenWRT - yes, I have read https://openwrt.org/toh/friendlyarm/nanopi_r5s which gives me hope that I can run it

Problems I would like to solve:

  • currently several independent WLANs (EAP and deco) with no gapless roaming between them
  • no Wifi6, no WPA3
  • no network separation

So my first step was to check https://openwrt.org/toh/start for devices. Now I was lost. I understand that I can search there for the OpenWRT support for a specific product - but to be honest I don't even know which elements my architecture should have!

So how do I generally start, what are architecture decisions that are more or less fixed? Are there proven recommendations for modern & OpenWRT capable PoE and regular (mains powered) Access points? Does OpenWRT generally support something like "plug in a Zigbee USB stick and configure Zigbee2MQTT" either directly or simply through a Docker system where I could move my existing setup to?

Is OpenWRT the correct system where I would do my network separation or should I do that at a different point / with a different device? Would I have to set up OpenWRT on ALL access points or just on one system and then have "dumb" APs?

And generally: How do I search correctly for OpenWRT supported products that realize the above-mentioned setup?

I am rather happily using an EAP615-Wall here, which is 802.11ax and PoE+. My wired router is a MikroTik RB5009UG+S+IN (granted, a bit overkill, since I'm on 150/50 - but let's say it's a bit future-proofed). Historically, my setup evolved into a wired router and, as PSE, a separate PoE+ switch (ZyXEL GS1900-10HP). The MikroTik has a PoE+ sibling as well, but that one hit the market after I got my RB5009UG+S+IN. I also have a Netgear GS108T v3, which is a PoE-powered switch (saves me a power outlet and cabling in the TV/multimedia corner).

All these devices run OpenWrt here (but don't need to, of course, if you're uncomfortable with e.g. installing it on your switch). At my brother's place, I have similar ZyXEL switches (GS1900-8HP and XGS1250-12) which run the vendor firmware since I need e.g. bonding.

1 Like

Many thanks - so one example would be to buy a bunch of EAP devices like e.g. the 615 (nice one, this has PoE passthrough), this time check OpenWRT compatibility before buying, flash OpenWRT and then? Would I have one "master-config" that is then automatically replicated to all OpenWRT-EAPs?

Like, I have two WLANs (general & IoT) that allow gapless roaming between APs, then some friends come along, so I set up a guest WLAN that should then be active at all APs.

There's no automatic replication, but except for MAC addresses etc. you should be able to copy configuration to the other identical devices. You can look into Openwisp for provisioning.

1 Like

Many thanks - when reading this https://openwrt.org/docs/guide-user/network/wifi/dawn my thought was: It seems possible but not really the standard procedure. This makes me think: It is always good to buy hardware that is capable of running OpenWRT - but could it be the better option to use the manufacturer tool to open several WLANs (as long as they can assign different VLANs to the different WLANs) and then use OpenWRT only at the point where they terminate? Is OpenWRT then the correct tool to do the network separation?

Long start post deserves a long answer :slight_smile:

Zigbee

OpenWrt does not have out-of-the-box support for zigbee2mqtt or USB Zigbee dongles. I advise designating separate devices for network routing and domotica.

Access Points

Do you have a large multi-floor area that you need to cover with 6+ APs?
FYI: my house is 135 m². I placed one EAP615 in my living room at 2 m height near the backyard garden and another in the stairwell between the 1st/2nd floor, and this provides perfect wireless coverage on all floors and in the (small) garden.

These access points are well supported and have been problem-free since I bought them 21 months ago (together with 86 mm wall junction boxes).
Power consumption is around 4W and PoE passthrough is indeed a nice extra feature. See here for a review

VLAN

For a VLAN setup you need to configure VLAN IDs on the router, the managed switch and the access points. You can opt for either a fully tagged or a mixed tagged VLAN setup; I tested both and eventually chose the mixed tagged VLAN setup. An example of my setup is here

Central Monitoring

If you want you can export collectd output from Access Points + Router to a Grafana Server. An example can be found here

Central Configurator

Possibly this tool is useful to push configuration to several access points (on the other hand: once you have set up one access point, it is only 5 - 15 minutes of work to replicate the config to the other access points)

For a complete list of existing and new hardware I would recommend:

  • Modem Fritzbox 7560
  • Managed Switch Netgear GS308EPP or GS316EP (suitable for multiple PoE powered Access points and possibly other PoE powered devices like PoE cameras)
  • NanoPi R5S as Domotica server for Zigbee2MQTT, MQTT, Home Assistant, Sonoff P stick (and possibly Grafana Server)
  • NanoPi R5S as OpenWrt router (NanoPi R4S is highly recommended as well)
  • EAP615-WALL as OpenWrt Access points - with good placement 4 might be enough instead of currently 6 (?)

note: to get an idea of OpenWisp capabilities look at https://openwisp.org/demo.html

1 Like
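The VLAN section above says where the IDs have to be configured, but the linked example is not on this page, so here is an added illustration of the access-point side (my example, not the poster's configuration and not taken from the OpenWrt wiki): one /etc/config/network and /etc/config/wireless for the three-SSID layout the thread discusses. Everything specific is an assumption: OpenWrt 22.03 or newer with bridge VLAN filtering, a single uplink port named eth0, one radio named radio0, VLAN 1 for management and the home WLAN (untagged), VLAN 10 for IoT and VLAN 20 for guests (both tagged), the 192.168.1.x addresses, the mobility domain value and the placeholder keys. Because the AP only bridges the IoT and guest VLANs and holds no address on them, the same two files can be copied to every AP with just the hostname and management address changed, which is the replication approach described earlier in the thread.

```uci
# /etc/config/network on one OpenWrt access point (added example, not from the thread).
# Assumptions: OpenWrt 22.03+ (bridge VLAN filtering), uplink port "eth0",
# VLAN 1 = management + home WLAN (untagged), 10 = IoT (tagged), 20 = guest (tagged).
# Keep the auto-generated 'loopback' stanza; it is omitted here for brevity.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# VLAN 1 leaves the uplink untagged and is the port's PVID ("u*").
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

# VLANs 10 and 20 leave the uplink tagged ("t"); the switch port facing this AP
# must be a trunk carrying the same IDs, otherwise IoT/guest clients get no DHCP.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth0:t'

# Management: the only interface with an address on the AP (constructed values;
# change ipaddr and the hostname in /etc/config/system per AP, nothing else).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.21'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# The AP only bridges these two VLANs, so proto 'none': no address, no services.
config interface 'iot'
	option device 'br-lan.10'
	option proto 'none'

config interface 'guest'
	option device 'br-lan.20'
	option proto 'none'

# /etc/config/wireless on the same AP. Keep the detected 'wifi-device' stanza for
# radio0 and replace the default wifi-iface with these three. All APs share one
# mobility_domain so 802.11r fast transition works when a client roams between them.

config wifi-iface 'wlan_home'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'home'
	option encryption 'sae-mixed'      # WPA2/WPA3 transition; switch to 'sae' once every client does WPA3
	option key 'CHANGE-ME-home'
	option ieee80211w '1'              # management frame protection optional (required by WPA3 clients)
	option ieee80211r '1'              # if roaming misbehaves with some WPA3 clients, test with this off
	option mobility_domain '4f57'      # constructed; must be identical on every AP
	option ft_over_ds '0'
	option ft_psk_generate_local '1'   # derive FT keys locally; no key exchange between APs needed

config wifi-iface 'wlan_iot'
	option device 'radio0'             # many IoT clients are 2.4 GHz only; put this on that radio if you have two
	option network 'iot'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'psk2'           # WPA2-only: many MQTT/IoT clients lack WPA3 and 802.11w
	option key 'CHANGE-ME-iot'
	option isolate '1'                 # IoT clients on this AP cannot reach each other over the air
	option ieee80211r '1'
	option mobility_domain '4f57'
	option ft_psk_generate_local '1'

config wifi-iface 'wlan_guest'
	option device 'radio0'
	option network 'guest'
	option mode 'ap'
	option ssid 'guest'
	option encryption 'sae'            # WPA3-only; guests bring modern phones
	option key 'CHANGE-ME-guest'
	option ieee80211w '2'
	option isolate '1'
```

Nothing in these two files enforces separation: the AP and the switch only label the traffic with VLAN IDs. The policy (guest to the internet only, IoT reaching nothing beyond the broker) still has to be written into the firewall on the router where the VLANs terminate, and adding the guest SSID later means adding one wifi-iface stanza per AP, which is the step the thread's "one config for all APs" question is about.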

Great! This helps a lot!

Indeed my location is big, has four floors, very massive walls, garden, garage, maybe even connecting some sensors in the next building. Right now I have four mesh APs and struggle a bit, so the target number is really at least 8 APs and, to be honest, when a guest enters the house and asks for guest WLAN it currently takes 10 seconds to set up a new guest WLAN and I don't want to have to connect to every AP to replicate this.

My initial idea (maybe this was the stupid part) was to have OpenWRT (as in: not FriendlyWRT) as a Docker host on the AP and have just Zigbee2MQTT on it, and it would connect to the MQTT server in the central server room. Maybe it is really easier to purchase a PoE stick that does all that and directly connects to MQTT.

And yes, I would need to open at least two WLANs, each gets a VLAN id that terminates at the switch for network separation.

Now I will read through all the articles you posted, thanks for that!
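On the point that the VLANs terminate at the switch: the switch only carries the tags, and the separation is actually enforced by the firewall of whatever routes between the VLANs. As an added example (mine, not the poster's configuration), this is a minimal /etc/config/firewall for an OpenWrt router such as the NanoPi R5S. It assumes /etc/config/network already defines the interfaces lan (home), iot and guest on the tagged sub-interfaces from the switch trunk, plus wan, and that the MQTT broker lives in the home network at the constructed address 192.168.1.10.

```uci
# /etc/config/firewall on the OpenWrt router (added example, not from the thread).
# Assumes interfaces 'lan' (home), 'iot', 'guest' and 'wan' exist in /etc/config/network.
# The broker address 192.168.1.10 is constructed.

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# IoT and guest: no access to the router's own services (except the DHCP/DNS rules
# below) and no forwarding anywhere unless a 'forwarding' section says so.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Home reaches the internet and the IoT segment (to manage devices). The reverse
# direction stays closed, so a compromised IoT device cannot initiate connections
# into the home network; replies to home-initiated connections are still allowed.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

# Guests: internet only.
config forwarding
	option src 'guest'
	option dest 'wan'

# Deliberately no iot -> wan forwarding: local MQTT devices do not need the internet.
# Add a forwarding only for devices that genuinely require cloud access.

# The isolated zones still need DHCP and DNS from the router itself.
config rule
	option name 'Allow-DHCP-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# The single hole from IoT into the home network: the MQTT broker, on its port only.
config rule
	option name 'Allow-IoT-to-MQTT'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '8883'   # MQTT over TLS; use 1883 only if the broker is plain-text
	option target 'ACCEPT'
```

A quick check after applying it: a device on the IoT SSID should get an address from the iot range, resolve names through the router, reach the broker on its port, and fail to reach anything else in 192.168.1.0/24 or the internet; a guest device should reach only the internet. If the IoT device can ping a home machine, the VLAN is being untagged somewhere between the AP and the router (a switch port set to the wrong PVID is the usual cause) rather than the firewall being at fault.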