So far I have managed to set up OpenWrt in a config that connects to wireless networks as a client and then has a Lan/Wifi that offers the usual wifi.
What I want to know is whether devices or services I connect to can see the devices on my network?
If so, what can I use to hide all that?
It is a complicated setup but long story short I am having to use a neighbours wifi as it is easier than trying to connect to my own network.
The next goal is to create a site to site VPN with two OpenWrt routers going via that connection and then connecting to the Internet from our main house Internet so that we are all on the same Lan where I can access NAS and some devices or services can connect to each other.
For example, a TV in the extension using an HDMI stick can go from lan, through a site to site VPN to the main house and connect to say Netflix, AppleTV etc.
LAN example is extension devices being able to see Plex Server or alarm and monitoring kit all appearing on one Lan in main house if that makes sense.
It depends on how you have configured it. If the network interface for your STA wireless interface is, say, wwan and it's in the same firewall zone as wan, then assuming you didn't go messing with firewall rules, the wwan should be as isolated from your lan clients as wan usually is on a default OpenWrt install, so no, it wouldn't be possible to "see devices" from upstream. For a more qualified reply (most likely by more qualified experts), you should post the following files (redacting passwords) from /etc/config: dhcp, firewall, network, wireless.
Depending on your DNS config tho, the upstream network may see your DNS requests.
It is a very old listed building that is not allowed to be modified, the extension is effectively a granny studio that is right on the edge next to the neighbour. We can't run cable and we have tried mesh, the main building has extremely thick walls.
The current connection of going via neighbour's wifi works better than I could have expected, the latency is a bit of an issue but no getting around that and it will be fine for what we are using it for.
We want it all to operate like one Lan, that of the main living room, this will help make alarms and cctv practical, at the same time we want to provide access from the granny studio to devices in the main living room.
I will have to break this down into separate replies as I am a total newb and get information overload.
I have not changed anything in the default config of firewall although I have copied some config options from various threads, so I may understand less than one might think.
config defaults
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'masquarade'
	option src 'wan'
	option masq '1'
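
The zone-membership check that the earlier reply describes, as an added example (not code from the thread or from OpenWrt): it parses UCI firewall text and lists zones that contain an upstream-facing network while carrying an explicit ACCEPT on input or forward. Treating wan, wan6 and wwan as upstream-facing is an assumption, and the sample is constructed from the two zone sections posted above, trimmed to the options the check reads.

```python
import shlex

# Assumption: logical networks that face an upstream (untrusted) network.
UPSTREAM = {"wan", "wan6", "wwan"}

# Constructed sample: the two zone sections from the post, trimmed.
POSTED = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan wan'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'ACCEPT'
    option network 'wwan'
"""

def parse_uci(text):
    """Return [(section_type, {option: [values]})] from UCI config text."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            # 'option network "a b"' and repeated 'list network' both become lists
            sections[-1][1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def audit_zones(text, upstream=UPSTREAM):
    """Flag zones that hold an upstream network with an explicit ACCEPT policy."""
    findings = []
    for stype, opts in parse_uci(text):
        exposed = sorted(set(opts.get("network", [])) & upstream)
        if stype != "zone" or not exposed:
            continue
        for chain in ("input", "forward"):
            # Only an explicit ACCEPT is flagged; unset policies are not evaluated.
            if (opts.get(chain) or [""])[0].upper() == "ACCEPT":
                findings.append(((opts.get("name") or ["?"])[0], chain, exposed))
    return findings

if __name__ == "__main__":
    for zone, chain, nets in audit_zones(POSTED):
        print(f"zone {zone}: {chain}=ACCEPT applies to upstream network(s) {nets}")
```

A layout like the default install, with only lan in the lan zone and the upstream networks in a wan zone set to REJECT for input and forward, produces no findings.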