I have a somewhat complex situation or desire, but am having difficulty getting it to work.

I rent a room, in this room is a network connection that goes to a switch, I want to allow this person to have multiple devices and wifi, but not using my network. Additionally, I want to have filtering and IP blocking for P2P, Torrents, etc.
I would just give them a router with the guestlan function from Fritzbox, but the Fritzbox router is not near the switch or a stong enough wifi signal. Pulling other cables is currently not an option, therefore I need another solution
In that my Fritzbox Wlan coverage is bad here, if it is possible, I would like to use the OpenWrt Router as an access point/Mesh. meaning use the OpenWrt Router to extend my fritzbox network at best with same SSID and login information.

Setup:

Fritzbox IP = 192.168.2.1

Static Routing setup as follows:
"IPv4 network" = 10.164.1.1
"Subnet mask" = 255.255.255.0
"Gateway" = 192.168.2.1

Netgear Smart Manages Plus Switch
Vlan 1 = Fritzbox and various computers and devices (all ports are untaged except the one for the OpenWrt router)
Vlan 2 = OpenWrt Router (only the OpenWrt Router is untaged)
Using Static routing both routers allow inter-vlan communication for internet access to the OpenWrt router.
Not one port is in both Vlans, Reason being, if the person disconnects the OpenWrt router and attempts to connect to my network, they have no access to my network or Internet.

Current OpenWrt Setup (after multiple attempts and resets)
Standard Setup /Fresh install except for:

Lan
Protocol: Static
IPv4 Address: 192.164.3.1
IPV4 Gateway 192.168.2.1

Wan
Protocol: Static
IPv4 Address = 10.164.1.1
IPV4 Gateway 192.168.2.1

Static Routes and Firewall settings have not been altered

Any and all help would be greatly appreciated, including suggestions on how to make this setup work. Pictures and config can also be provided, but that the OpenWrt Router was recently reset, I only included the current changes.

in this case... you'd best provide a diagram...

Hi, Thanks for the reply. I forgot that part
I hope the diagram helps, if it is not possible, or not feasible, I am more than open to other solutions.

nice diagram...

192.164 = typo?
you should also label which VLAN next to each 'interface' ( ip address / small colored box )

fundamentally all the action happens where 'vlan2'(smaller-large-square) intersects with the PI interface... which technically should be attached as a child of the switch... not a stepping stone... if it is 'internal' to the router and untagged on the wire then that may make sense... but I don't think so...

you may as well post;

uci show network

within <\/> code tags at the top of the posting box and remove any mac-addresses / passwords / usernames / public ip addresses...

but unless the switch is layer3 or each client tags 11q on the wire... the big vlan boxes dont make sense...

---

it 'looks' like you are trying to tag on the wire 192.168.2.x... to the Fritzboz over the L2 switch which some L2 switches will let you do (pass VLAN encapsulation info)... but that puts the client on the L2 switch in a predicament because it will probably expect the frames with the vlan tags stripped... traditionally you would 'trunk'(single-tagged-connection) direct to the fritz... have it strip the tags... then place the switch and both clients on the other Fritz interface (untagged frames)... or with a L3 switch that topology can work with a single interface only on the Fritz... because the switch will handle taking the tags away...

The problem here is that AVM's Fritz!OS doesn't expose any kind of VLAN configuration or control, so the only chance would be making the managed switch doing the tagging from two untagged ports of the Fritz!Box (LAN is untagged on ports 1-3, guest untagged on port 4; port 1 might be reconfigured as WAN).

The gateway needs to be on the same subnet as the interface. Lan shouldn't have a gateway in your case. And I think the wan subnet must be 192.168.2.0/24 since fritzboz seems to support only one wired lan.

Ok, an updated Diagram, hope it helps

uci show network

nice job... I was looking at in reverse before!(thought the net would have come in via the pi lol)

this is a left-field post and not super secure... but if you can;

• statix-ip a range of one of the 'green/blue' segment clients...
• logically isolate the ip ranges and forget vlans (on the L2 shared segment)
  (i'd personally do this faced with that topology in my home... for a business id buy a L3 switch but all routing would have to 'hop' via the rpi)...

think of the 'host-machine' as the green or blue clients... some get static ip's in one range and go via the pi... some get dhcp... and go direct via the gateway... ( the dark grey area would be your shared L2 segment )

really depends on your budget / intended level of isolation vs functionality... quite simple to flip a client from one network to another on the fly... but if you think clients are going to mess directly with other clients then it's not really appropriate...

(again... 192.164 is invalid... so don't tell IANA)

thank you for the input, I am not using a linux host, I was intending on setting it up using a standard Router

you could also possibly (dont know much about fritz sorry probably wrong on this too) use an eoip tunnel or similar to feed the green segment from the rpi to the fritz...

the only other topology that really works is a non-natted 'bastion-gateway' i.e.;

FRITZ 192.168.10.1<--------->RPI 10.2-|_________
                                               |            |x2
                                             20.1
                                         SWITCH
                                       SEGMENT1
                                   /        |
                            CLIENTa1  CLIENTa2                         CLIENTb1

I attempted that but: the Gateway for lan is automatically filled out from the wan interface. the changeing of the subnet was refered to as an invalid IP, and when saving it, then an error was in the subnet field

not sure if I understand the last part. Currently all the ports on the switch are in Vlan 1 and are untagged, there is one port in Vlan 2 for the Openwrt Router, also untagged. With Port 1 you mean on the OpenWrt Router? That is the setup I currently have and I have no internet from the OpenWrt Router

Having a VLAN only connected to one port is like connecting the OpenWrt router to an unmanaged switch with no other device connected. I don't see how you can used VLANs if fritzbox doesn't support multiple LANs that you can connect the VLANs to.

Ok, understand. I thought that was what the static routing would do for me, I read solutions that people had achieved inter-vlan traffic that way on a Fritzbox as a workaround.

In that case they probably terminate both VLANs in the second router, or they have a layer 3 switch which means it can route between VLANs.