[Apologies in advance for the long post!]
Hi guys.
I'm thinking about redesigning my network architecture.
My goal would be the following high-level design, and I'd appreciate hearing your view about the feasibility of implementing this with standard OpenWrt gear and "el cheapo" switches:
- Dual WAN setup with automatic fail-over: I have one fibre-optical internet line (400 MBit/s down, 200 MBit/s up), terminated in an optical network terminator ("ONT", media bridge fiber-to-Ethernet that "speaks" DHCP) and a DSL super-vectoring line (250 MBit/s down, 40 MBit/s up), terminated in a Fritz!Box running FritzOS
- Powerful Linksys WRT1200AC router which is my main router/internet gateway
- Multiple el-cheapo routers flashed to OpenWrt, acting just as plain WiFi access points
- Multiple el-cheapo switches to allow for a more complex physical setup across some rooms/floors
For the internet connectivity, I plan the following (and I believe it's possible, because I had a similar setup running some years ago already, using LTE as the fail-over WAN connection):
- Fibre to be the "main" internet connection; ONT connected to Linksys' WAN ethernet port, with the router obtaining an IP address directly from the ONT with DHCP
- DSL line to be the fail-over; one of the Linksys' Ethernet ports would be defined as a secondary WAN port, it would be connected to one of the Fritz!Box's LAN ports, from where packets would be masqueraded and sent through the Fritz!Box's WAN port (DSL line); so in this case the Linksys would not be the gateway, it would just be a router routing packets to a different gateway (the Fritz!Box)
Now the tricky part. I know in principle it should also be possible, but I'm not sure which challenges I might face:
- All access points should have two WiFis (SSIDs actually): one "trusted" WiFi, and one "guest" WiFi. Traffic coming in via either of these wireless interfaces must be completely separated from the other WiFi.
I know this can be done with VLANs, and I also know that OpenWrt can do this in principle. What I'm not sure about: Would I have to tag each of these VLANs, or could I have one "untagged" VLAN ("trusted") and one "tagged" VLAN ("guest") configured?
The background to my question about mixing "tagged" and "untagged" traffic on one port/cable is my idea to have all my "trusted" traffic untagged (because somehow I feel that's simpler and "more resilient" against misconfigurations; also some devices may not even be able to "tag" Ethernet frames, especially cheaper devices like printers).
(Can untagged traffic remain untagged, or would the "untagged" traffic have to be "auto-tagged" to a default VLAN?)
I'm using several switches inside my house. Will every el-cheapo switch be able to handle tagged Ethernet frames, or does it need a "smart" (managed) switch to be able to do so? Considering that the VLAN tag is included in the middle of the Ethernet frame, with the Dest/Src MAC address at the beginning, I believe using el-cheapo switches could work, because the VLAN tag (and even the fact that the frame is a "tagged" frame) would be simply "invisible" to them?
- Traffic from all "trusted" WiFis and all (by definition "trusted!") Ethernet ports should land in the same IP network (regardless of which physical AP they originate from), and traffic from all "guest" WiFis should land in a different (but for all guests the same) IP network. This way I could prohibit "guest" traffic from being routed by the Linksys to the "trusted" network (where for example my NAS devices reside), but allow it to just be routed (and masqueraded) to the WAN port.
Ok, I hope you're still with me at this point. I'm eager to hear your comments about my intended design, and whether it's feasible.
Many thanks in advance.
Kr,
Ralf
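The following is an added illustration, not code from the post above or from OpenWrt. It models what the post asks about: an 802.1Q trunk that carries the "trusted" VLAN untagged (as the port's PVID) and the "guest" VLAN tagged, and how a managed switch port treats frames at ingress and egress. It shows that an untagged frame from a device like a printer stays untagged end to end (the PVID is only an internal label), that a guest-tagged frame is never emitted on an access port, and that a tagged frame is 4 bytes longer than an untagged one, which is the practical caveat with unmanaged gear: the tag sits after the MACs so MAC-based forwarding still works, but the frame grows to 1522 bytes with FCS and some old or cheap switches drop or strip it, and an unmanaged switch enforces no separation at all; only the endpoints and the managed ports do. The VLAN IDs (1 for trusted, 20 for guest), MAC addresses and port layout are constructed assumptions.

```python
"""Toy model of 802.1Q tagging on a trunk carrying one untagged ("trusted")
VLAN and one tagged ("guest") VLAN. Constructed example: VLAN IDs, MACs and
the port layout are made up, not taken from the post or from any real network."""
import struct

TPID_8021Q = 0x8100          # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
MAX_LEGACY_FRAME = 1518      # classic Ethernet maximum incl. 4-byte FCS, before 802.1Q

TRUSTED_VID = 1              # assumed: trusted traffic rides untagged (PVID) on the trunk
GUEST_VID = 20               # assumed: guest traffic is tagged with VID 20


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame without FCS. If vlan_id is given, insert the
    4-byte 802.1Q tag between the source MAC and the EtherType."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan_id (None when untagged), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan_id = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def oversize_for_legacy_switch(frame):
    """A tagged 1500-byte payload gives a 1522-byte frame on the wire (with FCS);
    gear that still enforces the 1518-byte pre-802.1Q limit may drop it."""
    return len(frame) + 4 > MAX_LEGACY_FRAME


class SwitchPort:
    """Managed-switch port: untagged ingress is labelled with the PVID internally;
    on egress a VLAN leaves untagged if it is the PVID, tagged if it is in
    tagged_vlans, and is not forwarded at all otherwise."""

    def __init__(self, name, pvid, tagged_vlans=()):
        self.name, self.pvid, self.tagged_vlans = name, pvid, set(tagged_vlans)

    def ingress(self, frame):
        f = parse_frame(frame)
        if f["vlan_id"] is None:
            return self.pvid, f                  # untagged -> PVID; the label never hits the wire
        if f["vlan_id"] in self.tagged_vlans:
            return f["vlan_id"], f
        return None, f                           # tagged for a VLAN this port does not carry

    def egress(self, vid, f):
        if vid in self.tagged_vlans:
            return build_frame(f["dst"], f["src"], f["payload"], vlan_id=vid, ethertype=f["ethertype"])
        if vid == self.pvid:                     # PVID member: tag stripped, frame leaves untagged
            return build_frame(f["dst"], f["src"], f["payload"], ethertype=f["ethertype"])
        return None                              # not a member: frame is not forwarded here


def forward(in_port, frame, out_ports):
    """Flood a frame from in_port to out_ports, honouring VLAN membership."""
    vid, f = in_port.ingress(frame)
    if vid is None:
        return {p.name: None for p in out_ports}
    return {p.name: p.egress(vid, f) for p in out_ports}


# Constructed topology: printer on an access port, AP and router on trunk ports.
PRINTER_PORT = SwitchPort("printer", pvid=TRUSTED_VID)
AP_PORT = SwitchPort("ap", pvid=TRUSTED_VID, tagged_vlans={GUEST_VID})
ROUTER_PORT = SwitchPort("router", pvid=TRUSTED_VID, tagged_vlans={GUEST_VID})

BROADCAST = bytes.fromhex("ffffffffffff")
PRINTER_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
GUEST_MAC = bytes.fromhex("020000000002")     # constructed


def demo():
    """Case 1: untagged printer frame. Case 2: guest-tagged frame from the AP."""
    printer_frame = build_frame(BROADCAST, PRINTER_MAC, b"print job")
    guest_frame = build_frame(BROADCAST, GUEST_MAC, b"guest data", vlan_id=GUEST_VID)
    return {
        "printer": forward(PRINTER_PORT, printer_frame, [AP_PORT, ROUTER_PORT]),
        "guest": forward(AP_PORT, guest_frame, [PRINTER_PORT, ROUTER_PORT]),
    }


if __name__ == "__main__":
    for case, ports in demo().items():
        for port, frame in ports.items():
            print(case, "->", port, "dropped" if frame is None else parse_frame(frame)["vlan_id"])
```

In the model the printer's frames reach the AP and router untagged (the PVID is never written to the wire), while the guest frame reaches the router tagged 20 and is dropped towards the printer port, which is exactly the separation the post wants. The model is the managed-switch behaviour; on an unmanaged switch `forward` would simply flood every frame by MAC and the separation would rest on the OpenWrt bridge VLAN filtering at the APs and the router alone.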