Configure a sub router on an isolated network sharing only the internet connection

Hello!

I would like to configure a router to share my network's internet connection but be completely isolated otherwise. The reason is to create an isolated network where I can lock down firewall rules for just the devices that connect to this router. Ideally, this router connects to my current network from its WAN port to the LAN port of my current network and has an IP address within my current network, for ease of management.

I don't know what this is called so I can't find any guides to do this.

If instead there is a way to turn this router into an access point that has its own firewall and IP tables, that would work too I suppose. It's really about blocking specific traffic through the WAN port.

I appreciate your help!

I can't tell if what I want is a routed client... https://openwrt.org/docs/guide-user/network/routedclient

If I understood you correctly, then this is simply a router cascade. There is no guide for this because you can connect as many routers as you want in a row through their WAN ports.
As soon as you've connected a 2nd router's WAN to the 1st router's LAN, you have control over what the WAN (2nd router) is allowed to send/receive. I would not try to control this on the 1st router.

It would help if you explained in more detail exactly what you want to achieve.

This setup may give you a better idea how you could do it. Managing firewalls on each router is a pain and leads to more errors and more time spent searching for those errors. Separating LANs with VLANs and managing one firewall in front of those devices makes more sense (IMO).


I appreciate your response, pwned!

This sounds like what I'm trying to do; cascade a router. Thanks! I reset my OpenWRT router config back to defaults and plugged its WAN port into an open LAN port on my primary switch but I can't get a ping to any external site from the diagnostics page. I think maybe the WAN port isn't getting an IP address? I've tried configuring it for DHCP as well as a static IP but no dice. Clearly I'm misunderstanding something here. Also, the WAN interface doesn't have the option to stop like the LAN interface and it's red, not green.

I think my issue here is with IP addressing. I need to mirror the 1st and 2nd octet between the routers and vary the 3rd octet, right? I'll play around with this.

If you connect your 1st router via LAN to the 2nd router's WAN, then you have a firewall in between. The WAN on the 2nd router only allows outgoing traffic from devices connected to the LAN on the 2nd router. Your 2nd router should get an IP address within the range of the 1st router's defined LAN.
If you want to allow incoming traffic you have to modify the WAN firewall zone on the 2nd router first. To access the LuCI interface on the 2nd router you have to connect a client to the 2nd router's LAN and configure it.
Then it depends on your needs. You could just create a so-called "dumb ap" which means disable firewall, dhcp server, etc.: https://openwrt.org/docs/guide-user/network/wifi/dumbap

As you requested:

you can use some parts of this guide. So disable DHCP first. Assign your LAN interface an address e.g. 192.168.2.1

You would need to allow some ports incoming on WAN:

443 and 80 for LuCI interface access.
67-68 for DHCP; for DHCPv6 things are more complex. So I'll skip it.
22 for SSH access to the device.

With a routed client, which is what you should use if you don't know or trust the network you're connecting to for Internet access, the router's LAN can't be the same subnet as the network on the WAN.

The default LAN subnet is 192.168.1.0/24, meaning all addresses with the first 24 bits the same (192.168.1.X) are in it. If the network you're connecting to is also 192.168.1 you need to change the LAN IP to something like 192.168.2.1.


Thanks pwned and mk24 for the guidance. @pwned I think I want to explore the cascaded router configuration first, as my original goal was isolation except for internet traffic.

@mk24 so I think I understand this but the OpenWRT configuration has me a bit confused. To clarify:

router 1: IP 192.168.1.1/24
router 2: WAN static configuration
IP 192.168.2.1
gateway 192.168.1.1
broadcast 255.255.255.0 (same as router 1, shouldn't matter)
router 2: LAN configuration 10.0.0.1/24


That's wrong, must be:

router 2: WAN IP 192.168.1.2

The 2nd router's WAN IP must be in the 1st router's LAN IP range.

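The addressing mistake in this exchange (router 2's WAN placed in 192.168.2.x while router 1's LAN is 192.168.1.0/24) is easy to catch before touching the router. The script below is an added example written for this thread, not something posted by any participant or shipped with OpenWrt: it checks that the cascaded router's WAN IP lies inside the upstream LAN and that its own LAN does not overlap that subnet (mk24's point), then prints the matching `/etc/config/network` stanzas. It assumes plain POSIX sh and only prints text; the addresses in the sample run are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the addressing of a cascaded
# (routed-client) OpenWrt router and print the matching /etc/config/network stanzas.
# Assumption: plain POSIX sh; nothing here calls uci or touches a router.

# Convert a dotted-quad IPv4 address to an integer so a netmask can be applied with &.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 NETMASK: succeed (status 0) when both addresses share a network.
same_subnet() {
    a=$(ip_to_int "$1")
    b=$(ip_to_int "$2")
    m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_cascade WAN_IP UPSTREAM_GW UPSTREAM_MASK LAN_IP LAN_MASK
#   0: consistent
#   1: router 2's WAN IP is not inside router 1's LAN (the mistake made in the thread)
#   2: router 2's LAN overlaps router 1's LAN, so routing between them breaks
check_cascade() {
    same_subnet "$1" "$2" "$3" || return 1
    if same_subnet "$4" "$2" "$3" || same_subnet "$4" "$2" "$5"; then
        return 2
    fi
    return 0
}

# Print the static WAN and LAN sections for router 2, but only if the check passes.
router2_network_config() {
    check_cascade "$1" "$2" "$3" "$4" "$5" || return $?
    cat <<EOF
config interface 'wan'
        option proto 'static'
        option ipaddr '$1'
        option netmask '$3'
        option gateway '$2'
        option dns '$2'

config interface 'lan'
        option proto 'static'
        option ipaddr '$4'
        option netmask '$5'
EOF
}

# Sample run with the thread's corrected addresses (constructed input).
router2_network_config 192.168.1.2 192.168.1.1 255.255.255.0 10.0.0.1 255.255.255.0
```

Running it with the original WAN address 192.168.2.1 makes `check_cascade` return 1 and nothing is printed, which is exactly the situation where the WAN interface stays red in LuCI: router 1 has no route back to a 192.168.2.x host. The same check flags the default LAN of 192.168.1.1/24 on router 2 as overlapping (status 2), which is why mk24 suggests moving it to 192.168.2.1 or, as the OP did, to 10.0.0.1/24.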

You're absolutely right, Barney. The WAN IP of router 2 is within the IP space of router 1. I got it working after I realized that.

That sounds good! The more you know the better. Your approach makes things more complicated. But go with this first and try to learn. You can segregate your LAN with VLAN later also (if needed).

If the goal is to just block some devices from internet access you could block them with a simple firewall rule also:

config rule
        option name 'Block-Device-to-access-Internet'
        option src 'lan'
        option src_mac '00:00:00:00:00:00'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

Important here is the device MAC address. The device can still access the LAN.

Yes, I'm going to need to write a few of these rules, specifically to block all LAN devices from all IP addresses except for those I list. Likely unnecessarily complicated, but it makes sense to me.

For future reference, I was able to configure the second router cascading from the primary router and add a rule under Network > Firewall > Traffic Rules which blocked all traffic from this isolated router through the WAN port to the primary router network. This rule rejects any protocol from the LAN source zone to the WAN destination zone. There was no need to specify a MAC. I still want the device to have access to the network in case I want to grant access to an internal server in the future, such as DNS or a printer, but this rule prevents visibility from the LAN.

I was then able to add a rule above the reject-all rule specifying TCP:443 traffic from the LAN to the WAN for a specific IP address, say one for wikipedia.org, was allowed, and tested this successfully in a browser. The understandable caveat is that if the website were to change IP addresses, or use Dynamic IP and that host was down, the site would not load, but this is acceptable and can be remediated by adding/removing a new IP address.

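The two rule types discussed in the last posts (pwned's per-MAC block, and the OP's allow-list of specific IP:port pairs placed above a reject-all LAN to WAN rule) share one property that is easy to get wrong: OpenWrt evaluates traffic rules in the order they appear in `/etc/config/firewall`, so an ACCEPT that lands below the catch-all REJECT never matches. The script below is an added example written for this thread, not code posted by any participant or part of OpenWrt: it generates both kinds of rule as UCI text and checks the ordering. It assumes plain POSIX sh plus awk; the 203.0.113.x addresses and the MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the /etc/config/firewall traffic
# rules for the isolated router: explicit ACCEPT rules for an allow-list of
# destination IP:port pairs, then a catch-all REJECT from LAN to WAN, plus the
# per-device MAC block from the thread. Assumption: plain POSIX sh and awk;
# output is only printed, nothing is written to a router.

# One ACCEPT rule. It must precede the catch-all because OpenWrt evaluates
# traffic rules in the order they appear in the config file.
emit_allow_rule() {
    ip=$1; port=$2; src=$3; dst=$4
    cat <<EOF
config rule
        option name 'Allow-${ip}-${port}'
        option src '${src}'
        option dest '${dst}'
        option dest_ip '${ip}'
        option dest_port '${port}'
        option proto 'tcp'
        option target 'ACCEPT'

EOF
}

# Block a single LAN device (by MAC) from reaching WAN; it keeps LAN access.
emit_mac_block_rule() {
    cat <<EOF
config rule
        option name 'Block-${1}-to-wan'
        option src 'lan'
        option src_mac '${1}'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

EOF
}

# emit_isolation_rules SRC_ZONE DST_ZONE IP:PORT [IP:PORT ...]
# Allow-list first, catch-all REJECT last.
emit_isolation_rules() {
    src=$1; dst=$2; shift 2
    for entry in "$@"; do
        emit_allow_rule "${entry%:*}" "${entry#*:}" "$src" "$dst"
    done
    cat <<EOF
config rule
        option name 'Reject-all-${src}-to-${dst}'
        option src '${src}'
        option dest '${dst}'
        option proto 'all'
        option target 'REJECT'
EOF
}

# Succeed only if at least one ACCEPT exists, a REJECT exists, and no ACCEPT
# comes after the first REJECT (an ACCEPT below the catch-all is dead).
accept_before_reject() {
    printf '%s\n' "$1" | awk '
        /target .ACCEPT./ { if (!r) ok++; else bad++ }
        /target .REJECT./ { if (!r) r = NR }
        END { exit !(ok > 0 && bad == 0 && r > 0) }'
}

# Sample run with constructed addresses from the documentation range 203.0.113.0/24.
rules=$(emit_isolation_rules lan wan 203.0.113.10:443 203.0.113.11:443)
printf '%s\n' "$rules"
emit_mac_block_rule 00:11:22:33:44:55
```

On the router the printed stanzas would be appended to `/etc/config/firewall` and applied with `/etc/init.d/firewall restart`; in LuCI the same ordering is what you see (and can drag) under Network > Firewall > Traffic Rules. The caveat the OP mentions still holds: the allow-list is by destination IP, so a site that moves to a new address stops loading until its entry is updated.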