Hi, I'm new to OpenWRT and am trying to set up my router with the following, using both IPv4 and IPv6:
I'm aiming to have two subnets, completely isolated from each other, with one subnet completely isolated from the internet and the other (LAN) configured as a standard home network. I have put the two subnets into separate VLANs and separate firewall zones, and ensured that forwarding between the two zones is disabled, which is good enough for the IPv4 configuration.
I don't have much experience with IPv6 so I'm not really sure how to complete this configuration on the IPv6 side of things. I think I should configure two separate ULA /64 prefixes for both subnets, so that I can use ULAs instead of link-local addresses in DNS records, and then set up router advertisements with RDNSS on both instead of DHCPv6, so that I can disable the DHCPv6 server entirely (I'm only using it for advertising DNS servers and nothing else currently).
Link-local addresses are inherently confined to one interface. Typically the router's link-local is a client's default route and DNS. If you have a prefix from your ISP you can set up two LAN /64 (or possibly larger) GUA subnets which are isolated from each other but still route to the Internet.
One problem with ULAs is that many endpoint client OSes do not treat them as a way to reach the Internet. If your LAN endpoints have only a ULA, of course NAT6 must be used, but again the clients are likely to fall back to v4 and not even try v6.
Sorry, I don't think I conveyed my intentions clearly in the post. What I'm aiming for is:
1) home LAN subnet: has my laptops, phones, TVs, etc.
2) isolated subnet: contains devices which communicate with each other but which shouldn't access or be accessed from anywhere outside the subnet
which is essentially equivalent to having two separate networks. The most appropriate thing to use of course would be two separate physical routers but I would prefer to just use one due to space constraints.
That is possible on OpenWrt. Create a new Interface and place it in a new separate firewall zone, and don't allow forwarding in or out of that zone. There are instructions in the wiki for a guest network, which is basically this concept. To use IPv6 in the network, allow ICMPv6 input, since that includes RA.
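Putting the two replies together (a separate interface in its own zone with no forwarding, RA with RDNSS instead of DHCPv6, ICMPv6 input allowed), here is an example UCI configuration for the isolated network. It is an added illustration, not anything posted in this thread; the interface name iso, bridge br-iso, port lan1.20 and subnet id 20 are assumptions, and it relies on the ula_prefix that OpenWrt generates in the globals section of /etc/config/network.

```text
# /etc/config/network (fragment)
config device
	option name 'br-iso'
	option type 'bridge'
	list ports 'lan1.20'                     # assumed port, VLAN 20 tagged

config interface 'iso'
	option device 'br-iso'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '64'                    # carve one /64 out of the generated ula_prefix
	option ip6hint '20'                      # -> <ula_prefix>:20::/64; give lan a different hint

# /etc/config/dhcp (fragment)
config dhcp 'iso'
	option interface 'iso'
	option dhcpv6 'disabled'                 # no DHCPv6 server on this segment
	option ra 'server'
	list ra_flags 'none'                     # M/O bits clear, so hosts never solicit DHCPv6
	option ra_dns '1'                        # RDNSS: announce the router's ULA as the resolver
	option ra_lifetime '0'                   # router lifetime 0: not a default router (no Internet here)

# /etc/config/firewall (fragment)
config zone
	option name 'iso'
	list network 'iso'
	option input 'REJECT'                    # only the rules below may reach the router itself
	option output 'ACCEPT'
	option forward 'REJECT'
# deliberately no 'config forwarding' section with src or dest 'iso'

config rule
	option name 'Allow-ICMPv6-iso'
	option src 'iso'
	option proto 'icmp'
	option family 'ipv6'
	list icmp_type 'router-solicitation'     # RS from hosts; the RA reply is output, already allowed
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-DHCPv4-iso'
	option src 'iso'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

Because the zone has input REJECT and no forwarding entry, a host on iso can only talk to its neighbours and to the router's own DNS and DHCPv4, over both address families; after applying, `ip -6 addr show br-iso` should show the ULA /64 and clients should receive it via RA alone.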