Hello,
Use case - need to move media server from home to garage. There is one ethernet wire going from home to garage. There is one router in the home (TP-Link, native firmware) and one router in the garage (flashed with OpenWrt 23.05). I tried to set up 2 VLANs on the garage router that would a) allow traffic from the home network to the server (keeping home network IPs) and b) provide a second VLAN for IoT devices (different IPs/subnet).
Should I connect home router => garage router via WAN port? How to separate traffic on the garage router for servers (home network) and separately for IoT devices?
Thanks
Since you have a wired IoT device, instead of creating an empty bridge, you will need to add some port to br-iot (the way depends on whether the device is DSA or swconfig).
Got it, will connect LAN 5 (on main) to LAN 1 (on garage). Is it possible to reconfigure the WAN port (on garage) to act as a normal LAN port? (I have more wired IoT devices than free LAN ports after "losing" one LAN port for the router-to-router connection.)
Dumb AP + Guest Wi-Fi on a Dumb AP done. Works great. Thanks.
How to add Lan 3 & Lan 4 to "br-iot" bridge ?
How to transform Wan port to Lan 0 ? (Afterwards I assume I will need to modify the "br-lan" interface and add Lan0 to the already existing Lan1 and Lan2 ports.)
I assume I can remove interfaces "wan" and "wan6" for cleaner config, right?
posting my /etc/config/network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd11:3388:aa9f::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.0.1'
	list dns '1.0.0.1'
	list dns '8.8.8.8'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-iot'
	option bridge_empty '1'

config interface 'IoT'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

Right, even mandatory.
Please note that there is a possibility that the device may not support more than one bridge. If it doesn't work as expected, we will need to switch to bridge vlan filtering.
Configured Dumb AP + Guest Wi-Fi on a Dumb AP as per provided links.
Problem - with firewall zones and firewall traffic settings my IoT devices cannot reach/communicate with the Home Assistant server that is located in the "home" network connected to the main router [10.0.0.5].
I assume a traffic exception rule, i.e. allow the IoT network to connect to the particular Home Assistant IP on the home network [10.0.0.5], should be added to the firewall rules. Other connections from IoT to the home network should be denied, right?
I also want to be able to type an IoT device IP [e.g. 10.0.100.104] into any PC browser on the home network and configure my Tasmota-flashed devices. Do I need to add some routing information to the OpenWrt router?
I have added an explicit rule for outgoing traffic from IoT to "this device, IP 10.0.0.5, port 8123". I can now see/access IoT devices from Home Assistant.
I have added a static route on my main router (TP-Link): to IoT network [10.0.100.0], Default Gateway = garage router (OpenWrt) IP address. I can now see/access IoT devices from a PC browser on my home network.
Any other suggestions how this can be configured without a static route on the main router, or how to minimize security risks coming from the IoT network?
With the current firewall traffic rules I cannot access the internet when connected to the IoT network. I guess this is expected as the NE_Block_IoT_To_Lan rule is enabled. Is it possible to modify the rule / create a new rule to (a) deny access to LAN; (b) allow access to internet? Reminder - my garage router is in Dumb AP mode behind the main router.
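
One way to get both (a) and (b) from the last question, as an added example that is not from any poster in this thread: on a dumb AP the internet is reached through the `lan` zone, so the LAN block has to be limited to the home subnet and sit after the Home Assistant exception. The zone name `iot`, every rule name except NE_Block_IoT_To_Lan, the contents of that rule, and the garage router serving DHCP/DNS to IoT are assumptions; 10.0.0.0/24 is derived from the posted `lan` address and netmask.

```uci
# /etc/config/firewall fragment (added example, names are assumptions).
# Rules are evaluated in file order and the first match wins.
config zone
	option name 'iot'
	list network 'IoT'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# IoT clients may use the garage router only for DHCP and DNS.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# 1. Exception: IoT may open connections to Home Assistant only.
config rule
	option name 'Allow-IoT-To-HomeAssistant'
	option src 'iot'
	option dest 'lan'
	option dest_ip '10.0.0.5'
	option proto 'tcp'
	option dest_port '8123'
	option target 'ACCEPT'

# 2. (a) Everything else addressed to the home subnet is rejected.
config rule
	option name 'NE_Block_IoT_To_Lan'
	option src 'iot'
	option dest 'lan'
	option dest_ip '10.0.0.0/24'
	option proto 'all'
	option target 'REJECT'

# 3. (b) Whatever is left is internet-bound and leaves via the lan zone.
config forwarding
	option src 'iot'
	option dest 'lan'
```

Replies to connections opened from the home network toward IoT devices still pass, because established traffic is accepted before these rules are consulted. If the main router does not translate the IoT subnet toward the internet, enabling `option masq '1'` on the garage router's `lan` zone is the usual alternative.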