I've search around a bit about this issue but it is very confusing, a lot of times the instructions assume the AP's WAN port as the internet gateway connection, this is not the case.
This is the basic network layout:
Internet Router <-> Switch / DHCP Server <-> (((( OpenWRT AP )))))
The main cabled and wireless network is 192.168.1.x
I assume the secondary wi-fi network should be on a different subnet, lets assume 192.168.10.x
So, the AP has DHCP disabled, static IP, and just forwards the broadcast requests which the DHCP server eventually replies to. What I would like to do is create a secondary wi-fi network completely isolated from everything else and can only just use internet, but keeping in mind that the internet gateway is not directly connected to the AP. Does the configuration involve setting up vlans and tagging in other parts of the network or can everything be done in the AP itself?
A quick write up or useful links for this particular setup would be much appreciated.
I set these up as routed clients. The guests are on a separate network. The AP issues them DHCP addresses and NATs them back to the main network. Firewall rules prevent them from reaching any private part of the main network, but they can reach the Internet. There is no additional configuration of the main network needed. The OpenWrt AP looks like a simple LAN device to it.
I can almost see how that could work, but I'm not quite sure how to do this.
Lets say that the internet gateway is 192.168.1.254, the private DHCP server is 192.168.1.1.
If I create a guest wi-fi network and enable DHCP exclusively for that wi-fi network with a different subnet (192.168.5.x), how do I configure the NATs to the main network and at the same time set up firewall rules so that guest clients can't reach the private range's but can still fully reach the internet?
The gateway and AP are on the same subnet, but the connection between both runs through a dumb switch. Also, the internet router (gateway) doesn't do VLAN tagging.
Yes, that is already the case, the AP has been working fine for a while, I just want to explore the guest wifi possibility and have the clients from it isolated from the rest of the internal network.
Unfortunately I'm not sure how to do that and what it requires.
Would I need a second Ethernet cable for traffic exclusive to/from the guest network?
A gateway on an upstream switch is fine; but if you cannot VLAN on the main router nor VLAN the switch, then obviously one cannot isolate networks from there.
You can only setup the OpenWrt as a normal router. One SSID can face LAN and ther other face WAN. You could firewall LAN then - so it cannot contact IPs on the Internet Router's LAN.
Be sure to allow DNS or use a public one on the OpenWrt WAN!
Yes, I suppose you're right. I have no way of tagging the traffic on both ends, so I see how that would never work. Even if I swapped the switch for a medium one that supports tagging I would still have the gateway to deal with - also doesn't do tagging.
This suggestion seems to be similar to the one from @mk24
I have many doubts how to achieve this... I assume that the guest wi-fi must have its own DHCP and subnet, but if it is on a different subnet how do I route the traffic to the internet gateway? And whenever WAN is mentioned, I get confused between the interface in OpenWRT and the actual internet.
But the text doesn't seem to match the settings in the screenshots at times which makes me doubt everything I try. Being visually outdated also doesn't help, but that's the least of it.
I'm referring to the network facing the WAN side of your OpenWrt, that would be LAN on your Internet router. No discussions have mentioned your true Internet (WAN on the Internet Router).
The tutorial is good. The screenshots are from an earlier version but most of the stuff should be the same (I'm a CLI person so I don't know that much about it). First get the router working with the default LAN (which you will leave in place for administration use) and a wired or wireless connection to your main network which is the WAN. Anything beyond this router is the wide area, even if it is in the same house. I'll return to that later.
Next you're creating a third network. It has to have a different IP range than the other two. It has its own firewall zone. The firewall forwards from guest to wan. This connects the guests to the Internet, the same way lan users connect to the Internet, but through a parallel path so that guests can't reach the lan. Now if you don't set up the firewall, the guests could still see (and if they hack it, use) the router's internal web and ssh servers. Setting "reject input" blocks that. But it also blocks router services that they need which are DHCP and DNS. The tutorial explains how to make specific exceptions for them.
The only thing left is that since from the router's perspective, the main network is part of the Internet, guests can access it, for example going to 192.168.100.1 which is what most cable modems use. You don't want that. So add another rule to block guests from 192.168.0.0/16. That seems like it wouldn't work since your main router gateway to the Internet is somewhere in there, but it does because the rule is based on the final destination of the packet not any intermediate steps.
Finally you can install sqm and put a bandwidth limit on br-guest, which will prevent guests from hogging up all of your ISP speed, and help mitigate hacked IoTs that try to make DDOS attacks.
As expected, following the tutorial mentioned in one of my previous posts resulted in no internet access. I followed the tutorial exactly as explained, but I can't help thinking that the tutorial refers to WAN as the physical port, which is not being used by the AP.
Great, @mk24!
Seems to work nicely.
At first the internet worked but not the isolation, then I tweaked the firewall rule and changed the destination zone from device (input) to any zone (forward):
Any tcp, udp
From any host in guest
To IP range 192.168.0.0/16 on this device
to:
Any tcp, udp
From any host in guest
To IP range 192.168.0.0/16 in any zone
