Hi gang. I have a WRT3200ACM running 19.07. My primary use for OpenWrt is to have this router use the OpenVPN client to connect to my VPN provider, on a kill switch, so any connected devices are always behind VPN. I also have 8 or 10 gigabit ethernet ports in my house that run to this router (over a separate unmanaged switch).
Now, I have some appliances and stuff that hook on to my home wifi, which I can control with my phone. They work great! Except for a few troublemakers -- I'm looking at you, damned Mysa thermostats (previous thread on opening firewall for these). These things require 2.4GHz and UPnP, meaning they poke holes all over the firewall. I've not had success opening the specific ports they need on the firewall (and in the VPN connection). I think it's a combination of me not really knowing what I'm doing, the WRT3200ACM wireless being a little flaky, and the router being unable to reliably run anything newer than an ancient 19.07 build. So whenever I need to do any configuration on these Mysa thermostats, I have to switch to the stock Linksys boot partition, then they connect to this just great; then configure them, and reboot the WRT3200ACM back to the OpenWrt partition, whereupon the Mysa thermostats fall away, but it's ok because I don't need to do much with them.
I'm trying to come at it from a few different angles.
One idea I had was maybe I can make a guest network. It will be insecure as hell -- kind of like a stock router: it won't be tunneled through my OpenVPN client connection, it won't have any fancy firewall rules, and it will have UPnP so that my IoT devices can just wreak havoc on it. This insecure guest network will also be isolated and unconnected to my LAN and my second, 'secure' wifi network. If I have to, I think I can sacrifice the 2.4GHz radio for this guest network, and use a different SSID for the 5GHz radio so that my laptops, phones, and other devices I care about having a secure connection just connect to this.
Another idea I had was to buy a new router that supports a more modern build of OpenWrt. Maybe the newer versions of OpenWrt work better for opening holes in the VPN and firewall for a few select devices. Or maybe not, but I could revert the WRT3200 to its stock Linksys firmware with UPnP and no VPN, disable its 5GHz radio, and just have my IoT devices connect to it on 2.4GHz ... and then use the new router for 5GHz only and have all the other devices whose security I care about connect to this.
Is this crazy talk? Are any of these ideas worth pursuing? Please let me know what you think!