Guest network for washing machine, etc

After my "normal" network is set up now (more or less, see "No internet connection from the router via ssh from time to time"), I want to create a guest network for a washing machine and other things.

The AVM FRITZ!Box 7390 belongs to the ISP and has to be used with the stock firmware.
Connected to the Fritzbox is a Netgear R7800 with OpenWrt 18.06.1, via an ethernet cable at a LAN port.
The R7800 works as WDS master for an Archer C7 as WDS client.

For my understanding, I cannot connect the guest network of the R7800 via ethernet to the Fritzbox, so I have to use WiFi, right? The guest network has to have another IP range.

If this is correct, I have to create a wireless bridge, where the R7800 becomes a WDS client too (it is already a WDS master) for the Fritzbox, in the IP range of the Fritzbox guest network.

Please help me to design this correctly.

First a few questions:

  • Does the device need Internet connectivity, or only local connectivity?
  • Does the device connect directly to cell phone apps (meaning not indirectly through a server)?
  • Does the device need NTP?
  • Is the device IPv6 capable?
  • What are your objectives behind putting it on a "guest" network?

At the moment I am in the planning phase and I have to learn what is possible. The washing machine is a Bosch WAYH2891 and I have a lot of problems with it over WiFi (same with the dryer). I once got it to work with the old TL-WR1043ND but never with the R7800. Probably it was luck with the TL-WR1043ND. The connection has to be done with https://play.google.com/store/apps/details?id=com.bshg.homeconnect.android.release IMHO the app is very, very poorly coded; it looks to me like a proof of concept that the washing machine can connect to the internet.

Maybe it is easier to start the discussion with a TP-Link HS110(EU), which needs https://play.google.com/store/apps/details?id=com.tplink.kasa_android (AFAIK). I haven't bought the HS110 yet, and if you can recommend anything else, let me know. I will buy the HS110 especially for testing the router configuration.

Does the device need Internet connectivity, or only local connectivity

I am not sure, but let's say yes. This is one reason why I would like to use another IP range.

Does the device connect directly to cell phone apps (meaning not indirectly through a server)?

I assume a server is used with Home Connect, and with the HS110 you have to log in to the cloud.

Does the device need NTP?

No idea, the washing machine doesn't show a time, but who knows what updates bring.

Is the device IPv6 capable?

No idea, but I assume so, otherwise the IP addresses will be limited too much. At the moment I tried IPv4 with the washing machine, but I assume this is a question of configuration. The R7800 has IPv6 disabled.

What are your objectives behind putting it on a "guest" network?

Security reasons? I want to keep IoT away from my personal things as much as possible. So in the end we have to discuss firewall rules to limit as much as possible.

To keep it simple I suggest using IPv4 for the start. There are 3 things which I want to include: a washing machine, a dryer and the WiFi plug.

It seems you may not need physical ports on your switch; but everything else applies.

IP range isn't the issue, an aging IoT device on the Internet is. Although, separating them from your other devices via VLAN is an excellent idea too!

So, you likely need Internet. You would allow forwarding from the Zone to WAN.

I'm quite concerned about a washing machine that needs Internet; but YMMV.

Many "smart" home appliances use cloud services instead of local discovery, which means that they "need" Internet access in order to work with your mobile phone, tablet etc.

https://www.home-connect.com/global/ (BSH home appliances)
https://www.samsung.com/us/smart-home/ (Samsung home appliances)
etc

I'm very familiar with the TP-Link devices in that line.

  • They "phone home" even if you disable it in the app
  • They have a proprietary app that works through the cloud, and might work on the local network
  • They utilize a fixed set of NTP servers
  • They have very weak "encryption" (OK, trivial "encryption")

I run them on their own subnet, with very strict firewall rules. That subnet is bridged to a specific SSID that only TP-Link devices are connected to. I supply "forged" DNS for their cloud servers (returns NXDOMAIN) as I manage them locally with MQTT and a server that runs third-party control software. The DNS redirects the hard-coded NTP servers to a local NTP server. In short, they're on a "dead-end" subnet.

That is the general approach that I take, opening up Internet access only when required. For example, the Lutron Caseta system requires MQTT-over-TLS connection to its cloud-based service (which I marginally trust) and that's all it gets.


Thanks for your replies. I have a lot to read :wink:

In the meantime I ordered 2 Teckin smart plugs with an Amazon deal for about half the price of one HS110. It uses Smart Life - https://play.google.com/store/apps/details?id=com.tuya.smartlife

At the moment I do not see a big difference for testing compared to the HS110. If I understood everything right, the data collecting with the HS110 can be reduced, but you have to learn how to do it. Generally said, all apps are collecting as much data as they can, and you cannot trust them.

So if I understood it right, I do not need a WLAN bridge between R7800 and Fritzbox and I can use VLANs? Can you recommend a doc to read? What would be an easy way to test it?

You're on your own for figuring out what those Teckin devices need to operate and what they connect to. I'd make sure you've got wireshark up and running (on a laptop/desktop) and either know how to set up your switch to monitor a port, or how to use tcpdump remotely over SSH so you can monitor those plugs' boot-up and operation.

Use of a network-monitoring tool like wireshark is really essential knowledge for "testing" that the connectivity is what you think, and only what you want. There are other tools like packet generators, but wireshark will get you 95% of the way there.

How you link your R7800 and Fritzbox has pretty much nothing to do with how you manage connectivity for the subnets and SSIDs offered by your OpenWrt box. Since you probably won't be trunking VLANs, the complexities of doing so over 802.11 aren't something you're going to need to deal with.

Setting up a "guest" LAN has been covered in numerous wiki pages and threads here. Doing it for a set of IoT devices is pretty much the same.

For split-horizon DNS, I use unbound as, with builds from source after September 1, 2018, "views" work very well in a wide set of situations and can be tied to specific subnets.

For DHCP, dnsmasq can probably handle it, but since I don't use it for DNS, I don't run it at all. I personally use kea.

Maybe there is a misunderstanding. For my first tests I do not care if the plug phones home, and maybe I can ignore it if I know what I will do with it later. I just want it to work with another IP range. That is my first goal.

I do not understand a lot re VLAN, although I started reading. Mainly I do not understand the connection to the Fritzbox, which seems to be the biggest understanding problem at the moment.

The Fritzbox has a "normal" mode and a "guest" mode with WiFi and not with ethernet cable. So how can I connect via cable to the Fritzbox, if I want to set up VLANs with an R7800 using OpenWrt? Are you sure I do not need a wireless bridge between Fritzbox and R7800?

One way to think of VLANs is that they are "tags" on the packets flowing on the same wire (or through a switch). All devices on that wire can "see" the packets, but will only "read" the packets that have the VLAN tag that they are configured for. Alone, VLANs are not secure against "snooping", but when combined with a "managed" switch, they allow traffic from different subnets/clients to be run over the same wire, then split apart at the other end. VLANs are needed for the switch in a typical all-in-one router to operate as well.

How is your Fritzbox configured? Is it running NAT, or passing the DHCP through to your OpenWrt box?

One concept to implement this, assuming that your Fritzbox can only provide NAT-ed service to your OpenWrt box, might look like (net numbers made up):

  ISP
   |
   | 203.0.113.113/24 (public IP)
FritzBox
   |  192.168.0.1/24
   |  (untagged)
   |  192.168.0.2/24
OpenWrt
   |
  NAT
   |
------- (inner workings and firewall)
|  |  |
|  |  | 10.0.0.1/24 VLAN 100 - bridged - wireless SSID GuestNetwork
|  |
|  | 10.1.0.1/24 VLAN 101 -- bridged - wireless SSID WashingMachine
|
| 10.2.0.1/24 VLAN 102 -- wired network (untagged in the Ethernet jacks, for most people's config)

The switch generally needs to be configured to send tagged packets to the SoC's phy(s) so that the OS can easily tell the difference between them. (Easy to forge IP address, harder to forge which wire or SSID you're connected to.)

You'd want to set up the firewall you want, as each subnet would be able to get Internet access and connect to all the other subnets without rules to control the connections.

There are ways of getting fancier if you want to know which of your deep-inside hosts are connecting at the Fritzbox, but for most people not important.

If your Fritzbox is in "bridged" or "passthrough" mode, it just sort of disappears from the picture and the OpenWrt box gets your public IP.

AVM's OEM firmware is very simplified for its intended target audience, there is no VLAN tagging available to be configured on the LAN ports. The vendor firmware only allows to enable a guest network on LAN4 (untagged) in addition to the normal (untagged) LAN on LAN1-4 (yes, obviously the OEM firmware does support VLANs internally, but it doesn't expose it to the user in any way - other than allowing to re-dedicate LAN4 as guest network or LAN1 as IPoE WAN).


Given that informative answer, I'd start simple (like the diagram above). Then, once you get it going and decide that there are things you want to add/change, you can decide if they're worth the time to configure.

Lots of people here can help with those kinds of modifications, especially if you give them a clear picture of your setup (since they will have long forgotten this thread).

Thanks a lot for your explanations! I searched the Fritzbox config and found something, which I attach as screenshots. I am very busy at the moment and I have to think about what I want exactly. It depends a lot on what is possible with the Fritzbox.

But for testing, I would say I want to get this to work:

Fritzbox (FB) connects to the internet.
R7800 is connected to the FB via ethernet cable to a LAN port and is a wireless bridge master for a C7.
All is in the range 192.168.178.0/24.
The WAN port of the R7800 is not used.

It is not possible to connect a 2nd ethernet-cable between FB and R7800 (different rooms). Maybe this is the most important thing to know!

The guest network of the Fritzbox is in the range 192.168.179.0/24 (default guest-IP range of the FB)

The R7800 guest network should be in 192.168.179.0/24.

The mobile phone should be able to configure the plug or whatever from the "normal" network range 192.168.178.0/24 and from a mobile internet connection outside. So it should be possible to connect from the 178 range to 179, but not in the other direction.

If this is very difficult to configure or impossible, let me know. I can think about the mobile phone access for the plug configuration. In the worst case I can connect with the mobile phone to the 179 network directly.

As a scenario I think at the moment to switch on and off light when I am on vacation to let a thief think, I am at home.

[screenshots: fritzbox_vlan1, fritzbox_vlan2, fritzbox_vlan3]

Personally, I'd "ignore" the Fritzbox and just deal with double-NAT. It will make the rest of your configuration portable and a bit easier.

If you need to bridge VLANs over wireless, things get a little trickier. The easiest (not "best") way of handling a couple of VLANs would be to use one WDS "channel" for each of the VLANs. This has the disadvantage of increasing "beacon pollution", so I'd read that article and take heed of disabling legacy rates and older 802.11 standards.

It's been a while since I've looked at WDS in depth, but I'm going on the assumption that a "normal" client can't connect to a WDS SSID. slh points out in the follow-on post that you may not need both an SSID for clients and a separate one for WDS, so I've struck out the separate WDS links.

Remembering that WDS needs to be on the same channel, that means that you're going to have to have both routers set to the same channel on the band supplying WDS.

Concept:

  • Fritzbox provides IP connectivity to your "main" router
  • Your main router provides NAT to its WAN address, all required services, and controls VLAN connectivity
  • Your main router puts the "main network" out on its LAN ports
  • Your "slave" router connects its AP SSIDs to the corresponding SSIDs and VLANs on your main router
  • Your slave router can only be managed by a single host on your "wired" network

On the main OpenWrt router:

WAN -- static, assigned to the subnet that the Fritzbox is providing, NAT enabled
VLAN 10 -- static IP, 10.0.0.1/24, tagged on the "CPU", bridged to SSID GuestNetwork, bridged to WDS SSID GuestNetworkWDS ; DHCP and DNS running here
VLAN 11 -- static IP, 10.1.0.1/24, tagged on the CPU, bridged to SSID WashingMachine, bridged to WDS SSID WashingMachineWDS ; DHCP and DNS running here
VLAN 12 -- static IP, 10.2.0.1/24, tagged on the CPU, untagged on the LAN ports, bridged to SSID MainNetwork, bridged to WDS SSID MainNetworkWDS; DHCP and DNS running here

Firewall rules to control traffic between VLANs, the Internet, and services on the router, as you see fit

On the slave OpenWrt router:

WAN -- unused
VLAN 10 -- (no IP, no CPU connection to switch), bridged to SSID GuestNetwork, bridged to WDS SSID GuestNetworkWDS
VLAN 11 -- (no IP, no CPU connection to switch), bridged to SSID WashingMachine, bridged to WDS SSID WashingMachineWDS
VLAN 12 -- static IP, 10.2.0.2/24, tagged on the CPU (for management), untagged on the LAN ports, bridged to SSID MainNetwork, bridged to WDS SSID MainNetworkWDS

Firewall rules block all VLAN-to-VLAN traffic, and block all traffic to the router itself, except for SSH/HTTP-S from your designated "desktop" that you use to manage it (better is a management VLAN, but that can wait for another day).

You can "hide" the WDS SSIDs to keep them from appearing on various devices' picker lists. It isn't really any more secure, but "looks better" on other devices.

If you can, using 5 GHz for the WDS will help reduce some of the congestion, especially if you can use wider channels.

("Better" ways would be using a Layer 2 GRE tunnel or a routing protocol like B.A.T.M.A.N. or OLSR. They, however, are much more complicated to implement.)
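As an added example (not part of any post in this thread), the OpenWrt 18.06 UCI fragments below put the "dead-end subnet" idea from the earlier TP-Link post and the "WashingMachine" VLAN from the concept diagram and the main-router design into concrete config. Everything not taken from the thread is an assumption: the interface and zone are called 'iot', the subnet is 10.1.0.1/24 as in the diagram, 'radio0' and 'lan'/'wan' are the stock names, the passphrase and the telemetry hostname are placeholders. Two techniques are swapped in for the ones the earlier poster uses: dnsmasq's address list for the NXDOMAIN answer (instead of unbound views), and a firewall DNAT intercept of UDP/123 (instead of DNS-redirecting the hard-coded NTP names).

```uci
# /etc/config/network  -- added section; existing 'lan' and 'wan' stay as they are.
# A bridge with no wired ports: only the WashingMachine SSID is attached to it,
# so no switch VLAN is needed on the main router for this network.
config interface 'iot'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.1.0.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  -- added section
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'WashingMachine'
	option encryption 'psk2'
	option key 'CHANGE-ME-long-random-passphrase'   # placeholder
	option network 'iot'
	option isolate '1'   # appliances on this SSID cannot talk to each other at layer 2

# /etc/config/dhcp  -- added section
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '50'
	option leasetime '12h'
	list dhcp_option '42,10.1.0.1'   # DHCP option 42: offer the router as NTP server

# /etc/config/dhcp  -- append to the EXISTING 'config dnsmasq' section (a second
# section would start a second dnsmasq instance). A name with no address after
# the slash makes dnsmasq answer NXDOMAIN; the name here is a placeholder, use
# what tcpdump/wireshark shows the appliance actually resolving.
	list address '/telemetry.vendor.example/'

# /etc/config/firewall  -- added sections
config zone
	option name 'iot'
	option network 'iot'
	option input 'REJECT'     # router accepts only what the rules below allow
	option output 'ACCEPT'
	option forward 'REJECT'   # nothing routed out of 'iot' unless a forwarding says so

# Appliances may reach the Internet (cloud-only apps need this) ...
config forwarding
	option src 'iot'
	option dest 'wan'

# ... and the phone on the main LAN may open connections to them. There is no
# 'iot' -> 'lan' forwarding, so that direction is rejected; the firewall is
# stateful, so replies to lan-initiated connections still pass.
config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-NTP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '123'
	option target 'ACCEPT'

# Devices with hard-coded NTP or DNS servers: DNAT the packets to the router
# itself (no dest_ip means "this box"). For NTP the router must serve time:
# set 'option enable_server 1' in the 'config timeserver ntp' section of
# /etc/config/system.
config redirect
	option name 'Intercept-NTP-iot'
	option src 'iot'
	option proto 'udp'
	option src_dport '123'
	option target 'DNAT'

config redirect
	option name 'Intercept-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, check the result from an appliance's point of view rather than trusting the config: a client on the WashingMachine SSID should get a 10.1.0.x lease, resolve names only through 10.1.0.1, reach the Internet, and get no answer from 10.2.0.x hosts, while a phone on the main LAN can open the plug's port. If the vendor app works purely through the cloud, the 'lan' -> 'iot' forwarding can be dropped as well, which is the tightest version of the dead-end subnet.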

Normal clients can connect to WDS-AP interfaces just fine. WDS is only an optional addition (all the magic happens through an additional STA interface on the WDS-AP side); clients not using/supporting it will just ignore the option (of course there can always be buggy clients).

At the moment I do not understand your suggestion (a lot), but I will search the net to understand it better.

I want to say that in the worst case, I can use my old TP-Link TL-WR1043ND v1.8 (I have 5) for IoT.

So my 1st goal is to see if I can get a wireless bridge to work between an R7800 or a TL-WR1043ND (OpenWrt 18.06.1) and the guest network of the Fritzbox. I think I will start with a TL-WR1043ND; 4 of them are already configured as a bridge (and now unused) with a TL-WR1043ND as master. I think it could be enough to change the IP address of the client and the MAC address of the master in a TL-WR1043ND client. This worked more or less with the R7800 for a 1st test, when I got a new R7800.

No 5 GHz would be a show-stopper for me in a wireless-bridged configuration. Even worse having several of them all locked on the same 2.4 GHz channel.

Now I remember that all the IoT devices I know do not support 5 GHz. On the other hand, I think speed is not important with a plug, washing machine and so on. A plug is configured once with the app and then there will be no traffic, or very rarely. This topic has to wait a little, because I got my 2nd C7 today and the plugs :wink: for testing. My 1st goal is to configure the 2nd C7 in detail; generally I flashed it already with OpenWrt and it works as AP.

You would use 5 GHz for inter-router links and then have 2.4 exclusively for users. 5 GHz APs could also be provided for users that are 5 GHz capable.

I fear the limitation is the Fritzbox. I cannot get a connection / IP address.

There is something special with the guest network of the Fritzbox: it doesn't support static IP addresses (DHCP only) and doesn't support different SSIDs for 2.4 and 5 GHz; it looks like the device gets the better connection.

This is a test with a TP-Link TL-WR1043ND v1.8 as wireless bridge, connecting to a Fritzbox 7390 as master.

OpenWrt 18.06.1, r7258-5eb055306f

root@TP1043IoT:/etc/config# cat network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

# Bridge carrying the WDS STA uplink to the Fritzbox guest SSID and the local AP;
# static address in the Fritzbox guest range, no DHCP server on it (see dhcp 'lan').
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.179.54'
	option gateway '192.168.179.1'
	option dns '192.168.179.1'
	option stp '1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'none'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

# Leftover interface: no ifname and no wifi-iface refers to it, so it never comes up.
config interface 'wwan'
	option proto 'dhcp'
root@TP1043IoT:/etc/config# cat dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

# DHCP disabled on the bridge: clients are expected to get leases from the Fritzbox.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
root@TP1043IoT:/etc/config# cat wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ath9k'
	option htmode 'HT20'
	option disabled '0'
	option txpower '24'
	option country 'US'
	option legacy_rates '1'

# WDS client (4-address STA) towards the Fritzbox guest SSID; bssid redacted.
config wifi-iface
	option ssid 'PaT45'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'sta'
	option bssid 'aa:bb:cc:dd'
	option key 'pw'
	option wds '1'
	option network 'lan'

# Local AP for phones etc., bridged into the same 'lan'.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'PaT4B'
	option network 'lan'
	option encryption 'psk2'
	option key 'pw'

When I try to connect with an Android mobile phone to the WDS client, I think it is connected (changing to blue), but then the phone doesn't get an IP address and tries again and again.

If I connect the phone to the guest network and scan with the app Fing, I do not see the bridge, but e.g. my notebook, which is connected to the guest network too.

So the only chance I see is to connect this TL-WR1043ND to port 4 of the Fritzbox and define it as guest network.