I'm in the process of planning an upgrade from my HH5a to a setup with a separate router, switch and access point (because the router isn't in an ideal place for wireless, it's not quite fast enough for my internet connection any more, and I'm running out of Ethernet ports).
I currently have a guest WiFi network in addition to my main one, and I want to keep that on the new setup. The standard advice seems to be to get a switch with VLAN support for this, but I was wondering whether it was possible to achieve similar isolation from the main network using firewall rules, in setups where both the AP and router are running OpenWRT. (I have no need to isolate any wired clients from the main network, in the foreseeable future.)
I'm considering this because I already have an unmanaged switch that I got for free, and because a managed switch seems like an extra device that would need keeping up-to-date etc.
Is it possible to provide internet access to guest WiFi clients without giving them access to other devices on the LAN without using a managed switch? If it is possible, are there significant downsides to this approach?
You don't need a smart switch at all. Assuming you're doing a dumb AP setup with no Wi-Fi on the main router, all you need to do is create a guest LAN and attach a tagged VLAN interface on the port that's going to the switch/AP. On the AP side, create a VLAN interface again on the port connected to upstream. Then, plug that interface into the guest SSID.
> Assuming you're doing a dumb AP setup with no Wi-Fi on main router
That sounds about right, yeah.
> all you need to do is create a guest LAN and attach a tagged VLAN interface on the port that's going to switch/AP. On the AP side, create a VLAN interface again on the port connected to upstream. Then, plug that interface to the guest SSID.
I'm having a bit of trouble understanding this. I think it's because I don't have any practical experience with VLANs yet.
In the setup you describe, what exactly prevents guest wireless clients from making connections to wired clients on the switch?
Did you not already have a guest SSID in your original setup? That SSID is supposed to connect to a guest-only LAN on your router, rather than the default LAN that OpenWrt ships with. It is by that LAN separation alone—not VLAN—that your guest devices are isolated from your main LAN. What VLAN will do in your new setup is provide a channel for your guest SSID on the dumb AP to interface with the guest LAN you created on the router, instead of mingling with regular LAN traffic. So long as your guest devices are on a different network address and/or subnet, they won't be able to talk to your LAN devices, wired or wireless, unless you allow it on the router firewall.
You can think of VLANs this way: suppose you create a VLAN on port 4; imagine that you're adding a new port to the device. And if you configure the same VLAN on any of the devices downstream of port 4, imagine you're connecting a cable from that new port on the router to the new port on this client device. This cable will only carry traffic within the VLAN and nothing else.
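To make the chain described above concrete (SSID → guest network → firewall zone, with isolation coming from the fact that no forwarding from the guest zone to the lan zone exists), here is an added Python example. It is not code from this thread or from the OpenWrt project: it parses two constructed snippets written in the UCI syntax of /etc/config/firewall and /etc/config/wireless and evaluates forwarding and router-input decisions the way OpenWrt's zone model works at a coarse level (intra-zone traffic follows the zone's `forward` policy, inter-zone traffic needs an explicit `config forwarding`, traffic to the router itself follows matching `config rule` entries and then the zone's `input` policy). The zone names, the `MyGuests` SSID and the passphrase are made up; the parser ignores defaults, includes and any rule options other than src, dest, proto, dest_port and target.

```python
"""Coarse model of OpenWrt firewall-zone isolation for a guest network.
Added example (not from the forum thread or OpenWrt). Parses constructed
UCI config text and answers "may this traffic pass?" from zone semantics."""
import re

# Constructed /etc/config/firewall: lan and guest may both reach wan, guest
# may only reach the router for DHCP/DNS, and nothing forwards guest -> lan.
FIREWALL_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'Guest DHCP and DNS'
    option src 'guest'
    option dest_port '53 67 68'
    option proto 'tcp udp'
    option target 'ACCEPT'
"""

# Constructed /etc/config/wireless: the SSID is attached to the 'guest'
# network, which is what lands its clients in the 'guest' zone.
WIRELESS_CONFIG = """
config wifi-iface 'guest_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'MyGuests'
    option encryption 'psk2'
    option key 'CONSTRUCTED-EXAMPLE-PASSPHRASE'
    option network 'guest'
    option isolate '1'
"""

def parse_uci(text):
    """Return a list of section dicts; '_type' is the section type and
    'list' options accumulate into Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$", line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"_type": key, "_name": value})
        elif kind == "option":
            sections[-1][key] = value
        else:
            sections[-1].setdefault(key, []).append(value)
    return sections

def zone_of_network(fw, network):
    """Find the zone section whose 'network' list contains the interface."""
    for s in fw:
        if s["_type"] == "zone" and network in s.get("network", []):
            return s
    raise KeyError(f"no zone contains network {network!r}")

def forward_allowed(fw, src_network, dst_network):
    """Same zone: the zone's 'forward' policy. Different zones: only an
    explicit 'config forwarding' src->dest opens the path."""
    src, dst = zone_of_network(fw, src_network), zone_of_network(fw, dst_network)
    if src["name"] == dst["name"]:
        return src.get("forward", "REJECT") == "ACCEPT"
    return any(s["_type"] == "forwarding" and s.get("src") == src["name"]
               and s.get("dest") == dst["name"] for s in fw)

def _port_matches(spec, port):
    """dest_port is a space-separated list of ports or lo-hi ranges."""
    for item in spec.split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def input_allowed(fw, src_network, proto, port):
    """Traffic to the router itself: first matching rule without a 'dest'
    decides, otherwise the zone's 'input' policy applies."""
    zone = zone_of_network(fw, src_network)
    for s in fw:
        if s["_type"] != "rule" or s.get("src") != zone["name"] or "dest" in s:
            continue
        protos = s.get("proto", "all").split()
        if "all" not in protos and proto not in protos:
            continue
        if "dest_port" in s and not _port_matches(s["dest_port"], port):
            continue
        return s.get("target", "DROP") == "ACCEPT"
    return zone.get("input", "REJECT") == "ACCEPT"

def ssid_zone(fw, wireless, ssid):
    """Resolve SSID -> wifi-iface 'network' -> zone name."""
    for s in wireless:
        if s["_type"] == "wifi-iface" and s.get("ssid") == ssid:
            return zone_of_network(fw, s["network"])["name"]
    raise KeyError(f"no wifi-iface with ssid {ssid!r}")

if __name__ == "__main__":
    fw, wl = parse_uci(FIREWALL_CONFIG), parse_uci(WIRELESS_CONFIG)
    print("SSID MyGuests is in zone:", ssid_zone(fw, wl, "MyGuests"))
    for a, b in (("guest", "wan"), ("guest", "lan"), ("lan", "wan"), ("lan", "guest")):
        print(f"forward {a} -> {b}:", "ACCEPT" if forward_allowed(fw, a, b) else "REJECT")
    print("guest -> router udp/53:", input_allowed(fw, "guest", "udp", 53))
    print("guest -> router tcp/22:", input_allowed(fw, "guest", "tcp", 22))
```

Running it shows the point of the post: guest → wan is forwarded because a `config forwarding` says so, guest → lan is rejected because none does, and guest clients can reach the router only on the DHCP/DNS ports the rule opens. Note that lan → guest is also rejected by default; the lan zone's `forward 'ACCEPT'` only covers traffic between interfaces inside the lan zone, so reaching guest devices from the main LAN would need its own forwarding.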
VLANs should never be passed through unmanaged switches. This is because the behavior in this situation is undefined (they are only designed for a single, untagged network). In some cases it may be okay, and in others it may cause problems (sometimes minor, other times major).
That said, if you can connect two OpenWrt devices directly together, that link can be configured with VLANs, and then the switch can be connected to another port (on either device) that has only the main/trusted LAN.
Alternatively, if you only need your guest network on one AP, you can do this fairly easily using one of the two recipes:
Guest wifi on a dumb AP - applies to a dumb AP configuration (i.e. a wifi AP only, not being used as a router).
If 2 or more APs need to broadcast the guest wifi, it is best to use VLANs from the main router (the first link + a few tweaks). But as stated earlier, you should not put VLANs through an unmanaged switch -- so you'll either need a direct connection between the two OpenWrt devices or a managed switch.
If you would like to draw a proposed network topology diagram, we can advise further.
I'm not sure that I'll have time to read those docs properly today, but having skimmed them, they seem like just the thing I'm looking for.
I won't know if I need a second AP to fully cover the house until I receive the first AP and test it (currently considering buying a NWA50AX). However, if I do end up with two APs, I think it will be fine for the guest network to be available in only half of the house anyway.
Does this topology look suitable for the setup described on the Guest wifi on a dumb AP page?
Based on the network diagram you have shown, the 'guest wifi on a dumb AP' solution would be the right one in your circumstances.
If you changed the order of connections (Internet > OpenWrt router > OpenWrt AP > Switch), you could consider using the main router for the creation of the guest network, but as drawn, that could cause problems because you'd be passing tagged ethernet frames through an unmanaged switch. (Alternatively, you could also use the main router for the guest network and use the topology as drawn as long as you replaced the switch with a managed version).