Home set-up with OpenWrt and Ubiquiti

Hello everyone!

I'm a pretty new user in this community. I did some reading in the past to install and use OpenWRT on a Netgear wndr3700 and I really appreciated the work done here (forum, documentation). Now I'd like to go to the next level for a better homemade set-up, but I need your advice (good/bad parts of the set-up according to my requirements).

Requirements - Long story short:

  • I want to set up a mesh network, including vlan tags (per ssid) and where each mesh node can wire multiple devices.
  • Also capable of having a vlan tag on the switch behind the mesh node (not limited to a vlan per ssid).
  • Close to open source solutions, avoiding proprietary ones (not looking for cloud-dependent devices or any external services, except firmware updates of course...) unless it can be self-hosted.
  • The included figure will be explicit enough I guess (see at the end).

Motivation:

Because I'm used to moving and renting different houses, I can't wire all the final devices (e.g., pc) - I avoid making holes for the owner of the house. For now, I ended up with a Netgear rbk23 (1 * RBR20 + 2 * RBS20) mesh solution. It works pretty well, however I'd like to improve the security by setting up a different vlan per ssid as well as connecting devices on different vlans. I need something slightly more "scalable", and not limited to two ssids as it is in Netgear products right now.

I thought of using Ubiquiti devices, since they propose a vast choice of products (router, switch, APs). However, even if the UI is beautiful, I'm a little bit reluctant to run a java process (UI/Controller) on the devices that will manage my network. That's why I thought of replacing the whole OS by OpenWRT on the different devices. I've seen a lot of contributions on the Table of Hardware (https://openwrt.org/toh/start?dataflt[Brand*~]=Ubiquiti), which makes me confident to use their devices.

To better summarize how I'd set up all of this, I drew a figure that you can find at the end. Please take into consideration that I'm not an expert in networking, so I may not be using the right words.

Here are some questions according to this project:

  1. Is this project feasible? Without having to change the current source code of OpenWRT.
  2. The selected mesh solution (UAP-AC-M) has an RJ45 port (PoE and usage as an AP wired to the router), but can I use it to connect a switch where each device will be connected to the router (thanks to the mesh functionality) and consequently to the internet? It seems possible with the Ubiquiti controller, but with OpenWRT?
  3. If it is possible to connect a switch on the mesh node, does it handle vlan tags on the switch?
  4. Is it possible to have a vlan tag per ssid (and repeated along the mesh nodes)?
  5. If the set-up is possible (mix of mesh and vlan), it will certainly have an impact on the performance (bandwidth, latency). If anyone has a similar set-up, I'd be interested to have some numbers/statistics (e.g., losing half of the bandwidth per mesh hop, or something else...)?
  6. If the set-up is possible, can I configure some QoS (limit bandwidth on a specific vlan tag, or specific ssid)? And at the same time monitor the different flows (bandwidth usage per vlan/ssid).
  7. In the future I'd like to install a vpn (e.g., openvpn with mullvad.net), which would be only used by specific vlans that I choose, is it feasible?
  8. I'm interested in adding some IDS and other solutions to better secure the network (find suspicious movement on specific vlans), any suggestions? Recommendations? Should it be done directly on the "main router", or on a dedicated board (intel, or arm board, not sure the latter is fast enough or well explored for network solutions with open source software)?
  9. What would be the biggest cons of this architecture?

I know that I'm asking a lot, and maybe no one will have the answer to all my questions. Maybe some questions are nonsense. But if you have experience with some part of them, I'd be honored to hear it :slight_smile:

Thanks in advance!
Laurent

EDIT: I stay open to alternatives to the devices I've selected (i.e., UAP-AC-PRO and UAP-AC-Mesh). Ideally I'd go for Wifi 6 solutions if it improves the bandwidth on such a mesh network.

1 Like

Hello Laurent,

I can't comment on Ubiquiti hardware but I will try to answer the remaining questions.

  1. To me the project seems feasible. OpenWRT supports multiple mesh technologies and can use multiple SSIDs. As I said, others can comment on the hardware and make assurances about it. I'm just referring to the software.
  2. I'm not sure that I understand your question completely but PoE implies that it is a normal 1000BASE-T Ethernet port that can also be used to power the device. You can connect to any other Ethernet device including a switch or a router.
  3. I'm not sure that I understand your question but as far as I understand it, you can connect both the wireless mesh network and the wired network.
  4. Yes.
  5. There will be a negligible overhead of the VLAN tag but practically the performance will be the same as without a VLAN tag. Depending on the hardware a wireless mesh network generally shares the channels and the wireless spectrum with other wireless networks. Therefore, a general rule of thumb is that each mesh node halves the available bandwidth. With hardware that has multiple wireless radios you might be able to use multiple channels but you are also competing with nearby networks over the spectrum. In general a wireless mesh network should be your last resort. I tried it several years ago in a building complex with several dozens of tenants in a smaller German city. In the 2.4 GHz spectrum the performance was almost unusable and I had to cancel the project as the result. That being said, if you are happy with your current mesh network and do not increase the number of nodes in the mesh network, the performance should not be much worse (there might be hardware and antenna differences though). Moreover, the multiple SSIDs also generally share the same channel or frequency spectrum.
  6. Yes. You can also use 802.1p or tc with ebtables. However, it might require some more in-depth knowledge depending on your requirements. There might also be some supported hardware that performs some wireless QoS but I have never personally seen one. Guaranteeing any QoS on a wireless network with a shared spectrum is also impossible. If you live in the countryside and don't have nearby neighbours, it might work though.
  7. Yes. Both OpenVPN and WireGuard are supported by OpenWRT and Mullvad.
  8. I recommend a passive IDS on a dedicated computer with port mirroring on a switch or the router. There are several Free Software network IDS. You should evaluate them based on your requirements. However, I would say based on my limited experience with Snort as a network IDS that you should not expect miracles. A network IDS might be able to find some obviously infected Windows computer that is communicating with its command and control server but it cannot provide any protection against serious threats or insecure software (as the name already suggests). I would suggest assigning this idea a low priority and revisiting it when your network functions properly.
  9. I think I already addressed this in 5.

If you are a first-time user of OpenWRT beware that OpenWRT is not a turn-key solution. Common use-cases can generally be easily configured through the web interface but less common and more complex requirements can require in-depth knowledge of the software. This is different from, for example, a Netgear wireless router where a software integrator has built a Linux based solution with some configuration options for a fixed number of use cases. OpenWRT can do a lot and fulfil requirements that no proprietary vendor can but at the same time it can also require more knowledge and sometimes things might not work as expected.

Therefore, I would recommend to build the new network separately and test it beforehand. Otherwise, the people in your house might become upset if they don't have Internet access and you will blame it on OpenWRT.

Also do not expect that everything works and do not spend money that you cannot lose.

As for a switch recommendation, an unmanaged 1000BASE-T Ethernet switch should suffice if you don't need port mirroring. The same goes for the router, almost any Gigabit router that supports VLANs and DHCPv6 Prefix Delegation should be fine.

2 Likes

I use a ZBT-WE1326 with Openwrt as a gateway router at home, same cpu as the Edgerouter, but it goes for $20 used, in various brands. Connect to a Netgear managed switch using OEM firmware, or the new Openwrt for Netgear, snapshot only, about $50, used. Then use TP-Link EAP225v3's as wired or mesh access points, much faster than the Ubiquiti UAP-AC-LITE by Jim Salter's test on https://www.smallnetbuilder.com/wireless/wireless-reviews/33201-tp-link-eap225v3-ac1350-wireless-mu-mimo-gigabit-ceiling-mount-access-point-reviewed . They go for $60 each, as new on Amazon, snapshot of Openwrt available for them. OEM firmware is fine with bells and whistles, just set up using their controller software, then turn off their controller software, you just lose seamless mesh if you are using it. Works fine, no problems, just as good as my Ruckus Wireless network in the office. Great Luck in your search for the perfect network!

1 Like

Thank you both for your answers! I appreciate all your details a lot.

Concerning questions 2 and 3, I will rephrase.

  1. I was not sure if the Ubiquiti mesh solution that is power supplied through PoE can also handle a switch. It seems feasible if I'm using the whole Ubiquiti product line, but can OpenWRT do that on this specific device? If yes, it'd be great. I'm asking the question because it's not something I'm used to seeing, and I'm not sure if it follows a standard in terms of software, or if it's a dedicated proprietary solution. So if the mesh node is capable of replicating the wireless signal + connecting devices that are connected on a switch through its PoE port, it's awesome!

  2. If question 2 is feasible, then I was curious if the concept of vlan (layer 2) also works on the mesh node for both parts (i.e., repeated wireless and the switch directly connected on it). It seems okay with the UI Controller, but is it on OpenWRT? If it is not, it's a NOGO for my project.

  3. I'm pretty happy with the current set-up, I have 400mbps (the limit from my ISP, I was pretty surprised that the final computer had such performance...). But I would like to control the network a little bit more (vlan part + monitoring). I've seen that Orbi pro (part of Netgear) devices seem capable of handling vlans as well as more SSIDs (4 to be exact right now), but I like the open source world and their solutions are very expensive. Also, I've recently seen that OpenWRT is being used on the Orbi devices (https://www.reddit.com/r/openwrt/comments/l0v9gw/does_orbi_netgear_support_openwrt/ and Netgear Orbi RBR50 build?).

In general a wireless mesh network should be your last resort.

Yeah I know :frowning: but due to the way I live (for now and for a few years), no holes! So wireless is one of the best choices. I tried power line carrier, but I had bad experiences with old houses.

  1. I'm not afraid to configure the different parts through the cli (iptables and so on), but I am if I have to code some part in OpenWRT (network coding is not my field of knowledge, and I would have no time to be part of it).

If you are a first-time user of OpenWRT beware that OpenWRT is not a turn-key solution. Common use-cases can generally be easily configured through the web interface but less common and more complex requirements can require in-depth knowledge of the software. This is different from, for example, a Netgear wireless router where a software integrator has built a Linux based solution with some configuration options for a fixed number of use cases. OpenWRT can do a lot and fulfil requirements that no proprietary vendor can but at the same time it can also require more knowledge and sometimes things might not work as expected.

Thanks for reminding me of that. I guess it should be okay to spend time configuring. I'm more afraid that the features (vlan on mesh, vlan on a switch that is connected on the mesh, wireguard on a specific vlan) do not exist, or are not implemented with OpenWRT yet, or that they exist, but only for specific devices (and in consequence I buy the wrong ones).

Therefore, I would recommend to build the new network separately and test it beforehand. Otherwise, the people in your house might become upset if they don't have Internet access and you will blame it on OpenWRT.

I will!

1 Like

Just a small update, I've finally decided to go with the following hardware:

  • router: Ubiquiti EdgeRouter X (small, not expensive, quite performant for the price, good documentation on openwrt)
  • switch: Netgear GS308Tv1 (small, not expensive, vlan capable)
  • 2 * Ubiquiti LR-6 (Wifi 6, 4*4 MU-MIMO, quite accessible, apparently handled by OpenWRT)

Until now I was able to configure the switch and the router with OpenWRT. It was a little bit of a mess to install OpenWRT on the GS308Tv1 (vlan 100 forcing... for those who know).

I will give you more details as soon as I have installed and configured the mesh part :slight_smile:

1 Like

Small update, everything is working, waiting for confirmation that the configuration is good with the vlans under mesh (Mesh with Batman and DHCP per vlan, only one VLAN gets an ip).

I'm trying to optimize the performance by changing the configuration (mtu, encryption, and other stuff in batman). So far the best I can get (locally and for internet) is approx 198mbp/s, while on the Orbi I was able to get 400mbp/s with a wired computer on the mesh. The limitation seems to come from the config, or the hardware (RBK20 has 4 cpus while the lr-6 has two and both cpus are intensively used). It would have been useful to know how Orbi configures the mesh on the RBK20...

EDIT: I'm using the 5ghz as a backhaul (only for mesh) in the set-up.

EDIT 2: did not try WireGuard yet. For IDS I set up a rock64 board with Snort and redirect packets with iptables ... mangle ... tee, but I'm not sure it's well configured, I'll check once the mesh+vlan is well configured.

Last update, I've spent quite a few hours if not days, and the set-up is done and working.

Here is the final scheme of the network (if it interests anyone):

Money spent: 600€

  • Ubiquiti EdgeRouterX: 100€
  • Unifi Long Range 6: 180€ each (360€ both)
  • Adapter PoE+: 22€ each (44€ both)
  • GS308Tv1: 47€ each (~100€ both)

Performance (pc wired on the switch, itself wired on the mesh node) - verified with proof.ovh.net:

  • 300mbit/s download average
  • 250mbit/s upload average
  • Latency 14ms.

Feeling: very cool to have a complete open source set-up (openwrt on each node) but it can be quite expensive and have lower performance compared to already existing solutions (thinking of the Orbi rbk23 where I had 400mbit/s download/upload: the limit of the ISP. I'm pretty sure that locally it is even better than 400mbit/s). At least I have full control of my network (e.g., vlan, add multiple ssids) that I didn't have with the Orbi rbk23. Note that it is possible to have this kind of features with other models (more expensive also).

After all of this I still have some questions to improve the set-up:

  1. Do the configurations include some nonsense instructions? Are they well specified according to the new 21.02 version with DSA architecture? (see Appendix.B)
  2. How would you optimize the network to approach the 400mbit/s download as done with the Orbi rbk23? After some debugging that I ran (see Appendix.A), it feels that the mesh network might not be the limitation (maybe the switch? the router?). However, I'm losing half of the bandwidth from batman to the IP part of the same device (736Mbps with batctl and 423 Mbps with iperf), is this normal? Would you change some part of the mesh nodes' configuration to improve the performance? (e.g., channel, or tx power, or htmode?) Looking for an expert to guide me to gain some time, because I spent too much of it trying without understanding the impacts.
  3. The mesh nodes get an ip through DHCP (static lease). What are the risks/consequences? Is it a bad practice and should I rather set up static ips? e.g., lr6-node1 is up, but not lr6-gw, I guess node1 will not have any IP, and I will have no easy access to debug it (i.e., ssh).
  4. I thought of setting up a management SSID on each mesh node, in case the gateway is dead and I want access to debug it. Is it a good practice?
  5. I'm trying to disable ipv6, what is the best way? (why? because I do not understand the protocol well enough yet in terms of security and impacts. I want to take more time to understand how to set up dhcpv6 well. I do not really like the fact that each device has a kind of static ipv6 visible on the internet: I feel it eases the work of tracking websites and so on). It feels repetitive to add option ipv6 '0' on each interface of each device (switch, mesh node, router). If I don't, I find an ipv6 everywhere (example in Appendix.C). Is this normal?
  6. Adding a vlan feels too repetitive (adding it on each device). Is there any known solution to say that in-between devices accept any vlan? Is trunk the right term? I'm thinking about the mesh nodes. E.g., every new vlan x needs a new bat0.x port.
  7. Even if the set-up works (followed the OpenWRT documentation), I'm a little bit confused why the bat0.x are not tagged like eth0:t. Why?
  8. What's the good practice of configuration to allow any device in lan (vlan 100) to access/ping any home device (vlan 200)? Only need a firewall rule on the router, right? (see Appendix.D)
  9. I guess since the router is the only routing part (layer 3), having a firewall is worthless on the other devices (mesh nodes, switch), right? Can it be disabled?
  10. (bonus) LEDs are dead on the GS308Tv1 (some posts talk about fixing on v3). Where should I look in the source code to help make it work? Or understand why it does not work on v1.

I'm ready to pay 10$ worth of LTC for a good answer and another 10$ worth of LTC for the optimization part.. I'm not sure posting this here is the right way? Should I make a new post in the installing and configuring topic?

More resources (personal notes, can be messy):

-- APPENDIX --

A. some commands to check performance between two mesh nodes (gw and node1)

root@lr6-node1:~# batctl tp lr6-gw
Test duration 10530ms.
Sent 969239016 Bytes.
Throughput: 87.78 MB/s (736.36 Mbps)

root@lr6-node1:~# iperf -c 192.168.2.156 # ip of mesh-lr6-gw
------------------------------------------------------------
Client connecting to 192.168.2.156, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  1] local 192.168.2.208 port 55738 connected with 192.168.2.156 port 5001
[ ID] Interval       Transfer     Bandwidth
[  1] 0.00-10.10 sec   509 MBytes   423 Mbits/sec

B. Configurations

edgerouterx - /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd3b:fde2:a5d2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        option ipv6 '0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

# personal
config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth1:u*'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4:u*'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        list dns '192.168.2.227'
        option device 'br-lan.100'
        option delegate '0'
        option ipv6 '0'

# services
config bridge-vlan
        option device 'br-lan'
        option vlan '150'
        list ports 'eth1:u'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4'

config interface 'services'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.4.1'
        list dns '192.168.2.227'
        option device 'br-lan.150'
        option delegate '0'
        option ipv6 '0'

# home
config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'eth2:t*'
        list ports 'eth3:t*'
        list ports 'eth4'

config interface 'home'
        option proto 'static'
        option device 'br-lan.200'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
#       list dns '192.168.2.227' # disable for now, AdGuard mess the performance of different services (Amazon Video, Netflix)
        option delegate '0'

# iot
config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.300'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        list dns '192.168.2.227'
        option delegate '0'

# office
config bridge-vlan
        option device 'br-lan'
        option vlan '400'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4'

config interface 'office'
        option proto 'static'
        option device 'br-lan.400'
        option ipaddr '192.168.110.1'
        option netmask '255.255.255.0'
        list dns '192.168.2.227'
        option delegate '0'

mesh-lr6-gw - /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:4bb4:8223::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'bat0.100'
        list ports 'bat0.200'
        list ports 'bat0.300'
        list ports 'bat0.400'
        option ipv6 '0'

config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_IV'
        option aggregated_ogms 1
        option ap_isolation 0
        option bonding 0
        option fragmentation 1
        #option gw_bandwidth '10000/2000'
        option gw_mode 'off'
        #option gw_sel_class 20
        option log_level 0
        option orig_interval 1000
        option bridge_loop_avoidance 1
        option distributed_arp_table 1
        option multicast_mode 1
        option network_coding 0
        option hop_penalty 30
        option isolation_mark '0x00000000/0x00000000'
        option ipv6 '0'

config interface 'nwi_mesh0'
        option mtu '2304'
        option proto 'batadv_hardif'
        option master 'bat0'
# lan
config interface 'lan'
        option device 'br-lan.100'
        option proto 'dhcp'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'
        list ports 'bat0.100'

# services
config interface 'services'
        option device 'br-lan.150'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '150'
        list ports 'eth0:t'
        list ports 'bat0.150'

# home
config interface 'home'
        option device 'br-lan.200'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'eth0:t'
        list ports 'bat0.200'

# iot
config interface 'iot'
        option device 'br-lan.300'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        list ports 'eth0:t'
        list ports 'bat0.300'

# office
config interface 'office'
        option device 'br-lan.400'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '400'
        list ports 'eth0:t'
        list ports 'bat0.400'

mesh-lr6-gw - /etc/config/wireless:

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option hwmode '11a'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option disabled '0'
        option country 'FR'

config wifi-iface 'mesh0'
        option device 'radio1'
        option ifname 'mesh0'
        option network 'nwi_mesh0'
        option mode 'mesh'
        option mesh_fwding '0'
        option mesh_id 'meshlr6'
        option encryption 'sae'
        option key 'xxx'

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'lan_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Livebox-2090l'
        option encryption 'psk-mixed'
        option key 'xxx'

...

mesh-lr6-node1 - /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8f:77cb:b992::/48'

# Bridge
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'bat0.100'
        list ports 'bat0.200'
        list ports 'bat0.300'
        list ports 'bat0.400'
        option ipv6 '0'

# Mesh network
config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_IV'
        option aggregated_ogms 1
        option ap_isolation 0
        option bonding 0
        option fragmentation 1
        #option gw_bandwidth '10000/2000'
        option gw_mode 'off'
        #option gw_sel_class 20
        option log_level 0
        option orig_interval 1000
        option bridge_loop_avoidance 1
        option distributed_arp_table 1
        option multicast_mode 1
        option network_coding 0
        option hop_penalty 30
        option isolation_mark '0x00000000/0x00000000'
        option ipv6 '0'

config interface 'nwi_mesh0'
        option mtu '2304'
        option proto 'batadv_hardif'
        option master 'bat0'

# lan
config interface 'lan'
        option device 'br-lan.100'
        option proto 'dhcp'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'
        list ports 'bat0.100'

# services
config interface 'services'
        option device 'br-lan.150'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '150'
        list ports 'eth0:t'
        list ports 'bat0.150'

# home
config interface 'home'
        option device 'br-lan.200'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '200'
        list ports 'eth0:t'
        list ports 'bat0.200'

# iot
config interface 'iot'
        option device 'br-lan.300'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '300'
        list ports 'eth0:t'
        list ports 'bat0.300'

# office
config interface 'office'
        option device 'br-lan.400'
        option proto 'none'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '400'
        list ports 'eth0:t'
        list ports 'bat0.400'

switch-gs308t-desk - /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddc:4119:d273::/48'

# last port allow to manage switch
config device
        option name 'management'
        option type 'bridge'
        list ports 'lan8'

config interface 'management'
        option device 'management'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.20.1'

config device
        option name 'switch'
        option type 'bridge'
        list ports 'lan1 lan2 lan3 lan4 lan5 lan6 lan7'

# lan
config interface 'lan'
        option device 'switch.100'
        option proto 'dhcp'

config bridge-vlan
        option device 'switch'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan2:u'
        list ports 'lan3:u'
        list ports 'lan4:t'

# home
config bridge-vlan
        option device 'switch'
        option vlan '200'
        list ports 'lan1:t'
        list ports 'lan5:u'
        list ports 'lan6:u'

# office
config bridge-vlan
        option device 'switch'
        option vlan '400'
        list ports 'lan1:t'
        list ports 'lan7:u*'

C. ipv6 presence inet6 fe80::2e0:4cff:fe00:0/64 scope link

root@gs308t:~# ip a
13: switch.100@switch: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:4c:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.102/24 brd 192.168.2.255 scope global switch.100
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever

D. lan (vlan 100) networking accessing home (vlan 200)

edgerouterx - /etc/config/firewall

config forwarding
        option src 'lan'
        option dest 'home'

2 Likes
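One way to answer questions 1 and 5 mechanically, as an added example that is not code from this thread: a small Python parser for the UCI syntax used in Appendix B, with a check that every port named in a bridge-vlan is actually a member of its bridge (the configs above list bat0.150 under vlan 150 but not among the br-lan ports) and a check for interfaces that still lack option ipv6 '0'. The SAMPLE_UCI excerpt is constructed from the mesh-lr6-gw config, not the real file.

```python
"""Consistency checks for an OpenWrt /etc/config/network in the 21.02 DSA style (added example)."""
import shlex
from typing import Dict, List, Set

# Constructed excerpt modelled on the mesh-lr6-gw config above (not the real file):
# br-lan carries bat0.100 and bat0.200, the vlan-150 entry references bat0.150,
# and 'services' lacks option ipv6 '0'.
SAMPLE_UCI = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'bat0.100'
        list ports 'bat0.200'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan.100'
        option proto 'dhcp'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'eth0:t'
        list ports 'bat0.100'

config interface 'services'
        option device 'br-lan.150'
        option proto 'none'

config bridge-vlan
        option device 'br-lan'
        option vlan '150'
        list ports 'eth0:t'
        list ports 'bat0.150'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections: List[Dict] = []
    current: Dict = {}
    for raw in text.splitlines():
        # shlex keeps quoted values intact and drops '#' comments outside quotes
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        value = parts[2] if len(parts) > 2 else ""
        if parts[0] == "config":
            current = {"type": parts[1], "name": value or None, "options": {}, "lists": {}}
            sections.append(current)
        elif not current:
            raise ValueError(f"{parts[0]!r} before any 'config' line")
        elif parts[0] == "option":
            current["options"][parts[1]] = value
        elif parts[0] == "list":
            current["lists"].setdefault(parts[1], []).append(value)
    return sections


def bridge_members(sections: List[Dict]) -> Dict[str, Set[str]]:
    """Map each bridge device to its member ports; a 'ports' entry may hold several names."""
    return {s["options"]["name"]: {p for entry in s["lists"].get("ports", []) for p in entry.split()}
            for s in sections if s["type"] == "device" and s["options"].get("type") == "bridge"}


def check_bridge_vlans(sections: List[Dict]) -> List[str]:
    """Flag bridge-vlan entries whose device is undefined or whose ports are not members of it."""
    members = bridge_members(sections)
    findings = []
    for s in sections:
        if s["type"] != "bridge-vlan":
            continue
        dev, vlan = s["options"].get("device"), s["options"].get("vlan")
        if dev not in members:
            findings.append(f"vlan {vlan}: bridge device '{dev}' is not defined")
            continue
        for entry in s["lists"].get("ports", []):
            for port in entry.split():
                base = port.split(":", 1)[0]  # drop the :t / :u* tagging flags
                if base not in members[dev]:
                    findings.append(f"vlan {vlan}: port '{base}' is not a member of {dev}")
    return findings


def interfaces_without_ipv6_off(sections: List[Dict]) -> List[str]:
    """Interfaces (loopback aside) that do not carry option ipv6 '0'."""
    return [s["name"] for s in sections
            if s["type"] == "interface" and s["name"] != "loopback" and s["options"].get("ipv6") != "0"]


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_UCI)
    for finding in check_bridge_vlans(secs):
        print("FINDING:", finding)
    print("interfaces without ipv6 '0':", interfaces_without_ipv6_off(secs))
```

Run it against a real file with parse_uci(open("/etc/config/network").read()); the same two checks apply to the switch config, whose bridge is named 'switch' rather than 'br-lan'.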

You've done a great job of configuring. My Apu1 is doing 400/400 symmetric with the free equipment a major networking company sent me. I like yours better!

Thanks dude :slight_smile:

looks like you live in the belle republique aussi :crazy_face:
why did you decide to stick with the livebox 5 and not go for a router which can accept the orange SFP?
I'm currently on vdsl but the fibre guys have been visiting the neighborhood and I'm looking at options...
I just managed to get a mikrotik router off amazon warehouse for like cheap

For now... haha planned to move

From what I've read on different posts, it's kind of tricky to get rid of the Livebox and continue to watch TV. I don't want to spend my time making it work (if there is an update on their software: encryption, vlan requirement, other stuff I don't know).