How to configure router

Can anyone show me how to configure this simple network? I'm sure it's straightforward for someone who is familiar with OpenWrt and networking. But I've been struggling with this for days and just can't get it right.

Router 1:
	Always on
	Static IPs?
	Device 1 (ethernet):
		Router 1 admin (local only--no remote)
		Modem admin
		WAN access
		No access to other devices
	Device 2 (ethernet):
		WAN access only
		No access to router
		No access to modem
		No access to other devices
	Device 3 (ethernet):
		Router 1 admin (local only--no remote)
		No WAN access
		No access to other devices
Router 2:
	Only powered on as needed
	Static IPs? Or DHCP if advised
	Device 4 (Wi-Fi):
		WAN access only
		No access to router
		No access to modem
		No access to other devices	
	Device 5 (ethernet):
		Router 2 admin (local only--no remote)
		No WAN access
		
No access to any device from WAN

You’ve got a reasonable amount of information here, but still some missing things:

  • Are there literally just 5 devices (plus the two routers) in your network, or are you describing 5 categories of devices?
  • Why is there a second router? Why not just use the one? Why is it only powered on when needed?

Most importantly, we need to see the config of the existing router to understand what it is that we’re working with and what you’ve got so far.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

There are literally 5 devices. The second router is in a location close to where it's needed, which isn't very often. It's more convenient and secure to have a separate access point.

The settings have been reset so there isn't anything to share. The router is a TP-Link Archer C7, which should be capable of being configured to meet our requirements. If it falls short I can get another router, but I'd think that the configuration is generic enough that it'll work for most routers.

Ok. How is the second router connected to the first? (What port on router 1? And what port on router 2)?

What is the second router? Is it also running openwrt?

And let’s see those configs (even if they’re close to default) since we’ll be using those as the basis for the configs moving forward.

The second router, which I have not set up yet, will be running OpenWrt. I was thinking of connecting port 4 on router 1 to port 1 on router 2. I know very little about networking so please let me know if there's a better option.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-upd

root@OpenWrt:~# cat /etc/config/firewall
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

You just need a guest network and disable forwarding to internet from admin lan.

As @brada4 said, you will use a guest network as the initial recipe. Each one will be customized a bit, but those differences are fairly simple to implement.

This is the guest network wiki:

For any network(s) that don’t need wifi, you can skip the part about creating a new SSID. Eventually, you’ll be making a change to the switch configuration:

The config stanza above creates eth0.1 which is used in br-lan. Ports 2-5 above are the logical ports that correspond to the physical lan ports, and 0t is the CPU — you’ll remove one of the logical lan ports and create a new VLAN on the switch for each network… something like this, where VLAN 3 uses logical port 5 (which has been removed from VLAN 1):

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '5 0t'

Then, eth0.3 would be used as the device for your new network (assuming Ethernet only).

So, start by creating a new guest network and assigning it to a new VLAN on the switch.

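As an added example (not from any post in this thread), this is what the guest-network recipe looks like once it is customized for the three wired requirements on router 1: device 1 stays on the existing lan (admin + WAN + modem), device 2 gets a zone that can only reach the WAN, and device 3 gets a zone that can only reach the router. Switch port numbers follow the second network config posted in this thread (physical LAN ports 0-3, CPU on 8t), with VLAN 1 reduced to port 1 and port 0 left unassigned for router 2; the addresses, VLAN ids, network/zone names and the modem address 192.168.100.1 are assumptions. Confirm the port mapping on your unit with `swconfig dev switch0 show` before trusting it.

```uci
# /etc/config/network -- replace the existing VLAN 1 stanza, add VLAN 20 and 30.
# Port 1 = device 1 (stays on lan), port 2 = device 2, port 3 = device 3,
# port 0 = reserved for router 2, 8t = CPU (per the second config posted above).
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 8t'

config switch_vlan
        option device 'switch0'
        option vlan '20'
        option ports '2 8t'

config switch_vlan
        option device 'switch0'
        option vlan '30'
        option ports '3 8t'

# Ethernet-only networks need no bridge: the VLAN sub-interface is the device.
# Names are alphanumeric (a bare '10' was the problem earlier in the thread).
config interface 'wanonly'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

config interface 'adminonly'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp -- one pool per network (IPv4 only; no ip6assign is set above)
config dhcp 'wanonly'
        option interface 'wanonly'
        option start '100'
        option limit '50'
        option leasetime '12h'

config dhcp 'adminonly'
        option interface 'adminonly'
        option start '100'
        option limit '50'
        option leasetime '12h'

# /etc/config/firewall -- device 2: WAN only.
# input REJECT keeps it off the router, forward REJECT keeps it off every other
# zone; the single forwarding stanza is the only way out.
config zone
        option name 'wanonly'
        list network 'wanonly'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'wanonly'
        option dest 'wan'

# The two holes into the router that a DHCP client needs: lease (67) and DNS (53).
config rule
        option name 'wanonly-dhcp'
        option src 'wanonly'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'wanonly-dns'
        option src 'wanonly'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'
        option target 'ACCEPT'

# "No access to modem": the modem sits behind the wan interface, so block its
# (assumed) management address explicitly. Rules are evaluated before zone
# forwardings, so this REJECT wins over the wanonly -> wan forwarding.
config rule
        option name 'wanonly-no-modem'
        option src 'wanonly'
        option dest 'wan'
        option dest_ip '192.168.100.1'
        option target 'REJECT'

# device 3: router admin only. input ACCEPT gives LuCI/ssh; there is deliberately
# no 'config forwarding' from this zone, so the default forward REJECT means no WAN.
config zone
        option name 'adminonly'
        list network 'adminonly'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
```

Two caveats a careful reader will want. First, the DHCP and DNS ACCEPT rules are the only way device 2 touches the router; if "no access to router" is meant strictly, give that device a static address and a public resolver and drop both rules. Second, device 1 keeps the stock lan zone (input ACCEPT, lan -> wan forwarding), which is what gives it router admin, WAN and a path to the modem's management address; nothing else forwards into lan, wanonly or adminonly, so none of the three devices can reach another, and the unchanged wan zone (input/forward REJECT) still keeps everything unreachable from the WAN side.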

The first VLAN should have WAN and LuCI access.
So I tried to create this:

VLAN:      port 1
           id 10
Interface: 192.168.10.1
Firewall:  input 'ACCEPT'
           output 'ACCEPT'
           forward to WAN

With my IP address of 192.168.10.2 and connected to port 1, I get "Destination port unreachable" when I ping 192.168.10.1 and can't connect to LuCI. Here's my configuration:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 8t'

config switch_vlan
        option device 'switch0'
        option ports '0 8t'
        option vlan '10'
        option description '10'

config device
        option type 'bridge'
        option name 'br10'
        option bridge_empty '1'
        list ports 'eth0.10'

config interface '10'
        option proto 'static'
        option device 'br10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
		
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name '10'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network '10'

config forwarding
        option src '10'
        option dest 'wan'

Change the name to something alphanumeric for the network and firewall zone. For example vlan10 instead of 10

Also, did you specify the address manually on the host you used to test? Did you properly set the subnet mask and gateway?

Also, this switch configuration doesn’t match what you showed earlier. Is this the same device?

That worked. Thanks!

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

In the guide why is Output set to accept when we don't want the guest network to be able to access the router? What happens if I change it to reject or drop?

Is the bridge device only needed for wireless? For wired can I select eth0.X as the device instead of the bridge?

If I specify DNS servers do the clients need to specify the router as the DNS server? If they specify a different DNS server in their network settings does it bypass the router's DNS server?

Output controls the traffic as it comes out of the firewall towards the zone/network. It needs to be accept in the vast majority of cases.

A bridge is required for WiFi on two radios or WiFi + Ethernet. If you are using Ethernet only on a swconfig based device, a bridge is not required.

What is your desired situation here? You can specify public dns (or some alternate dns) servers via dhcp option 6 and many clients will use that. Some clients may have hardcoded preferred dns servers. You can utilize dns hijacking if you want to force the use of specific dns servers or the router itself.
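To make the DHCP option 6 and DNS hijacking points concrete, here is an added example that is not from anyone in this thread. It assumes a guest-style network and firewall zone named wanonly already exist, and uses Quad9's resolvers (9.9.9.9, 149.112.112.112) purely as sample addresses. The first stanza is the soft option (advertise a resolver, clients may ignore it); the redirect plus the 853 rule is the enforcing option; you would use one or the other, not both.

```uci
# /etc/config/dhcp -- soft option: hand clients a public resolver via DHCP option 6.
# Clients that honour the lease use it; a client with a hard-coded resolver does not.
config dhcp 'wanonly'
        option interface 'wanonly'
        option start '100'
        option limit '50'
        option leasetime '12h'
        list dhcp_option '6,9.9.9.9,149.112.112.112'

# /etc/config/firewall -- enforcing option: every packet from the zone whose
# destination port is 53 is DNAT'ed to the router itself (a DNAT redirect with no
# dest_ip targets this device), so a hard-coded resolver still lands on dnsmasq.
# The zone's input policy (or a rule) must accept port 53 on the router, or the
# redirected packets are rejected on arrival.
config redirect
        option name 'wanonly-dns-hijack'
        option src 'wanonly'
        option src_dport '53'
        list proto 'tcp'
        list proto 'udp'
        option target 'DNAT'

# The redirect only sees plain DNS. Close DNS-over-TLS (853) as well; DNS-over-HTTPS
# shares port 443 with ordinary web traffic and cannot be blocked by port number.
config rule
        option name 'wanonly-no-dot'
        option src 'wanonly'
        option dest 'wan'
        option dest_port '853'
        list proto 'tcp'
        list proto 'udp'
        option target 'REJECT'
```

The redirect is applied before routing, which is why it catches queries addressed to an outside resolver; the rule for 853 is an ordinary forward-chain rule and, like any rule, is evaluated before the zone's forwarding to wan.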

I was wondering if I should not run dnsmasq and ntp on my relatively underpowered router.

Unless you have a large network, dnsmasq doesn't add significant load to the system. Same is true with NTP, although it's not terribly common for users to even run an NTP server (as compared to NTP client).

dnsmasq is responsible for both DHCP services and DNS. You can easily offload DNS to a public DNS server, but it won't make a significant difference. Alternatively, if you have another device such as a pihole, you can use that for both DHCP and DNS... again, not necessary from a resource perspective.

To be clear, the routing and firewall services are far more significant in terms of the resource utilization, and you need those for your router (an AP doesn't use the features).
