I have a series of devices on my home network that I don't control/trust: IoT stuff and a managed corporate laptop, for example. I'd like to place these on a separate network that can only go through my home router to reach the internet without getting to the other devices on my LAN. A crude diagram may be more helpful:
As things currently stand, the Corporate Laptop can ssh into Local NAS, but I'd rather that the NAS was entirely invisible/unreachable to everything behind the OpenWrt router. Is that even possible? If not, is there a better way to do this barring replacing the ISP router with OpenWrt?
Actually, you can block the entire 192.168.1.0/24 subnet... just make a firewall rule that drops all traffic from the lan zone to 192.168.1.0/24 and you're done.
No. It blocks the OpenWrt lan zone from having direct access to the upstream router, but it does not block the internet traffic. The reason is that the OpenWrt router itself is responsible for connecting to the upstream gateway (192.168.1.1).
Think of it like this: 192.168.6.3 > 192.168.6.1 (192.168.1.4 on the wan) > 192.168.1.1
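The rule described in the replies above, written as a section for `/etc/config/firewall` on the OpenWrt router. This is an added example, not a configuration posted by anyone in the thread; it assumes the default zone names `lan` and `wan`, and the rule name is made up.

```uci
# Added example (not from the thread). Assumes the default OpenWrt zones:
# 'lan' = 192.168.6.0/24 behind OpenWrt, 'wan' = the port facing the ISP
# router's 192.168.1.0/24 network.
config rule
	option name 'Block-upstream-LAN'   # constructed name
	option src 'lan'                   # packets arriving from the OpenWrt lan zone
	option dest 'wan'                  # src + dest set: applies to forwarded traffic only
	option dest_ip '192.168.1.0/24'    # the ISP router's LAN, including the NAS
	option proto 'all'                 # all protocols, not only TCP/UDP
	option target 'DROP'

# Why internet access keeps working:
# - A packet from 192.168.6.3 to an internet host carries the internet host's
#   address as its destination IP, so dest_ip 192.168.1.0/24 does not match.
# - 192.168.1.1 is only the next hop used by the OpenWrt router (192.168.1.4
#   on the wan side); traffic the router originates itself is not forwarded
#   traffic and is not covered by this rule.
```

After reloading the firewall, an ssh attempt from the corporate laptop to the NAS address should time out while ordinary internet access from the same laptop still works.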