How to isolate portion of the LAN and keep separate internet access?

Hi there,

I have a slightly modified setup where OpenWRT runs the DHCP server but not the APs, the APs themselves being two repurposed routers.

The effect is that any device on the network, either wired or wireless, gets its LAN IP from OpenWRT. I'm sharing the connection with a neighbour, so all my network shares are passworded of course, but I still would like to increase privacy by a notch. This isn't a question about setting up a guest wifi.

The neighbour has 3 devices that need to communicate together, and I assigned him a portion of the IP pool so I can readily know who's who.

What would be the simple way to keep all of his devices communicating together while making mine completely invisible from his side?

Why not? This sounds exactly like the right approach. Can you explain why you think that there should be some other method and/or what's wrong with the guest network recipe in your situation?

2 Likes

Because AFAIK devices cannot communicate together on a guest Wifi, and this OpenWRT installation doesn't manage Wifi in the first place.

So you have a router/firewall (no wireless) and you have 3 dumb access points? VLANs are the way to go.

You need an additional SSID, possibly VLANs to the router and an additional firewall zone for your neighbour. Keep in mind that you are possibly sharing the same public IP, registered to you.

1 Like

What APs are you using? Are they vlan aware? If not, is installing openwrt an option for these devices? (We can help determine if they are supported; you can tell us if you are willing/able to install openwrt if they are)

As said. Obviously my neighbour has the same public IP address. The OpenWRT main router doesn't manage any SSID; these are separately managed by each AP. Both APs theoretically support OpenWRT although one requires hacking (Xiaomi Mi 4A); the other already has it installed but boots read-only for a reason I have yet to understand (most probably a faulty config on my part when I tried to use a USB key as root partition) (D-Link DIR825). Only the Xiaomi manages the neighbour-connecting SSID, and given its crippled Chinese firmware, I'm not sure it is VLAN-aware.

I had a quick read about the VLAN, but documentation is still unclear on whether this would work when APs are not directly connected to any LAN port on the router.

I'm restating your requirements to ensure that I understand it properly (please correct me if I've misunderstood):

  • allow your own devices to communicate with each other
  • allow your neighbor's devices to communicate with each other
  • isolate the two sets of devices (yours, your neighbor's) from each other

In order to achieve your goal, you must use a guest network type setup (or, a much more complicated WPA2-enterprise configuration with a RADIUS server). It is not possible to isolate your devices from your neighbor's devices when using a single subnet.

The ideal setup is fairly straightforward:

  1. set up a new subnet as a VLAN on your main router that allows routing to the internet, but not between the two LANs (i.e. isolate the two networks)
  2. Configure the APs with 2 SSIDs, each SSID linked to one of the VLANs.

For this to be possible, your APs must be VLAN aware and must be able to set up multiple SSIDs on each device. It sounds like your APs don't currently support those features, so you'll need to consider installing OpenWrt on them. Or you could replace your APs with ones that are already VLAN aware (or on which OpenWrt can be installed more easily).

Beyond that, I don't see a path for you to achieve your stated goals.

1 Like

Yes, those are the requirements. The other, unstated one was to spend the least amount of money. I chose the Xiaomi because it was at the time the only sub-$40 router with dual band and decent range. OpenWRT compatibility wasn't important. Seems there's an exploit to install OpenWRT on it, but the very first instruction isn't clear:
how would I set up a TFTP server on my computer in the first place?
"Setup a DHCP server and a static address"? Where, on my computer or on the router? WAN or LAN side?
Plus Python compatibility… Not necessarily straightforward.

Best as a weekend project, but not doable in 30 min.

BTW… Would it be feasible to simply reset the Xiaomi as a regular router with its own LAN-side subnet, and create a DMZ on the OpenWRT router?

Yeah, you can just use the Xiaomi as a normal router, add some traffic rules to reject traffic from the IP of the Xiaomi and/or the subnet of the Xiaomi.

Should be OK with Double NAT or DMZ.

So should the Xiaomi's wifi provide access to both networks? Wouldn't it in this case still pass the L2 traffic if not offering multiple SSIDs? The Wifi is likely bridged; it also has a switch, so it will do MAC-learning. Without an additional SSID and VLAN/dedicated cable, there should be some L2 firewalling as well. If it is only for the neighbour, just connect it to an untagged VLAN with a dedicated cable to the OpenWrt router. It should have a second logical LAN interface and eventually its own firewall zone in this case.

If you use the Xiaomi as, in essence, a router, there won't be any L2 traffic from the neighbor to your LAN. I mean, you're already trusting him to the extent that you have him on your subnet, so anything better than this would be a win. Whatever works to get you up and running.

If it's only for the neighbor, then you might not need VLAN at all if you have one of the models that is DSA based. You could just bridge that particular port on the OpenWrt to its own network (and if it's not DSA then you can just configure the port as an untagged VLAN and bridge it to its own network).

In the end, the best way to achieve what you want is to flash the Xiaomi with OpenWrt and use VLAN for proper isolation.

In an ideal scenario, yes. I can manage with only the 5GHz band (=SSID) and keep my neighbour on 2.4GHz, and still have two other SSIDs available for my usage. Connecting the Xiaomi AP directly to the OpenWRT router is indeed an option. However since this router (Let's call it by its name, TP-Link Archer A6, A6 for short) just replaced a previous unit (Cisco EA4500) that had an unsolved critical bug in OpenWRT, I didn't want to spend too much time configuring a router that may be replaced at a moment's notice.

From what I read, a few solutions:

  • Connecting Xiaomi directly to the A6 would probably help in setting up a VLAN, but since VLAN is port-based, I'd lose two SSIDs out of four. I can live with it, though.
  • Or reconfigure Xiaomi as a regular router, put its WAN-facing IP in a DMZ on the A6 so as not to have to configure two firewalls
  • Or find the time and a way to properly install OpenWRT on the Xiaomi, configure it as a VLAN-aware AP with SSIDs managed by the A6, and build from there.

Maybe stock Xiaomi firmware allows for guest SSID, I've got to check…

Ok so if you have a A6v2 then the Xiaomi is going to perform better as a router whereas an A6v3 is going to perform about the same.

I don’t see any reason that you’d lose any SSIDs when using the Xiaomi (or the A6 if you switch them around, but I’ll just use the Xiaomi as an example from now on). You can basically have as many SSIDs as you want and attach them to various VLANs.

If you want to use the Xiaomi as a router then it’d (probably) be limited to just guest SSIDs because the router would have its own subnet and you don’t want that for your private SSIDs.

If you do flash OpenWrt on the Xiaomi, you could even use it as a combined AP/Router. (AP for private SSIDs and bridged to the main router, and Router with own subnet for guest SSIDs). That way you don’t have to mess with VLAN at all. You might have to manually edit the MAC address of either the Router/AP so that they appear as 2 separate interfaces to the main router though.

Keep in mind that if you run a double-NAT for your neighbor's network, you will actually isolate in one direction, but maybe not the one you care about...

Your neighbor would be able to access your network, but you would not be able to access theirs.

That said, if you are considering setting one device up as a dedicated AP for your neighbor, you can use your OpenWrt router to set a port with a different subnet that is isolated from your network.

2 Likes

I think the idea was to use the Xiaomi in a "router" mode in order to break the L2 connectivity between the networks, and to use two subnets between the routers with firewall rules in order to prevent the L3 connectivity. This does not necessarily involve double NAT.

The Xiaomi also has gigabit ports and is likely to outperform the A6 as a main router, since it is dual core and likely to have some accelerations in place with the stock firmware, so there is another option — to physically swap the routers and to easily set up two SSIDs within different networks — The owner's SSID could be bridged to the WAN, NAT to be used for the neighbour's network (LAN) and firewall rules to permit the communication of the router's IP only to the gateway.

1 Like
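The dedicated-port setup suggested in this reply and in the "ideal setup" list earlier in the thread, written out as OpenWrt UCI fragments for the A6. This is an added example, not a config from the thread; the port name lan4, the 192.168.50.0/24 subnet and a DSA-based build are assumptions (on a swconfig build the same port would be carved out as a VLAN on the switch instead of listed under a bridge device).

```text
# /etc/config/network  (also remove 'lan4' from the 'ports' list of br-lan)
config device
	option name 'br-neighbour'
	option type 'bridge'
	list ports 'lan4'                 # assumed: the A6 port the Xiaomi's uplink cable goes into

config interface 'neighbour'
	option device 'br-neighbour'
	option proto 'static'
	option ipaddr '192.168.50.1'      # assumed subnet; must differ from br-lan's
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'neighbour'
	option interface 'neighbour'
	option start '100'
	option limit '50'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'neighbour'
	list network 'neighbour'
	option input 'REJECT'             # no access to the A6 itself, except the DHCP/DNS rule below
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'neighbour'
	option dest 'wan'                 # internet only; deliberately no forwarding to or from 'lan'

config rule
	option name 'neighbour-dhcp-dns'
	option src 'neighbour'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
```

Because the neighbour's traffic now enters the A6 on its own interface, it has to cross the firewall to reach br-lan, which is what makes the missing forwarding effective; a reject rule aimed at the Xiaomi's address while it sits on the same subnet as your devices would never see that traffic, since it passes switch-to-switch at L2.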

Sorry I forgot to add, but this is the non-gigabit version, thus has a weaker CPU.

Because two of the four SSIDs are managed by the Xiaomi. The A6 isn't even aware of their existence.

I can't see a reason why, although for some reason ports 80, 23, 22 are open on the Xiaomi but I can't access its web GUI or get a prompt from the terminal. If I can't check the firmware version, I can't find the proper flashing instructions.

  • To set up guest SSIDs, I can either keep Xiaomi stock as a regular router, but would lose two SSIDs, and will need to configure the double-NAT properly; that wouldn't require any VLAN configuration
  • Or keep Xiaomi stock as an AP and connect it to a physical LAN port on the A6 so I can configure a VLAN that would apply to both SSIDs;
  • Or the cleanest solution: solve the login problem so OpenWRT can be flashed on the Xiaomi. From what I understand this would allow broadcasting a guest SSID alongside a private SSID, all while keeping each subnet isolated, given proper bridging/double-NAT. The A6 would still be unaware of the different APs, wouldn't it?

What I understand so far is that VLAN isn't possible without a direct connection.

An update:
As expected, I must have done something wrong when trying to use the acecilia exploit on the Xiaomi. It was successful in obtaining a root shell, but right after the wiki-described step where I'm supposed to write the downloaded firmware, the router failed to reboot and now displays an orange flashing light. Currently unsure if OpenWRT fails to boot or if it failed to install altogether.

Already tried:
following the debrick process linked in OpenWRT's wiki, to no avail. It may have something to do with my setup since I used a virtual Windows 7 with bridged NIC. TinyPXE loaded from Hoddys website doesn't show any scrolling or router-issued responses.

Xiaomi's own repair tool on the same virtual computer after disabling the antivirus (Trojan reportedly present), without result. Can't translate the interface since Chinese fonts aren't installed on this Windows, but I recognize a "Failed" icon when I see one.

Finally tried with manual IP assignment on Mac and TftpServer, but also failed since it claimed 192.168.1.2 was in use by another device (untrue).

Please correct me if I'm wrong, but I suspect there are two overlapping issues:

  1. PXE / TFTP and other low-level tasks are likely to fail when not using a hardware computer;
  2. 192.168.1.2 interferes with many default router configurations;

Side note on 1:
I wouldn't trust Xiaomi's tools on anything else than a "sacrificial" Windows install. While I have two "metal" Windows computers, only one has an Ethernet port and that's not one I'd be ready to format if needed.

I wouldn't say low-level if using IPs. The bridged NIC is more low-level than this.
If you are trying to do tftp and boot from it - you don't need Windows VMs, etc. I think it should be even possible to run it over the OpenWrt router if having sufficient memory/storage. You may try using some other device to verify if the TFTP and the DHCP server are working correctly and you have the options received.

It's likely doing ARP or there is already an ARP entry present. If bridged both the host and the guest OS will see the DHCP server. TinyPXE is likely providing its own DHCP server, so there should be no other DHCP server connected and the host PC should use some static (random) IP, not needed by the router and by the host with the TinyPXE.
You may monitor the connection with Wireshark to see if there's anything from the router.

If the bootloader is not damaged, you may connect it via the Serial/UART. If it's damaged, the device page (bootlog) shows the EEPROM being relatively easily programmable, so it won't be a complete brick.
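A way to do the check suggested above, verifying from some other device that the recovery TFTP server actually answers, before blaming the router. This is an added example, not something from the thread: it sends one RFC 1350 read request and classifies the first packet that comes back; the server address and the file name "firmware.bin" are placeholders for whatever the recovery procedure uses.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_reply(pkt: bytes) -> dict:
    """Classify the first packet a TFTP server sends back to an RRQ."""
    if len(pkt) < 4:
        return {"status": "malformed"}
    opcode, field = struct.unpack("!HH", pkt[:4])
    if opcode == OP_DATA:
        # DATA block 1 means the server is up and has the file.
        return {"status": "data", "block": field, "size": len(pkt) - 4}
    if opcode == OP_ERROR:
        # ERROR still proves the server is reachable; the message says why it refused.
        msg = pkt[4:].split(b"\0", 1)[0].decode(errors="replace")
        return {"status": "error", "code": field, "message": msg}
    return {"status": "unexpected", "opcode": opcode}


def probe(server: str, filename: str, timeout: float = 2.0) -> dict:
    """Send one RRQ to server:69 and report what came back, or that nothing did."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (server, 69))
        try:
            pkt, _ = s.recvfrom(1024)
        except socket.timeout:
            # No reply at all: wrong IP/subnet, server not listening, or a host firewall.
            return {"status": "timeout"}
    return parse_reply(pkt)


if __name__ == "__main__":
    # Placeholder address and file name; adjust to the recovery setup being tested.
    print(probe("192.168.1.2", "firmware.bin"))
```

A "timeout" from a second machine on the same cable points at the server side (VM bridging, host firewall, or the server not bound to that address), while a "data" or "error" reply means the TFTP part works and the problem is the router not requesting the file.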