Improving my network topology

There were some Netgear switches that were actually cheaper than the TP-Link ones not long ago. This may or may not be true anymore for a variety of reasons. Although I really don't like the Netgear UI on certain switches, the functional aspects are better than the entry level TP-Link ones.

EDIT: looking at Amazon now, I see a Netgear switch for $35 and a DLink one for $30. I haven't used those devices, so I can't say how good or bad they are, but there are numerous inexpensive options. Also, I have a USW Flex Mini ($29) that is actually pretty good, although it has a few other limitations (2 in particular: 1) ports can only be configured as a trunk with all configured VLANs or as access ports; 2) you must use the Unifi software to configure it -- works for me since I already use Unifi equipment in my network, but not necessarily a good option for those not invested in Unifi).

Apparently the GS308E doesn't do LAG ... the D-Link looks like a solid device that has a proper manually assignable management vlan, DSCP based QoS, and such.

The manual is here: https://support.dlink.com/resource/PRODUCTS/DGS-1100-08V2/REVA/DGS-1100-08V2_REVA_MANUAL_v1.00_WW.pdf

Fair enough. But on small switches (especially 5 ports), I think the lack of LAG capabilities is usually not a big deal.

Back to the network topology questions and recommendations...

I would suggest the following:

  • Designate one OpenWrt router as the main/core router.
    • On this main router, configure 2 (or more) internal networks: trusted LAN and IoT.
    • Designate one ethernet port on the router as a trunk port (carrying both networks) which will connect to your switch.
    • Set up an SSID for each network on the main router.
  • Set the other OpenWrt router as a dumb AP.
    • This dumb AP will be configured with the same two SSIDs
    • You'll also set up an ethernet port as a trunk that carries both networks, just like the main router
  • Replace your unmanaged switch with a small, inexpensive managed unit so that you can work with VLANs.
    • Set 2 ports on the switch as trunk ports -- these two ports will be connected to the main router and the dumb AP
    • Set 2 ports as access ports (one network, untagged) for the trusted LAN
    • Set 1 port as an access port for the IoT network (this will come in handy for testing)
  • If possible, remove the ISP router altogether, or if you can't remove it, maybe you can change the ISP gateway into a true bridge/pass-through mode such that it passes your ISP issued IP address directly to the WAN of the main OpenWrt router. (this helps avoid double NAT).

Your main router will now be "in control" of the entire network. This means that the primary router can handle DHCP for all devices on both networks, and the firewall on that device can allow or restrict access from one network to the other and/or from either network to the internet. All of the real configuration and most general adjustments you'll make to your network will happen just on this one device.

The secondary router will serve only as an AP. Basically all it is doing is acting as a wired <-> wireless bridge device. Aside from the initial setup and tuning your wifi radios, you won't need to mess with this one much at all after things are working.

The port on the (managed) switch that I recommended making an access port for the IoT network will allow you to plug in a wired device easily so you can test things on that network to verify that everything is working correctly. It can be useful to do the same on each of the routers (1 port each), at least for initial testing, so that you can verify that the trunks are working properly.

2 Likes

Yes, that is more or less what I had in mind as I read your (and others') advice.

Putting all in one main router (the most powerful one) would be easier to maintain.

But I can see two disadvantages:

  • It puts all the load on one router. Since my routers are not all that advanced (a FritzBox 4040 and, for now, a TL-WR1043ND, although I will probably buy another one), separating DHCP and DNS would balance the load.
  • Having two DNS servers for two domains (.home and .iot) is not supported by default in OpenWrt. You have to tweak it and there is no LuCI support for it, as far as I know. So it would make the task of maintaining it difficult, having to use config files and commands (something I would like to avoid, as I would forget all about it after 3 months of not touching anything in the router).

I will try to prototype that solution with two old routers from ISPs and the tplink as switch.

For now I will not be able to eliminate the ISP router completely.
I could buy an ONT, connect it to the fiber and bridge all data to the main router through the WAN ethernet port.
But that comes with two problems:

  • The support from the ISP would be null from that moment. Each time there is a problem, they would say that they can do nothing as the router is not their router.

  • The ISP router provides TV signal and PHONE (VoIP) using two VLANs that get separated at the router, directing TV to one of the ports (where the decoder should be connected) and directing the VoIP to an internal analog phone port. I don't mind TV as I don't subscribe to ISP channels, and in case I wanted to do it, with the managed switch it should be easy to direct the VLAN traffic to any port on the home routers to install the decoder there.
    But I need the phone signal, and at the moment I am not prepared to fight with a phone PBX configuration. It would be great to have it, and be able to answer the phone from other devices or when you are away from home, but it is complex and at the moment I cannot take that path.

  • The router lets you put it in bridge mode, but partially, directing only the internet VLAN traffic to the WAN port of the main router. That is what I will try to do. Another solution is using DMZ and static routes to solve double NAT problems, if the bridge mode does not work as expected.

@dlakelan and @slh, thanks to both of you for your suggestions.

The Zyxel in the USA may be $35 but here on Amazon Spain or Germany it is about 105, here: Zyxel Conmutador Gigabit de 8 Puertos | Smart Managed | Montaje en Pared y sin Ventilador | VLAN, IGMP, QoS | Garantía de por Vida [GS1900-8] : Amazon.es: Informática

There is this other Zyxel: Zyxel Gigabit Switch de 5 puertos - web configurable [GS1200-5] : Zyxel: Amazon.es: Informática
It says that it has VLAN and IGMP, but I don't know more about it.

Even if it is not OpenWrt compatible, if you can configure the VLANs it would do the task, with no need for much other config or installing other modules.
I would prefer using OpenWrt if possible, in order to use just one interface and be confident of how OpenWrt works.

TP-Link has this other one: TP-Link TL-SG105E Unmanaged PRO Switch, 5 Puertos Gigabit Inteligente, Plug and Play, Gigabit Puerto, Caso Metal VLAN, QoS, Software de Gestión Inteligente Fácil, Negro : Amazon.es: Informática that supports IGMP and VLANs, and says it is managed.

And Netgear: NETGEAR Switch Ethernet de 8 puertos GS308E, Switch Gigabit Smart Plus, hub Ethernet metálico de sobremesa, negro : Netgear: Amazon.es: Informática
This one says that it has smart managed (not sure if that makes it a managed switch) and VLANs and QoS. It does not mention IGMP (not sure if I need IGMP; I don't have TV from the ISP, but the NAS provides video streaming).
This one is not in the compatibility list, but the GS108T is. I don't know if it can work with the same firmware.
I could not find the GS108T.
There are these other two, which seem to be similar: GS108E with an 8 or 5 port model. It has the advantage of having 2 Gb Ethernet.
Netgear GS108E-300PES - Switch conmutador de red gestionable de 8 puertos Gigabit RJ-45 (2000 Mbps de ancho de banda, con control de red, QoS y VLAN, carcasa metálica) : Netgear: Amazon.es: Informática

They have basic VLANs and QoS, but are not completely managed (and, it seems that that is the intelligent one for full VLAN management with voice traffic, I don't know what exactly the difference is).

I don't think this is necessary at all. When talking about IoT networks, most of these types of devices have relatively low bandwidth requirements and are not likely to significantly increase the load on your network. And unless there is significant inter-VLAN traffic (very unlikely), chances are that you will not have enough differential load to justify the additional complexity of trying to split the routing. Besides, something has to absorb all of the internet load anyway -- be it your primary router or the ISP router.

I haven't tried this and I don't know if OpenWrt can handle this easily or not. But I'd recommend trying something like PiHole instead of trying to split the routing and DNS handling. You'll find that it won't be any easier if you have 2 different devices (routers in this case) doing different things.

I understand your reasoning.

Pure bridge mode will pass your ISP issued IP address to the WAN of your downstream router. If you can't do this, you'll have a NAT layer there. You could use static routes (if the ISP router supports it) to prevent double-NAT (masquerading), but this may or may not be necessary anyway. Cross that bridge when you get there.

All managed switches will be able to be configured to handle VLANs using their standard firmware. The user interface differences between each vendor/firmware mean that some will have better UIs than others, and some of the details about how to configure the switches could be a bit different... but all of them are standards compliant and they'll all do the job.

OpenWrt support on managed switches is actually quite new, and it may or may not be easier to use than the stock firmware. There may even be major differences between the way you work with OpenWrt on your routers vs switches (i.e. swconfig vs DSA), so you may not find it as similar as you expect.

This is the one I personally dislike (see my comments earlier in the thread). It will do the trick, but if there are other options in the price range, I'd recommend looking at those instead.

TP-Link has muddied the waters with their naming "unmanaged pro switch" -- which makes it sound like it is a simple unmanaged switch, despite the fact that it is configurable/VLAN aware/manageable. Anyway, there are nuances (and often marketing words) that differentiate different classes of "managed" switches -- you'll see words like smart, VLAN aware, managed, fully managed, L2+, L3, etc. There are differences between these switches (for example: L2+ and L3 features often include some basic routing support -- typically only useful for really large and complex networks), and the features available do vary depending on the intended market/application as you move from home networks up to enterprise. But all switches that have VLAN support will work for your needs and can be called "smart" or "managed" in this context.

This is getting difficult. Thanks for all the guidance.

What about the Netgear GS108E-300PS? There is an 8 and a 5 port version, at very reasonable prices (35€), and they seem not big.
It is said to be managed and to have VLAN, QoS and 2Gb (some of my computers have 2Gb, but for now it won't be a must, as most of the infrastructure is 1Gb).
It is strange that the 8 port costs a little bit less than the 5 port.

It is a Plus series, not Intelligent or fully managed; I don't understand the differences, nor do I know if I am going to need all that management. I just need VLANs and maybe IGMP snooping (maybe for streaming?) and QoS (I don't manage that myself, but maybe some apps do in order to get a continuous stream).

Netgear GS108E-300PES - Switch conmutador de red gestionable de 8 puertos Gigabit RJ-45 (2000 Mbps de ancho de banda, con control de red, QoS y VLAN, carcasa metálica) : Netgear: Amazon.es: Informática

I have tried to configure two routers with the two VLANs and a direct connection (no switch).
But it does not work. The home LAN works as expected, and I can ping the interface of the IoT LAN in the main router, but not the IoT interface of the secondary router.
Something I am doing wrong.

After reviewing, I will post screenshots of the configuration of both routers.

Yes, this should be fine. I should have added "plus" to my list of terms above.

Yes, these are standard features of any switch that is configurable and supports VLANs.
The 2Gb thing is a bit of a marketing ploy: it is actually 1Gbps Tx + 1Gbps Rx. All gigabit connections have this capability (called full duplex).

IGMP snooping is not likely to help you here... it is useful for "containing" high bandwidth streams that should not be forwarded to the upstream network.

1 Like

:rofl: now they count full duplex as 2Gb... There are 10 Gb cards, probably not giving that speed; I thought they were being honest and stating the real speed the switch can achieve.
But no, they are being dishonest, what a surprise, nowadays.

Ok, then that switch will do.

Let me concentrate on the configuration to see if I can get it to work.

If I understand it well, I have to create VLAN 15 in the switch and mark it tagged on the port that connects the routers and on eth0 (it will be eth0.15)

Then create a bridge device (br-iot) and add as base device eth0.15 (or is it eth0?).

Create an iot interface and assign br-iot as device (iot interface)

Create a new wireless network (iot) and assign it the iot interface.

In one router (the main router) it works as expected and assigns MAC addresses to all the devices.
But in the other one the bridge br-iot does not seem to work: it does not get a MAC address, and I cannot ping the IP of that router on the iot interface from the other router.

But if I change the iot interface and assign it the eth0.15 VLAN device instead of the br-iot bridge, it works, and I can ping it from the other router or from a PC connected to the home LAN on the other router.

So the VLANs seem to be working and it is a problem with the bridge. But the other bridge in the main router works correctly, as the iot interface in it is connected to the br-iot bridge, not the eth0.15 VLAN device.

How should I put my configuration here?
I can capture images from LuCI and put them here...
Or use the text configuration and put them here.
But don't know exactly where do the config files reside for switch, devices, interfaces, wireless AP and firewall.
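The dumb-AP side of the steps described above (tagged VLAN on the inter-router port, br-iot bridging eth0.15, an iot interface on the bridge, an SSID bound to it), written out as UCI configuration. This is an added example, not the poster's own configuration or screenshots: it assumes a swconfig-based router where switch port 0 is the CPU port and port 1 is the cable to the main router (port numbers vary per model), VLAN 15 as in the post, and a constructed 192.168.15.0/24 IoT subnet.

```uci
# /etc/config/network on the dumb AP (swconfig switch; port numbers are assumptions)
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 (trusted LAN): tagged on the CPU port 0 and the trunk port 1, untagged on access ports 2-4
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1t 2 3 4'

# VLAN 15 (IoT): tagged on the trunk and the CPU only, which is what creates eth0.15
config switch_vlan
        option device 'switch0'
        option vlan '15'
        option ports '0t 1t'

# br-iot bridges the tagged VLAN device; a wifi-iface with network 'iot' joins this bridge automatically.
# If br-iot never gets a MAC address, look for a stale device section with the same name left over from earlier tests.
config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'eth0.15'

# The iot interface sits on the bridge, not directly on eth0.15. Static address, no gateway and no DNS:
# the main router routes, serves DHCP and answers DNS for this network.
config interface 'iot'
        option device 'br-iot'
        option proto 'static'
        option ipaddr '192.168.15.2'
        option netmask '255.255.255.0'

# /etc/config/dhcp on the dumb AP: it must not hand out leases on either network
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'iot'
        option interface 'iot'
        option ignore '1'

# /etc/config/wireless: IoT SSID bound to the iot interface (same SSID and key on both routers)
config wifi-iface 'iot_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'iot'
        option ssid 'iot'
        option encryption 'psk2'
        option key 'PLACEHOLDER-IOT-PASSPHRASE'
```

The main router's iot interface is the same apart from the address (192.168.15.1 in this example) and its dhcp section for iot without `option ignore '1'`; the secondary router's lan interface is left as on any dumb AP, with the same VLAN 1 bridge and DHCP disabled.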

I have it working now in the test environment with the two routers.
It was a strange error; it seems that there was a deleted br-iot device from previous tests that was not completely deleted.
I had to recreate everything a couple of times, but now it shows the MAC correctly and I can ping, from a computer connected to the home LAN on the main router, the IP in the IoT LAN of the secondary router.

Now I have to test among devices connected using wifi and see if they can connect from home lan to iot but not the other way, from iot to lan, just among iot devices.

For now I have set the secondary router as the DHCP server and name server for the IoT LAN, in order not to have DNS conflicts (I don't know how to create two DNS servers in one OpenWrt router).

But when I have learned to do that, I will centralize DHCP and DNS in the main router (I need a new router too).

Do you think that the TP-Link Archer C2600 will be a good router?
It has WiFi AC beamforming, USB 3.0 ... and

It does not have WiFi 6E, or ACx, but I have no devices compatible with that for now. It costs about 115€ and is compatible with OpenWrt.
[OpenWrt Wiki] Techdata: TP-Link Archer C2600 v1.0, v1.1

And investing too much in having the fastest WiFi does not pay back here, as 2.4 GHz and 5 GHz are quite crowded, with no channel available for the wide bands; nothing like 160 MHz contiguous is free of interference, so I suppose you cannot get those speeds, and the main computers are wired.

1 Like

Well I have been testing the configuration.

And it seems to work EVEN with the unmanaged and not VLAN aware switch in between.

I have configured two test routers connected by a wire, with a LAN and an IoT VLAN on it, through the switch. And I can ping between two devices connected to the IoT WiFi of each router, so it seems to work OK.
Anyway I will upgrade the switch to a managed switch (and maybe PoE, to be able to provide an access point in one room without having to add an electrical cable, as there are some wall APs with PoE that look like just an Ethernet socket).

But I am not sure of having configured all things OK.
And there remain some problems with DHCP and DNS that I could not solve yet.

This is the switch configuration of the main router:


VLAN 1 is the one that transports the main traffic, the LAN with no internet connection restrictions.
VLAN 2 is for the WAN port, to route traffic to the ISP, as this router has the WAN port integrated in the switch.
VLAN 4 is the one I created for the IoT network, for IoT device interconnection with no internet connection.

Port one is the one that connects to the other router via ethernet cable (with the unmanaged switch in the middle).

The other router has the same config with no wan vlan or interfaces.

Then I created a bridge device for the interconnection of the IoT WiFi and VLAN 4 (iot) in both routers:

The other tabs are left as they are by default.

Then I created the IOT interface, with the iot bridge as base device.

And I created a firewall zone:

And configured dhcp server in the main router (in the other router it is disabled for both, lan and iot networks):

The other router has the same, but with a different static address (of course) and DHCP disabled.

And lastly, I created the wifi SSID and assigned it the IOT interface:

The other router has an identical wireless config.

And to end with, the firewall rules, just dropping all outbound traffic from the iot zone and accepting only traffic from the lan zone (same for both):

Is this correct?

You told me that in iot zone input should be "reject". But won't that drop incoming connection from lan network?
Or the reject option is just the default for all other zones not explicitly listed as source for iot zone?

It seems to be working (I have to test it more and see if the isolation is working correctly).

But I have some problems.
As it is now, the main router provides DHCP to both networks and DNS.
But it cannot provide DNS registration for the IoT network, as there is only one domain you can configure in the dnsmasq LuCI interface.

You have provided an advanced method to install two dnsmasq instances in the main router, but then it seems that you cannot configure DNS through the LuCI interface, something I would like to avoid.

The DNS for the IoT domain could be assigned to the other router, but in order to get proper registration of devices that are given a lease, the DHCP should be running on that router.
I could activate it and assign IPs to the IoT devices just on the IoT interface of the secondary router, and to the LAN interface on the main router.

But even if only one of the routers is assigning IPs to one network, when you activate both there is a conflict and one of them stops assigning IPs.
I have tried to use the "listen interface" option in the DNS config panel, but it does not seem to work as I had expected.

Is it possible for a DHCP instance to register the devices that have been granted a lease in a DNS instance that is running on another OpenWrt router?

Input means packets destined for the router.

From where, from an unknown zone or external?

So I should set it to reject and yet let lan devices, even those connected to the other router, connect to devices in the iot network on this router?

From any zone, as defined in the firewall. So your IoT network has input = accept. This means that if a device on the IoT network wants to connect directly to the router (i.e. the administration features, or any other services running on the router itself), it will be able to do so without restriction. The reason that input should be set to reject (or drop) for the untrusted zones (wan, iot) is that you don't want devices on those networks to be able to make any connections to the router itself except what is explicitly allowed. Usually you'll want to set up firewall rules with the corresponding source zone (iot in this case) that accept DHCP (UDP+TCP ports 67-68) and often DNS (UDP+TCP port 53) so that the devices will have normal network/internet connectivity automatically.

1 Like
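The zone policy explained above, together with the lan-to-iot forwarding asked about earlier in the thread, as an added /etc/config/firewall fragment for the main router. This is example configuration, not the poster's own rules: zone and rule names are this example's, the default wan zone is left as OpenWrt ships it, and there is deliberately no forwarding from iot to wan or to lan.

```uci
# /etc/config/firewall on the main router (example; names are this fragment's own)
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# input REJECT: iot devices cannot open connections to the router itself except what the rules below allow.
# forward REJECT and no 'forwarding' entry with src 'iot': iot traffic is not routed to wan or to lan.
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Zone forwarding is what lets lan devices (wired, wireless, or behind the dumb AP) reach iot devices.
# It is independent of the iot zone's input policy, and connection tracking lets the replies flow back.
config forwarding
        option src 'lan'
        option dest 'iot'

# DHCP requests from iot clients to the router's dnsmasq (DHCP itself only uses UDP 67-68)
config rule
        option name 'Allow-DHCP-IoT'
        option src 'iot'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

# DNS queries from iot clients to the router's dnsmasq, both transports
config rule
        option name 'Allow-DNS-IoT'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

With this in place an iot client can obtain a lease and resolve names but gets a reject for anything else aimed at the router, and a lan host can still reach an iot device because the forwarding entry, not the iot input policy, governs that path.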

Thanks a lot. I had completely misunderstood the meaning of input.