Isolating devices on openwrt - advice needed

On my network I want to accomplish the following setup:

Currently:

Modem -> Wired router with openwrt (handling dhcp) -> wireless router with openwrt as an access point -> single SSID

In this configuration all devices in the network can ping each other.

What I want:

The same hardware configuration as above, but with the following changes:

Two SSIDS from the wireless access point, a guest SSID and a regular SSID. They should be completely isolated from each other.

Additionally, I want all ethernet connected devices to be inaccessible from devices on the guest SSID.

So in short, I want to add another SSID that's isolated from the rest of the network. I've been browsing the documentation on guest networks and vlans, but they assume a single router/ap setup. Also, the behavior of openwrt out of the box looks like it doesn't isolate vlans from one another.

So my question is, what's the best way to accomplish guest ssid isolation from the entirety of the rest of the system, assuming a primary wired router connected to the modem and providing dhcp, and a secondary wireless access point providing both the guest ssid and the main ssid.

There are two ways you can do this:

• preferably, set up the guest network on the main router, use VLANs to connect it to the ap. This requires either a direct connection from the router to the ap. Or a managed switch between the two devices (an unmanaged switch will not be suitable).
• alternatively, you can setup the guest network on the ap only. This is less optimal because you have two different devices handling the routing, but is still possible.

What do you want to do?

Probably the former. The AP and router already are directly connected.

use VLANs to connect it to the ap.

This part is confusing to me as I'm not sure where the documentation is for it

There isn’t a great guide for VLANs because there is nuance. But start with the guest WiFi guide - skip the parts about the WiFi stuff, but create the new network and firewall rules. Then we will connect it to the Ethernet port with VLANs. And finally we will configure your ap.

Post your configs once done.

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

skip the parts about the WiFi stuff, but create the new network and firewall rules. Then we will connect it to the Ethernet port with VLANs. And finally we will configure your ap.

Thanks, to be clear, I do all of this on the wired router, not the AP?

Yes. Exactly. We will get to the ap after.

great, thank you. give me a few minutes.

I already have some (probably dumb) questions:

1. and fill out your chosen IPv4 address.

Chosen how? should this be in the existing range of ips used by the dhcp server? or outside of it?

2. you will also need to enable dhcp

I see so dhcp will be handled separately for each lan and over a separate set of ipv4 local addresses?

here's what I have so far, the traffic rules step is confusing me and I don't want to mess it up:

Finished the rules

image944×212 27.6 KB

One thing that isn't clear to me is what device guestlan should be connected to, if any.

On the surface, this looks good and we'll connect it to ethernet shortly.

I need to know which port the AP connects to, and then I need to see the config to verify everything and then make the appropriate changes:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

 ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "TP-Link ER605 v2",
        "board_name": "tplink,er605-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

 cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'PREFIX'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config device
        option name 'eth1'
        option macaddr 'MACADDR'

config device
        option name 'eth2'
        option macaddr 'MACADDR'

config device
        option name 'eth3'
        option macaddr 'MACADDR'

config device
        option name 'eth4'
        option macaddr 'MACADDR'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '0'
        list dns 'DNSSERVER'

config device
        option name 'eth0'
        option macaddr 'MACADDR'

config interface 'wan'
        option proto 'PROTO'
        option device 'DEVICE'
        option username 'USERNAME'
        option password 'PASSWORD'
        option ipv6 'auto'
        option peerdns '0'
        list dns '192.168.0.2'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid 'VID'
        option name 'PROTO.VID'

config interface 'guestlan'
        option proto 'static'
        option force_link '0'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guestlan'
        option interface 'guestlan'
        option start '100'
        option limit '150'
        option leasetime '12h'

 cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guestlan'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

I have overwritten information in ALLCAPS as needed

Thanks for the info. I'll let you know if I see any issues with the config or if I have any questions.

But the other thing I need to know is this:

• what port connects to the AP?
• will the guest network be needed on any of the other ethernet ports on the main router? If so, which one(s)?

• what port connects to the AP?

4

• will the guest network be needed on any of the other ethernet ports on the main router? If so, which one(s)?

no

Ok... so we're going to create some bridge-VLANs:

Add this to the /etc/config/network file:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'
        list ports 'eth2:u*'
        list ports 'eth3:u*'
        list ports 'eth4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth4:t'

Now, we'll edit the lan interface to use br-lan.1 (we can also remove the force link and dns lines -- the dns server doesn't do anything here):

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

And we'll edit the guestlan to use the device br-lan.3:

config interface 'guestlan'
        option device 'br-lan.3'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Once these changes are in place, restart your router. the rest looks good.

Next, we will discuss the AP. I need:

• the port on the AP that connects back to the router
• The same config files as requested for the router, this time from the AP.

working on it. do you mind explaining what the u* and t mean here?

can you clarify where I should set my custom dns server instead then? it can be for everything except the guest network

• :u* designates a VLAN as untagged + PVID on the port.
• :t means that the VLAN is tagged on that port

LMK if you need me to expand this with more detail.

If you set DHCP option 6, it will advertise the desired DNS server to the clients on the respective network. Or, you can set it as the system resolver in dnsmasq.