Lock Down Firewall, VLAN setup, VPN killswitch

I have 3 routers to set up, one will be a Tor gateway and the others VPN.
I will deal with Tor later.
So I use GL-AR150 and AR750S routers; I flashed the new OpenWrt and everything works fine.
Installed WireGuard, set up interfaces and firewall using the guide from Mullvad's website. Working fine.
One router is considered "dirty" and uses the VPN, and the other one is "clean" and has no VPN.
Here is what I need to do: combine them in one router. I need to have two 5 GHz wifi connections, one goes through the VPN and probably a separate zone, and the other LAN/wifi should just be secure without using the VPN. No one will hack into my wifi so that is not a concern. Only 3 devices connect to the VPN. So the question is: how to achieve high security, lock it down as much as possible, and then "punch holes" for what I need. I've been reading OpenWrt docs and tutorials about networking, because obviously I don't understand the basics, but it will take time to learn all that, so I would appreciate it if you can help me set it up. For example, I need to understand why something is set to accept, reject, or drop, when I need to use MSS clamping and masquerading, etc. Some things are explained well but I still do not understand how they relate to security / privacy. It would actually be simpler to draw it instead of trying to explain lol. Thank you!!!

EDIT
Seems that I was trying to do the impossible, that is to have two wifi networks on a single RADIO, in my case 5 GHz. Tell me if I am wrong? But the solution is to use both bands, and in case I need both to be 5 GHz I would have to attach another router.

1 Like

Yes, you can have two networks (meaning two SSIDs bridged to different VLANs) on a single radio.

2 Likes

Something does not work. I am trying to set up different DNS servers per VLAN, is that OK?
LAN uses Cloudflare and connects directly. The guest network is routed through the VPN and uses its own DNS.

Options:

2 Likes

Thank you for help!
Now I'm not sure if I really need 2 DNS servers.
Does it compromise privacy if I use only one DNS server for both the VPN and non-VPN connection?

1 Like

The first option is easy to implement and helps to avoid DNS leak and geolocation leak, as some services refuse to work if your DNS traffic is routed differently.
Use the second option if you need Adblock.

1 Like
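As an added illustration (not from any post in this thread) of the two answers above, the two-SSIDs-on-one-radio setup and the per-VLAN DNS: the UCI fragments below put a "clean" SSID and a "VPN" SSID on the same 5 GHz radio, hand each network its own DNS via DHCP option 6, and let the VPN network forward only into the WireGuard zone. It assumes the `guest` bridge interface and the `wg0` interface from the Mullvad guide already exist in `/etc/config/network`, that policy routing for the guest subnet into the tunnel is handled separately, and that `<VPN-PROVIDER-DNS>` is a placeholder for the provider's resolver; the default `lan` and `wan` zones are left as OpenWrt ships them.

```text
# /etc/config/wireless : two SSIDs on the same 5 GHz radio, bridged to different networks
config wifi-iface 'lan_5g'
	option device 'radio0'
	option mode 'ap'
	option ssid 'home-clean'
	option network 'lan'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME'
config wifi-iface 'vpn_5g'
	option device 'radio0'
	option mode 'ap'
	option ssid 'home-vpn'
	option network 'guest'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME-TOO'
	option isolate '1'                 # VPN clients cannot talk to each other over wifi

# /etc/config/dhcp : a different resolver per network (DHCP option 6 = DNS servers)
config dhcp 'lan'
	option interface 'lan'
	list dhcp_option '6,1.1.1.1,1.0.0.1'       # Cloudflare, straight out the WAN
config dhcp 'guest'
	option interface 'guest'
	list dhcp_option '6,<VPN-PROVIDER-DNS>'    # placeholder: only reachable through the tunnel

# /etc/config/firewall : deny by default, then punch holes
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'              # REJECT answers the client so it fails fast; DROP stays silent
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'                    # hide guest addresses behind the tunnel address
	option mtu_fix '1'                 # MSS clamping: WireGuard overhead lowers the path MTU
config forwarding
	option src 'guest'
	option dest 'wg'                   # the only way out for the VPN SSID; no guest->wan, no guest->lan
config rule
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'             # the one hole guest needs on the router itself: DHCP
```

If the router's own dnsmasq should answer the VPN network instead of the provider resolver, drop the guest `dhcp_option` line and add port 53 to the rule; the Adblock case in the last reply works that way.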