Hello, I am having a difficult time creating a home network setup that would seem fairly simple. My goal is to have a separate home WLAN and IOT WLAN that are connected to a main router. The main router is connected to the ISP via cable modem. I would like to use the WAN port on each secondary router for connecting back to the main router.
I'm able to get this to work with the OpenWRT default configuration, but I end up with a less desired double-NAT for each WLAN. I would rather not have NAT or firewall on these secondary routers and instead have simple static routes that forward traffic between the LAN ports and the WAN port. I have tried every example I can find and nothing will work unless I leave masquerading on.
Does the WAN port only work with NAT/Masquerading?
If its possible to move traffic between the LAN ports and the WAN port without firewalling, NAT, or Masquerading, how do I do it?
Here is a diagram of what I would like to get working:
I'd suggest making VLANs instead. You can probably do this on your MikroTik router to centralize your configuration, but I can't help you with any specifics there since I'm not familiar with 'Tik (unless you've got OpenWrt on it).
The other way to do this would be to configure an OpenWrt router as a dumb AP and then add a guest network (this can be done wirelessly as well as wired). There is a a guide for that here that focuses on the Wifi use case (but fairly easily extended to add wired ports to that setup, if needed). If you need two physical APs (for coverage, for example), you can setup the second one as a dumb AP that has 2 VLANs and SSIDs (but no firewall functions enabled on that unit, since the other OpenWrt router or the 'Tik would handle the VLAN routing/firewall functions).
@Hegabo, thanks for your suggestion. I could very well set things up that way.
One reason for the multiple wireless routers connected to a main router is that as far as I understand it is the only way to completely isolate the IOT devices from my home LAN. I also want to use client-to-client isolation for the IOT WLAN, but allow clients in the home LAN to communicate with each other.
I don't really want to remove the MikroTik device, the RouterOS is very capable as it is (don't need OpenWRT).
That is what the firewall is for, when combined with multiple networks/VLANs - and you can, if you choose, make very specific allowances and restrictions, all managed by a single device.
Typically here you make the AP's "dumb" and simply bridge each class of user back at layer 2 to the main router on separate VLANs.
The A7 has a 6 port switch where all ports are equal, so you can make the WAN port (or any other one) the uplink with hardware switching. The WR841 has only the LAN ports on the hardware switch, the "WAN" port is a separate path direct to the CPU. Thus you'd have to set up kernel bridges to use the WAN port for different networks. If there is heavy use on a wired port on the WR841 you should use one of the other LAN ports as the uplink so that hardware switching can be utilized.
