Need advice for my home network, it's really odd

Hello everyone! I came here because I need your advice. I recently bought a Cudy WR3000 and successfully installed OpenWrt on it. I currently have a basic network setup in my home and a home server. I want to add my Cudy modem in a way that makes my network more secure, especially my home server.

In the picture below I am showing you my current network. I live on the 1st floor and I get the internet from the 2nd floor. The 1st floor and 2nd floor are two different houses. In order to receive good quality internet I bought some Deco X20 mesh wifi units (v1), which I can say are pretty reliable, and I have disabled the ISP router's wifi. But now I want to change that and enhance my network security as much as I can. Adding Ethernet cables is not much of an option because it is not very easy to do.

As you can see, my server room gets its internet from Deco (3) via an Ethernet cable.

Possible solutions that I have thought of with my limited experience:

  1. Put the Cudy between Deco (3) and the server, connecting it to the NAT port. But from what I learned this would be double NAT and should be avoided.
  2. Use the Cudy after the ISP router, but the Deco X20s, even if you put them in access point mode, have their own wifi. That's not an option because the Cudy would be useless.
  3. I saw a video of a guy putting OpenWrt on a Deco X20. So I could try that and change all the Decos to an OpenWrt mesh. But I am not sure I want to go this way because it would be difficult and time consuming to fix any errors that happen. Although I think it could be a good solution(?)

If I choose the 1st one and go for double NAT, is this so bad? If I go this way I am also considering limiting the wifi in my house (1st floor) to the Cudy's wifi only and not the Deco's. So I can have IoT wifi, guests and LAN and put a firewall on them.

I also read about making the ISP router not do NAT and letting only OpenWrt do it, but I don't think it fits my situation.

I am asking for your help and advice on how I should do my home network. I am looking for any ideas.

What exactly do you want to secure? Don't you trust the ISP router/firewall, or don't you trust the wifi implementations of the Decos, or ...

2 Likes

Thank you for your answer, and that is a fair question. I should have mentioned my goal before. I don't really trust the ISP, that's true. I would put a VPN on OpenWrt when everything is done.

  1. On my home server I have different services such as Home Assistant, Vaultwarden, Immich etc. I would like to make these domains public and access them from everywhere, or better, access them through WireGuard. I was using Cloudflare Tunnels until recently, but it came to my attention that it is not secure to pass my passwords through Cloudflare.
  2. I have a Pi-hole server for DNS resolving, which I would like everything to go through.
  3. I want to create 3 wifis for IoT, guests and LAN, where guests cannot have access to IoT but LAN, which will be me, can have access. Also IoT maybe will not have internet access (I am not sure about that yet). All of them would go through the Pi-hole DNS.

For starters I want to accomplish this kind of stuff. My top priority is the 1st one, to access my services securely from outside.

Right. Well, if you want to run a WireGuard server to access services on your server, it has to run either on your router or on the server itself (unless you want to jump through many hoops).
When it runs on the server itself, you can only access the server. When it's on the router, you can access everything on its LAN side.

About VLANs and wifi: to get that running the APs have to support VLANs. Don't know about Deco. It is not in the list of supported devices, so you are probably dependent on the stock firmware.

Rules on VLANs (LAN to IoT allowed, reverse not, IoT no internet, ...) can only be applied at the LAN side of the router.

Do you want a separation of the networks on the 1st and 2nd floor? If yes, you can treat the Deco on your floor as WAN, connect it only to the WAN side of your Cudy, and ignore the upstream configuration further (with the exception of the needed port forwards on the ISP modem, which have to point to the WAN IP of the Cudy). That gives double NAT, but that is not really a problem. You only have to configure port forwards twice, and it adds a few microseconds to your ping times. (But the wireless bridge adds more.)
If no, the most convenient place for your Cudy is directly at your internet entry, replacing your ISP router. When that is not possible, the next best thing is directly after it. Maybe you can put your ISP router in bridge mode, and otherwise you'll have double NAT.
If the Decos support VLANs you can also separate the 1st and 2nd floor there, by just having one or more VLANs for the 1st floor and one or more for the 2nd floor, and configuring no connection between them.

I don't understand your note about

1 Like
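A worked example of the zone layout described in the reply above, added here as an illustration and not part of the thread or of any of the posters' configurations: an OpenWrt /etc/config/firewall (fw4 syntax) for a Cudy whose WAN port hangs off Deco (3), with a lan, a guest and an iot network, WireGuard clients given lan rights, guest and iot restricted as the original poster asked (guest: internet only; iot: no internet and no access to lan, while lan may still initiate towards iot), and all guest/iot DNS forced to a Pi-hole in the lan. The interface names (lan, guest, iot, wg0), the Pi-hole address 192.168.1.10 and the WireGuard port 51820 are assumptions for the example, and the interfaces are assumed to already exist in /etc/config/network.

```uci
# /etc/config/firewall  (added example, assumed names and addresses)
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan: trusted; the WireGuard interface sits in the same zone, so remote
# clients get exactly the rights of a lan client (the "everything on its
# LAN side" of the reply above)
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# guest: only DHCP and DNS towards the router, only the internet beyond it
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# iot: no forwarding entry at all = no internet and no lan access;
# lan -> iot is allowed below and the stateful replies still pass
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wan: the Deco (3) side; masquerading here is the second NAT of the chain
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'iot'
config forwarding
	option src 'guest'
	option dest 'wan'

# WireGuard listener on the Cudy. Because of double NAT, the ISP router
# must also forward UDP 51820 to the Cudy's WAN address.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# guest and iot still need DHCP from the router itself
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# Force every port-53 query from guest and iot to the Pi-hole (assumed
# 192.168.1.10), even from clients with a hard-coded resolver. fw4 accepts
# flows it has DNATed in the forward chain, so iot reaches the Pi-hole on
# port 53 and nothing else in lan.
config redirect
	option name 'DNS-guest-to-pihole'
	option src 'guest'
	option src_dport '53'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '53'
	option target 'DNAT'
config redirect
	option name 'DNS-iot-to-pihole'
	option src 'iot'
	option src_dport '53'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '53'
	option target 'DNAT'
```

After `/etc/init.d/firewall restart`, a quick check from a guest or IoT client is `nslookup example.com 1.1.1.1`: the answer should still come back (the query was silently redirected to the Pi-hole), while any other connection attempt into 192.168.1.0/24 from those networks is rejected. If the Pi-hole itself uses the Cudy as its upstream resolver, keep its DNS traffic in lan so the redirect does not loop.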

Thank you very much for your detailed answer. That clears up a lot of things for me.

Although I want to clear everything up with some follow-up questions.

  1. You said that double NAT is not a problem, but I keep seeing on some forums to avoid double NAT, so this is confusing. Why do you think it is not a problem?

You also say:

But the wireless bridge adds more

You mean the Deco mesh? I already have a delayed ping?

  2. ISP router in bridge mode: does that mean that I need to create a static route and pass all the connections to the Cudy? Maybe it is a dumb question, but is it possible to pass it to multiple Cudys, meaning can I have two Cudys in front of the ISP router and use static routes on both of them?

  3. The Decos have two modes, a wireless router mode and an access point mode. You download an app to make changes. In wireless router mode, which I am using right now, it has its own DHCP server and you can make 3 wifis: guest, IoT and main; none of them can communicate with each other (that's why I said it's useless back then). I haven't tried them yet in access point mode, but they do have a VLAN setting from what I searched (not tested yet), but it's called IPTV/VLAN and I am not sure how it works in connection with OpenWrt.

  4. And a final question. What happens if I connect the internet cable to a LAN port instead of WAN on the Cudy? Can it only be used as a switch like this?

Thank you very much for taking so much time to understand my problem and for helping me out by writing so many things that are very helpful to me. I really appreciate it a lot!

  1. You won't 'feel' double NAT. Of course it adds some extra ping time (a packet can only be NATted once it has completely arrived, so the extra delay is at least twice (once for each direction) the duration of a single packet), but this is so low that you won't notice. (The duration of a 1500 byte packet on a 100 Mbit connection is 120 μsec. On 1 Gbit only 12.)
     Many people are already tied to double NAT. As the IPv4 address space is exhausted, many ISPs provide 'carrier grade NAT', which is just an extra NAT router upstream. Apart from the inability to create port forwards on IPv4, this doesn't cause problems.
     The only con you'll notice is the necessity to configure port forwards twice. (Unless you're behind CGNAT, in which case port forwards are impossible anyway.)

     Yes. Just as with NAT, wifi can only pass a packet when it has completely arrived, so it adds at least twice the duration of a single packet. But because wifi is a shared resource (only one radio can be sending on a channel), you'll also have to wait for a slot. How long that takes depends on how congested 'the air' is.
  2. No. Bridge mode means that the WAN connection is bridged to the LAN connection. The ISP modem behaves as a switch, and so topologically the Cudy is directly connected to the internet.

     Not in bridge mode. You can connect 2 Cudys to 2 Ethernet ports of the ISP router in router mode, and both Cudys can provide a private LAN. But a single Cudy running OpenWrt could do the same, providing different, isolated LANs on different LAN ports.
  3. I don't know either. I think they will use default VLANs (at least when communicating over an Ethernet backhaul), in which case OpenWrt could join the party, but of course it's possible that TP-Link has invented their own wheel.
     Without an Ethernet backhaul, VLANs between the Decos are impossible, as VLAN over wifi doesn't exist. So in that case either some proprietary protocol is used, or the data is passed over the relevant SSID.
  4. It can be used as a switch (and AP), but then you'll have to disable the DHCP server (2 DHCP servers on the same LAN is generally a Bad Idea™). And you'll have to configure the Cudy not to have the same LAN IP address as the upstream router.

1 Like
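To make point 4 of the reply above concrete, an added example that is not from the thread: the two settings that matter when the cable goes into a LAN port and the Cudy works only as a switch plus access point. The upstream router is assumed to be 192.168.1.1, the Cudy is given 192.168.1.2 (any unused address in the upstream subnet, but not the upstream router's own), and the Pi-hole is assumed at 192.168.1.10; all three addresses are assumptions for the example.

```uci
# /etc/config/network  (only the lan stanza; added example, assumed addresses)
# A fixed address different from the upstream router, so both can be reached
# and the two never claim the same IP on the shared LAN.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.10'

# /etc/config/dhcp  (only the lan stanza)
# 'ignore' stops dnsmasq from handing out leases on lan, so the upstream
# router stays the only DHCP server on this segment.
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'
```

A fast sanity check after `/etc/init.d/network restart` is to release and renew a lease on a wifi client of the Cudy: the lease should name 192.168.1.1 as gateway and server, never 192.168.1.2. If the Cudy should do nothing but bridge, the OpenWrt "dumb AP" recipe goes one step further and disables the dnsmasq, odhcpd and firewall services entirely, at which point the firewall zones from the previous example no longer apply on this box.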

I did a little search about the two modes on the Deco and also about the IPTV/VLAN. IPTV stands for Internet Protocol Television, which is not very helpful for my situation.

The wifi router mode that I have set my Decos to is already doing double NAT, lol! So I need to change that to access point mode.

So I am thinking of using the Cudy after Deco (3), so I will have what you called separation of the networks for the 1st and 2nd floors. I don't really mind doing double port forwarding. So on my home network (1st floor) I will need an access point that will extend my wifi networks (IoT, guests, LAN) from OpenWrt all over the floor (do you have something in mind? Could a second Cudy work?). The only problem with this plan is that the 2nd floor would not have access to my home server on the 1st floor, especially for the Pi-hole DNS resolver.

Thank you very much for all the information you gave me!