Network topology options for WiFi bridge

Hi,

TL;DR: What are the best configuration options to connect two sites via a WiFi bridge to share the WAN connection?

I've got a WiFi bridge with OpenWrt (2x TP-Link CPE710v2) and I would like to use it to link two sites together (Ultimately, a third site will join, but let's start small; all networking equipment is powered by OpenWrt).

Hardware Setup

Site A:

  • BPI R3-Mini OpenWrt Main Router with WAN
  • CPE710v2 connected via a managed PoE switch

Site B:

  • ZyXEL WSM20 OpenWrt Main Router
  • CPE710v2 connected via LAN

Site B needs to be able to access the WAN connection of Site A - nothing more. In fact, the goal is to isolate the LANs.

There are quite a few options for how to configure the bridge with regard to IP addressing and subnets, and I'm looking for the best way to achieve my goal.

Currently, the setup is:

BPI R3-Mini: 172.29.31.1 configured as guest VLAN on a separate interface
CPE710 A: 172.29.31.10, WiFi AP
CPE710 B: 172.29.31.20, WiFi client, 172.29.32.1 DHCP server
WSM20 B: 172.29.32.2 dumb AP

This setup, together with a static route on the R3 Mini, allows access to the Internet, but the DHCP server is provided by the CPE710 B. While I can move it to the WSM20 and let the server hand out a different default gateway than the WSM20 itself, I was wondering if there are better options to structure the network.

Looking forward to your input!

NB: There are a few other requirements that I haven't mentioned on purpose. Site B does not only need access to WAN, but also needs to be able to access a different site via Wireguard. In my current setup, the Wireguard Peer is provided by the R3 Mini and I have two VLANs to the CPE and a GRETAP link between the CPEs, but it makes more sense to move it to the WSM20. This simplifies the network, removes the need for the GRETAP link and makes it even more secure as the CPEs are mounted outside and it's easy to connect an Ethernet cable there. I implemented it on the R3 in the first place since it's way more powerful than the WSM20.

If your goal is to isolate the LANs, then having everything in the same subnet might not be a good idea.
Consider having site A and site B on different subnets; the Zyxel will be set up as a router with a wireless WAN connected to site A. That way the LANs can be separated.

You're on the right track. You could add a firewall rule to CPE710 B which will prevent its .32.0 network from reaching anything in the .31.0 network. If you don't trust anyone at site B, you could also, as @egc said, move the firewalling to CPE710 A by having it route a different network dedicated for site B into its LAN.

Consider running Wireguard in the WSM20 and make it an additional peer of the "remote site." Then it can use any Internet connection to tunnel to that site.

Obviously, my OP wasn't clear enough. The Zyxel does not play a part in the bridge, its WiFi is only in AP mode.

I added a drawing to the OP!

Apart from that, this is exactly how it is set up. I tried to mention it in my first post:
172.29.31.0/24 is a separate VLAN on site A only for WAN access (like a guest network). My main subnets are completely different (192.168.17.0/24, 192.168.18.0/24 and 192.168.20.0/24).

The 172.29.31.0/24 subnet is only for the bridge, R3 <-> CPE A <-> CPE B. The WSM is on yet another subnet, 172.29.32.0/24.

The subnets are in place, but I think that I put everything into the same firewall zone. While I trust sites A and B, I cannot trust the bridge itself since the devices are outdoor.
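As an added example (not from any post in this thread), this is one way to express the zone separation suggested by @mk24 and the "don't trust the outdoor bridge" point above, in OpenWrt UCI format using the addresses from the OP. The interface names 'lan', 'wwan' and 'guest' and the zone name 'bridge' are assumptions.

```uci
# /etc/config/firewall on CPE710 B (added example, not from the thread)
# Assumed interface names: 'lan' = br-lan, 172.29.32.1/24 (site B side);
# 'wwan' = the WiFi client link to CPE A, 172.29.31.20 (outdoor, untrusted side)

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The bridge zone is treated like a WAN: nothing arriving over the
# outdoor link may reach CPE B's own services or be forwarded anywhere.
config zone
	option name 'bridge'
	list network 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'    # no NAT: the R3 already has a static route back to 172.29.32.0/24

# Subnet B may send traffic out over the bridge...
config forwarding
	option src 'lan'
	option dest 'bridge'

# ...but not to hosts in the bridge subnet itself (R3 guest VLAN, CPE A, CPE B).
# Rules are evaluated before the zone forwarding above, so this rule wins.
config rule
	option name 'Block-LAN-to-bridge-subnet'
	option src 'lan'
	option dest 'bridge'
	option dest_ip '172.29.31.0/24'
	option proto 'all'
	option target 'REJECT'

# /etc/config/network on the BPI R3 Mini: return route for subnet B over the
# guest VLAN (interface name 'guest' assumed), matching the static route in the OP.
config route
	option interface 'guest'
	option target '172.29.32.0/24'
	option gateway '172.29.31.20'
```

On the R3, the zone holding the guest VLAN should have a forwarding entry to wan only, never to the trusted site A zones, so the bridge subnet stays Internet-only in both directions.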

Yeah, that's stated in the small text and this will be done.

In the end, I settled on the following:

Devices:
Site A:

  • BPI R3 Mini as main router
  • KuWFi N650 outdoor CPE
  • Subnet A spans main router and all CPEs
  • Subnet A only provides internet

Site B:

  • TP-Link CPE710v2 outdoor CPE
  • DHCP server and subnet B to site router B
  • ZyXEL WSM20 as site router B
  • Yet another local subnet and Wireguard

Site C:

  • KuWFi N650 outdoor CPE
  • DHCP server and subnet C to site router C
  • ZyXEL WSM20 as site router C
  • Yet another local subnet and Wireguard

This needs more subnets than expected (5, not counting the additional guest subnets at sites B and C), but in the end it simplifies the setup and improves security as all outdoor devices are basically untrusted.

Thanks for your input - I picked @mk24's answer as solution since it provided the most valuable input to me.
