Wanting to place a openwrt router for a seperate network (sort of like a guest network) where devices cannot connect or see anything on the main network. I figured out the firewall rules to block access to 192.168.1.0/24. But anyway to do this without causing much of a double NAT situation? Bascially having it in an AP like mode but having everything behind the wan blocked except the internet.
My current setup for having a seprate network is my provider gives out a 2nd IP which is nice, but its Carrier grade NAT which for some reason causes WiFi calling to not work on devices with some mobile carriers.
Hopefully thats understandable thanks!
Only if you manage to setup ebtables and allow only the mac of the ISP router to communicate with the clients of the OpenWrt.
Nah, dont implement that via nested routers.
best practice is:
the guest network doc is just an example, does not mean you are limited to doing it via WiFi. But its a good startin point of what you need,
you can use the same isolation of the guest wifi example for selected LAN ports as well, by moving some of the WAN-facing router switch ports to a manually created secondary interface object, and the interface then gets assigned to a separate firewall zone.
what additional interface practically means: with it you create additional „logically separated“ virtual routers.
I would follow the guest Wifi doc for the second interface part (it does not have to be called „guest wifi“),
additionally reassign 1 or more physical LAN cable port to the newly created interface
skip adding the extra guest wifi config item, if you dont need the wifi network
setup the 2nd router as bare switch(without dhcp) or access point.
then plug the second OpenWRT to that separates LAN cable port of the first router
note that all of this can also be done via Luci gui.
You may want to check first, whether your WAN-facing router supports DSA and/or VLAN. As the procedure to reassign a port from one interface to another interface is different in DSA and VLAN.