Overwhelmed by the amount of options, need advice on how to configure my network

Hello everyone!

I just began my journey with OpenWRT yesterday. I bought an ASUS AX-1800U/RT AX-53U, properly installed OpenWRT via SSH (I am actually amazed by how quick and smooth this process was), and currently I am trying to figure out the proper configuration for my setup. I read the documentation, but the amount of topics, options and settings is quite overwhelming for me and I am stuck deciding what I should configure for my network setup. I will be really grateful for any advice or recommendations. I get the basic concepts of networking, but I am far from calling myself an expert.

So, first thing, here is my current setup, which is, I believe, almost the one I am aiming for (I have not set up wireless yet, however; I am still using the one from the ISP modem, but I will turn it off after setting up the one on the Asus):

I have an ISP modem which unfortunately I can't get rid of (it is something ZTE based and does not have a bridge mode, unfortunately), because it has an ONT built in and making the ISP change it for an ONT is very difficult; also IPTV and the VOIP phone are dependent on it. So I want to build a private, reasonably safe home network behind my new router, with only IPTV and VOIP being in the "unsecured" zone.

What are the things that are most important for me in network setup?

  • I want my home network to be as secure as possible, without affecting, for example, my parents' phone or laptop in terms of ease of use of these devices (so that they do not need to regularly configure or change anything) and without greatly reducing network speed (I have 1 Gbps FTTH).

  • The top priority for the security of the network is my freshly set up Synology DS223 NAS, whose safety is the utmost priority for me (and is probably now the main reason why I am making changes to the network). The catch is that I want to open it a little bit to the internet, for example to use a remote connection to it, or things like Synology Photos or Drive. I am often abroad and I would like to have the possibility of accessing some files remotely on not-so-secure networks like the ones in hotels. So I am thinking about setting up some VPN or something, but I am still figuring it out.

So the main question is, considering all of the above, what should I configure, read about and try to set up to achieve it?

Thank you very much for your time in advance.

Does your ZTE support passthrough mode without NAT?

1 Like

Firstly. Great block diagram!

You bought an mt7621 target. IDK whether this specific mt7621 can do NAT at 1 Gbps? Some are limited to 500 Mbps if I recall correctly?

SQM / software NAT will then limit performance if you want that rather than hardware NAT offload...

I think that should be solved by a VPN and/or something like Tailscale rather than trying to do port forwards directly. I'm not familiar with whether Synology tries to do UPnP and open up ports or something?

Going back to performance. I think mt7621 will leave a little to be desired on the VPN front. Or port forwarding / NAT for that matter. Perhaps your Synology will have better methods?

There could be some more complicated options than double NAT by doing routing/ARP proxy etc. depending on what config options you have in the ISP modem.

But I think the best, if you don't want to affect your parents' phone/laptop, is to just not mess with the ISP modem at all...

Simplest will be double NAT and maybe a port forward for the VPN. Or if you use Tailscale, that doesn't require a port forward, so no config is required on the ISP modem at all.
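To make the "double NAT plus one port forward for the VPN" suggestion concrete, here is an added example (not from either poster, and not an OpenWrt or Synology default) of what the OpenWrt side could look like with WireGuard. The LAN subnet 192.168.2.0/24, the NAS address 192.168.2.10, the tunnel subnet 10.10.10.0/24 and the DSM HTTPS port 5001 are all assumptions; the key strings are placeholders to be generated with `wg genkey` / `wg genpsk`. It assumes the `wireguard-tools` and `kmod-wireguard` packages are installed.

```conf
# --- /etc/config/network (added sections, constructed example) ---

# WireGuard endpoint on the OpenWrt router. The router's WAN is the
# ISP modem's LAN (double NAT), so the modem must forward UDP 51820
# to the router's WAN address; nothing else is opened on the modem.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_ROUTER_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

# One peer section per roaming device, each with its own key pair and
# preshared key, so a lost phone can be removed without re-keying the rest.
# allowed_ips pins the peer to a single tunnel address.
config wireguard_wg0
	option description 'laptop'
	option public_key 'REPLACE_WITH_LAPTOP_PUBLIC_KEY'
	option preshared_key 'REPLACE_WITH_PRESHARED_KEY'
	list allowed_ips '10.10.10.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# --- /etc/config/firewall (added sections, constructed example) ---

# The tunnel gets its own zone with forwarding REJECTed by default:
# a VPN client reaches nothing on the LAN unless a rule below allows it.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

# Accept WireGuard handshakes arriving from the modem side.
config rule
	option name 'Allow-WireGuard-In'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# The only LAN destination VPN clients may reach: DSM HTTPS on the NAS
# (address and port are assumptions about the OP's Synology).
config rule
	option name 'VPN-to-NAS-DSM'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.2.10'
	option proto 'tcp'
	option dest_port '5001'
	option target 'ACCEPT'
```

The NAS itself gets no port forward anywhere, so from the internet it is only reachable after a successful WireGuard handshake, and the `vpn` zone's `forward 'REJECT'` keeps a compromised laptop from wandering around the rest of the LAN (further Synology services, e.g. the Drive client port, are added as extra `dest_port` values on the same rule). On the client, `AllowedIPs = 192.168.2.10/32` gives a split tunnel that only carries NAS traffic; `0.0.0.0/0` would also route hotel Wi‑Fi traffic through home, which additionally needs a `config forwarding` from `vpn` to `wan`. If the ISP puts the modem behind CGNAT the modem-side port forward cannot work, which is exactly the case where the Tailscale route in the reply above is the fallback.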