I'm trying right now to set up a VLAN that would have no internet access - to be used for connecting wifi home cameras ( Obv why I don't want these connected to internet xd )
I'll drop my network setup here - where there is router icon that's an actual router ( Orange field is where cameras go and router called guest is something else entirely - I wanna isolate that part of the network completely from everything else - just let it access internet )
Cameras will connect via wifi 2.4ghz only
Guest router will be connected via cable to MAIN WRT router - then it passes connection to its own DUMB AP via cable as well
I am a complete newb when it comes to this... Didn't even set up the guest network properly (xd) for I wasn't sure if it would have to deviate from YouTube videos due to my requirement of having another offline VLAN (I am referring to these videos for guest setup)
My server which gathers rtsp streams from these cameras would be on Main devices VLAN - which has access to the internet so I can view cameras however I want once set up later on
I read up a bit on this and also found this - link- which looks like it could apply here? Again idk...
Would someone be kind enough to offer steps on how to do this via luci/ssh ? :z
Like how to setup firewall , interface and such... Ty
I am dropping below my current luci setup ( It's all default settings I just changed wifi name on 5GHZ and changed to PPPOE on WAN interface )
Your device does have a hardware switch, but it is now using DSA instead of swconfig (so no more 'Switch' menu). Here's a tutorial for the new method, and you'll also find many threads on the topic if you use the forum search.
For your isolated camera network, if it is wifi only, you don't even need to worry about DSA, just create a new network and then setup a wifi network that is associated with that network. This new network should be placed in a new firewall zone (call it the camera zone) that does not allow forwarding to any other networks. You will, however, want to allow lan > camera forwarding.
Is the box labeled "Guest" running OpenWrt? What is that hardware (brand, model)? Is it a wifi router combo unit? Does the guest network need to be wired + wireless, or just wireless only? Does the guest network need to be broadcast by multiple APs? Does that device need to be able to broadcast the main network SSID, too?
What needs to be broadcast by the dumb ap at the bottom left of the picture?
At the end of my original post I have links to all 3 routers I'm using:
Mi router 4 - v1
And Mi 4A Gigabit edition ( 2 of these for guest )
Guest networks are separate as in completely different wifi ssid from my own network ( Main wrt ) I did try to make them as close to mesh as possible in between the dumb ap and main guest router ( I enabled fast roaming, disabled dhcp on dumb ap )
Dumb ap is there just to extend signal of guest router
All routers are on latest openwrt
I'll check your guide now to see if I can piece it all together
Sorry, I missed that detail when I was reading your OP. Thanks for clarifying.
This is required, so this is what I expected. But my question is if all 3 devices will broadcast the guest network?
What do you mean by this? A mesh network is defined by using a wireless backhaul... many times the term 'mesh' is incorrectly applied to refer to the ability for client devices to roam from one AP to another... mesh networks do enable roaming, but roaming can happen without mesh.
Does it need to broadcast both the guest and main SSIDs, or just guest?
Are the APs all wired together, or are any of them using a wireless backhaul?
Also, I'd recommend setting up the guest network on the main router -- it is easier to administer your network if the main router does all of the routing and firewall work, and then the other units simply operate as dumb APs.
Um the distance between routers makes it impossible to use one for all.
Internet is shared between multiple people too ( We don't need to see each other via network )
So I figured I'd buy Guest router and connect it to main wrt router ( Guest router gets internet via dhcp , cable plugged into it's wan port ) so they can have their own internet and I won't have to worry about what they are doing online.
Later on they wanted one more router for better wifi coverage.
So dumb ap would only transmit guest ssid. It shouldn't interact with main router at all.
Main guest router should only be able to get internet access from Main WRT router, it shouldn't be able to use luci or even see other devices from Main WRT
The way you are proposing the setup of the guest network does not secure your main network from the guest network, nor does it offer a good way of securing the guest router itself from the users of that router.
The main router will be a better place to create a guest network, and then send that over the wire to the 2 devices that broadcast the guest SSID.
Will ask more after reading , but right now I really do not know HOW I'd create or pass it over cable to those 2 routers x:
I saw videos on YouTube proposing guest setup and stuff - but the link I sent of my own findings for offline VLAN suggests using different subnets
Even moving my main network onto a VLAN so subnet could be setup... I didn't know how so I postponed guest until I can figure out offline VLAN first for cameras
It appears that you are getting confused about VLANs and subnets.
Subnets are an aspect of VLANs, but VLANs are not technically required for different subnets to work. This explanation might help.
Using multiple subnets is the basis of the idea of having distinct networks in general (such as your main network, a guest network, and a camera network). VLANs are a method of physically transporting multiple subnets over a single cable.
You will ultimately want 3 subnets in your configuration... one each for your LAN, cameras, and guest network. The cameras are all wifi (from your description), so you don't need to do anything with the wired network configuration... it should be the easiest one to setup. I'd start there.
When you set up your guest network, you'll want to make a VLAN configuration that carries both your main LAN and the guest network over a single wire to the dumb APs. On the dumb APs, you'll also set up VLANs and you'll put the dumb AP device itself in the main LAN (for management purposes) and the guest network will simply function as a dumb AP. You'll isolate and protect the networks by means of the firewall.
You can use this guide to create your camera network (despite the fact that it is for a 'guest network' -- the idea is the same except you'll isolate it from the internet, too). The screenshots are a bit out of date, but they should be sufficient for you to understand the general flow.
That all looks good so far. Go into the lan firewall zone and allow forwarding to the camera zone.
Later, we can talk about preventing the camera network from accessing the router itself, but this should already prevent the cameras from accessing the internet and your lan.
This was your goal for the camera network, correct? If so, that's good.
Looks fine. If you want to prevent the camera network from accessing the router itself, you'll do 2 things:
change the input rule on the camera zone to reject.
create a traffic rule that accepts TCP & UDP for ports 67-68 (this is for DHCP) from source: camera zone.
Regarding your power levels and ping times -- it may be related, or maybe not.
Many devices try to save power by not having the wifi radio kept on at all times. They will power down the radio for short periods, then wake it up and do stuff, and then power down again. At a human scale, it appears to be on at all times, but when there isn't a lot of network activity, it is actually off for enough time that it saves energy. This causes ping responses to be slow on those devices.
However, if your radio power is too low, that can affect things. Also, keep in mind that the power levels for the radio are the same for all SSIDs that run on that network... so you may also be reducing the power of your main LAN's SSID, too. This is okay (and in some cases, preferred), as long as the power is sufficient to cover the desired area/range.
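
The camera-network settings described in the replies above (a new wifi-only network in its own firewall zone with no forwarding to other zones, lan > camera forwarding allowed, input set to reject, and a DHCP accept rule), written as commands for `uci batch` over ssh. This is an added example, not part of the original thread; the 192.168.50.1/24 subnet, the `radio0` device name, the DHCP pool values and the section names `camera`, `camera_wifi`, `lan_camera` and `camera_dhcp` are assumptions.

```shell
# Emit UCI commands for an isolated, wifi-only camera network.
# Assumed (not from the thread): subnet, DHCP pool, radio name, section names.
# Usage on the router, after checking which radio is the 2.4 GHz one:
#   camera_zone_batch radio0 'cams' 'long-passphrase' | uci batch
#   uci commit && /etc/init.d/network restart && /etc/init.d/firewall restart
# SSID and key must not contain a single quote.
camera_zone_batch() {
    radio="$1"; ssid="$2"; key="$3"
    cat <<EOF
set network.camera=interface
set network.camera.proto='static'
set network.camera.ipaddr='192.168.50.1'
set network.camera.netmask='255.255.255.0'
set dhcp.camera=dhcp
set dhcp.camera.interface='camera'
set dhcp.camera.start='100'
set dhcp.camera.limit='50'
set dhcp.camera.leasetime='12h'
set wireless.camera_wifi=wifi-iface
set wireless.camera_wifi.device='$radio'
set wireless.camera_wifi.mode='ap'
set wireless.camera_wifi.ssid='$ssid'
set wireless.camera_wifi.encryption='psk2'
set wireless.camera_wifi.key='$key'
set wireless.camera_wifi.network='camera'
set firewall.camera=zone
set firewall.camera.name='camera'
set firewall.camera.network='camera'
set firewall.camera.input='REJECT'
set firewall.camera.output='ACCEPT'
set firewall.camera.forward='REJECT'
set firewall.lan_camera=forwarding
set firewall.lan_camera.src='lan'
set firewall.lan_camera.dest='camera'
set firewall.camera_dhcp=rule
set firewall.camera_dhcp.name='Allow-DHCP-camera'
set firewall.camera_dhcp.src='camera'
set firewall.camera_dhcp.proto='udp'
set firewall.camera_dhcp.dest_port='67-68'
set firewall.camera_dhcp.target='ACCEPT'
EOF
}
```

No forwarding section names `camera` as its source, so the cameras have no path to wan or lan; the only forwarding is lan to camera, which lets the RTSP server on the main network reach them. The DHCP rule here uses UDP only, which is what DHCP runs over.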