Request for information or a direction to where to find such

Greetings

A, shall we say, networking idiot here, (know very little and am physically located (rural) where it is extremely difficult to find mentors) so I find myself needing to ask for support.

I'm told that what I want to do is very very common - - - - so common almost no one talks about the how and then any possible issues.

What I'm trying to do is use routers in series for two reasons:

  1. for increased security
  2. to have a functioning lan when my isp goes down

As a rural people I use high-speed (a total misnomer) wireless internet access provided by my isp. This means that the equipment used by said isp is different than for cable or fiber or the vast majority of connections by individuals to the internet.

This equipment provided by the isp, which they call a radio, is most likely a product by Ubiquiti Networks for which I am only given an IP address (they insist on doing the setup in fact) and have no real physical access as the 'radio' is about 120' away from where I sit and it is up about 10' over the top of the roof of the building the mast sits upon (sort of hard to check out model numbers etc in any case).

What I want is perhaps best laid out in a drawing made by someone who helped me get to that point. (please see attached - - - assuming I can attach something - - - grin.)(Cannot attach the drawing - - - hopefully the description is adequate!)

ISP radio receives and is wired to router #1.
Router #1 (192.168.1.1) has routers connected to its lan ports, router #1 WAN port is connected to isp radio.
Router #1 has wireless shut off.

Router #2 (maybe 192.168.3.1) has an unmanaged switch (16 port) after it and all connections are wired. Router #2 is connected to router #1 which sees it as 192.168.1.6 .

Router #3 (maybe 192.168.4.1) is my wireless connection point. Router #1 sees router #3 as 192.168.1.7 .

My problem(s):

  1. how do I use my server which is used largely just for my uses (connected to the unmanaged switch) but that does occasionally need to be accessed from outside my environment?
  2. how do I access router #1 when my main use system (also connected to the unmanaged switch) has another router between itself and my main use computer?

I have been thinking of using wireguard (which it seems is somewhat known to the openwrt world) as a way of allowing highly controlled connection(s) from either the server or my main computer to router #1.

As an overall question - - - maybe there is a better way of doing what I'm trying to do? If so - - - please - - - destructions and I will work on that. If this proposed method is solid then what might I do in openwrt to achieve my desired goal(s)? (Sorry - - - the directions I'm finding aren't helping me understand what I should do, what I shouldn't do and what I can't do - - - and as I've become real anal about my computer security - - - well I really don't want to make a mountain of mistakes so I thought to ask those that do KNOW networking for advice.)

TIA

What is the function of router 2 and 3? It seems like more what you want is bridging. Why have different subnets?

There is not a need for multiple routers. This can be done by setting up multiple networks, with independent routing and firewall rules, all inside one OpenWrt box. There can also be a VPN server installed there.

If most of your users are wired, managed switches and VLANs can be used to send different networks around the house.

Additional OpenWrt routers can be configured as "dumb APs" to provide wifi coverage where needed. They trunk the wifi users back to the main router. It is possible to have multiple networks inside one AP, for example for private LAN users and guests. These networks could be carried by VLANs to the main router which then routes and firewalls them differently.

The wireless ISP hardware can be considered the same as a cable or DSL modem: it is a box you don't have much control over which offers access to the Internet on one Ethernet port.

I was looking for maximum security. What I found suggested that different subnets would effectively lock off access from the wireless side onto my wired side. That I thought would give me what I want. When one is fairly non-educated when it comes to networking easy is good - - - especially when it gives very high security - - - therefore my plan (originally at least - - - it may be changing though because of the assistance here - - - grin!).

> There is not a need for multiple routers. This can be done by setting up multiple networks, with independent routing and firewall rules, all inside one OpenWrt box. There can also be a VPN server installed there.

Will an Asus RT-N12D2 have enough horsepower to do all of that?

> If most of your users are wired, managed switches and VLANs can be used to send different networks around the house.

Well - - - there are quite a number of wired systems/printers/+ but there are also a number of wireless connections like the tv streaming, cell phones, tablets and maybe more coming (you know how these things tend to multiply in the dark). So I need to keep these systems connected effectively but want to minimize those connections' access to the rest of my network. Netflix, crackbook et al really don't need to know what else is happening on my lan.

> Additional OpenWrt routers can be configured as "dumb APs" to provide wifi coverage where needed. They trunk the wifi users back to the main router. It is possible to have multiple networks inside one AP, for example for private LAN users and guests. These networks could be carried by VLANs to the main router which then routes and firewalls them differently.

I am interested in such and am wondering if I had a second router for just the wireless side of things and otherwise use vlans. One very important requirement is that I have a lan even when my isp is down. A few months ago my isp was down for 6 hours or so and I was also without a lan here. I need better lan uptime than this. In fact, over the last weekend (we were away, so it wasn't an issue) the isp was down for about 16 hours. Lots of apologies and stuff but I'm looking to connect process monitoring and control systems and then downtime is going to have to run into the utility grade area - - - like where the lan is down for maybe minutes - - - in a year. When things have to work - - - - well I'm planning for a system that is capable of such uptime. Will the use of vlans on the initial router enable a working lan even when the isp is not connected? If not - - - would you have some other suggestions?

> The wireless ISP hardware can be considered the same as a cable or DSL modem: it is a box you don't have much control over which offers access to the Internet on one Ethernet port.

I mentioned exactly what it was because in previous attempts to find a system configuration I had my posterior savaged because I could not provide more than an IP address for the connection to the isp. I was supposed to know make, model and software running on the isp's equipment and when I've asked for information from my isp (quite a while ago) I got the very long pause that is the sort of equivalent to 'why the !@#$% do you want that?' so I stopped asking them technical questions (they don't seem to like them).

Thanking you both for your ideas and suggestions!!

What doesn't work on LAN when the ISP goes down?

Right now your requirements seem a little nebulous. If you want an isolated network for all your phones and tablets etc. That is very doable. After that, what? A wired network for some kind of home automation? A separate wired network for trusted office LAN devices? Etc etc. Would be good to narrow down what you want to accomplish.

The device supplied by the wireless Internet service provider is called a CPE (Customer Premises Equipment). It's basically a 5 GHz wifi client with a big antenna.

Most CPEs have firmware to do rudimentary routing so the customer's side is a LAN supporting multiple users on private addresses with DHCP assignments from the CPE. These are then NATted inside the CPE to your one public (or semi-public) IP.

You don't really want that, what you would rather have is the CPE provide a public IP on the Ethernet cable so that incoming connections pass through. This assumes you will provide your own router, you have to have a router to connect more than one user since there is only one IP address available on the CPE network. The provider will usually make such a configuration upon request, though you need to find the right person and convince them that you know what you are doing.

What do you have now? Is there any routing inside the house or do you let the CPE run your LAN?

If you have your own router of any sort, the LAN will continue to work without the Internet. The only traffic on the CPE cable would be Internet requests, so even if the CPE is crashed / down or has no radio link to the provider, LAN-to-LAN traffic would be unaffected.

You should have at least 3 networks:
LAN -- for your own stuff, administration, file sharing, printing, etc.
Guest -- for family members and guests that only need a link to the Internet.
IoT -- for totally untrustworthy Internet of Things like TV players, refrigerators, etc.

It is possible to set up the firewall so that each network is unable to reach anything on the other two.

RT-N12 is not a good candidate for a main router. Memory sizes are too small.
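The "at least 3 networks, each unable to reach the other two" advice above, written out as OpenWrt UCI firewall configuration. This is an added example, not code from the thread or from the OpenWrt project. It assumes the interfaces lan, guest, iot and a fourth one, control (for the process-control gear), already exist in /etc/config/network, that the upstream interface is named wan, that the stock wan zone with masquerading is kept while the stock lan zone and its lan-to-wan forwarding have been removed, and that it is run as root on the router; on any other host it only prints the uci commands it would apply.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): one OpenWrt router,
# one firewall zone per network, and no forwarding between zones at all.
# Assumed interface names in /etc/config/network: lan, guest, iot, control, wan.
# Assumed: the stock 'wan' zone (with masquerading) is kept; the stock anonymous
# 'lan' zone and its lan->wan forwarding were removed first, e.g. on a stock file:
#   uci delete firewall.@zone[0]; uci delete firewall.@forwarding[0]

# Emit a zone whose members are forwarded nowhere unless a forwarding section says so.
# $1 = zone and interface name, $2 = policy for traffic aimed at the router itself
fw_zone() {
    cat <<EOF
set firewall.$1=zone
set firewall.$1.name=$1
set firewall.$1.network=$1
set firewall.$1.input=$2
set firewall.$1.output=ACCEPT
set firewall.$1.forward=REJECT
EOF
}

# With input=REJECT a zone still needs DHCP and DNS from the router, nothing else.
fw_allow_dhcp_dns() {
    cat <<EOF
set firewall.${1}_dhcp=rule
set firewall.${1}_dhcp.name=Allow-DHCP-$1
set firewall.${1}_dhcp.src=$1
set firewall.${1}_dhcp.proto=udp
set firewall.${1}_dhcp.dest_port=67-68
set firewall.${1}_dhcp.target=ACCEPT
set firewall.${1}_dns=rule
set firewall.${1}_dns.name=Allow-DNS-$1
set firewall.${1}_dns.src=$1
add_list firewall.${1}_dns.proto=tcp
add_list firewall.${1}_dns.proto=udp
set firewall.${1}_dns.dest_port=53
set firewall.${1}_dns.target=ACCEPT
EOF
}

# The only inter-zone path: a zone to the Internet. Leaving it out isolates the zone.
fw_to_wan() {
    cat <<EOF
set firewall.${1}_wan=forwarding
set firewall.${1}_wan.src=$1
set firewall.${1}_wan.dest=wan
EOF
}

firewall_uci_script() {
    fw_zone lan ACCEPT          # trusted: may reach the router's admin UI and SSH
    fw_zone guest REJECT        # phones, tablets, visitors
    fw_zone iot REJECT          # TV streamers and similar
    fw_zone control REJECT      # process control and monitoring
    fw_allow_dhcp_dns guest
    fw_allow_dhcp_dns iot
    fw_allow_dhcp_dns control
    fw_to_wan lan
    fw_to_wan guest
    fw_to_wan iot
    # No fw_to_wan for 'control': it keeps working as a LAN but has no Internet path.
    echo "commit firewall"
}

# On the router: apply and reload. Elsewhere: just show what would be applied.
if command -v uci >/dev/null 2>&1; then
    firewall_uci_script | uci batch && /etc/init.d/firewall restart
else
    firewall_uci_script
fi
```

Every zone carries forward=REJECT and no zone-to-zone forwarding exists, so a phone on guest cannot reach a printer on lan even though the same box routes both; the per-zone DHCP and DNS rules are the only services guest, iot and control get from the router itself. The control zone has no forwarding to wan at all, which is the "air gap behind the router" variant: its hosts keep talking to each other whether or not the CPE is up.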

While I may be wrong in this particular case, most 'wireless ISPs' don't allow any kind of user side configuration of the CPE. It usually does NAT and provides RFC1918 addresses via DHCP and that's it, no static routes, no portforwardings, maybe UPnP, but you're usually behind multiple layers of NAT and are bound to very restrictive terms and conditions regarding allowed services, data caps, "fair use", often even the number of clients in your own LAN. If you want to change anything, you can only put your own router behind it - but due to the CPE already doing NAT, there is little to improve in terms of incoming services.

One hopes at least maybe ipv6 would solve a lot of that at some point. And VPN can help.

> What doesn't work on LAN when the ISP goes down?

I have some test bed systems and I run these headless using x2go.
When the isp went down these connections also died.
The machines were plugged into either a small unmanaged switch (wired connections) that is a client on the router or directly into the router. Don't know why but I would very much like to have a lan no matter what happens to the isp.

> Right now your requirements seem a little nebulous. If you want an isolated network for all your phones and tablets etc. That is very doable. After that, what? A wired network for some kind of home automation? A separate wired network for trusted office LAN devices? Etc etc. Would be good to narrow down what you want to accomplish.

  1. wired network for office lan devices
  2. wired network for process control and management/monitoring (this is stuff that is business related and is going to be quite mission critical (nothing like a home refrigerator - - - grin); these are going to be business stuff - - - ie there is $$$$ involved. Not regular home automation; think more like factory automation but it's not a regular 'factory'.)
  3. isolated network for phones/tablets/+
  4. may have a less critical IoT network added in but that would be after these first levels of stuff

Is that reasonably clear? (Order is by importance with the first 3 items needed asap.)

> The device supplied by the wireless Internet service provider is called a CPE (Customer Premises Equipment). It's basically a 5 GHz wifi client with a big antenna.

> Most CPEs have firmware to do rudimentary routing so the customer's side is a LAN supporting multiple users on private addresses with DHCP assignments from the CPE. These are then NATted inside the CPE to your one public (or semi-public) IP.

> You don't really want that, what you would rather have is the CPE provide a public IP on the Ethernet cable so that incoming connections pass through. This assumes you will provide your own router, you have to have a router to connect more than one user since there is only one IP address available on the CPE network. The provider will usually make such a configuration upon request, though you need to find the right person and convince them that you know what you are doing.

> What do you have now? Is there any routing inside the house or do you let the CPE run your LAN?

The isp supplies the cable that connects into the WAN port on my router. Everything from the router is my responsibility.

> If you have your own router of any sort, the LAN will continue to work without the Internet. The only traffic on the CPE cable would be Internet requests, so even if the CPE is crashed / down or has no radio link to the provider, LAN-to-LAN traffic would be unaffected.

> You should have at least 3 networks:
> LAN -- for your own stuff, administration, file sharing, printing, etc.
> Guest -- for family members and guests that only need a link to the Internet.
> IoT -- for totally untrustworthy Internet of Things like TV players, refrigerators, etc.

That's what I was thinking except I would like a 4th network that fits between your #2 and 3.

> It is possible to set up the firewall so that each network is unable to reach anything on the other two.

I've only done a little bit of firewall stuff - - - mostly using ufw primarily following directions. I think if I had directions to what I was trying to do that I might be able to set up the rules but I would appreciate tips if possible.

> RT-N12 is not a good candidate for a main router. Memory sizes are too small.

Oops - - - the budget has been spent already.
What might you be suggesting for a level of machine for the router?

> While I may be wrong in this particular case, most 'wireless ISPs' don't allow any kind of user side configuration of the CPE. It usually does NAT and provides RFC1918 addresses via DHCP and that's it, no static routes, no portforwardings, maybe UPnP, but you're usually behind multiple layers of NAT and are bound to very restrictive terms and conditions regarding allowed services, data caps, "fair use", often even the number of clients in your own LAN. If you want to change anything, you can only put your own router behind it - but due to the CPE already doing NAT, there is little to improve in terms of incoming services.

If I understand things correctly this is exactly where I'm at.
That's why I'm looking at doing a 'less than standard' lan.

When I asked the isp about ipv6 I was told that maybe out about 18 months and likely longer.

There is a company pulling a large bundle of individual fiber only about 30 km (20 miles) away. There is a major river separating us though but they were saying possibly in a couple years - - - - would absolutely 'love' that!! That company is dreaming of linking an area a couple hundred miles wide and 60/70 wide to form a serious business connectivity tool partly to push business development. I hope they continue but until then . . . .

The business component suggests you should step up above typical commercial routers, you want something like a low end x86 device and a managed switch. Particularly if you have a lot of wired devices. This will give you flexibility and upgrade path if you get a better connection.

On the managed switch define one vlan for each network you want, and one vlan for the wan. Plug x86 in and set it up to route between the vlans. Extend the network with APs that understand vlans. Ubiquiti or tp link eap devices...
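The "one VLAN per network, one VLAN for the WAN, x86 box routes between them" layout above, as OpenWrt UCI network configuration for an x86 router that has a single Ethernet port carrying everything as an 802.1Q trunk to the managed switch. This is an added example, not code from the thread or from the OpenWrt project. The VLAN IDs, the 192.168.x0.0/24 address plan, the switch port plan in the comments and the assumption that the router's NIC appears as eth0 are all made up for the example; the interface names lan, guest, iot and control are the ones the firewall would then hang its zones on.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): an x86 OpenWrt router
# with a single Ethernet port carrying every network as an 802.1Q VLAN, the managed
# switch splitting them out. VLAN IDs and addresses are made up for the example.
#
# Example switch plan (one switch port is the tagged trunk to the router):
#   VLAN  2  wan      untagged on the port to the ISP CPE, tagged on the trunk
#   VLAN 10  lan      office PCs and printers
#   VLAN 20  guest    phones and tablets
#   VLAN 30  iot      TV streamers
#   VLAN 40  control  process control and monitoring gear

TRUNK=eth0   # assumed name of the router's one physical NIC as OpenWrt sees it

# $1 = interface name, $2 = VLAN id, $3 = router address on that network
# Emits the 802.1Q device, the routed interface and a DHCP pool for it.
vlan_interface() {
    cat <<EOF
set network.vlan_$1=device
set network.vlan_$1.type=8021q
set network.vlan_$1.ifname=$TRUNK
set network.vlan_$1.vid=$2
set network.vlan_$1.name=$TRUNK.$2
set network.$1=interface
set network.$1.device=$TRUNK.$2
set network.$1.proto=static
set network.$1.ipaddr=$3
set network.$1.netmask=255.255.255.0
set dhcp.$1=dhcp
set dhcp.$1.interface=$1
set dhcp.$1.start=100
set dhcp.$1.limit=150
set dhcp.$1.leasetime=12h
EOF
}

# The WAN side is just another VLAN on the same trunk, addressed by the CPE's DHCP.
wan_interface() {
    cat <<EOF
set network.vlan_wan=device
set network.vlan_wan.type=8021q
set network.vlan_wan.ifname=$TRUNK
set network.vlan_wan.vid=$1
set network.vlan_wan.name=$TRUNK.$1
set network.wan=interface
set network.wan.device=$TRUNK.$1
set network.wan.proto=dhcp
EOF
}

network_uci_script() {
    wan_interface 2
    vlan_interface lan     10 192.168.10.1
    vlan_interface guest   20 192.168.20.1
    vlan_interface iot     30 192.168.30.1
    vlan_interface control 40 192.168.40.1
    echo "commit network"
    echo "commit dhcp"
}

# On the router: apply and reload. Elsewhere: just show what would be applied.
if command -v uci >/dev/null 2>&1; then
    network_uci_script | uci batch && /etc/init.d/network restart
else
    network_uci_script
fi
```

Because the router holds an address on every VLAN, the kernel routes between them on its own; whether any of that traffic is allowed is entirely the firewall's decision. None of the LAN-to-LAN routing touches VLAN 2, so it keeps working when the CPE is down or the radio link is gone, which is the uptime property asked for earlier in the thread.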

> The business component suggests you should step up above typical commercial routers, you want something like a low end x86 device and a managed switch. Particularly if you have a lot of wired devices. This will give you flexibility and upgrade path if you get a better connection.

> On the managed switch define one vlan for each network you want, and one vlan for the wan. Plug x86 in and set it up to route between the vlans. Extend the network with APs that understand vlans. Ubiquiti or tp link eap devices...

OK - - - - in a perfect world I would do that. In the process of modifying one business to a quite large extent and adding a new business - - well lots of things that I can't work without. Funds just aren't there for anything that doesn't absolutely have to be there so purchases of something like a managed switch (about 6 to 8 x the cost of the unmanaged one that I bought) and adding a dedicated system (non-arm type) router (likely about 2 to 3 times the cost of the 3 routers I have bought) are going to wait for when there is adequate cash flow.

Thanks for great ideas/suggestions.

The "factory" ought to have a dedicated router for reliability concerns. Something low end like the RT-N12 is OK for that, possibly even with stock firmware. Do those systems even need to see the Internet? The best security is an "air gap", i.e. no connection at all.

OpenWrt on low end devices allows their use as managed switches. The TP-Link TL-SG108E switch is good performance for the cost. There are a few other relatively inexpensive managed switches.

An old desktop PC can be pressed into service as an x86 router. They work well for that other than lack of Ethernet ports (making VLANning essential) and tendency to guzzle electricity. It is good for a proof of concept, but replacing with a $150 fanless low wattage system has a realizable payoff in energy savings alone.

To be relatively "future proof" you should not buy any new hardware that isn't gigabit Ethernet capable and at least 16/128 memory.

> The "factory" ought to have a dedicated router for reliability concerns. Something low end like the RT-N12 is OK for that, possibly even with stock firmware. Do those systems even need to see the Internet? The best security is an "air gap", i.e. no connection at all.

It would seem that some small servers need to be added into my overall system for just this reason.

> OpenWrt on low end devices allows their use as managed switches. The TP-Link TL-SG108E switch is good performance for the cost. There are a few other relatively inexpensive managed switches.

Useful - - - thanks.

> An old desktop PC can be pressed into service as an x86 router. They work well for that other than lack of Ethernet ports (making VLANning essential) and tendency to guzzle electricity. It is good for a proof of concept, but replacing with a $150 fanless low wattage system has a realizable payoff in energy savings alone.

Any suggestions as to a minimum horsepower for such uses?

> To be relatively "future proof" you should not buy any new hardware that isn't gigabit Ethernet capable and at least 16/128 memory.

As my present isp is almost killing itself with the pats on the back (they call 9 M bit per sec fast) I won't even be thinking about gigabit ethernet except internally until there is a reasonable likelihood of getting such access. A likely time frame is at least 3 years out and trying to plan for that time frame in technology - - - - too many other things on my plate to take any time for that.

Thanks for the suggestions/ideas!!

I agree with all your points. The extra router for factory is a good idea and doesn't need much power.

These are great bang for the buck, but not a lot of ports. The ZyXel GS1900-24e is about $100 on amazon and more configurable. It's a great low cost, high features per port switch. The ZyXel as a main switch, plus a few of the TP-Link for adding ports in more remote locations, is a good strategy. Make sure to upgrade firmware first thing out of the box for either switch.

Yes an older desktop can be repurposed to a router, and yes power consumption is an issue. If you've got an always on desktop you can add a virtual machine for the router to get started.

An x86 PC will be faster than every commercial consumer router you'll find, so minimum spec on PC is really "still boots".

> ajoeiam:
> Any suggestions as to a minimum horsepower for such uses?

> An x86 PC will be faster than every commercial consumer router you'll find, so minimum spec on PC is really "still boots".

What about some of the newer arm boards with quad or even octa core running at 1 GHz or so?