Reversing LAN and WAN

Hello!,

I've got a TPLink WDR3600 working with LEDE and i would like to configure it as follows (i will try to explain myself the best i can).

I want the WAN port and a virtual WiFi 5GHz interface on the same network (example 192.168.2.0) with a DHCP server enabled, they need internet access and they must be completly isolated, the reason about this is because i'm going to connect one of those small boxes for an european project to measure my internet connection and since i don't trust 100% what info they are going to collect i want some privacy (i don't want it to be on the same network as my main network since i have some open services on my home network like DLNA, file sharing etc). This small box uses an ethernet connection (the WAN port i want to configure) but also measures the speed using an available WiFi network.

The WDR3600 is wired connected to my main router using one of the 4 LAN ports (192.168.1.0).

With my amazing paint skills, this is an illustration about my network

If I understand your picture correctly it is your main (non-LEDE) router that does dhcp for your network (192.168.1.0/24). If so, running a second guest network on wdr3600 for the measuring equipment will not achieve the goal as any outgoing internet connection will still have to cross the 192.168.1.0/24 network and hence all equipment connected to it will be visible from the guest network.
If your main router is also LEDE or tomato etc the goal is achievable using vlans (dhcp for both networks running on the main router, the networks being isolated using firewall and the main router connected to wdr3600 using port you vlan tag and connect to both the main and guest network).

Yeah, my main router is a non LEDE router... sadly i can't use a router with LEDE because it is a FTTH router with an ONT integrated :frowning: , ofc i could double NAT with a second LEDE router and disable all the services on the FTTH router but that would be too many devices connected.

So bad then...

Is it possible to set DMZ on your main router?

Yes, my internet provider router has a DMZ option but i think it is the only port version DMZ and not a full DMZ that isolates from the lan network...

@quetzalin, would you mind sharing the make and model of your fiber router? If you have a link to the manual that would be great.

It's a ZTE H218N and i can't find any manual :frowning:

Then do this: connect the WAN of the WDR3600 to one of the LAN port of your provider router. The WAN will get the provider LAN router IP, on which you can set the DMZ. Then set a VLAN tagged on the WDR3600 LAN port to which you connect the WiFi measurement instrument. Add a VLAN zone to the firewall and assign the newly created VLAN interfece to it. Then set rule to drop traffic between VLAN and LAN, and allow only masquerading grom VLAN to WAN