Seeking the Impossible? Network Separation

I am looking for advice for something that may not be possible.

I have not yet invested in a router as I am guessing the choice will be dependant on the answers I receive. I have a spare Archer C9 (Ver 5) but it is not possible to flash it with OpenWrt so I need something else to test out.

I would like to have an OpenWrt capable router that sits between my ISP router and my WiFi Mesh router (and extenders) on a DMZ network (currently TP-Link P7 and P9 units so fully ethernet and WiFi capable).

The P7 mesh router currently manages DHCP for its network ( and the ISP router uses fixed addresses (DHCP disabled) for its separate network The 192 range only has a couple of items, the DMZ on and a Digital to Analog IP telephone converter on

The DMZ P7/P9 Mesh runs 2.4 and 5 GHz WiFi networks split into Private and Public access networks, the Public network being the more restrictive.

I want to be able to route some devices and their (generally static) IP addresses in the DMZ via my company VPN server and the remainder via the open internet (which may include devices that on occasion access the VPN independently through their client software). The network split between private and Public access would only be on the open internet connection side.


  1. Is OpenWrt capable of structuring such a system?
  2. I assume the Wrt would need to offer DHCP and replace the P7 router unit so it could revert to an extender. Is this right?
  3. Can it be a software only solution or would additional (to the chosen router) hardware also be required?
  4. What would be the best router to use for this type of setup (as WiFi capability would not be needed on the router itself)?
  5. Will a change from ADSL to Fibre Optic have any impact on the solution (I am guessing no but would like confirmation).

Any and all advice welcomed.



1 Like

Your point 2 is the critical one-- indeed the mesh system needs to be a bridge not a NAT router like it is now, so that the OpenWrt router will see the LAN IP addresses of the clients to policy route them.

Though generally this is done with two separate networks (VPN users and direct to Internet users) since configuring by IP address is an administrative hassle and there is no security against an endpoint changing their IP address. True network separation like that requires the APs to pass the different user networks to the router on separate VLANs. OpenWrt can do that, but a consumer-oriented mesh system likely does not.

1 Like

Thank you for the rapid response. I am confident that I can get this done with the forum support. Much appreciated.


1 Like


You are not in Milton Keynes I hope! Appreciate your response and hope I can work my way through it with the support of the forum. I was looking at a xiimi M1 4A Gigabit as an initial testing machine. (Cheap and cheerful but with adequate power). Do you have any other suggestions?


Think a lesson in Routing and Switching maybe of help, provided by Cisco. Module 1 (CCNA)


Its just the basics, thought it might help.

Thank you. I am busy rebuilding an old stone barn that absorbs some time but I will find time to read through both of these. Hopefully it will stop naive questioning. This project may take some time to complete!


Sorry guys, I just gave up! I struggled with the courses which frankly were not very clear for a non IT person. Have instead just bought a router with openers installed and am trying to work through that. Posting separate questions as an when problems arise. This can be closed.

Thanks for your help.


Hi again,

I am not sure if this will get any response but if not I will repost elsewhere.

I am both elated and concerned. Elated because I have achieved what I wanted to do and concerned because to do it, I think I have opened myself to external attacks. So this addition is about checking my security settings.

Progress so far.

I invested in an MTK MT7621AT 802.11AC 1200Mbps 5G Wireless WiFi Router USB Gigabit Ethernet LEDE OPENWRT Router Padavan 512MB Memory /32MB Flash router preloaded with Openwrt 19.07.02 clean. Specs of machine are:

Brand Name: GL.iNet
With Modem Function: No
Type: Wireless
Wired Transfer Rate: 10/100/1000Mbps
WAN Ports: 1 x10/100/1000Mbps
Number of USB Interfaces: 1 x USB 3.0
Wi-Fi Supported Frequency: 2.4G & 5G
5G Wi-Fi Transmission Rate: 867Mbps
Package: No
Supports WDS: No
Max. LAN Data Rate: 867Mbps
Model Number: Newifi-D2
Standards And Protocols: Wi-Fi 802.11b,Wi-Fi 802.11n,Wi-Fi 802.11ac,Wi-Fi 802.11g
Wi-Fi Transmission Standard: 802.11ac
2.4G Wi-Fi Transmission Rate: 300 Mbps
LAN Ports: 4
Supports WPS: Yes
Function: Firewall,VPN,QoS
Application: Home
Flash: 32MB,512MB

So far it has worked fine. Took time to overcome the preset that clashed with my networks but trial and error got it sorted.

Having read lots of the documentation I have managed to get the WAN, LAN and wireless interfaces working with this router positioned between my ISP router/modem and my wifi mesh system (now all running as access points with the new router managing DHCP.

I have installed OpenVPN and imported my configuration and after confirming the existence of tun0 I have set the firewall to accept and forward everything and to forward to all other interfaces (i.e., both LAN and WAN). Herein lies my concern.

I am accepting all incoming, outgoing and forwarding requests on this interface and am not sure that is right.

Sorry it is a bit longwinded but I would appreciate any input on how to set the firewall so all my devices can access the internet over the VPN (which is what they are currently doing) without opening myself up to attacks from external geeks.

Have searched loads but generally solutions are aimed at commercial and not private VPNs so not sure I can just follow their settings for my setup.



I have managed to get this sorted through support on other forums. This can be closed.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.