Separate subnets for different wifi networks?

Noob here and I just installed OpenWRT for the first time. I'm not utilizing any external firewalls, switches, etc on my router. I just have a vanilla setup with my router plugged into my modem (might have a direct line on eth port 1 into my laptop occasionally).

I want 3 WiFi networks that all have their own subnet:
Subnet 1: 192.168.1.1/24
Subnet 2: 192.168.2.1/24
Subnet 3: 192.168.3.1/24

Subnet 1 should be able to talk to 2 and 3.
Subnet 2 and 3 shouldn't be able to see any devices outside their subnet range, but all 3 should be able to access the public internet.

For some reason I can't get this working. I thought I got close by creating a bridge device, assigning an interface to that bridge with a firewall rule that allowed access to the wan. I added a manual traffic rule blocking access to the other subnets, but subnet 2 could still access subnet 1.

For my setup, what type of devices should I be creating here? Bridge or VLAN? I'm a bit confused by the setup for this topology.

If you are only using wifi on one physical wifi router/AP device, you don't need to use VLANs. You will need to use a bridge if you are using more than one physical radio (i.e. 2g and 5g).

If you have a non-working config that you would like to fix, we can do that. Otherwise you can follow the guest WiFi guide and make a few minor modifications once that is done.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

When I create a bridge, since I'm not using any of the ports (eth1-eth4 in this case), would I select WAN as one of the ports? I guess I see this in clear text on the page:

.... In order to attach wireless networks, choose the associated interface as network in the wireless settings.

Does that mean I just leave bridge ports blank in this case? What if I want to use a mix of one ethernet port and wireless?

Most certainly not the wan. A bridge is the software equivalent of an unmanaged switch. If the device in question is a router where the wan port is connected to the internet, you do not want to bridge that with anything.

You can create an empty bridge. If you do plan to use those subnets with Ethernet, you need to define how this will be done (what ports carry what networks).


Ok, makes sense. So I have an empty bridge (let's call it EmptyBridge). I created an interface assigned to the empty bridge with an SSID attached to that network.

The last piece I think that I'm trying to understand is the iptables rules. Just using LuCI right now. Do I create a zone that allows all traffic from EmptyBridge -> WAN with a traffic rule that blocks all traffic leaving EmptyBridge with IP 0.0.0.0/0 to InternalSubnet with Reject?

Follow the example in the guest wifi article. It creates a zone that contains the guest network and then allows forwarding from that guest zone > wan.

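The zone layout the guest wifi article describes, written out as an added /etc/config/firewall fragment for the three-subnet setup in this thread (my example, not text from the article or from anyone in the thread). It assumes the stock 'lan' and 'wan' zones and the stock lan->wan forwarding are left in place, and that interfaces named guest2 and guest3 already exist in /etc/config/network for subnets 2 and 3:

```uci
# Zones for subnets 2 and 3: forward=REJECT blocks traffic to other zones unless a
# 'forwarding' section allows it; input=REJECT keeps guests off router services.
config zone
	option name 'guest2'
	list network 'guest2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest3'
	list network 'guest3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Both guest zones may reach the internet (the stock lan->wan forwarding stays).
config forwarding
	option src 'guest2'
	option dest 'wan'

config forwarding
	option src 'guest3'
	option dest 'wan'

# Subnet 1 (the stock 'lan' zone) may open connections into 2 and 3; replies
# return via connection tracking. There is deliberately no guest2->lan,
# guest3->lan or guest2<->guest3 forwarding, so those are rejected.
config forwarding
	option src 'lan'
	option dest 'guest2'

config forwarding
	option src 'lan'
	option dest 'guest3'

# Let guest clients still get an address and resolve names from the router.
config rule
	option name 'Allow-DHCP-DNS-guest2'
	option src 'guest2'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-DNS-guest3'
	option src 'guest3'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

Apply it with /etc/init.d/firewall restart, then check from a subnet 2 client that hosts in 192.168.1.0/24 and 192.168.3.0/24 are unreachable while the internet still works; a traffic rule is not needed because the missing forwarding sections already reject that traffic.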

Got it working, thanks!
