Separate Wifi does not work... solution: reconfigure?

Good evening everyone. This is my first topic on the forum, but I've been an OpenWrt user for a long time. Without further ado, let's get to the problem.

I have a 4-port ISP modem (modem only) that delivers internet to an Archer C20 V4 via its WAN port. Connected to this modem I have two Raspberry Pis, one running DNS (Pi-hole) and the other running a website, plus an Xbox 360.

1st problem: when I connect to this modem via wifi, I cannot access the Archer, which has the IP 192.168.1.2; otherwise everything is OK. The intention is to remove Pi-hole from the website Pi and place it behind the OpenWrt that runs on the Archer C20 (I haven't managed to do this so far).

2nd problem: on the Archer C20, which is on the 192.168.1.2 network, I have some devices that I illustrated in the image, such as a DVR, IP cameras, a NAS, a TV and a Duosat. On it I created 3 VLANs to separate the TV, the NAS and the Duosat (the connection illustrated in green is fine at the moment; it is just there for illustration purposes). So far so good. However, I wanted to create on this Archer running OpenWrt some wifi networks that do not communicate with each other, and perhaps a hidden network through which I could access OpenWrt. I have read and reread a lot of things, but I cannot get a wifi network that I create to reach the internet. In this case I created a port on the switch (IoT; the name doesn't matter here), created a rule on the firewall for WAN, and associated this VLAN with the wifi network... nothing, the internet doesn't work. If I assign the interface br-lan to the wifi it works, but I don't want that, because then any device can communicate with the router, and the intention here is to segregate everything because of a possible data leak or intrusion, even if it is only in my case.

3rd, solution: correct the two problems above, or reconfigure everything from scratch?

Note: if the best way is to reconfigure and you can help me via LuCI, that would be easier for me. IP ranges can also be suggested to me; in that case there are no problems.

Thanks to everyone on the forum who can help.

Here are my configurations:

Modem ISP
192.168.0.1
255.255.255.0
dns: 192.168.0.4

DNS(PIHOLE 1)
192.168.0.4
255.255.255.0
192.168.0.1

Website (PIHOLE 2)
192.168.0.15
255.255.255.0
192.168.0.1

Wifi SSID (teste)

TP-LINK Archer C20

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 2 0'
        option description 'Vlan_02'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 3'
        option description 'Vlan_03'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 4'
        option description 'Vlan_04'

config interface 'Vlan_04'
        option proto 'static'
        option device 'eth0.4'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'

config interface 'Vlan_02'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'Vlan_03'
        option proto 'static'
        option device 'eth0.3'
        option ipaddr '172.16.70.1'
        option netmask '255.255.255.0'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option description 'IoT'
        option ports '6t'

config interface 'IoT'
        option proto 'static'
        option device 'eth0.5'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option type 'bridge'
--------------------
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option htmode 'HT40'
        option channel 'auto'
        option country 'BR'
        option txpower '25'
        option cell_density '1'
        option noscan '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'BR'
        option cell_density '0'
        option txpower '17'
        option disabled '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'psk2'
        option key '1001100110'
        option network 'IoT'

----------------------------
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        list server '1.1.1.1'
        option confdir '/tmp/dnsmasq.d'
        option ednspacket_max '1232'
        option strictorder '1'
        option allservers '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,192.168.0.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Cisco'
        option ip '192.168.1.179'
        option mac '00:C8:8B:02:A6:0C'

config domain
        option name 'Raspberry'
        option ip '192.168.0.4'

config domain
        option name 'Samsung_A22'
        option ip '192.168.1.199'

config domain
        option name 'Dell_CDF'
        option ip '192.168.1.181'

config domain
        option name 'OpenWrt'
        option ip '192.168.1.2'

config domain
        option name 'DVR_Intelbras'
        option ip '192.168.1.200'

config domain
        option name 'Camera_Rua'
        option ip '192.168.1.161'

config domain
        option name 'Camera_Sacada'
        option ip '192.168.1.216'

config host
        option name 'Samsung_A22'
        option ip '192.168.1.199'
        option mac '6A:06:4A:95:38:12'

config host
        option name 'Dell_CDF'
        option ip '192.168.1.181'
        option mac 'A8:6B:AD:FF:7D:B1'

config domain
        option name 'Yoosee_Cam'
        option ip '192.168.1.195'

config host
        option name 'raspberrypi'
        option ip '192.168.1.136'
        option mac 'B8:27:EB:4F:6D:B8'

config domain
        option name 'Raspsberry_2'
        option ip '192.168.1.136'

config host
        option name 'Chromecast'
        option ip '192.168.1.192'
        option mac '54:60:09:16:5D:96'

config dhcp 'Vlan_04'
        option interface 'Vlan_04'
        option start '2'
        option limit '5'
        option leasetime '12h'
        list dhcp_option '6,192.168.0.4'

config dhcp 'Vlan_02'
        option interface 'Vlan_02'
        option start '2'
        option limit '5'
        option leasetime '12h'
        list dhcp_option '6,192.168.0.4'

config dhcp 'Vlan_03'
        option interface 'Vlan_03'
        option start '2'
        option limit '3'
        option leasetime '12h'
        list dhcp_option '6,192.168.0.4'

config dhcp 'IoT'
        option interface 'IoT'
        option start '2'
        option limit '15'
        option leasetime '12h'
        list dhcp_option '6,192.168.0.4'

-----------------------
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        option input 'REJECT'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Intelbras DVR'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.200'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.0.1'
        option dest_port '80'
        option name 'DVR'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'OpenVpn'
        option src 'wan'
        option dest_ip '192.168.0.4'
        option src_dport '1194'
        option dest_port '1194'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'No-ip'
        option src 'wan'
        option dest_ip '192.168.1.136'
        option src_dport '9090'
        option dest_port '9090'

config rule
        option name 'DNS GOOGLE'
        option src 'lan'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list dest_ip '8.8.8.8'
        list dest_ip '8.8.4.4'

config zone
        option name 'Vlan_04'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'Vlan_04'

config forwarding
        option src 'Vlan_04'
        option dest 'wan'

config zone
        option name 'Vlan_02'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'Vlan_02'

config zone
        option name 'Vlan_03'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'Vlan_03'

config forwarding
        option src 'Vlan_03'
        option dest 'wan'

config forwarding
        option src 'Vlan_02'
        option dest 'Vlan_04'

config zone
        option name 'IoT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'IoT'
        option family 'ipv4'

config forwarding
        option src 'IoT'
        option dest 'wan'
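Before touching the config, it helps to see what the firewall as posted actually permits between zones. The script below is an added example for this thread (not code from the original post, nor part of OpenWrt): it parses the `config zone` / `config forwarding` sections of a UCI firewall file and prints the effective zone-to-zone forwarding matrix, listing any zone with no path to `wan` and diffing the result against an intended allow-list. The embedded `SAMPLE_FIREWALL` is a constructed, trimmed copy of the zone and forwarding layout posted above; `config rule` entries that open additional zone pairs are deliberately not modelled.

```python
"""Effective zone-to-zone forwarding matrix of an OpenWrt /etc/config/firewall.

Added example for this thread (not code from the original post or from
OpenWrt itself). It models only 'config zone' and 'config forwarding'
sections; 'config rule' entries that open extra zone pairs are ignored.
"""
import re
from collections import defaultdict

# Constructed sample that mirrors the zone/forwarding layout posted above
# (trimmed to zones and forwardings; the Vlan_03 zone is omitted).
SAMPLE_FIREWALL = """
config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'Vlan_02'
        option forward 'REJECT'
        list network 'Vlan_02'

config zone
        option name 'Vlan_04'
        option forward 'REJECT'
        list network 'Vlan_04'

config forwarding
        option src 'Vlan_02'
        option dest 'Vlan_04'

config zone
        option name 'IoT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'
"""

_SECTION = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
_OPTION = re.compile(r"^\s*(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text):
    """Return [(section_type, {key: [values]}), ...] in file order."""
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), defaultdict(list)))
            continue
        m = _OPTION.match(line)
        if m and sections:
            sections[-1][1][m.group(2)].append(m.group(3))
    return sections


def forward_matrix(text):
    """Map (src_zone, dst_zone) -> True where the firewall forwards traffic."""
    policy, pairs = {}, set()
    for stype, opts in parse_uci(text):
        if stype == "zone" and opts.get("name"):
            # a zone's own 'forward' option governs traffic between its networks
            policy[opts["name"][0]] = opts.get("forward", ["REJECT"])[0].upper()
        elif stype == "forwarding" and opts.get("src") and opts.get("dest"):
            pairs.add((opts["src"][0], opts["dest"][0]))
    matrix = {}
    for src in policy:
        for dst in policy:
            ok = policy[src] == "ACCEPT" if src == dst else (src, dst) in pairs
            matrix[(src, dst)] = ok
    return matrix


def zones_without_internet(text, wan="wan"):
    """Zones (other than the WAN zone) with no forwarding towards it."""
    matrix = forward_matrix(text)
    return sorted({s for s, _ in matrix
                   if s != wan and not matrix.get((s, wan), False)})


def check_policy(text, allowed):
    """Diff the config against an intended allow-list of (src, dst) pairs.
    Returns (unexpected, missing)."""
    matrix = forward_matrix(text)
    allowed = set(allowed)
    unexpected = sorted(p for p, ok in matrix.items()
                        if ok and p[0] != p[1] and p not in allowed)
    missing = sorted(p for p in allowed if not matrix.get(p, False))
    return unexpected, missing


if __name__ == "__main__":
    for (src, dst), ok in sorted(forward_matrix(SAMPLE_FIREWALL).items()):
        print(f"{src:>8} -> {dst:<8} {'allow' if ok else 'deny'}")
    print("no path to wan:", zones_without_internet(SAMPLE_FIREWALL))
```

Run it against the real file with `scp root@192.168.1.2:/etc/config/firewall .` and `forward_matrix(open("firewall").read())`. Note that the matrix only covers zone pairs; `config rule` and `config redirect` entries (like the DNAT rules posted above) can still admit traffic that the matrix shows as denied.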

First things first...

This device is not a modem-only. It is clearly a combo modem+router, otherwise it would not have wifi and it would not be using the 192.168.0.0/24 network.

What this means is that everything behind your TP-Link router is double-NAT'd.

This is expected behavior -- the ISP router's lan (including the wifi) is connected to the wan of the TP-Link router. The wan is firewalled, and it is also subject to NAT masquerading, so the network behind it is not directly accessible. Finally, the ISP router would need a static route in order to enable this to work, since it doesn't currently know where to send those packets.

I'm not sure what you mean by the 'hidden network' but we can get to that later.

I see that you posted your config... I could go through it to understand what you've done and identify the issues. But I think the more relevant thing to do is to deal with the ISP router first...

  1. Is there a reason you're connecting multiple devices to the ISP router? Why not have everything behind the TP-Link router?
  2. Can that ISP router be put into modem only mode (sometimes called bridge mode). This will make the TP-Link router the only router in your network, which will make things easier.
  3. If you need to use the ISP router (in its router mode), we need to know what you expect for connectivity between the devices connected to the ISP router and those connected to the TP-Link router.
  4. We also need to know if your ISP router supports static routes.

Hello psherman, thanks for the answers.

This is actually an ISP router; I didn't state it correctly.

I use the ISP router's ports because, looking at the drawing I made, the network in green is in another room, as if it were another house, while the ISP router and the Archer are in my living room, and since there are several devices I use the ports on both.
However, I can switch both the Raspberries and the Xbox to wifi and leave the ISP router in bridge mode as I had done previously.

However, if we follow this approach, I would like to create different wifi networks that do not communicate with each other for the devices that connect to them; then we would simplify everything.

If we could follow this reasoning, it would be great for me, since I don't have any problems with wired ports.

Thanks.

Ok... so there are a few things that need to be done in terms of clarification:

  1. Do you want to use the ISP router as a router, or purely as a modem device?

I personally would recommend co-locating your main router with your ISP device, and making the ISP device purely a modem. From there, you can use the existing wire(s) to connect to other rooms, possibly with the addition of one or more switches and/or wifi APs. Is this possible?

  2. How many sub-networks do you want, and what will they each do?
  • Specifically, let's call them by names -- for example: lan (for trusted lan), iot (for your untrusted and iot devices), guest (obviously for guests)
  • Then, what permissions will each have? For example, trusted lan can access iot but not the other way around, trusted lan and guest can reach the internet, but iot is isolated. You get the idea... I'm just giving examples.
  3. What is needed in terms of wifi and/or wired connections for each of these networks? A physical diagram including the rooms where equipment (modem, router, switches, APs, and any associated wired hosts/devices) will be located can be helpful here to figure out what the configuration of all of your network hardware needs to look like. (The diagram can be as simple as a photo of a sketch on paper, or you can make it prettier like you did with your previous drawing -- whatever is fastest/easiest.)

I am going to recommend a reset of your OpenWrt router, but we'll get to that once we have the whole plan defined.
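For reference, here is what the lan / iot / guest plan sketched above looks like as UCI fragments. This is an added example for this thread, not configuration from the original post or from the OpenWrt project, and it makes a few assumptions: the 21.02-or-later `config device` syntax (the posted wireless config already uses `option band`, which belongs to that generation), the existing `lan` and `wan` zones stay as they are, the two new networks are wifi-only so they need no `switch_vlan` at all, the subnets 192.168.10.0/24 and 192.168.20.0/24 are only suggestions, and both SSIDs sit on `radio0`. The Wi-Fi keys are placeholders.

```uci
# /etc/config/network (fragment to append)
# A bridge with no 'list ports' has the wifi-iface below as its only member.
config device
        option name 'br-iot'
        option type 'bridge'

config interface 'iot'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
# (no 'option gateway' here: the default route belongs to the wan interface)

config device
        option name 'br-guest'
        option type 'bridge'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# /etc/config/wireless (fragment to append)
# 'isolate' stops clients of the same SSID from talking to each other.
config wifi-iface 'iot_ap'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'psk2'
        option key 'CHANGE-ME-iot'
        option network 'iot'
        option isolate '1'

config wifi-iface 'guest_ap'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'psk2'
        option key 'CHANGE-ME-guest'
        option network 'guest'
        option isolate '1'

# /etc/config/dhcp (fragment to append)
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '50'
        option leasetime '12h'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '50'
        option leasetime '12h'

# /etc/config/firewall (fragment to append)
# input REJECT closes the router itself to these zones; the rule that
# follows re-opens only DHCP (67/udp) and DNS (53) so clients can get online.
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option name 'Allow-IoT-DHCP-DNS'
        option src 'iot'
        option proto 'udp tcp'
        option dest_port '53 67'
        option target 'ACCEPT'

# iot -> internet only; the trusted lan may reach iot, nothing permits iot -> lan
config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'

config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule
        option name 'Allow-Guest-DHCP-DNS'
        option src 'guest'
        option proto 'udp tcp'
        option dest_port '53 67'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'
```

Masquerading is left on the `wan` zone alone, which is where NAT towards the ISP router happens; the new zones do not need `option masq`. After editing, apply with `/etc/init.d/network restart`, `/etc/init.d/firewall restart` and `wifi reload`, then confirm from an IoT client that it gets a 192.168.10.x lease, resolves names via 192.168.10.1, reaches the internet, and cannot ping a 192.168.1.x host.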