Newbie here. I am trying to setup my home network where a switch is located between the ISP modem and a router.
modem <-> switch <-> openwrt router
This is because of the physical layout at my house which I cannot change (at least for now).
Please see the diagram.
The managed switch NETGEAR GS308EP does not have OpenWRT installed (I am not sure if it's necessary or if it's even possible because I couldn't find
the model on the device compliance list).
The end devices like PS4 and IPTV are directly connected to a 'dumb' switch (TP-LINK SG1005D) which then
connects to the managed NETGEAR switch on a single ethernet cable.
The router GL.iNet MT6000 has openwrt.
I suppose I have to separate WAN and LAN traffic between the router and the switch in order for the traffic to reach
the devices plugged to the switch. I have some vague idea how this should be done but it's quite lacking.
My assumptions / questions:
I define VLANs like e.g.
192.168.10.0 VLAN id 10 main lan
192.168.20.0 VLAN id 20 wan
I define static IPs for device management like e.g.
192.168.10.1 router
192.168.10.2 switch
I define static IPs for the end devices on LAN like e.g. (does that make sense)
192.168.10.5 - PS4
192.168.10.6 - IPtv
192.168.10.7 - NAS etc
devices connecting to the router via WIFI get their IPs by DHCP
the router WAN port and the switch port 8 should be tagged
the switch ports 2,3 and 7 should be untagged
what about port 1 connected to modem?
what devices/bridges/interfaces should be configured on the router OpenWRT and how? (this is the big question)
question of firewall setup (another big one)
does this topology mean that all traffic/packets betweeen devices plugged to the switch and the internet have
to go through the router or is there a way to avoid all data going through the router (minimize the load on the router) so the connection is more 'lean'
like so:
I do recommend that the wan is tagged at the router, but the tag status at the modem (port 1) depends on the ISP’s requirements. If they don’t require tagging, this should be untagged at port 1 and tagged at port 8.
They should almost certainly be untagged for the respective VLAN that you wish to have for the devices on the lans because most of those devices will not be VLAN aware.
Port 3 connects to an unmanaged switch which means that there must only be a single network, untagged, assigned to that port. No tagged VLANs allowed on that port.
As mentioned above, this will be either tagged or untagged, depending on what the ISP requires.
Well, typically you’ll use DSA syntax and bridge VLANs and then create the two networks you’ve defined for your lans. Your wan port will need to be added to the lan bridge.
Depends on your goals. The wan and lan zones should already be well defined. The new lan you add may be different, depending on the goals/reasons for the additional VLAN.
Packets between devices on the same subnet will pass through the switch from port-to-port and will not need to go through the router. Inter-VLAN (i.e. between the two subnets) and internet traffic must go through the router. This is not a problem and this is the best design for your network. The switch is not capable of L3 routing, and even if it was, the performance would be so incredibly slow that it would be problematic for you. The router you have is very capable.
Importantly, though — are you running GL-Inet’s vendor firmware on your GL-MT6000, or is it official OpenWrt (obtained from openwrt.org)?
To extend on this as an example. Some ISP's require tagged into the modem in bridge mode. For example VLAN2 tagged. So that would require changing the swsitch port to output vlan2. (given you're PPPoE rather than just a DHCP on the bridge modem it's more likely to need a VLAN) You would then need to have vlan2 not be used for anything else other than input into your router.
It's handy to trunk a VDSL bridge or an ISP provided fibre media converter into a main networking cabinet, as well as for HA router purposes.
If you need untagged, you can then select an arbitrary VLAN and untag/tag at the switch, setting the PVID etc.
If you have more complex requirements you could get a switch that does vlan translation. Another option is QinQ if the switch does that.
I am a noob with OpenWRT but the OP has a similar setup idea to what I need too. The only difference might be that I will have a dedicated WLAN (VLAN) for my TVs and Cameras, and two more WLAN (VLAN) for guests as part of a mesh network.
My questions:
I plan on using a OpenWRT A7 router as my switch. I wish to use it as a hardware firewall with enabled network hardening (what packages would you suggest?), I currently use Unbound and Pi-hole with a separate pi device but was wondering if I should integrate it into this switch.
I seen many use different subnets between users and devices such as IOT and TVs, is this the correct practice?
For my mesh network I plan on using the 5G with the same SSID across the mesh routers but can I still use the 2.4G capabilities for each router with different SSIDs? For more background I plan on using the MX4300 (WIFI6) for my mesh network.
Again any package recommendations and guides/tutorials that you all would recommend?
Similarly to "what is the performance of your device" and how much performance do you need? Storage ? For example Firebox m300 has 4GB of ram, 4 cores and 8 threads. Fortinet 50e/51e/52e have 2gb of ram and 51e/52e have onboard ssd storage, but they are only 2 cortex A9's.
Subnet != layer 2 network but I get the point. Put them on different VLAN's / networks to isolate them is a reasonable idea. Issue becomes when you WANT broadcast/multicast behaviour such as mdns and/or chromecast / apple tv working. Then you are doing multicast bridges etc. People will complain they can't get their phone to talk to the TV etc. or you have your TV on your guest network too.
Thanks for the swift reply. I wasn't aware this would be resource intensive; such as using my A7 router as a switch and configuring as a "firewall" and using select OpenWRT packages to harden my network. I guess the things I have in mind is using NAT IP tables, blocklists, etc. I could later setup a old pc if I do need more resources to achieve what I am looking for.
I am a noob but you make a good point that devices and TVs won't connect with different subnets.
As far as why I want a "mesh" may just more of I want there to be seemless connection throughout the home. I guess by keeping the same 5G SSID between separate routers isn't a true mesh network??? Again I am a noob.
Do you have any recommendations for a noob? Any packages, guides, or tutorials to get me setup?
~J
Make a new post please. It will bring more eyes to your questions. Start with the exact model info of your hardware. The current topology. The new topology you want to do etc.
It's not that it can be resource intensive. It's just that I don't know what your existing hardware is at all. Nor do i know what raspberry pi you have. That couldb be anything from 256MiB to 8gb ram. ARM11 through A73. Similarly with CPU power and networking speed. Especially if you aren't using the switch part but using the CPU.
From what I can tell ISP doesn't require tagging because I have never used tagging when setting up my router connection to the modem. All I got from them as a requirement were:
static ip address 84...*
netmask 255.255.255.252
gateway 84...*
dns1 and dns2
