Two IPs on same private network on single interface/WAN

Hello,

I'm setting up a small office network on a TP-Link TL-WR1043ND (I believe it's version 2.x), on which I want to have two different WiFis on two different networks which resolve to different public IPs. For example:

  • Network 1 (primary) - internal network 10.1.0.0/24 - resolves to public IP A.B.C.D (for people working in the company)
  • Network 2 (secondary) - internal network 192.168.1.0/24 - resolves to public IP E.F.G.H (for other people who come by sometimes - meant as a guest network with the isolate option enabled)

So, to start with the network to which the router is connected: basically it's a private network, 192.168.254.0/24, where we have (as agreed with the maintainers) one static IP, 192.168.254.12, which resolves to A.B.C.D, and we can also connect via DHCP, where all IPs in the pool resolve to E.F.G.H. The idea is to separate traffic between Network 1 and Network 2, because our static IP is primarily meant for the office server, which will have specific ports forwarded on the router (thus available from the internet), and I don't want anything creepy (in case someone from outside were connected to our primary network) to be sent elsewhere from this IP.

Network 1 is meant as a network for the office server, which will host several virtual machines. VMs will be connected to this network via DHCP, and only people working in the company should have access to them.

Network 2 is meant as a guest network to which all people who are sometimes in our office (external partners) can be connected. The isolate option will also be enabled there.


I think that I came pretty close to what I want to achieve. I currently have two different networks (interfaces on separate VLANs), each with its own WiFi. Clients on each WiFi are separated, and at least those on Network 2 don't have access to Network 1 (I didn't test the other direction). I have also created another WAN (in addition to the pre-created WAN to which I assigned the static IP 192.168.254.12) which has a DHCP connection set. In LuCI I can see it has an address fetched from the DHCP pool. But the problem I have is that, even though the private networks and the devices connected to them are successfully separated, all traffic still goes only through the static IP 192.168.254.12 (assigned to the pre-created WAN) instead of also being separated according to where it comes from. I tried to handle this via zones and set up everything as it was for the pre-created WAN, but that didn't seem to help.

Here are the configs currently in use, which result in what I described above:

/etc/config/network
interface 'lan' + interface 'wan' => Network 1
interface 'languest' + interface 'wanguest' => Network 2

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.1.0.1'
        option netmask '255.255.255.0'

config interface 'languest'
        option type 'bridge'
        option ifname 'eth1.3'
        option proto 'static'
        option ip6assign '60'
        # host address of the guest bridge; 192.168.1.0 is the network address, not a usable router IP
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.254.12'
        option netmask '255.255.255.0'
        option gateway '192.168.254.1'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wanguest'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1 2 0t'

/etc/config/wireless (private data cleared from config)

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'network1'
        option encryption 'psk2+ccmp'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'network2'
        option network 'languest'
        option isolate '1'
        option encryption 'psk2+ccmp'

/etc/config/firewall (default rules omitted from config)

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        option network 'wan wan6'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wanguest'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wanguest'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'languest'
        option forward 'ACCEPT'
        option network 'languest'

config forwarding
        option dest 'wanguest'
        option src 'languest'

What else have I tried to get this working? I added a static IPv4 rule from wanguest targeting the IP assigned to it by the DHCP server, but nothing changed (I just tried it; I don't really understand what it is meant for). Also, if possible, I'd like this to happen automatically, because I wouldn't like to lock wanguest to a static IP, since anyone else in the same network could receive that address via DHCP in the meantime (I don't know if that is actually possible, but if our lease expires and there is an outage in our office ... you know, the edge cases which will never happen, but are possible).

I hope I described well what I want to achieve and that you didn't have any problems understanding it - in case anything is not covered, please reply and I will answer ASAP. I know it's a bit of a long post, but otherwise it probably wouldn't describe everything I want to achieve with my config.

Thanks in advance for any suggestion/comment/help/...!
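
Added example, not part of the original post: the firewall zones above only decide what may be forwarded, they do not choose which default route a packet takes, and both `wan` and `wanguest` end up on the same `eth0` with the static WAN's default route in the main table. One way to make guest traffic follow the DHCP-learned route is source-based policy routing in /etc/config/network. This fragment assumes a netifd/OpenWrt release that supports `ip4table` on an interface and `config rule` sections (Barrier Breaker 14.07 or later); the table number 100 is an arbitrary choice, and the `ipaddr` of `languest` is assumed to be 192.168.1.1 so the guest subnet is 192.168.1.0/24.

```uci
# /etc/config/network fragment (added example, assumes netifd with ip4table / config rule support)

# Same DHCP guest WAN as in the post, but its routes (connected 192.168.254.0/24
# and the default route learned from DHCP) go into routing table 100 instead of
# the main table, so they no longer lose to the static WAN's default route.
config interface 'wanguest'
        option ifname 'eth0'
        option proto 'dhcp'
        option ip4table '100'

# Policy rule: packets whose source is the guest subnet are looked up in
# table 100 before the main table. 'priority' orders it ahead of the default
# main-table rule (32766); the value itself is arbitrary.
config rule
        option src '192.168.1.0/24'
        option lookup '100'
        option priority '100'
```

After `/etc/init.d/network restart`, `ip rule show` should list the new rule and `ip route show table 100` should contain a default route via 192.168.254.1 on eth0 (the DHCP lease's gateway). `ip route get 8.8.8.8 from 192.168.1.10 iif br-languest` shows which table and source address the kernel picks for a guest client. One caveat worth checking before relying on this: the `masq '1'` in the `wanguest` zone is a MASQUERADE rule, and MASQUERADE takes its source address from the outgoing device, not from the route. A second address in the same /24 on eth0 is registered by the kernel as a secondary address, which MASQUERADE skips, so even correctly policy-routed guest packets can still leave as 192.168.254.12. If `tcpdump -ni eth0` on the router confirms that, the fix is an explicit `iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source <guest DHCP address>` rule instead of masquerading; since that address is dynamic, it would have to be read from `ifstatus wanguest` and re-applied from an `/etc/hotplug.d/iface` script whenever `wanguest` comes up.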