Two separate wifi networks with internet access

I’m installing a Ubiquiti UniFi AC Lite AP for a project that needs to have two separate networks (wireless only). OpenWrt 18.06.1 is installed with LuCI.
I’m trying to achieve a static LAN interface (192.168.1.2) and gateway (192.168.1.1, Arcadyan VGV7519 with default firmware that has DMZ enabled for said static IP), and two separate interfaces (user and staff), each with a wireless network connected to them. I’m using two different subnets for these: 192.168.5.0/24 and 192.168.2.0/24. I did manage to get two wireless networks up and running, handing out addresses in the correct ranges, and I was able to ping the ‘gateways’ 192.168.5.1 and 192.168.2.1 and 192.168.1.2, but I can’t seem to communicate outside of that. What am I missing? Also, is this the best way to go about configuring two networks that aren’t allowed to talk to each other?

  • Maybe I'm missing something here, but at no point did you actually describe the WAN connection in detail.
  • Did you add a gateway and DNS to the WAN interface?
  • Is your WAN also wireless?
  • If so, is your WWAN up?
  • You listed 3 "gateways"... which one is WAN (I'm guessing 192.168.1.2)?
  • Can you ping the Arcadyan router at 192.168.1.1?
  • So long as you place the new LAN in a different firewall zone, by default they cannot communicate to one another.
1 Like

Your path out of the router to the Internet is the LAN network. Set up forwarding from each new network to the LAN. For this to work you need to enable masquerade and MTU fix on the LAN.

This should allow users of the two APs to access the Internet.

It is not secure though because they can also see everything on the LAN and the router itself. So add firewall rules to block them from all the 192.168.0.0/16 addresses, except for the router's DHCP server (ports 67 and 68 UDP) and the DNS server (port 53 UDP or TCP).

3 Likes

Thank you for the quick reply, I realize that I should indeed clarify a few things: the Arcadyan router is an all-in-one that came from the service provider. It’s the typical LAN-WLAN-gateway arrangement, and I am not able to obtain the credentials to connect directly to the provider. It is a VDSL connection, but it’s all managed by the Arcadyan. This Arcadyan is actually supported by OpenWrt, if I could only use it... so I stripped down this default network, 192.168.1.0/24, disabled DHCP and put it in DMZ/throughput mode to 192.168.1.2. This is a cable connection between one of the Arcadyan switch ports and the UniFi AP. The UniFi AP comes with only one Ethernet port (eth0), both for power and data. I do indeed have unique firewall zones for all interfaces, and set them to inter-zone communication (this might be a problem or misconfiguration). I’m not on location right now but I can test this theory tomorrow. So right now I have 3 interfaces: lan (eth0, 192.168.1.2), staff (192.168.2.1) and user (192.168.5.1).
Attached is a quick doodle of the desired situation.

The DMZ into the LAN means that you have opened LuCI to the Internet, which is not considered secure. You should only open one port for SSH and later any others that may be required for special user applications. Or set up a WAN network that faces the DMZ and place the trusted local users (staff) on the router's LAN which allows logging into the router from there.

The only inter-zone forwards you need are Staff->Internet and User->Internet, with Internet being either LAN or WAN. Specifically, you do not want to allow User<->Staff.

4 Likes
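As an added example (not the poster's configuration, nor an OpenWrt project file), this is the /etc/config/firewall fragment that implements the advice in the two replies above for the user network; the staff network gets an identical zone, forwarding and rule set under its own name, and no forwarding is defined between user and staff. It assumes the interface names lan, staff and user from the thread, the fw3 syntax of OpenWrt 18.06, and that the Arcadyan's DMZ makes eth0/lan the untrusted side:

```uci
# Constructed example for /etc/config/firewall (fw3 syntax, OpenWrt 18.06).
# 'lan' faces the DMZ'd Arcadyan: NAT + MTU fix there, input limited to SSH.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
config rule
	option name 'lan-ssh'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Untrusted user zone: forward only to lan; router answers only DHCP and DNS.
config zone
	option name 'user'
	list network 'user'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'user'
	option dest 'lan'

config rule
	option name 'user-dhcp-dns-udp'
	option src 'user'
	option proto 'udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'
config rule
	option name 'user-dns-tcp'
	option src 'user'
	option proto 'tcp'
	option dest_port '53'
	option target 'ACCEPT'

# Reject forwarded traffic to any 192.168.0.0/16 host (Arcadyan, LAN, other zones).
config rule
	option name 'user-block-private'
	option src 'user'
	option dest 'lan'
	option dest_ip '192.168.0.0/16'
	option proto 'all'
	option target 'REJECT'
```

fw3 evaluates rules before forwardings, so the reject on 192.168.0.0/16 is hit before the user->lan forward accepts the masqueraded Internet traffic. Because the DMZ sends all inbound traffic to 192.168.1.2, the lan-ssh rule is reachable from the Internet; the WAN-facing-DMZ layout suggested in the reply above avoids exposing it at all.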

Your best bet is to set up the UniFi device with out-of-the-box settings, then plug the WAN into the Arcadyan, use the LAN for staff, renumber the LAN to 192.168.2.x, add another SSID for guest/user and place them into a separate firewall zone, numbered 192.168.3.x.

It is basically just a guest network for the user network, so you can use the howto for guest networks.

2 Likes

Well that's what I thought first, but I want to learn how to do it myself the correct way, rather than set it up out of the box. The out of the box setup doesn't fully support my use case anyway. Thanks for your suggestion though, it helps to have other perspectives!

Yes, I know this isn't a best practise, I mainly wanted to see if it made a difference, and I'd much rather have the Arcadyan in between indeed! I'll try to get it to work with all the suggestions above and I'll post updates here, thank you so far!