Hi all,
first of all I want to say thanks for the great community support.
I already feel I have a great setup.
I have 2x EAP245
And a Raspberry Pi 4 with the current OpenWrt snapshot and an Ethernet adapter.
Managed switch: Zyxel GS1900
thx @dlakelan @anon50098793
I want to know whether my current settings are safe and secure and/or whether there are improvements I should make.
Rp4 Router => Switch PORT1
EAP245 => Switch PORT 2
Switch
VLAN 1 (default) all untagged
VLAN 30 (guest) PORT 1 & 2 tagged, rest excluded
OpenWRT Settings
/etc/config/network
# /etc/config/network as posted (the ULA prefix is partly redacted by the author).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# 'xxxx' is a redaction in the post; the real prefix should stay private.
option ula_prefix 'fd5xxxx::/48'
# Trusted LAN: untagged traffic on eth0 (switch VLAN 1), 192.168.0.0/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
# 192.168.0.10 is the Pi-hole mentioned at the end of the post. NOTE(review): this is
# presumably the resolver the router itself uses; it does not by itself decide which
# DNS server guest clients are handed — confirm.
list dns '192.168.0.10'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
# Guest network: 192.168.30.0/24 on VLAN 30, which the switch carries tagged on
# port 1 (router) and port 2 (EAP245) only.
config interface 'GUEST'
option type 'bridge'
option proto 'static'
option delegate '0'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
list dns '9.9.9.9'
# VLAN 30 sub-interface of the same physical port as 'lan'; on the router, separation
# between the two networks is therefore enforced by the firewall zones, not by the wiring.
option ifname 'eth0.30'
/etc/config/dhcp
# /etc/config/dhcp as posted.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# Discards upstream answers that point at private address ranges (DNS rebind protection).
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# Answers DNS queries only from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# DHCPv4 on 'lan' is disabled here (ignore '1'). NOTE(review): presumably the Pi-hole at
# 192.168.0.10 hands out 192.168.0.x leases instead — confirm, this file does not show it.
config dhcp 'lan'
option interface 'lan'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Guest clients get 192.168.30.100-192.168.30.249 from dnsmasq on the router, 12h leases.
config dhcp 'GUEST'
option interface 'GUEST'
option start '100'
option limit '150'
option leasetime '12h'
/etc/config/firewall (I don't know whether I can post all of these settings, or is this secret???)
# /etc/config/firewall as posted (zones and forwardings only; the rest is default per the post).
# NOTE(review): 'GUEST' is a member of the 'lan' zone below, so on the router guests get the
# same input ACCEPT / forward ACCEPT policy as the trusted LAN — nothing shown here stops a
# guest client from reaching 192.168.0.x or the router itself. The isolation observed in the
# post presumably comes from the access point's own guest-network isolation — confirm.
# Defence in depth would be a separate zone for GUEST with input REJECT / forward REJECT, a
# forwarding GUEST -> wan, and explicit accept rules for DHCP (udp 67-68) and DNS (tcp/udp 53)
# to the router. A narrow accept rule from that zone to the Pi-hole at 192.168.0.10, port 53,
# would then also answer the DNS question at the end of the post.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Two networks in one zone: 'lan' and 'GUEST' share this policy.
option network 'lan GUEST'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# Unsolicited traffic from the internet is rejected; NAT (masq) and MSS clamping (mtu_fix) are on.
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Because GUEST sits in the 'lan' zone, this single forwarding also gives guests internet access.
config forwarding
option src 'lan'
option dest 'wan'
Everything else is almost default settings...
For me it works. If I switch my mobile phone to the guest WLAN I have no access to my router or anything else, but internet works, with its own DHCP and DNS.
Now I want to set up a third WLAN (how many WLANs can I set up?).
People who connect to this WLAN should be able to control my Sonos system.
Sonos is in my default WLAN, 192.168.0.x.
Is it possible to give access to just Sonos but reject anything else (except internet)?
Same question for my DNS: I use Pi-hole on 192.168.0.10.
Is it possible to use this DNS for my current guests too?
Thank you for any tips on whether my project is possible.