VLAN on secondary router

I've searched around, but I'm having a hard time finding a similar scenario. Hoping for some advice on my setup.

I plan to add a Netgear R6080 (with v23.05 installed) to an existing network to hopefully create an isolated "guest" network, separate from the existing network. Ethernet from the WAN port on the R6080 will be connected to a LAN port on the main network's router/switch for internet connectivity. I'd like to prohibit any guest client connected to the secondary network from communicating with any client on the main network, but they would still need internet access.

I figured VLANs would be the way to go, but it seems a simple VLAN setup only isolates VLANs from each other, not from the main network.

Ideally for scalability, this would be a drop-in deal without having to config the main network.

Open to other suggestions as well, if VLANs aren't the best option.

Is the main router running OpenWrt? If so, you can create the guest network on the main router directly which is usually preferable from a network topology and administrative perspective.

But, if you want/need to create this guest network on the R6080, that's no problem. That said, you've mentioned the use of the wan port on the R6080, which typically means that it will be a separate subnet relative to the upstream... this, on its own, gets you most of the way to a guest network (a simple firewall rule is all that's needed to prevent the guest network from accessing your trusted lan), unless you wish to use the R6080 as a basic bridged AP and/or as a router for your main lan (i.e. not connecting devices to the upstream network).

So, with all of that said, is the R6080 purely going to be used for the guest network, or did you want to do other things with it?

The main router wouldn't be running OpenWrt in most cases. It definitely needs to be handled on the R6080. I already have these routers in place at several locations and I need them to be a separate subnet from the main network for another purpose anyway.
Basically, the R6080 will only be used for a guest network which should provide internet access (via the main network) and access to another machine connected to the R6080 for network file transfers.

Ok... so if you are running a guest network only on the R6080, it's pretty simple.

Make sure that the OpenWrt router's lan is a unique and non-overlapping subnet relative to the upstream network. You can change the lan address as shown here:
https://openwrt.org/faq/change_lan_ip

Then, you'll add a single firewall rule that:

  • drops or rejects traffic
  • all protocols
  • source zone lan
  • destination zone wan
  • destination address < upstream subnet >

So for example, if you have an upstream network of 192.168.1.0/24, you could make your OpenWrt router's lan IP address something like 192.168.7.1 (192.168.7.0/24).

In the above firewall rule, your destination address would be 192.168.1.0/24.

That's all you need to do, but obviously make sure to customize for the upstream network.

Thanks for the help!

Probably a dumb question, but any way you can think of to achieve this without inputting the upstream network address? Just trying to streamline as much as possible for scalability.

Thanks again!

You could simply block all RFC1918 addresses:

192.168.0.0/16
172.16.0.0/12
10.0.0.0/8

For the lan IP address on the OpenWrt device, it's critical that it doesn't overlap the upstream (wan) subnet, otherwise routing will not work. To achieve this, try to select a very unlikely subnet... maybe 192.168.117.0/24. There's no guarantee that this won't conflict, but it's fairly unlikely.

If you need it to be even more robust, you could write a script that detects the upstream subnet and then changes between 2 known networks on the lan if there is an overlap detected (so maybe 192.168.117.0/24 and 10.142.231.0/24 as completely made-up, hopefully uncommon subnets).
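The RFC1918 block rule and the subnet-overlap check from the two replies above, written out as an added example (not from the thread or from OpenWrt's own code). It assumes a 23.05 box where `uci` is available; the overlap check itself is plain POSIX sh, and the two candidate lan subnets are the made-up ones the reply suggests.

```shell
#!/bin/sh
# Added example for the thread above; assumes an OpenWrt box with `uci`.
# The overlap/selection helpers are pure POSIX sh and run anywhere.

# ip4_to_int A.B.C.D -> the address as an integer
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of A.B.C.D/LEN -> integer network address of the prefix
network_of() {
  ip=${1%/*}; plen=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  echo $(( $(ip4_to_int "$ip") & mask ))
}

# cidr_overlap A B -> exit 0 if the two prefixes overlap, 1 otherwise
# (two prefixes overlap iff the longer one lies inside the shorter one)
cidr_overlap() {
  pa=${1#*/}; pb=${2#*/}
  if [ "$pa" -le "$pb" ]; then short=$1; long=$2; else short=$2; long=$1; fi
  plen=${short#*/}
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "${long%/*}") & mask )) -eq "$(network_of "$short")" ]
}

# pick_lan_cidr WAN_CIDR -> first candidate lan subnet (the thread's
# made-up ones) that does not overlap the detected upstream subnet
pick_lan_cidr() {
  for cand in 192.168.117.0/24 10.142.231.0/24; do
    cidr_overlap "$cand" "$1" || { echo "$cand"; return 0; }
  done
  return 1   # both candidates collide with the upstream network
}

# add_rfc1918_block: the reply's "lan -> wan, all protocols, reject"
# rule, one UCI rule per RFC1918 range (only run this on the router)
add_rfc1918_block() {
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    uci add firewall rule >/dev/null
    uci set firewall.@rule[-1].name="guest-block-${net%/*}"
    uci set firewall.@rule[-1].src='lan'
    uci set firewall.@rule[-1].dest='wan'
    uci set firewall.@rule[-1].proto='all'
    uci set firewall.@rule[-1].dest_ip="$net"
    uci set firewall.@rule[-1].target='REJECT'
  done
  uci commit firewall && /etc/init.d/firewall restart
}
```

On the router, the upstream prefix to feed `pick_lan_cidr` can be read from the wan interface (for example `ip -4 -o addr show dev wan`), and the guest's own lan range stays reachable because the rule only matches the lan to wan direction.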
