I'm redoing my home network as I'm about to add a few IoT devices (WiFi/ESP8266 light switches and the like). Currently I'm running the usual out of the box LAN/WAN setup, all my devices coexisting in LAN. This of course is no longer optimal as I'd like to isolate the IoT stuff while not providing any Internet access to it.
I'll be implementing VLANs to do this, in addition to going all in with network segmentation (management, home, work, IoT, guest networks) while we're at it.
Current setup:
I have two devices which are TP-Link Archer C7 v4s, running OpenWrt 19.07.7. One is currently doing all the heavy lifting (PPPoE WAN, SQM on a symmetric 50Mbps fiber link, firewalling) while the other is mostly used as a dumb AP that provides further wireless coverage and more wired connectivity off the main router.
Both devices are connected with Cat5e at opposite ends of the house.
There is a Raspberry Pi 3B that runs Pihole as DNS, a Wireguard server, and an SMB server for some quick and easy small file sharing across my devices. I'll be integrating this later in the new setup, I'm not concerned with these features at the moment.
New setup:
I just have both routers side by side at the moment on my desk, doing the initial new setup.
Switches and VLANs:
As you can see I'm using port 4 of the main router as a trunk port, and the WAN port in the secondary router as the other trunk port. I'll assign untagged ports to each VLAN as required later. All are management for ease of use at the moment.
Interfaces are defined in the main router as:
- VLAN 1 - LAN/management - static address - 192.168.10.1/24 - firewall zone LAN
- VLAN 10 - WAN - PPPoE - firewall zone WAN
- VLAN 20 - Home - static address - 192.168.20.1/24 - firewall zone HOME
- VLAN 30 - IoT - static address - 192.168.30.1/24 - firewall zone IOT
- VLAN 40 - Work - static address - 192.168.40.1/24 - firewall zone WORK
- VLAN 50 - Guest - static address - 192.168.50.1/24 - firewall zone GUEST
Interfaces in the secondary router:
- VLAN 1 - LAN/management - static address - 192.168.10.2/24 - firewall zone LAN
- VLAN 20 - Home - unmanaged - firewall zone HOME
- VLAN 30 - IoT - unmanaged - firewall zone IOT
- VLAN 40 - Work - unmanaged - firewall zone WORK
- VLAN 50 - Guest - unmanaged - firewall zone GUEST
Details:
- The ISP's all in one HGU box uses VLAN 10 for the PPPoE Internet service, so I'm using it too for the WAN.
- Home (VLAN 20) in both routers is bridged with the 11bgn and 11ac radios as the main SSIDs.
- LAN (VLAN 1), Home (VLAN 20), IoT (VLAN 30), Work (VLAN 40) and Guest (VLAN 50) all have their DHCP servers configured.
- I'll set up SSIDs for each VLAN as required later.
- Firewall zones have the same color in LuCI in both routers, for what it's worth.
This is currently working as expected: If I assign untagged ports to each VLAN on either the primary or secondary router, whatever I plug in there gets assigned an IP in the correct range through DHCP. As far as I can see, VLANs are correctly set up and the secondary router is properly "extending" the VLANs defined in the main router as static addresses with the unmanaged interfaces.
My concern is with the firewall setup.
This is how things are at the moment:
General settings are input accept, output accept, forward reject.
So... looking at the main device. This is what I need:
- LAN/management shouldn't have any connectivity to any other zone, it is isolated.
- WAN is set up just as it is out of the box, no changes.
- HOME should have access to both WAN and IOT zones, nothing else.
- IOT shouldn't have WAN connectivity and it should only accept traffic from HOME, nothing else.
- WORK should have WAN connectivity, nothing else.
- GUEST should have WAN connectivity, nothing else.
I'm not quite so sure how to configure input/output and forwarding on each zone in the main device to achieve this (apart from reading the guest guide for the general steps), so what's in the screenshot is most likely completely wrong.
I'm also not sure how to replicate this configuration and rules in the secondary router. For example, I have no WAN interface/zone in the secondary device as it is a glorified dumb AP. Is just having them defined in the main router and having the VLANs extended in the secondary router enough?
How would you set this up? Is there anything that you would change in the rest of my setup?
Thank you.
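As an added example (not part of the post above), here is how the HOME/IOT part of the requirement list maps onto OpenWrt 19.07 firewall zones and forwardings in /etc/config/firewall on the main router; it assumes the interfaces are named lan, wan, home, iot, work and guest, and it keeps the post's defaults of input ACCEPT, output ACCEPT, forward REJECT.

```uci
# Added example, not from the post: zone/forwarding fragment of
# /etc/config/firewall on the MAIN router (OpenWrt 19.07, fw3).
# Assumption: interfaces are named lan, wan, home, iot, work, guest.
# Keep the stock lan and wan zones, but delete the stock lan->wan forwarding.

config zone
	option name 'home'
	option network 'home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Home may reach the Internet and the IoT VLAN. Replies come back via
# conntrack, so no iot->home forwarding is needed.
config forwarding
	option src 'home'
	option dest 'wan'

config forwarding
	option src 'home'
	option dest 'iot'

# IoT: with the defaults' forward REJECT and no forwarding whose src is 'iot',
# nothing leaves the VLAN except replies to connections HOME opened.
# input REJECT closes the router itself to IoT hosts; the two rules re-open DHCP and DNS.
config zone
	option name 'iot'
	option network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# WORK and GUEST: same zone and two rules as iot, plus one
# 'config forwarding' each with src 'work' / 'guest' and dest 'wan'.
```

Because the secondary router's home/iot/work/guest interfaces are unmanaged (no IP address) and only bridge each VLAN to its SSID or ports, every packet that crosses VLANs is routed and filtered by the main router; the zones on the secondary router only govern traffic addressed to that router itself, so the management-only input policy is what matters there.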