I've made a lot of progress as an OpenWrt newbie thanks to all the help I've gotten in this forum. I hope this is the last issue I have with regards to getting set up.
My primary goal is to separate the various computers on my home network as much as possible. I set up VLANs for each router port and did firewall rules so they can't talk to each other. As mentioned in several other threads I started I have the WiFi separated, and it is only used with one computer, and I don't want it to be able to communicate with the others, or vice versa.
Here's what I have done, and what my questions are so I can finish up. I unbridged the radios from the lan, as I don't want the wireless associated with any physical router ports. I created a network, let's say 'WiFi', and added the 2.4 GHz radio to this network and created a firewall zone for this. I also have a 5.0 GHz radio, but I do not plan on using this. I might some day down the line, but it's unlikely (super slow Internet connection, so no real need to). Right now the 5.0 GHz is disabled.
Here are the things I am trying to sort out.
Is there any benefit to creating another network for the second radio, or should I just put it in the same network as the 2.4 GHz radio? Right now I have different SSIDs for each (wifi24 and wifi50, for example). I think in the same network they need the same SSIDs? And if I put them in the same network, will I have to bridge them?
I came to OpenWrt so I could do VLANs. But as I am currently set up, I don't have the wireless in a VLAN, like the default bridged to lan configuration. If I set up a VLAN and do not link it to any physical router port, can it be used with the wireless, or is that a nonsensical question? Would it even be beneficial? I was under the impression I wanted everything in a VLAN, and now I have the wireless not in a VLAN. Or can this only be done by bridging to a physical port on the router? If so, then I would basically just 'sacrifice' a port for this purpose, and not use it so I have the isolation I want.
Anything here that would help me understand this would really be appreciated. I've read all the documentation and forum posts I could, but something this simple and it is just eluding me...
A bridge connects two physical networks into one logical layer 2 network (ie. MAC address network). When you bridge an SSID and a VLAN you get any wired device able to directly send a packet to a wireless device and vice versa.
If you have no need for wired devices on some particular network, you can stick to an SSID only... if you have no need for wireless, you can stick to VLAN only... you only need a bridge if you need both wired and wireless on the same layer 2 network.
Thanks for the very detailed reply. I am still a bit unclear but I think with your help I will understand what I need to know shortly. Let me first say I have set up VLANs already and I created a topic on this here: [SOLVED] VLAN isolation and router access questions I posted what my VLAN setup looked like there, and here it is:
Let me clarify what my goals are. I want to isolate three Ethernet wired desktops and one wireless 2.4 GHz desktop from each other and from access to the router. The idea is that if one computer gets compromised, say from a malicious website, I do not want it to be able to spread beyond that computer. Each wired computer has its own VLAN and router port, except the wireless which will not be tied to any router physical port. I also have a VLAN for router management, with a dedicated computer I only wire in when Internet access is disconnected, and all other computers are disconnected from the router. This is the only router port that can access the router for management. No WiFi router access, and no remote WAN access. There are no other devices on this system.
In the above VLAN setup image VLAN 40 has no LAN 1, LAN 2 etc. router ports set as untagged, like the others. I created this for the wireless. My questions came up when I seemed to read that you don't tie a radio to a VLAN unless it is also tied to a wired connection e.g. the default connection with the lan port. This seemed to align with what @dlakelan said above. So, I'm confused about this.
What I most wanted to know was if I want to isolate like I describe above, is it better to tie this to VLAN40 or not. What I meant when I asked if it would be beneficial was more: if I want theoretically improved security via maximum isolation of computers, should my wireless be in VLAN40, or does that add nothing to the security.
I think I just need to tie the two radios to VLAN40 and I'll be done. I really wasn't sure if this was even something that made sense. I was getting the feeling, and then @dlakelan seemed to confirm, that VLANs were just for wired connections. So I misunderstood this aspect. I think @dlakelan meant if I want more than one wireless connection on the same network you use different SSIDs, and if you want more than one wired computer on a network you use a VLAN for that.
I also do not really understand bridging very well, so that's why I asked if I would need to bridge. When I added the second radio to the same network just now it bridged it for me (I am working in Luci). I was just hoping to understand that process better before I told it to bridge them if that was the wrong thing to do.
Thanks for any additional clarity here. I think I am almost there.
You answered this before I got done with my last post. This is exactly the meaning I took from what you said. I did clarify in my last post that my goal was maximum isolation and the perceived security from that. Is there any security/isolation advantage to tie an SSID to a VLAN that is not attached itself to any physical router port e.g. my VLAN40 above? I suspect not, but this is what I am trying to sort out.
There is absolutely no reason to have a VLAN which isn't tied to any physical port. In the worst case, it could become tied somehow later after configs are changed and now someone plugs something in and gets access to wifi clients that they shouldn't.
I think you can bridge two wifis without a VLAN involved. for example bridge(wlan0,wlan1) would work fine, you don't need bridge(wlan0,wlan1,eth0.40) with eth0.40 being swallowed up by the switch chip anyway.
This is yet another question that I have. All my 'practice' routers only had one 2.4GHz radio. I now have my actual router I am setting up, and it has two radios, so I have to do something more than I am practiced at. Our Internet is painfully slow, so I see no advantage to 5.0 GHz. There will only be the one desktop computer on wireless.
I didn't know if I should just bridge both radios in my 'WiFi' network and disable the 5.0, or separate them, or something else. In typical noob fashion I was just wondering what the best approach would be so later on I don't say 'If I'd have only had some clue what I was doing I would have set this up differently'.
This is exactly where I'm at right now. I did bridge the first two together as you show here, and the plan was to then attach it to the VLAN if there was any good reason to do that. I have not tested this as it is now with the two radios bridged, and I don't even have a 5.0 adapter to test that radio, but it seems to me that is how it was configured out of the box (all three) and I just removed the lan from the three together.
on possible advantage for someone with security concerns is that 5GHz is generally shorter range, so someone trying to crack your wifi has to be closer to your house. In this sense, if the device you want to connect to wifi supports 5GHz you might want to disable 2.4GHz and use 5 only.
Yes, I'm aware of the wiki. I have tried to read pretty much every section in there are least two to three times. I think I understand assigning switch ports, since I created all my interfaces and assigned them to the VLANs in the image I posted. I also bridged the two SSIDs together and temporarily attached that to VLAN40, after unbridging them from the default lan configuration. I understand the difference between the two, I think. So if what you were saying is what I just described then no need for a reference. It seemed to me, probably because I am struggling with all this, that you were maybe talking about a more deeper understanding of networking so I wondered if you had some reference you thought was decent for someone like myself to grasp the fundamentals better. But likely it was just me not reading what you said correctly. Sorry for that.
Thanks for the reference. It's not that I couldn't do my own searching (I have), it's more that I was hoping those that have more networking experience than me (that's pretty much everyone) could point me to something they found to be accurate and simple enough for someone with weak networking skills. I am trying not to just figure out how to configure OpenWrt by reading instructions without knowing why I am doing any of what I am doing. My computer skills are fairly good, but my networking knowledge and understanding is barely rudimentary. I find the people in this forum generally have mad skills in networking, so I thought I'd ask.
As an aside, I have had OpenWrt up and running now on my entire system since I got the answers I asked for above, and all is well. No glitches so far. So thanks once again to everyone for all the help.