OpenWrt Forum Archive

Topic: Best router setup?

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm not a system admin and therefore unsure whether my ideas for the router setup really work.

The objectives I have are:

  1. Normal access via Ethernet to the LAN resources, no special restrictions on accessing my server etc.

  2. Restricted access to the internet. A device should have to be known/configured to get internet access. Neither my printer nor my TV nor any other device should be able to access the internet by default.

  3. The devices that should have access can be enabled/disabled easily. I also want to be able to block certain ports for a device, e.g. block WhatsApp when the kids should be studying for school.

  4. Router configuration is only possible via Ethernet, for security reasons.

Since we have ferroconcrete ceilings, I need a router on each floor, connected via Ethernet.

My idea was to configure three interfaces
- WAN (one RJ45 port)
- LAN (four RJ45 ports)
- WIFI (2.5 and 5GHz)

The WAN should get a static IP from the DSL modem's (192.168.0.1) range, e.g. WAN=192.168.0.2: the "zero" network.
The LAN should get the static IP 192.168.1.1: the "one" network.
The WIFI should get the static IP 192.168.2.1: the "two" network.

I would like to configure DHCP static leases for the known devices, MAC -> IP from the one or two network, depending on whether the device is on LAN or WIFI.

That's the point where I got lost. I have 3 different networks. From my understanding they should not be able to communicate with each other. What I do need are routes between the networks and rules to block traffic for certain IPs/ports. How do I configure that? Is it all way too complicated for a home LAN? Are there similar setups documented somewhere?

I don't have a "turn key" solution, but some ideas:

Regarding WiFi APs, I recommend the TL-WA801ND: good price, PoE, OpenWrt support, external antennas.

HomeNet Control Protocol (http://wiki.openwrt.org/doc/howto/hncp) could be useful. I haven't tried it.

Dunno about the filtering & routing questions. You might look at the CeroWrt config files: they are big fans of routing. Filtering sounds painful.

Search for "Wireless networks David Lang".  He has good ideas for routed WiFi nets.

The three different networks... what you really want is to restrict/allow access by client. I think you should focus your effort there, rather than dividing your network into different subnets and solving the problems that come with it.

I guess you can have a master router connected to the DSL modem that does most everything.
On every floor you can have just an access point with no routing/filtering. Perhaps you are better off with three different WLANs, or perhaps it is better to use the same SSID and password on all floors.

In my network I deny all internet access by default. I make DHCP entries for every known client, and then I explicitly allow all the traffic I want as firewall rules (I find it more useful to define that at MAC level rather than IP level).

Perhaps you can run Privoxy to allow restricted/controlled internet access for some devices (your children). Then they have no internet access, just access via the proxy.

I don't know if it is very useful to distrust your WiFi network. But you can of course disallow all router access by default and enable it only from trusted IPs if you want. Just be aware that you can easily lock yourself out of your own router.
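What the "deny internet by default, allow per MAC" approach from the reply above and the four objectives of the first post look like as actual OpenWrt configuration, as an added example (not code from the thread, and not OpenWrt's shipped defaults): a small POSIX sh script that renders the UCI stanzas for /etc/config/dhcp and /etc/config/firewall from one device table. It assumes the fw3 firewall of the OpenWrt releases of that era, that /etc/config/network defines interfaces named lan, wifi and wan as in the first post, and every device name, MAC, IP and port in it is a constructed placeholder (the port list for "kidtab" stands in for whatever the app you want to block actually uses).

```shell
#!/bin/sh
# Added example, not from the thread: render the OpenWrt UCI stanzas for the
# policy discussed above from one device table: static leases for known
# clients, no internet unless a per-MAC rule allows it, optional per-device
# port blocks, and router admin reachable from the wired 'lan' zone only.
# Every name, MAC, IP and port below is a constructed placeholder.

# Columns: name  MAC  IP  internet(yes/no)  blocked TCP ports ('-' = none)
DEVICES='
laptop  00:11:22:33:44:01 192.168.1.10 yes -
server  00:11:22:33:44:02 192.168.1.20 yes -
printer 00:11:22:33:44:03 192.168.1.30 no  -
kidtab  00:11:22:33:44:04 192.168.2.40 yes 5222,5223
tv      00:11:22:33:44:05 192.168.2.50 no  -
'

# Firewall zone of an address: 192.168.1.0/24 is the wired lan, 192.168.2.0/24
# the wifi (the "one" and "two" networks of the first post).
zone_of() {
	case "$1" in
		192.168.1.*) echo lan ;;
		192.168.2.*) echo wifi ;;
		*)           echo unknown ;;
	esac
}

# /etc/config/dhcp: one 'config host' (MAC -> fixed IP) per known device.
gen_dhcp() {
	echo "$DEVICES" | while read -r name mac ip net ports; do
		[ -n "$name" ] || continue
		printf "config host\n\toption name '%s'\n\toption mac '%s'\n\toption ip '%s'\n\n" \
			"$name" "$mac" "$ip"
	done
}

# /etc/config/firewall: every zone forwards REJECT by default, so a device
# without an allow rule (printer, tv) never reaches the wan zone.
gen_firewall() {
	cat <<'EOF'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# input REJECT: LuCI/ssh on the router are unreachable from WiFi.
config zone
	option name 'wifi'
	option network 'wifi'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Without these, WiFi clients could not get a lease or resolve names.
config rule
	option name 'wifi-dhcp'
	option src 'wifi'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'wifi-dns'
	option src 'wifi'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

EOF
	echo "$DEVICES" | while read -r name mac ip net ports; do
		[ -n "$name" ] || continue
		[ "$net" = yes ] || continue        # no rule = no internet
		zone=$(zone_of "$ip")
		if [ "$ports" != "-" ]; then
			# Block rule goes first: fw3 applies rules in file order.
			printf "config rule\n\toption name 'block-%s'\n\toption src '%s'\n\toption src_mac '%s'\n\toption dest 'wan'\n\toption proto 'tcp'\n\toption dest_port '%s'\n\toption target 'REJECT'\n\n" \
				"$name" "$zone" "$mac" "$(echo "$ports" | tr , ' ')"
		fi
		printf "config rule\n\toption name 'inet-%s'\n\toption src '%s'\n\toption src_mac '%s'\n\toption dest 'wan'\n\toption target 'ACCEPT'\n\n" \
			"$name" "$zone" "$mac"
	done
}
```

Usage: source the script on a wired machine, run `gen_dhcp >> /etc/config/dhcp` and `gen_firewall > /etc/config/firewall` (after backing up the originals), then `/etc/init.d/firewall restart`. Enabling or disabling a device is then one edit of the table. Do it from Ethernet, not WiFi: the wifi zone's input policy is REJECT, so this is exactly the lock-yourself-out situation the reply warns about. Three caveats a practitioner should keep in mind: a src_mac rule is a convenience control, not a security boundary (any client can set its MAC to the laptop's); blocking an app by port only works if the app does not simply use 443, in which case the proxy approach from the reply is the more workable one; and with no forwarding stanza from wifi to lan, WiFi clients cannot reach the LAN server either, which you would add with a `config forwarding` from wifi to lan if that is wanted.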

The discussion might have continued from here.