I was wondering if I could get some guidance or a slap on the head for sense about my network setup. I am moving to a new house so taking this opportunity to try to “lock” things down, or set things up right.
Here is a diagram of my thoughts, but am still a little unsure of how or if I should do things like this.
Router 1 is from the ISP, and this would be the modem that would forward only those ports I want up the chain to Router 2.
  Thinking 192.168.0.1
  Also has WiFi, so was thinking of leaving this on for IP cams and guest network. It means it would be separated from the “main” router.
  Downstairs
Router 2 is my main router running OpenWRT 22. Used to run things like mwan3 on it for load balancing etc. but never messed with subnets and stuff like that.
  192.168.1.1
  Upstairs
  LAN Port 1: would connect to Switch 1
    PCs connected to this as the “main” network with the power.
    192.168.1.x? Not sure if this would need a subnet.
  LAN Port 2: Connect to Switch 2
    This would be the server section.
    TrueNAS
    BackupNAS
    etc.
    192.168.10.x
  LAN Port 3: Connect to Switch 3
    This is the IoT section
    Smart TVs and other wired IoT devices on the network.
    192.168.20.x
  LAN Port 4: Unknown, was thinking a place for the OrangePi running PiHole for DNS and maybe DHCP
  Router 2 would have its own WiFi that would be part of the Switch 1 network.
Am I thinking this through correctly or should I do things differently? Also, would the best way to set this up be via VLANs or some other method? On the servers I might run some game servers, so ports would be forwarded through there. My OrangePi runs Pihole, Tailscale, Swag and Searxng. Currently Pihole runs my DHCP service as well, but I’m unsure how this will work in a multi-subnet network. Also, should it go in the server section instead, or connected to the ISP router? Again, really not sure how this will hang together.
Also, most of my servers have 2 ethernet ports, so would it be advisable to maybe connect the TrueNAS one to the main network as well to “shorten” the route for maybe using iSCSI connections?
For the WiFi I was originally thinking of only using Router 2 WiFi and then connecting another AP for downstairs, or seeing if I can turn the ISP router into a WiFi AP. This would mean all that stuff could be routed through the PiHole.
Any advice or how to’s would be greatly appreciated.
Thanks
The way I see this is in general, no. In general you probably shouldn’t trust your ISP router with your cameras, or your cameras with your ISP router (or most of your things with your ISP router or your cameras’ web UIs).
Other stuff sounds good, basically VLAN per port … I assume DSA works fine on that router on OpenWRT?
Nah, these are security cams. Something my brother-in-law installed. DMSS or something like that. Don’t trust em, but not as blatant as RING. lol
I definitely want to prevent WiFi from hitting the main network. So those rules will be set up. This WiFi will probably also be used for guests.
My line of thinking is leaving that WiFi as it is, and then upstairs a different WiFi. Otherwise, I’m going to have to think about getting 2 networks to go via a single cable so I can set up an AP downstairs.
Separating Network into subnets is a whole new thing to me… everything else should be fine and running like that for years with port forwards etc.
I don’t have that old switch interface as in OpenWrt 18, so I believe this means I have the DSA update. I have done some tests currently separating one of the ports to a 10.x.x.x network while all other ports are on the 192.168.1.x network, and it works fine.
So I think the subnetting should be fine. Setting up correct rules to make everything use the pihole and the wifi seems to be the tricky one.
Looks like I will have to endure a lot of “why won’t my netflix work” from the wife until I get it right… lol
I never use DMZ, I generally only ever forward the ports that I need to. Kinda like having a double firewall.
The forwarding thing has never been a problem, and I run a number of game servers and other servers through this setup. Again, for me the only real change is the VLANs and figuring that stuff out.