Help a noob to setup subnets

Hey, I just got my Flint 2, and I need to create a few separate networks. I am completely new to this networking thing. I know that the Flint 2 by default has 2 guest networks (2.4 and 5), but I need 2 additional ones:
1. completely isolated from the other networks, NO ACCESS TO OTHER DEVICES, just access to the internet (this network will be infected)
2. a network that does not have access to the internet or the other networks, but can be accessed by the other networks (a network for "smart" devices; I don't want them to access the internet or anything).

Can someone please post a link or help me do that? I've watched many videos but I can't find what I need.
Thank you

Welcome :wave:

First of all: additional subnets (VLANs in that case) won't be easy at all. It's a big change to the network topology, and you need to know what you are doing. Second: this will break the GL GUI at some point, so please note that this isn't really officially supported. It will work, but comfort features might be unavailable.

The additional networks, are they wireless only or wired as well?

Guess @xize11 might be able to assist you, am I right? :wink:

1 Like

Additional networks must be wireless :slightly_smiling_face:

hey welcome :slightly_smiling_face:

For isolated networks, sure, this is possible :wink:

  • VLANs are not needed; we can just do something called a routed AP to make it as easy as it gets. There is also a CLI tutorial on OpenWrt here, though I'm going to show it in LuCI since the CLI looks much more advanced and intimidating for first-time users.

First let's start with the basic network, and later I'll explain ways to isolate; this highly depends on which way you want the isolation to work.

First let's begin by entering LuCI like:

The login credentials of LuCI are:
username: root
password: the same as the GL UI

Then navigate here:

Now you'll likely get a warning message with the title "Network ifname configuration migration"; just click continue.

Now scroll down and click the button as on the screenshot:

Please take an example from this image:

Click on protocol and set this to static; leave device unspecified.

Now it looks like this:

Let me show you how to make one network, so you can proceed later with more :wink:

Please pay careful attention: you should leave gateway and broadcast empty. If you look closely, you see these values are defaulted but not filled in.

Now click on the advanced tab:

and make sure we uncheck default gateway.

Why is this needed, you wonder? To answer that question: it is because otherwise this interface could also act as a gateway, which is not what you want, because your connections should go through wwan or wan and not multiple interfaces. The gateway is basically your internet or upstream router.

You also need a DHCP server set up: click on the tab DHCP Server. You also have to click on a button first to have it shown like this:

Now let's create the firewall zone for wlan0:

and create it like so and press enter:

Now save and apply.

If we now go to:

you can see this:

If you look at the row Input, you see it says reject; set this to accept only for the zone wlan0, then save and apply.

Depending on whether you want this network to have internet, click on edit and configure it like so:

This effectively means this is a traditional firewall, meaning everything your devices send towards the internet automatically allows the other end to respond back; however, it will not accept traffic when the other side first initiated the communication. This will then be dropped, if you look at the wan zone with input 'drop'.

Congrats! You got your first network created; let's attach this one to wireless :smiley:

Let's navigate here:


You will see something like this:

So I noticed SSIDs become unstable after having more than 2 per band on 2.4GHz or on 5GHz. This means you have to sacrifice the guest wifi for the custom network; you can trust me, this is the easiest way. Honestly, I doubt guests need 5GHz :stuck_out_tongue:

If you want it complicated, this is possible, but I won't recommend it now. Maybe when you feel more experienced with LuCI and OpenWrt you can try to make a multi-PSK environment. This essentially means that with firmware op24 you can have multiple PSK phrases on WPA2 which then redirect you to a VLAN network, but then you have to learn first how VLANs function and then how multi-PSK is defined, which also needs access to the CLI (a command prompt interface or shell). For this I wrote a simple script to do the wifi part of the VLANs, but you still need to configure the VLANs; see here.

Now let's say we edit a guest wifi; let's click edit:

You want to uncheck guest and check wlan0, the new interface you created :wink:

Then save, click save and apply, then restart wifi as in the previous screenshot where you clicked on edit.

So there are multiple ways of isolation; some apply to your setup and some do not :slight_smile:

Currently, as the firewall has been zoned, the zone is only allowed to talk to the internet, but not to the devices under the lan zone. This can be a way of isolation; you can call this zone isolation, where only network to network is isolated. This is often the most common approach for isolation.

But you can also have client-to-client isolation. This means a client in the same network subnet cannot talk to another client inside the same subnet and firewall zone.

Currently there are two ways to reach the same goal, but it can be complicated :wink:

You've got hostapd's isolation. hostapd isolation is, as far as I know, only for wireless clients, but the mistake most people make is when they have wifi + wired joined in one network: the wired clients likely can still talk to each other while the isolation is only for wireless clients. Likely not an issue in your case since you want it to be fully on wifi, but it is something to be aware of. It could be hostapd has been updated in the future and it now works on wired, but just check this extra :slight_smile:

To enable this you can go into the wireless settings in LuCI, then edit the network again as before when adding the wlan0 interface to the wireless network.

and then click here:

and then:

But what if you also want to isolate wired clients? Can iptables or nftables work?

Answer: while they are the core firewall, it is not possible; however, there is a package called ebtables which can do bridge isolation, and through this it is possible to also isolate wired clients.

^ This however is more complex, requires the CLI, and you need to use ebtables -A FORWARD --logical-in wlan0 -j DROP. There might be ways to add this command at startup, but I think this is the best solution once wired clients also need to be in this network; then hostapd's method is redundant since this blocks it on layer 2 I believe (I think bridges are layer 2, could be mistaken) :wink:

Client-to-client blocking is actually a pretty unique feature because it's hard for firewalls to do anything client to client :wink:

And the last advice I can give is:

The web UI hosts on 0.0.0.0; basically that means every network starting like 192.168.10.1, as what I have given for wlan0, will show the GL UI. If you want a dodgy network you might want to go to firewall, then click here:


and make a rule like:

Sorry for my late response, I was not home :stuck_out_tongue:, and sorry if the message is so long. If you've got questions feel free to ask me!

7 Likes
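What the LuCI steps above end up writing to the router's UCI config files, as an added example (not part of the original post or GL.iNet's own configuration): it uses the wlan0 name and the 192.168.10.1/24 subnet from the post, assumes the 2.4 GHz radio is radio0, and the SSID, key and section name wifinet_wlan0 are placeholders.

```uci
# /etc/config/network -- the static interface created under Interfaces.
# No gateway or broadcast, and "Use default gateway" unchecked, so this
# interface can never become a second default route next to wan.
config interface 'wlan0'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# /etc/config/dhcp -- the DHCP Server tab for the new interface.
config dhcp 'wlan0'
	option interface 'wlan0'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall -- zone wlan0: input accepted (DHCP/DNS on the
# router), nothing forwarded except the one forwarding entry to wan.
# Deliberately no forwarding to lan or guest: that is the zone isolation.
config zone
	option name 'wlan0'
	list network 'wlan0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wlan0'
	option dest 'wan'

# /etc/config/wireless -- the SSID attached to interface wlan0 instead of
# guest; isolate=1 is hostapd's client-to-client isolation from the post.
config wifi-iface 'wifinet_wlan0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'isolated-lab'
	option encryption 'psk2'
	option key 'CHANGE-ME-placeholder'
	option network 'wlan0'
	option isolate '1'
```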

I just woke up to this and WOW, I mean THANK YOU VERY MUCH; as soon as I have time I'll dive into this :smiling_face:

1 Like

Thank you again for this amazing guide and your time. I followed your instructions and I think I did everything right... I think :smile: But I used the 2.4 guest network, because I'm using my VEEERY old laptop for that network, so it does not have the ability to connect to 5GHz :slightly_smiling_face: Is there any way to test this? If the network is truly isolated? Thanks :wink:

Oh, and yes, this is going to be a completely wireless network for 1 laptop (dual boot Linux and Win).
Would it be possible to create another local network isolated from the internet and other networks (for "smart" devices)? Or would this be too advanced for me? :slightly_smiling_face:

Just make sure the laptop does not have the 5GHz wifi saved; then it will not auto-connect by accident :slight_smile:

To test:

On the laptop hold Win + R and type cmd.exe; this will start a cmd window. Then type ping 192.168.8.5; note that you have to replace the ending 5 with a device on the lan network. Ping can also be used when client-to-client is active; then just ping another device on 192.168.10.x, or if guest was untouched, 192.168.9.x. You can see IP leases in LuCI :slight_smile:

As for another network, my best advice is to just replace the non-guest one for 2.4GHz and create, like in my tutorial, the same interface but then with IP 192.168.11.1 :slight_smile:. For more info about subnets and the variations of it you can google RFC 1918 and check Wikipedia; this way you can also make more exotic IP addresses without it accidentally being a public IP :grin:

1 Like

Hmm... I think that there is something wrong. Ports are unreachable, except for 8.1 which is my main system (I think) connected through cable.
I thought that this whole network would be separated from everything :thinking:

Do you want to use the LAN ports with these new networks? In that case that is also possible. :+1:

1 Like

Well yeah, I need LAN ports, but for the main network, not this new one :slightly_smiling_face:

This is rather strange :yum:; under normal circumstances lan should be unaffected. Have you tried changing the device of interface lan?

Then it will change for all ports; this can be fixed, but then you need to edit the bridge device br-lan and remove the ports you don't want to be part of lan.

Then under the guest interface you can change the device to lan1 for port 1, if you removed that one from the bridge device.

You can do it by navigating under LuCI (advanced settings) -> Network -> Interfaces, then click on the tab Devices; when you edit br-lan you can see the ports. If you want to go back to the network interfaces, click the tab Interfaces again.

1 Like

Thanks for your reply and sorry for my late reply (been busy) :pensive:
Actually I think it worked; I just made a mistake when pinging the IP.
Devices that are connected to all the networks could not be reached (Destination port unavailable) from my laptop. But it raised a question for me: I got feedback from unused ports and I also get a response from 192.168.8.1. Is it normal? :thinking:

BTW, for some reason I can't see my laptop in my clients list anymore (the one in the isolated network). Is there something that I'm missing? :slightly_smiling_face:

And one more thing. I have connected an external drive to my router (network storage for media and stuff). Sadly, my laptop (isolated network) can reach that. How can I fix that? :pensive:

And once again THANK YOU for your help and your time :smiling_face:

I have problems understanding what you mean :yum:; a device only connects to one network at a time. Where did you ping to, and from where?

This is normal, as expected; the GL UI has a lot of functionality hardcoded to lan and guest, and this often affects VPN policies too. One option is to use the guest network; another option is to figure out the script and change it. Currently I only know how to do it with VPN policies. In the future GL.iNet has plans to support this, but that can take some while.

In this case you can download WinSCP, then connect to it with the gateway IP; make sure protocol is set to SCP, username root, password the same as the UI.

Then navigate in the right dropdown to /etc/config and edit samba4.

Add this at the bottom of the file:

       option interface 'lan guest'

Now file sharing only listens on these interfaces.

1 Like

Thanks for your reply :smiling_face:

So my main rig IP is 192.168.8.134, my phone is ..8.194, and so on. So from the isolated network (from my old laptop), when I'm trying to ping these IPs I get a negative result (Destination port unavailable), which is good, but when I accidentally made an error and then tried different ports like 192.168.8.1, ...8.10, ...8.25 etc., even though they are unused (I think), I do get a positive response from pinging :slightly_smiling_face:

Isn't there an option on the router to block it? Like a firewall rule or something? :slight_smile:

EDIT: I think I made a rule, but I want to make sure that I'm right here (I'm a noob here :smiley:)

Source zone: wlan0
Destination zone: Device Input
Destination address: 192.168.8.1
Destination port: 445 21
Action: reject

After this "add network location" freezes and I get an error that the folder is not valid :smiley: but I don't really know how else to check it.

1 Like

Ah, this is likely because the GL UI hosts on 0.0.0.0 (or 127.0.0.1), so when you ping 192.168.8.1 from 192.168.10.78, for example, then it likely allows it because the router NAT translates it from 192.168.10.1. The solution can be very easy:

You can try removing the remote ports and set protocol to any; I think this also automatically blocks the file sharing too, but test if you still have internet, I think it will 😉

You can also make the same traffic rule and add destination ports 445,137-139

1 Like
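The traffic rule the thread settles on (source zone wlan0, destination Device Input, protocol any, no ports) in UCI form, together with the DHCP and DNS allow rules that have to precede it so the isolated clients still get a lease and name resolution; this is an added example, not from the original post.

```uci
# /etc/config/firewall -- traffic rules are evaluated in file order, so
# the two allows must appear before the catch-all reject.

# Clients in wlan0 may still obtain a lease from the router's dnsmasq.
config rule
	option name 'wlan0-allow-dhcp'
	option src 'wlan0'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# ...and resolve names through the router.
config rule
	option name 'wlan0-allow-dns'
	option src 'wlan0'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# No 'dest' option = the Device Input chain; proto 'all' with no ports =
# every protocol, so ICMP echo to any router address (192.168.8.1,
# 192.168.10.1, ...) is rejected as well as Samba, the GL UI and SSH.
# Forwarded traffic to wan is untouched, so internet keeps working.
config rule
	option name 'wlan0-reject-router'
	option src 'wlan0'
	option proto 'all'
	option target 'REJECT'
```

Because the reject rule carries no destination address, it covers every address the router answers on, not just 192.168.8.1, which is what the thread's observation about the UI listening on 0.0.0.0 requires.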

Tried removing ports, but yes, like you warned me - no internet :smiley:

EDIT: Shit, sorry, I didn't put protocols to Any! There is internet, and I think it works

Ah :slight_smile: then use the extra ports I mentioned below :+1:

1 Like

Thanks :smiling_face: got it working by removing ports and putting protocols to Any.
Doesn't putting protocols to Any change anything security-wise? :thinking: I mean I don't know sh*t at this point :smiley: and next week I'm going to start learning cybersecurity, so I'm trying to prep my network and devices for it. So I'm definitely going to infect my laptop and that isolated network with some nasty nasty stuff, so I'm just trying to be sure that I'm safe here :smiling_face:

1 Like

Well, it does block ICMP replies, which with udp+tcp does not block ping; that's why any is more useful.

Now you surely are secured since your laptop is only allowed to talk to firewall zone wan, and has no lan leakage from the NAT translation of the gateway IP to lan since the router listens on 0.0.0.0; the router basically doesn't exist for the isolated network :yum:

1 Like

Got it :wink: THANK YOU SO MUCH for all your effort to help a newbie like me :smiling_face:

1 Like