Posted: Mon Dec 02, 2019 21:43 Post subject: networking topology recommendations?
I have an (overly?) complex design right now:
5 switches for, effectively, 4 VLANs:
Core: XX.XX.10.0 -- connected to cable modem
IoT: XX.XX.20.0 -- IoT devices, e.g. thermometer, garage, etc.
guest: XX.XX.30.0 -- public, low security
Local: XX.XX.40.0 -- internal, MacPro file server and all family devices
All but the core have an SSID associated with them.
All switches are running DD-WRT and are various platforms (TP-LINK, Motorola, etc.)
I would like 2 things:
1) add OpenVPN to the architecture so I can VPN to my internal LAN, probably the Core, so I can manage all three VLANs, but that may be more of a security risk.
2) simplified physical structure: I would like to have all three SSIDs sent from the same router/switch, a TP-Link Archer C9 device.
I get DD-WRT enough to use the UI and to apply commands via SSH, but I just don't know how best to do so (what commands, etc.).
Let me know if I left any gaps in my explanation... and...
Posted: Wed Dec 04, 2019 2:47 Post subject: Add'l info
All good points and well taken. I assumed far more than I thought.
1 & 2) All devices are supported within DD-WRT and have been running for several years. (They just need updating for consistency.)
3) I don't _think_ this is router specific, hence this forum, but I am happy to re-post if you all think otherwise.
4) After re-thinking my original request, I am initially looking for topology recommendations, not specific command recommendations. They may come later in device-specific fora. --> No device specifics in this post.
1) where in the network should I place the OpenVPN "server"?
--a) On one of the routers/switches?
--b) On the file server (MacOS 10.x)
--c) On an additional/separate router/switch running DD-WRT
2) Is it _feasible_ to run this on one router, assuming it has the resources/power and ability to run multiple VLANs? The router I am thinking of using is:
Router Model -- TP-Link Archer C9
Firmware Version -- DD-WRT v3.0-r40559 std (08/06/19)
Kernel Version -- Linux 4.4.187 #652 SMP PREEMPT Tue Aug 6 11:52:33 +04 2019 armv7l
Joined: 18 Mar 2014 Posts: 5914 Location: Netherlands
Posted: Wed Dec 04, 2019 8:32 Post subject:
Build 40559 is probably from the router database, it is not the best build (see my pointers)
OpenVPN does not run very fast on lower-end ARM CPUs; your C9 is equivalent to my R6400v2 and that will give you about 35 - 40 Mb/s VPN speed. If you are satisfied with this then that is fine; I am running my VPN server on the R6400v2 without problems.
If you want faster, you can run it on your file server which should easily get you hundreds of Mb/s.
A faster router can also help; my R7800 does about 90 Mb/s.
An alternative is WireGuard, a new VPN protocol which is almost 3 times faster. It is new and immature, but I am using it at the moment without problems.
It does not matter where you place the VPN server in your Network as long as it is reachable through port forward and you can reach the rest of your network from the VPN server.
Regarding your network setup I attach some personal notes for linking multiple subnets, maybe they are helpful.
I want three (3) VLANs w/ their own subnets:
1) Secure VLAN: home devices, e.g. PCs, phones, file server
2) Guest VLAN: friends and family
3) IoT devices, e.g. ecobee thermostat, cameras, etc.
4) Media: TVs, smart speakers.
I want 2 and 3 to have no access to 1, but 1 should be able to access all devices on 2 & 3 (unless this is not recommended for security reasons). Ideally, any devices on 1 or 2 should be able to see and communicate with devices on 4.
All physical ports can be on VLAN 1 (assuming I can change down the road if I need to, via the Setup >> Switch Config page).
Each VLAN would have its own SSIDs (with a 2.4 GHz and a 5 GHz variant).
I want all of this on a single DD-WRT router (happens to be a TP-Link Archer C9)
I found this article (https://blog.flashrouters.com/2015/04/06/what-is-a-vlan-how-to-setup-vlan-ddwrt/) that talks about setting the physical ports and setting up the DHCP scopes, but what do I need to do to make sure the SSIDs are associated correctly?
In the attached image,
* Green arrows are REQUIRED
* Yellow arrows are 1st priority
* Red arrows are questionable based on security recommendations.
I *think* this is more generic to DD-WRT than specific to my router, but if I really need to move this to the Broadcom thread or a model-specific thread, I can...
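The access policy described above (secure VLAN may initiate connections to guest, IoT and media; guest may reach media; nothing may initiate connections back into the secure VLAN) and the VPN placement question from the earlier posts can both be expressed as one zone-to-zone matrix and turned into DD-WRT firewall rules. The following is an added example written for this thread, not code from the posters or from DD-WRT; zone names, bridge/tunnel interface names and subnets are assumptions (the subnets only mirror the XX.XX.20/30/40 pattern above), and it goes one step beyond the thread by treating the OpenVPN tunnel as a fifth zone that is allowed into the secure VLAN only.

```python
"""Inter-VLAN forwarding policy -> iptables FORWARD rules for a DD-WRT router.

Constructed example: zone names, interface names and subnets below are assumed
for illustration and are not taken from the forum thread or the router.
"""
from itertools import permutations

# zone -> (interface, subnet). DD-WRT exposes each VLAN as a bridge (br0, br1, ...)
# and the OpenVPN server as a tunN device; the exact names on a given router are
# an assumption here and must be checked with `ip addr` on the device.
ZONES = {
    "secure": ("br0", "192.168.40.0/24"),
    "guest":  ("br1", "192.168.30.0/24"),
    "iot":    ("br2", "192.168.20.0/24"),
    "media":  ("br3", "192.168.50.0/24"),
    "vpn":    ("tun2", "10.8.0.0/24"),   # OpenVPN client pool (assumed)
}

# Which zone may *open* connections to which. Replies travel back via the
# conntrack ESTABLISHED rule, so "secure -> iot" already covers IoT answers.
ALLOWED = {
    ("secure", "guest"), ("secure", "iot"), ("secure", "media"),
    ("guest", "media"),
    ("vpn", "secure"),   # remote management: VPN clients reach the secure VLAN only
}


def is_allowed(src, dst):
    """True if hosts in zone `src` may initiate connections to zone `dst`."""
    return src == dst or (src, dst) in ALLOWED


def access_matrix():
    """Zone -> sorted list of other zones it may initiate to; review this first."""
    return {z: sorted(d for d in ZONES if d != z and is_allowed(z, d)) for z in ZONES}


def forward_rules():
    """iptables commands implementing the matrix as default-deny between zones.

    Only bridge-to-bridge (and tunnel) pairs are matched; traffic bound for the
    WAN never matches a pair and falls back to DD-WRT's own FORWARD rules.
    """
    rules = [
        "iptables -N INTERVLAN",
        "iptables -I FORWARD 1 -j INTERVLAN",
        # Reply packets of already-permitted flows, whatever their direction.
        "iptables -A INTERVLAN -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst in permutations(ZONES, 2):
        s_if, s_net = ZONES[src]
        d_if, d_net = ZONES[dst]
        target = "ACCEPT" if is_allowed(src, dst) else "DROP"
        rules.append(
            f"iptables -A INTERVLAN -i {s_if} -o {d_if} -s {s_net} -d {d_net} -j {target}"
        )
    return rules


if __name__ == "__main__":
    for zone, reach in access_matrix().items():
        print(f"{zone:7s} -> {', '.join(reach) or '(nothing)'}")
    print()
    print("\n".join(forward_rules()))
```

Run it once on a workstation, read the printed matrix to confirm it says what you intend (guest and IoT should list nothing but media, and nothing should list secure except vpn), then paste the generated commands into Administration > Commands > Save Firewall on the router so they are re-applied at every boot. Because the chain is inserted at position 1 of FORWARD with an explicit DROP for every disallowed pair, a later DD-WRT default rule cannot silently re-open guest-to-secure traffic.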