This repository describes the configuration for my home network.
The build system used is defined in the openwrt_build_wrapper repository.
A picture is worth more than a thousand words:
What's covered:
- reproducible OpenWRT builds using custom scripting (mostly wrappers over OpenWRT's build system) in the openwrt_build_wrapper repo
- reproducible OpenWRT configuration via uci-defaults (with YAML based config)
- basic monitoring enabled
- zero-touch bootstrap after OpenWRT is flashed on a device
- automated obtaining of certificates for the routers' UI via Let's Encrypt
- Internet connectivity monitoring (ping Google and Cloudflare DNS and check if they respond)
- secure connectivity from outside the network via WireGuard
- encrypted DNS queries sent out to Cloudflare
- DNS-level ad-blocking
- applying custom patches
- bit-to-bit reproducible builds (there seem to be some issues with libgcc or libgcc1 being required; only the name differs, though)
Provides Internet connectivity via the ISP.

| Interface | Gateway address / prefix | Internet access | Clients can talk to each other |
|---|---|---|---|
| LAN | 192.168.1.1/24 | yes | yes |
| Guest | 192.168.2.1/24 | yes | no |
| IoT | 192.168.3.1/24 | no | no |
| IoT Int | 192.168.5.1/24 | yes | no |
| Cluster | 192.168.4.1/24 | yes | yes |
| VPN Main | 192.168.69.1/24 | yes | yes |
| VPN Guest | 192.168.70.1/24 | no | yes |
| VPN Family | 192.168.71.1/24 | yes | yes |
| Admin | 192.168.80.1/24 | yes | yes |
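The two policy columns of the table above are the security-relevant part of this setup: whether a segment may reach the Internet, and whether hosts inside it may reach each other. As an added example that is not the repository's own uci-defaults script, the POSIX shell fragment below renders that matrix for the wired segments into OpenWRT firewall and wireless UCI. It assumes (my assumptions, not the page's) that the networks are named `lan`, `guest`, `iot`, `iot_int` and `cluster`, that a zone called `wan` already exists, that each network's wifi-iface section is named `wifi_<network>`, and that the named zone sections do not collide with the stock anonymous `lan`/`wan` zones of a default config. It prints a `uci batch` script instead of calling `uci` so the result can be reviewed before it is applied.

```sh
#!/bin/sh
# Added example (not the repository's own uci-defaults script): render the
# access matrix of the interface table into OpenWRT firewall/wireless UCI.
# Assumed names: networks lan, guest, iot, iot_int, cluster; an existing
# 'wan' zone; wifi-iface sections called wifi_<network>.
# Review, then apply:  ./zones.sh render | uci batch && uci commit && fw4 reload

# zone_cfg NAME INTERNET(yes|no) TALK(yes|no) [INPUT policy, default REJECT]
zone_cfg() {
    name=$1 internet=$2 talk=$3 input=${4:-REJECT}
    # input REJECT with explicit DHCP/DNS allow rules: clients get leases and
    # resolve names, but nothing else on the router is reachable from the zone.
    # forward REJECT: the router does not route between hosts of the zone.
    cat <<EOF
set firewall.${name}=zone
set firewall.${name}.name='${name}'
set firewall.${name}.network='${name}'
set firewall.${name}.input='${input}'
set firewall.${name}.output='ACCEPT'
set firewall.${name}.forward='REJECT'
set firewall.${name}_dhcp=rule
set firewall.${name}_dhcp.name='Allow-DHCP-${name}'
set firewall.${name}_dhcp.src='${name}'
set firewall.${name}_dhcp.proto='udp'
set firewall.${name}_dhcp.dest_port='67-68'
set firewall.${name}_dhcp.target='ACCEPT'
set firewall.${name}_dns=rule
set firewall.${name}_dns.name='Allow-DNS-${name}'
set firewall.${name}_dns.src='${name}'
set firewall.${name}_dns.proto='tcp udp'
set firewall.${name}_dns.dest_port='53'
set firewall.${name}_dns.target='ACCEPT'
EOF
    # Internet access is a zone->wan forwarding; without it the zone's
    # forward policy (REJECT) applies and wan is unreachable.
    if [ "$internet" = yes ]; then
        cat <<EOF
set firewall.${name}_wan=forwarding
set firewall.${name}_wan.src='${name}'
set firewall.${name}_wan.dest='wan'
EOF
    fi
    # Client-to-client isolation can only be enforced by the AP for wireless
    # clients; wired hosts in the same VLAN still see each other at layer 2.
    if [ "$talk" = yes ]; then isolate=0; else isolate=1; fi
    printf "set wireless.wifi_%s.isolate='%s'\n" "$name" "$isolate"
}

# The wired rows of the table: Internet yes/no, clients-can-talk yes/no.
# lan additionally accepts input, since it is the management network.
render_all() {
    zone_cfg lan     yes yes ACCEPT
    zone_cfg guest   yes no
    zone_cfg iot     no  no
    zone_cfg iot_int yes no
    zone_cfg cluster yes yes
}

case "${1:-}" in
    render) render_all ;;
esac
```

After applying, `fw4 print` (or `fw3 print` on older releases) shows the resulting nftables/iptables rules; the check worth doing is that the `iot` zone has no forwarding to `wan` at all, and that a guest client can obtain a lease and resolve names but cannot reach the router's SSH or LuCI ports.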
In the VLAN tables below, t means the port carries the VLAN tagged, u means untagged, and an empty cell means the port is not a member.

| VLAN | ETH0 (labswitch) | ETH1 (mainswitch) |
|---|---|---|
| 20 (guest) | t | t |
| 30 (iot) | t | t |
| 31 (iot_int) | t | t |
| 40 (cluster) | t | t |
| 80 (admin) | t | t |
| 90 (wan) | t | |
| 99 (lan) | (t*) | t |
Currently a Raspberry Pi 4 (8 GB RAM variant) is used as the main router. It is paired with a TP-Link UE300 USB-Ethernet adapter (RTL8153), which is used for the mainswitch connection.
It does all the heavy lifting in this setup:
- routing
- DNS
- DHCP
- DNS-level adblock
- SQM
Look into its config for more details.
| VLAN | LAN1 (mainrouter) | LAN2 (WAN) | LAN3 (apfloor) | LAN4 | LAN5 | LAN6 | LAN7 | LAN8 |
|---|---|---|---|---|---|---|---|---|
| 20 (guest) | t | t | ||||||
| 30 (iot) | t | t | ||||||
| 31 (iot_int) | t | t | ||||||
| 40 (cluster) | t | |||||||
| 80 (admin) | t | t | ||||||
| 90 (wan) | t | u | ||||||
| 99 (lan) | t | t | u | u | u | u | u |
A Netgear GS108T-300PES switching VLAN-tagged traffic, located at the central infra cross point.
Look into its config for more details.
| VLAN | LAN1 (mainrouter) | LAN2 | LAN3 (apfloor) | LAN4 | LAN5 | LAN6 | LAN7 | LAN8 |
|---|---|---|---|---|---|---|---|---|
| 20 (guest) | t | t | ||||||
| 30 (iot) | t | t | ||||||
| 31 (iot_int) | t | t | ||||||
| 40 (cluster) | t | |||||||
| 80 (admin) | t | t | ||||||
| 90 (wan) | t | |||||||
| 99 (lan) | t | u | t | u | u | u | u | u |
A Netgear GS108T-300PES switching VLAN-tagged traffic, located on the path to the central infra cross point.
This device should be dropped completely and replaced with proper cabling.
Look into its config for more details.
| VLAN | LAN1 (mainrouter) | LAN2 (aprouter) | LAN3 | LAN4 | LAN5 | LAN6 (fradio-server) | LAN7 | LAN8 |
|---|---|---|---|---|---|---|---|---|
| 20 (guest) | t | t | ||||||
| 30 (iot) | t | t | u | |||||
| 31 (iot_int) | t | t | ||||||
| 40 (cluster) | t | t | u | |||||
| 80 (admin) | t | t | ||||||
| 99 (lan) | t | t | u | u | u | u |
A Zyxel GS1900-8 switching VLAN-tagged traffic, located in the lab rack.
Look into its config for more details.
| VLAN | WAN | LAN1 | LAN2 | LAN3 |
|---|---|---|---|---|
| 20 (guest) | mainrouter (t) | |||
| 30 (iot) | mainrouter (t) | |||
| 31 (iot_int) | mainrouter (t) | |||
| 40 (cluster) | mainrouter (t) | |||
| 80 (admin) | mainrouter (t) | |||
| 99 (lan) | mainrouter (t) |
An ASUS RT-AX53U, used as an AP for all the networks.
Look into its config for more details.
| VLAN | LAN1 |
|---|---|
| 20 (guest) | mainrouter (t) |
| 30 (iot) | mainrouter (t) |
| 31 (iot_int) | mainrouter (t) |
| 40 (cluster) | mainrouter (t) |
| 80 (admin) | mainrouter (t) |
| 99 (lan) | mainrouter (t) |
A Ubiquiti U6+, used as an AP for all the networks.
Look into its config for more details.
Take a look at the openwrt_build_wrapper repository for details.
The general gist is to clone the repo with submodules (`git submodule update --init --recursive`) and then run the build in two steps, first initializing the workspace and then building with downloads skipped:

```
time DEVICE=<device> ONLY_INITIALIZE_WORKSPACE=true ./openwrt_build_wrapper/scripts/core/entrypoint
time DEVICE=<device> SKIP_DOWNLOADS=true ./openwrt_build_wrapper/scripts/core/entrypoint
```
All the devices configured here use the admin network for management.
This network runs on VLAN 80 and, in most cases, requires you to provide a DHCP server on the emergency device (e.g.
a laptop connected directly to the device being recovered), because the devices expect to obtain their admin address by DHCP.
The only exception to this rule is mainrouter, which has the static IP 192.168.80.1 on that VLAN.
In its case it is recommended to rely on DHCP in VLAN 99 and obtain an address in the 192.168.1.0/24 subnet, as that is the only
network that allows incoming SSH traffic.
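The recovery note above leaves the emergency DHCP server itself to the reader. As an added example that is not part of this repository, the script below turns a Linux laptop into a lease-only DHCP server on VLAN 80. Everything in it is my assumption rather than the page's: iproute2 and dnsmasq are installed, it runs as root, the laptop NIC is `$NIC` (default `eth0`) and is cabled to a port that carries VLAN 80 tagged (per the switch tables, the uplink ports labelled mainrouter), the laptop takes 192.168.80.2 so it cannot collide with mainrouter's static 192.168.80.1, and leases come from 192.168.80.100-150. Setting `DRY_RUN=1` prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example, not part of the repository: make a Linux laptop the emergency
# DHCP server on VLAN 80 (the admin network) so a switch or AP whose management
# interface sits on that VLAN can get a lease while the mainrouter is down.
# Assumed: iproute2 and dnsmasq installed, run as root, NIC cabled to a port
# that carries VLAN 80 tagged. DRY_RUN=1 prints the commands instead.

NIC=${NIC:-eth0}
VLAN_ID=80
VLAN_IF="$NIC.$VLAN_ID"
HOST_IP=192.168.80.2                        # clear of mainrouter's 192.168.80.1
RANGE="192.168.80.100,192.168.80.150,1h"    # short leases: this is temporary

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vlan_up() {
    run ip link add link "$NIC" name "$VLAN_IF" type vlan id "$VLAN_ID"
    run ip addr add "$HOST_IP/24" dev "$VLAN_IF"
    run ip link set "$VLAN_IF" up
}

# Lease-only dnsmasq: --port=0 turns its DNS listener off; --bind-interfaces
# with --interface keeps it off the laptop's other networks; the value-less
# option 3 withholds a default route (documented in dnsmasq.conf.example) and
# the same form for option 6 withholds a DNS server, so the recovered device
# is not steered through the laptop. --log-dhcp shows the lease on the console.
dhcp_serve() {
    run dnsmasq --no-daemon --port=0 --bind-interfaces --interface="$VLAN_IF" \
        --dhcp-range="$RANGE" --dhcp-option=3 --dhcp-option=6 --log-dhcp
}

vlan_down() {
    run ip link del "$VLAN_IF"
}

case "${1:-}" in
    up)   vlan_up && dhcp_serve ;;
    down) vlan_down ;;
esac
```

Run it as `./emergency_dhcp.sh up`, wait for the `DHCPACK` line for the device being recovered, then SSH to that address over the same sub-interface; `./emergency_dhcp.sh down` removes the VLAN interface afterwards so the laptop does not keep a foot in the admin network.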