I currently have a Merlin RT-AX86U providing a main network, guest network, and IoT network. There are services like a pihole, a webcam (babycam) DVR server, etc. running as docker containers on a server hardwired to the router, and I've set up a number of iptables and ebtables rules for setting up access between those sub networks where required. Additionally, I am living overseas, so I have the whole network over an OpenVPN UDP connection to a dedicated IP provided by Nord. My router is downstream of an untrusted local ISP-provided router (dual NAT).
This all has worked fine! Life is good.
But now, I moved into a bigger apartment with ethernet wired to every room, and my one router can't reach the whole home. So understanding that I don't trust the local router, and I'll put on an even bigger tinfoil hat and say I don't even trust the ethernet runs between the rooms (!!! Yes I'm a crazy person), how do I set up an extra AP in the back of the apartment?
Now since this router doesn't need to extend all three sub networks (just guest), I figured I could set up an AP in the back (an old Merlin RT-AC86U) and use an OpenVPN TUN connection to the main router with the untrusted local ISP router as the hub of this hub-and-spoke topology of Ethernet spiderwebbing through the home. After a few extra iptables rules, I can get this to work. If I have the same guest SSID, I can even get it to hand off nicely as I walk from the front to the back of the apartment and vice versa with a roaming assistant setting. However, with a TUN connection, that means my device is getting a new IP when it changes APs, meaning video streams, video calls, etc. drop out during the handoff. So to fix that I would need a TAP connection, right?
But then how do I have a TAP connection and have the various sub networks? I keep saying sub networks because they seem like VLANs to me and they are separate bridge interfaces, but I believe that doesn't necessarily mean they are VLANs (I think; I don't know too much about this stuff).
So after all that... am I on the right track? Is there an easier solution that I'm missing? I'm also considering switching the internal VPN connection from OpenVPN to WireGuard, but I'm not sure that WireGuard can do the sort of layer 2 stuff that I might need.
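The TAP variant the post is asking about, as an added example that is not part of the original post: an OpenVPN server configuration for the main router that carries the guest network's layer 2 across the tunnel, so a roaming client keeps its IP (WireGuard is layer 3 only and has no TAP equivalent). Assumed, not taken from the post: the guest network is a separate bridge named br1, certificate and script paths under /jffs are hypothetical, and the back AP is the only client.

```conf
# Added example, not the poster's config. Assumptions: guest bridge is br1,
# paths under /jffs are placeholders, the back AP is the only client.
port 1195
proto udp
dev tap0                  # layer-2 tunnel; "dev tun" (and WireGuard) cannot bridge
ca /jffs/openvpn/ca.crt
cert /jffs/openvpn/server.crt
key /jffs/openvpn/server.key
dh /jffs/openvpn/dh.pem
tls-auth /jffs/openvpn/ta.key 0   # extra HMAC check before any TLS handshake
# Bare server-bridge pushes no address: guest clients behind the back AP
# get their lease from the guest network's own DHCP server over the bridge.
server-bridge
# Attach tap0 to the guest bridge ONLY, so main and IoT stay isolated from
# the remote AP exactly as the existing ebtables/iptables rules expect.
script-security 2
up "/jffs/scripts/ovpn-tap-up.sh"
# /jffs/scripts/ovpn-tap-up.sh (executable, two lines; $1 is the tap device):
#   brctl addif br1 "$1"
#   ip link set "$1" up promisc on
keepalive 10 60
cipher AES-256-GCM
persist-key
persist-tun
verb 3
```

On the back AP the client side mirrors this: `client`, `dev tap0`, `remote <main-router-LAN-IP> 1195`, and its own `up` script that adds its tap0 to the bridge carrying the guest SSID, so the AP's tap never needs an address of its own.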