cayvman wrote

However, when I connect the router to the modem and then the cpe210 to port 3 of the router, it's showing ip192.168.0.xx as the address. So, I tried other ports on the router, knowing that sometimes port 3 in telenet can be port 4 or port 2 or port x. So, I plugged the cpe210 into each of the 4 ports and tested it and they all indicated 192.168.0.x as the ip address. I must be missing something in turning on the vlan3 to port 3.

Did you ask in the DD-WRT forum already? They seem to have strange conventions.

Usually, under Linux the interface name defines the VLAN ID. So, ath1.1 would be VLAN ID 1, ath1.2 VLAN ID 2 and so on. Names (e.g. VLAN3) are irrelevant, but NVRAM assignments could matter unless they obey the standard LINUX conventions. I can show you my setup for a guest network, maybe you can transfer the principle to DD-WRT. See http://forum.tp-link.com/showthread.php?94159-Status-LEDs-on-active-ports-always-flashing-synchronously-SOLVED&p=194548&viewfull=1#post194548 for the following setup (ignore the part re trunking):

(Sorry for formatting, no tables possible here):

Network LAN:
Interface: eth0.1
VLAN ID: 1
IP: 192.168.1.0
Ports: 3, 4 (port 0 is the internal CPU port with my WDR4300 under OpenWRT)

Network WAN:
Interface eth0.2
VLAN ID: 2
IP: (DHCP)
Port: 5 (internal port 5 is external port labeled "Internet")

Network GUEST:
Interface: eth0.3
VLAN ID: 3
IP: 192.168.7.0
Ports: 1, 2


Bridges (bridge for guest LAN only needed for port and WiFi interface, see note below) :

Interface for network LAN & WiFi: br0
Members: eth0.1, wlan0, wlan1 (wlan0 is 2.4 GHz, wlan 1 is 5 GHz, SSID is "private")

Interface for network GUEST & WiFi: br1
Members: eth0.3, wlan0-1, wlan1-1 (wlanN-1 is the convention of OpenWRT for an additional wireless interface)

If you don't use the WiFi of your main router, you don't need a bridge. In this case the GUEST VLAN is only accessible on ports 1 and 2, not by WiFi. These ports in network eth0.3 are the ones I connect the guest CPE to. Setup is pretty straight-forward, but DD-WRT uses another terminology (which seems much more complicated if you ask me).

RTouris wrote

While we're still at it and looking for a moment back to the KISS principle as I outlined in page 1 of the current thread, could someone explain to me why following a much simpler approach would potentially "expose the personal network to the guest network when using the same router" (which btw is how things are done most of the time in that all are conected to a same modem/router) given that the CPE supports AP isolation for the Guest WiFi network SSID?

AP isolation is done in the WiFi chip. It prevents wireless clients from connecting to each other, although they are in the same subnet.

Note that any client still can receive all wireless frames if he uses monitor mode on his WiFi adapter. Radio waves can't be "isolated", they are receivable by every receiver. So in monitor mode one can still spy on wireless frames being exchanged between any client and the AP, regardless of AP isolation. That's the reason why one should use WPA2 encryption in addition to AP isolation if the latter is applicable.

AP isolation does not prevent routing in the kernel. It's just a restriction in respect to packet forwarding of the WiFi chip itself. So, if you have a private network (LAN) and a guest network (GUEST) sharing an Internet connection (WAN), routing and forwarding comes into play. SInce the kernel has routes for each subnet and needs IP forwarding turned on to be able to reach the WAN, every packet from the GUEST network finds its way to the WAN, but also to the LAN if no firewall rules prevent this. Therefore, clients in the LAN are exposed to the GUEST network and vice versa. However, this applies only to setups where both wireless radios are tied to networks on the same router, e.g. on a WiFi router such as the Linksys WRT or TP-Link WR/WDR.

If you connect a CPE, things are slightly different in so far that LAN devices are still reachable by clients in the GUEST network (b/c of the default route in the CPE), but not the other way around, since there is no subnet route pointing to the CPE as the gateway in charge. But LAN clients can still reach the CPE through its LAN IP b/c of the subnet route on the router.

In both cases you have to ensure that the LAN and GUEST networks are isolated frome ach other. To do so, you create firewall rules for those networks. But to be able to access two isolated networks through a shared NIC, you need VLANs. The alternative would be to have two separate NICs, one for each network. VLAN are usually used to separate networks from each other b/c on most routers all ports (e.g. 1-4 "LAN" ports and 5 "Internet" port) are using the same (shared) NIC. There are devices using two NICs such as some routers from Bufallo and Netgear IIRC, but if you want to use two local networks, you need to create VLANs on those routers, too.

This does in no way contradict the Keep it small & simple (KISS) principle (which often is translated as Keep it simple, stupid, but this is bullshit and was never meant with the original KISS principle as emphasized by Brian Kernighan and Ken Thompson, the inventors of UNIX).

The fact that most people use a simpler setup is not related to KISS, but to the fact that they just don't care about security nowadays.

Switch Documentation

cayvman wrote

Not sure where and how to configure the VLAN and where to establish the SSID and IP Address for the VLAN. There doesn't seem to be any video tutorials on OpenWRT, except for the installation. If you could point me in the direction of the specifics I'd appreciate it.

It's easy. There is a config file /etc/config/networks for networks (e.g. LAN), ethernet interfaces (e.g. eth0.1) and VLANs (e.g. the switch's port assignments to a network). That's all regarding the networks.

Wireless settings are in /etc/config/wireless. There are the definitions for the WiFi adapters (e.g. radio0 defining its characteristics such as channel, tx power etc.) and WiFi interfaces (e.g. radio0.network0 defining an SSID and assignments to networks in the config file above). For each network there can be a wireless interface and therefore an own SSID (e.g. SSID private for network LAN, SSID guest for network GUEST and so on). Very straightforward.

See following docs:
Network configuration: https://wiki.openwrt.org/doc/uci/network
Switch Documentation: https://wiki.openwrt.org/doc/uci/network/switch
Wireless Documentation: https://wiki.openwrt.org/doc/uci/wireless
Recipe: Configuration of a guest WLAN: https://wiki.openwrt.org/doc/recipes/guest-wlan

You don't need to study each option in detail, but it should tell you enough about the interconnections between a network, the switch, VLANs and WLANs. Since this is basic Linux structure, everything also applies in principle to DD-WRT, although the latter uses NVRAM syntax to achieve the same.

cayvman wrote

Have managed to set up the router however when it came to the swconfig file. have come to an impasse. I'm using WinSCP to view it, however,in its present form it is gibberish.

swconfig is a command, not a config file. What do you want to do with swconfig? It's actually not needed to setup anything and danger is that you make easy things very complicated by using low-level commands such as swconfig or ifconfig.