OpenWrt Forum Archive

Topic: Trouble creating sec network for cameras in a 2-router (2xC7) setup

The content of this topic has been archived on 3 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a home network of 2 routers (2x Archer C7 with OpenWrt Barrier Breaker, latest version) behind a cable modem. The main router is connected to the secondary one with Cat5e. The LAN network can see all the connected devices (eth1, radio0, radio1) on both routers. The WAN is reachable.

The goal is to create a wireless SEC network, which is on the secondary router and reachable from the main router's LAN (but please not a bridge, I would like to manage the firewall).

I created the SEC network with its own IP range and DHCP controlled from the secondary router, but I can't make it visible from the LAN. What do you need to help me? Thanks in advance!

kbhuinfo wrote:

I have a home network of 2 routers (2x Archer C7 with OpenWrt Barrier Breaker, latest version) behind a cable modem. The main router is connected to the secondary one with Cat5e. The LAN network can see all the connected devices (eth1, radio0, radio1) on both routers. The WAN is reachable.

This information is not enough to understand your network topology.

Bear in mind that the WAN / LAN terminology can be really confusing when describing a network topology to someone else. The "WAN" of the "main router" (presumably one of the Archer C7s?) can be the "LAN" of the cable modem, if the cable modem has an in-built router. Or it might be the "WAN" of the cable modem, if the cable modem is acting as a bridge device towards the network provided by your ISP.

Similarly, the "WAN" of the "secondary router" might be the "LAN" of the "main router". But it may also be the "LAN" of the cable modem, if the "main router" is acting as a bridge and the cable modem has an in-built router. And if both the "main router" and the cable modem are acting as a bridge, then the "WAN" side of the "secondary router" is actually the network provided by your ISP.

And if the "secondary router" is acting as a bridge, then the new wireless network you are trying to create might actually be a bridged network whose DHCP services are provided by your ISP.

Confusing, isn't it? :)

kbhuinfo wrote:

The goal is to create a wireless SEC network

Stupid question, but what does the SEC abbreviation mean?

kbhuinfo wrote:

which is on the secondary router and reachable from the main router's LAN (but please not a bridge, I would like to manage the firewall).

Having a bridge, and having a firewall are two different things. Most bridges usually have some sort of a firewall service.

kbhuinfo wrote:

I created the SEC network with its own IP range and DHCP controlled from the secondary router, but I can't make it visible from the LAN. What do you need to help me? Thanks in advance!

It sounds like you need to check the firewall rules of the secondary router. Do they allow traffic to flow back and forth between the new "SEC" network and all other networks in your topology?

First of all, thank you for your kind answer, I really appreciate that you are taking care of my problem!
At the end of my post I asked the question because I was aware of the lack of information; I was just not sure what to share to get you closer to the solution.

Network topology: unable to post a link to the forum. It's in my Google Photos storage: goo.gl photos sEn68G948jScmAz66 (spaces must be changed to slashes)

I named the new network SEC, as it handles surveillance cameras, so it is the security network (and it should be secured, to let nothing in or out except some LAN devices and my smartphones from the internet).

The cable modem provides the internet connection to the main router's WAN port. The secondary router is connected to the main router via LAN ports (the WAN port is unused/unplugged on the secondary router).

Firewall and bridge are understood (or at least I hope so); I just wanted to make sure that, although I could make the LAN and SEC networks see each other with a click by bridging them together, I feel that is less secure than solving it with routing through the firewall.

For the last question, I am not sure I can answer well :) How do I tell?

This is a guest network, with the addition that you open some ports to let the cameras be accessed from the internet.

On the primary router, set up the sec network with its own firewall to / from the Internet. Distribute this network to the second router by using VLANs on the cable.

You should not have to bridge or forward the lan to sec. To see the cameras from the LAN, use the Internet address.

Thank you, I will try it in the afternoon!

I was thinking about your suggestion. Problem is (or I am just confused):
- wireless access must be arranged at secondary router
- internet (WAN) is on main router
- only one cable between main router and secondary router

How do you "distribute" the network? (sorry for the beginner questions)

Can someone help me with this sentence "distribute network to the secondary router"? Thanks!

What I could manage is a partial solution, which works perfectly, but I need one more step.

Setup:
ISP --- main router --- secondary router

There are 3 networks on main router:
- wan
- lan
- sec

The "sec" network is for the security cameras and it has 192.168.3.x (DHCP). The 2.4G radio is bridged together with this interface, and the firewall is set so that it can't open communication to anywhere, although the "lan" network can communicate with it.

What I want to achieve is the same setup on the secondary router: a homogeneous network for the security cameras, with extended wireless range. Exact questions:
- what to set on main router to let secondary router see the "sec" network?
- how to bridge secondary router's radio with the "sec" network?

I am not very familiar with VLANs, but I am afraid it can't be achieved without them...

Thank you in advance!

Are the two routers connected by Ethernet? If so, that is where you use VLANs. Go to the switch configuration and add a VLAN. Change the switch configuration of the one port that goes to the other router to be 'tagged' in two VLANs. Also I think with the C7 you need to change the CPU to tagged in both the lan and sec VLAN. Then change the network configuration to use the VLAN numbers instead of just eth0.

Do this while logged into the router by wifi because you would lose your ethernet connection if you set something wrong.

Thank you for your answer, that is what I also thought. I tried it, but I messed my network completely and reverted the changes.

Here is what I thought:
- on main router, the cable is in Port 4 (switch port #5)
- on secondary router, the cable comes in WAN (switch port #1)

I have found a good post, which explains the idea behind tagging: https://forum.openwrt.org/viewtopic.php?id=57944

So what I have to do on the main router is (1) create a new VLAN and (2) tag the CPU (eth0) ports on the VLANs, except the internet one. On the secondary router, (1) create the same VLAN and (2) tag the CPU on the ports.
After that, I can create a WLAN on the secondary router, bridge it together with the newly created VLAN and set the firewall to let the traffic flow.

Is it correct?

Yes. You will need to create a network interface (could call it "sec") to make the bridge. It should have protocol "Unmanaged". Its only function is to link the camera network wifi AP to the Ethernet VLAN in the kernel.

If you want to connect cameras to Ethernet ports on the secondary router, make them untagged in the sec VLAN and off in all the others.

(Last edited by mk24 on 21 Aug 2017, 22:13)

One clarification: should all the ports (main router CPU=eth1=0, downlink switch port4=5; secondary router CPU=eth1=0, uplink wan port=1) be "tagged"? And the trick afterwards is to carefully set the new networks (eth1.1 and eth1.2) instead of eth1?

The default configuration does not tag eth1 because it only carries one network, the LAN. You have to change that.

You don't have to change anything with eth0 and wan.  The switch needs a VLAN assigned internally to link them.  You can't use the same VLAN number for your sec network.  You can change the wan link VLAN number to something arbitrary, because it never appears outside the switch.

The external ports that you connect to ordinary devices like PCs and cameras must not be tagged because those devices don't understand tags.  The cable linking the two routers is tagged.

(Last edited by mk24 on 22 Aug 2017, 12:45)
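Putting mk24's steps into config form, here is an added example (not from the original thread, and not OpenWrt's shipped defaults) of the Barrier Breaker `/etc/config/network` and `/etc/config/wireless` fragments for both routers. It assumes the port numbers stated above, VLAN 3 for sec (any number other than lan's VLAN 1 and the stock wan VLAN works) and the 192.168.3.x range from the thread; a `t` after a port number means tagged, and the sec firewall zone already in place on the main router is not repeated.

```uci
# MAIN router, /etc/config/network, only the sections that change. Ports as
# given in the thread: CPU eth1 = switch port 0, cable to the secondary
# router = switch port 5 (case label "Port 4"); the stock wan switch_vlan
# (towards eth0) is untouched and not shown.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5t'
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
# lan moves from plain 'eth1' to the tagged sub-interface; keep its other options
config interface 'lan'
	option ifname 'eth1.1'
# sec bridge; the main router's 2.4G AP attaches with 'option network sec'
config interface 'sec'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
# SECONDARY router, /etc/config/network. The uplink cable is in the port
# labelled WAN = switch port 1, so that port becomes the trunk and the
# stock wan switch_vlan that owned port 1 is deleted. Port 5 is moved to
# sec untagged for a wired camera, so it leaves lan.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1t 2 3 4'
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t 5'
config interface 'lan'
	option ifname 'eth1.1'
# unmanaged bridge: only glues the camera AP to VLAN 3, no IP address here
config interface 'sec'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'none'
# SECONDARY router, /etc/config/wireless: attach the camera AP to 'sec'
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'sec'
	option ssid 'cameras'
	option encryption 'psk2'
	option key 'CHANGE-ME'
```

Apply it over wifi as mk24 advises, and keep the edge ports that PCs and cameras plug into untagged, since the trunk between the two routers is the only link that carries tags.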

OK, now it's clear, thank you! I will try it.
Another question (now that a VPN is configured to reach the cams): how can it be that the web page of the camera is visible after a successful login, but the camera software (which is tricky enough, I think) can't see it? Has someone experienced something similar? Any suggestions for ONVIF camera manager software on Android?

Something went wrong and I spent almost an hour restoring the original state with the help of failsafe boot / telnet / mount_root / etc. I think I will think about it and start over another day! Thanks for the help, I must rethink it... :)

The discussion might have continued from here.