# OpenWRT Router Config

Version-controlled configuration for a home network running OpenWRT, managed from this repo rather than the router directly.

## Hardware

| Device                                   | Role            | IP         | SSH              |
|------------------------------------------|-----------------|------------|------------------|
| TP-Link Archer AX23 v1 (OpenWRT 24.10.2) | Primary router  | 10.0.0.1   | `ssh openwrt`    |
| GL-XE300 Puli (GL.iNet 4.3.27)           | 4G WAN failover | 10.0.100.1 | `ssh openwrtwan` |

WAN: full fibre, 1 Gbps down / 100 Mbps up. Failover via 4G LTE handled by `mwan3`.

## Repository Layout

```
config/      UCI config files pulled from /etc/config/ on the router
scripts/     Backup, push, and safe-apply helpers
docs/        Network map, VLAN plan, change log
files/       Supporting config files (e.g. avahi-daemon.conf)
```

## Workflow

**Never edit the router directly for anything non-trivial.** The pattern is:

1. Run `scripts/backup.sh` at the start of any work session
2. Edit files in `config/`
3. Push with `scripts/safe-apply.sh` - this sets an auto-revert window so a bad config can't permanently lock you out
4. Confirm the change at the prompt to cancel the revert
5. Commit - the git log is the change history

```bash
# Pull current config from the router and optionally commit
./scripts/backup.sh

# Edit a config file, then push it with a 5-minute revert window
./scripts/safe-apply.sh network 5

# Push all configs (low-risk bulk changes only)
./scripts/push-all.sh
```

## Config Files

| File       | Controls                        |
|------------|---------------------------------|
| `network`  | Interfaces, VLANs, WAN, bridges |
| `wireless` | SSIDs, radios, encryption       |
| `firewall` | Zones, rules, forwarding, NAT   |
| `dhcp`     | DHCP pools, static leases, DNS  |
| `system`   | Hostname, timezone, logging     |
| `dropbear` | SSH daemon                      |

## Network

See [`docs/network-map.md`](docs/network-map.md) for the full topology, IP allocations, port forwards and planned VLAN layout.

### Planned VLANs (not yet implemented)

| VLAN | Name    | Subnet       | SSID            |
|------|---------|--------------|-----------------|
| 1    | trusted | 10.0.1.0/24  | Moonshield      |
| 10   | servers | 10.0.10.0/24 | wired only      |
| 20   | iot     | 10.0.20.0/24 | Cloud Connected |
| 30   | media   | 10.0.30.0/24 | Pinball Map     |
| 40   | guest   | 10.0.40.0/24 | Passenger       |

Full device inventory, static DHCP leases and cross-VLAN firewall rules are in [`docs/vlan-requirements.md`](docs/vlan-requirements.md). The implementation plan is in [`docs/implementation-plan.md`](docs/implementation-plan.md).