Posted: Tue Jan 26, 2021 19:53 Post subject: 2 routers and vlan for iot
Hello,
I have the following network setup:
a cable modem with lan port with ip 192.169.178.1 connected to a netgear N7000 wan port with ip 192.168.178.2.
I have given the internal ip range 192.168.15.x to this main router and turned on dhcp. With this I can connect to my wifi and ethernet devices and get a 192.168.15.3 or higher ip and can just use the internet. So far everything works fine.
I have installed a 2nd netgear N7000 routers with dd-wrt that I want to use to connect all my IOT devices.
I gave this router the internal ip 192.168.30.2 and linked a lan port to a lan port of my main router and linked this port to a vlan with the ip number 192.168.30.1. Then I set the IOT router to issue dhcp ip numbers with 192.168.30.3 or higher. This all seemed to work fine until yesterday. then suddenly I had no internet from the IOT network anymore. I feel like this accidentally worked. After searching the internet for separate networks for iot and normal internet use. I have tried a few things but can't get it working anymore.
tried links:
https://www.youtube.com/watch?v=43rM6OI_Y4w https://www.youtube.com/watch?v=0ds4o2RxHAc (I thought this was what I needed)
Ultimately, I want my IoT devices to be on a separate network with wifi and ethernet on the IoT router. These devices are allowed to see each other and they are allowed to access the internet via a road. but not allowed to see devices on my main router's network. But it must be possible to operate the devices on the IOT router with my phone and laptop that are connected to my main router.
I hope it is clear enough and that someone can help me with this.
If more information is needed, please let me know.
Me thinks you've made this overly complex. Why not just patch the IOT router over its WAN to a LAN port on the first R7000 router and use firewall rules on the IOT router to prevent access to the upstream local IP network of the R7000?
IOW, using this configuration, you are using a separate VLAN for the IOT network, but one which already exists. There's no need to create a LAN to LAN configuration and deal w/ the creation and management of yet another VLAN.
I now have it connected as you indicated. However, I still can't manage to connect from my main router to my devices connected to my IoT router. It works the other way around, but I don't want that. I have tried the following iptable lines:
main router;
iptables -I FORWARD -i br0 -o eth0 -j ACCEPT (iot router is connected to eth0 but this did not work)
on the iot router;
iptables –A INPUT –m iprange ––src – range 192.168.15.1–192.168.15.255 -j ACCEPT
and a few more, but I don't remember them. and also combinations of rules.
I want to be able to connect from devices connected to my main router to devices connected to my iot router but not the other way around.
I threw together a quick-n-dirty firewall script for the IOT router to limit its LAN devices to the internet and only the most essential router services, while allowing the upstream (primary) router to initiate access into the IOT router (e.g., for administrative purposes) or any of its LAN devices.
# allow all connections initiated from primary router into iot router/network
iptables -I INPUT -i $WAN_IF -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $WAN_IF -m state --state NEW -j ACCEPT
# deny access to any upstream private networks by iot devices
iptables -I FORWARD -i br0 -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -d 172.16.0.0/12 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -d 10.0.0.0/8 -m state --state NEW -j REJECT
# force established rule back to top of input chain
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# force established rule back to top of forward chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
You'll also want to add a static route to the primary router that points to the WAN ip of the IOT router as the gateway to the network behind it.
Thanks for your help. I expected it could be done with fewer rules. I will study them so that I understand what is happening. I don't understand one thing in the section "# deny access to any upstream private networks by iot devices" here are ip numbers that do not exist in my network, should I change these so that they match my network?
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Thu Jan 28, 2021 8:10 Post subject:
11MeG wrote:
Thanks for your help. I expected it could be done with fewer rules. I will study them so that I understand what is happening. I don't understand one thing in the section "# deny access to any upstream private networks by iot devices" here are ip numbers that do not exist in my network, should I change these so that they match my network?
11MeG those rules are for your IT router connected to your main router that is presumed to have an 192.168. or any of those private addresses..
this script is not for your main router as it will limit its connectivity a lot...
eibgrad i do have few of those rules in my IoT and un-trusted devices router, but your approach seams more legit...
once again big thanks to eibgrad for enlighten us the 'mortals' _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Thanks for your help. I expected it could be done with fewer rules. I will study them so that I understand what is happening. I don't understand one thing in the section "# deny access to any upstream private networks by iot devices" here are ip numbers that do not exist in my network, should I change these so that they match my network?
The reason I deny access to 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12 (the entire private IP space) rather than just the actual upstream network is because there's always the chance you could later introduce another private network, something otherwise unknown to the IOT network but still reachable (if only by guessing), such as the tunnel from an OpenVPN or WireGuard client. But if you're willing to take that risk (and only YOU can make that judgement), the following would minimally protect the immediate, known upstream network.
Code:
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT
I also added rules to prevent IOT devices from accessing any router-based services except those it actually needs. But if you don't mind having potentially rouge IOT devices banging away all day trying to access the GUI, SSH, etc, you can eliminate them.
Finally, the established rules typically get pushed down by having all these rules added, and it's just more *efficient* to push them back to the top of the chain. But it certainly won't do any harm to leave them as is.
So the following should minimally do the job.
Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I INPUT -i $WAN_IF -m state --state NEW -j ACCEPT
iptables -I FORWARD -i $WAN_IF -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT
Hello,
I have one more question I have now set it up so that it seems to work. However, for all ip addresses of my iot network (192.168.30.x) that i want to access from my main network (192.168.15.x) I now have to give the same ip number (192.168.15.3 WAN ip of iot network). Next I have to set a port forward on my iot router to get to the correct device. Or have I still not set something up correctly?
I would like to be able to enter an ip of my iot network like 192.168.30.x while i am connected to my main network with an ip 192.168.15.x. is this posible?
Hello,
I have one more question I have now set it up so that it seems to work. However, for all ip addresses of my iot network (192.168.30.x) that i want to access from my main network (192.168.15.x) I now have to give the same ip number (192.168.15.3 WAN ip of iot network). Next I have to set a port forward on my iot router to get to the correct device. Or have I still not set something up correctly?
Any help is welcome.
thanks in advance
The purpose of adding the INPUT and FORWARD rules based on the WAN network interface, plus adding a static route to the primary router that points to the WAN ip of the IOT router as the gateway to the 192.168.30.x network, is precisely so you do NOT have to use port forwarding. You should be able to access any device on the IOT network (or the IOT router itself) directly from the 192.168.15.x network (provided, of course, those IOT devices do NOT have firewalls of their own that would prevent it).
