Create isolated IoT Network

brunex_1026
DD-WRT Novice


Joined: 08 Jun 2021
Posts: 1

Posted: Tue Jun 08, 2021 10:23    Post subject: Create isolated IoT Network
Hello there, I'm having some trouble accomplishing this one.

I'm thinking of adding some IoT devices to my home, but as far as I know, it's a good practice to have a separate network for those devices. So currently I have my ISP router and an old TP-Link WR841Nv9 with DD-WRT on it, working as an extender to my ISP Router.

I've created two VAPs, one to wirelessly extend my private network and the other one for the IoT devices. As it is right now I can access the Internet on both SSIDs, but as I said earlier I want to isolate the IoT devices from my private network and control them even when I'm connected to the main router or the extender.

How can I achieve this with DD-WRT? I will leave some details about my current setup below.

Main Router
-------------
IP: 192.168.1.1
DHCP Pool Start: 192.168.1.100

Extender
------------
IP: 192.168.1.2
DHCP Server: 192.168.1.1

IoT Network
------------
IP: 192.168.100.1
DHCP Server: 192.168.1.1

The schematic of my network is attached.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1084

Posted: Tue Jun 08, 2021 22:18    Post subject:
Do you have an error in typing... you have the IoT Network as IP 192.168.100.1, but the server is 192.168.1.1? This could happen if you are using a /16 netmask instead of /24, but just checking.

Read:
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

That is essentially what you are doing.

Then you can always add an iptables rule:
#Prevent Wireless from talking to each other
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j DROP

If you are using bridging... this will ensure that none of your bridges talk to each other (which is basically like unbridging).
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8719

Posted: Wed Jun 09, 2021 1:25    Post subject:
Based on the OP's description, I assume the extender is patched LAN to LAN wrt the primary router. And as such, the IoT network should be configured by the extender, NOT the primary router. IOW, if the IoT network is 192.168.100.0/24, and the IP assigned to ath0.1 on the extender is 192.168.100.1, then clients of the IoT network should be configured by the DHCP server on the extender and have a default gateway of 192.168.100.1. You'll then need to either NAT the IoT network over the private network …

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.1.2


… or else define a static route on the primary router that points to the extender's IP (192.168.1.2) as the gateway to the 192.168.100.0/24 network.

Finally, IoT devices need access to the private network in order to reach the WAN of the primary router for internet access, but must be denied access to specific resources on that private network.

Code:
iptables -I FORWARD -i ath0.1 -o br0 -j ACCEPT
iptables -I FORWARD -i ath0.1 -d 192.168.1.0/24 -j REJECT

_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-kill-switch.sh (new) * ddwrt-ovpn-watchdog.sh (new) * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh
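
Added example (not part of eibgrad's post): a small shell simulation of how the two `iptables -I FORWARD` commands above end up ordered, and which rule a packet arriving on `ath0.1` hits first. It never calls iptables; `insert_rule` and `verdict` are hypothetical helpers, and the destination addresses are constructed.

```shell
#!/bin/sh
# Added example: simulates first-match evaluation of the FORWARD chain.
# It never calls iptables; insert_rule and verdict are hypothetical helpers.
CHAIN=""   # one rule per line: "in_if out_if dst_cidr target" ("*" = any)

# "iptables -I" inserts at the head of the chain, so prepend.
insert_rule() {
    CHAIN="$1 $2 $3 $4
$CHAIN"
}

ip_to_int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {     # in_cidr IP NET/PREFIX ("*" matches everything)
    [ "$2" = "*" ] && return 0
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# verdict IN_IF OUT_IF DST_IP: print the target of the first matching rule,
# or POLICY when no rule matches and the chain's default policy applies.
verdict() {
    result=POLICY
    while read -r r_in r_out r_dst r_target; do
        [ -z "$r_in" ] && continue
        [ "$r_in" = "*" ] || [ "$r_in" = "$1" ] || continue
        [ "$r_out" = "*" ] || [ "$r_out" = "$2" ] || continue
        in_cidr "$3" "$r_dst" || continue
        result=$r_target
        break
    done <<EOF
$CHAIN
EOF
    echo "$result"
}

# The two commands in the order they are typed in the post.
insert_rule ath0.1 br0 '*' ACCEPT
insert_rule ath0.1 '*' 192.168.1.0/24 REJECT

# Constructed destinations: a LAN host, the primary router, an internet host.
for dst in 192.168.1.50 192.168.1.1 203.0.113.10; do
    echo "ath0.1 -> $dst: $(verdict ath0.1 br0 "$dst")"
done
```

Because `-I` prepends, the REJECT typed second is evaluated first; typing the two commands in the opposite order would let the ACCEPT match LAN-bound packets. The primary router's own address (192.168.1.1) also falls in the rejected range, so forwarded traffic from IoT clients addressed directly to it, such as DNS queries, is rejected too.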
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1084

Posted: Thu Jun 10, 2021 0:29    Post subject:
True, it could be set up as:
https://wiki.dd-wrt.com/wiki/index.php/Repeater_Bridge

It depends on what the OP wants to do.

But either way there are multiple ways to accomplish what the OP wants to do.

So hope we have helped.