Posted: Mon Oct 10, 2022 18:37 Post subject: Main network talk to VLAN for IoT device.
I have a Linksys WRT3200ACM router. I recently went through the steps to create a VLAN for my IoT devices (VLAN 3), and changed Ethernet port 4 on the back to be on this VLAN as well. I set up my virtual APs / multiple DHCP so I have WiFi too on this VLAN.
My network is fairly simple. I just wanted my main network (192.168.1.1) and an IoT/Guest network (192.168.99.1) -- which is on VLAN3. My startup script is below, and aside from that I had to do some bridge work in the GUI, and my current bridge table looks like this:
Code:
Name STP Interface
br0 no eth1 wlan0 wlan1 wlan2
br1 no vlan3 wlan0.1 wlan1.1
I have attempted this about 10 different times; finally this last time it is working properly. My success was only after following the additional tips found in the later posts of this thread:
Code:
# Reset the switch and turn on 802.1Q VLAN handling
swconfig dev switch0 set reset 1
swconfig dev switch0 set enable_vlan 1
# VLAN 1: CPU port 6 plus switch ports 1-3 (main LAN)
swconfig dev switch0 vlan 1 set ports "6 1 2 3"
# VLAN 2: CPU port 5 plus switch port 4 (WAN, left as default)
swconfig dev switch0 vlan 2 set ports "5 4"
# VLAN 3: CPU port 6 tagged plus switch port 0 (the rear LAN port moved to the IoT VLAN)
swconfig dev switch0 vlan 3 set ports "6t 0"
swconfig dev switch0 set apply
# Name tagged sub-interfaces "vlanN" (no zero padding)
vconfig set_name_type VLAN_PLUS_VID_NO_PAD
# Create vlan3 on eth1 (the LAN CPU port), bring it up and add it to the IoT bridge
vconfig add eth1 3
ifconfig vlan3 up
brctl addif br1 vlan3
I did NOT enable Net Isolation on the bridge network settings nor did I change any of the default settings for the VAPs.
When I currently ping from my desktop (192.168.1.114) to my laptop on the VAP VLAN3 (192.168.99.134) it times out... when I ping from my laptop to the desktop it also times out.
I believe this is good (as far as security goes) -- HOWEVER, I did not turn on net isolation or add any firewall settings to create a separation of the VLANs.
So here are my questions and what I want to do:
1) What do I need to do (either in the GUI and/or adding firewall commands) to properly isolate my IoT network so it cannot access my main network?
2) How can I allow access between my main network and IoT network ONLY IF the request comes from my main network. i.e. I am on my phone connected to my main network, I want to use the Roku remote app - but my Roku is on my IoT network.
Thank you in advance. I will be happy to post my current firewall settings if that will help. (Can someone remind me of the command in Telnet to display my current firewall settings?)
I am running:
Firmware: DD-WRT v3.0-r50308 std (10/01/22)
Below is my current firewall:
... Yes, I named my router Velociraptor
So if @ecg or anyone can first help me understand why I can't ping one VLAN from the other, that would be great. AFAIK I didn't add anything to block pings/traffic between VLANs - so now I am even more confused. Thank you!!
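As an added example (not part of the original post or any reply in this thread, and not a DD-WRT-supplied script), here is the kind of firewall script the two questions above ask about, written as a shell function that emits iptables rules so they can be reviewed before being applied. It assumes br0 is the main LAN bridge and br1 the IoT bridge, as in the bridge table above; everything else (the chain layout, the rule set) is the example's own choice.

```shell
#!/bin/sh
# Added example: isolate the IoT bridge (br1) from the main LAN bridge (br0)
# while still letting connections opened FROM the main LAN reach IoT devices.
# Assumed interface names come from the bridge table in the post; the rules
# themselves are this example's, not DD-WRT's defaults.

MAIN_BR="${MAIN_BR:-br0}"
IOT_BR="${IOT_BR:-br1}"

# Emit the rules in the order they must be executed.  Each uses "-I", which
# inserts at the TOP of the chain, so the last rule printed is evaluated
# first.  Reading bottom-up: return traffic is accepted, main-to-IoT new
# connections are accepted, IoT-to-main new connections are dropped.
iot_isolation_rules() {
    cat <<EOF
iptables -I FORWARD -i ${IOT_BR} -o ${MAIN_BR} -m state --state NEW -j DROP
iptables -I FORWARD -i ${MAIN_BR} -o ${IOT_BR} -m state --state NEW -j ACCEPT
iptables -I FORWARD -i ${IOT_BR} -o ${MAIN_BR} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i ${IOT_BR} -m state --state NEW -j DROP
iptables -I INPUT -i ${IOT_BR} -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i ${IOT_BR} -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i ${IOT_BR} -p tcp --dport 53 -j ACCEPT
EOF
}

# The INPUT rules keep IoT devices away from the router's own services
# (web GUI, telnet/ssh) while still allowing DHCP (udp/67) and DNS (53),
# which they need from the router at 192.168.99.1.

# Number of rules the script will add; handy for a sanity check after apply.
iot_rule_count() {
    iot_isolation_rules | grep -c '^iptables'
}

# Pipe the emitted commands into the shell to actually install them.
apply_iot_isolation_rules() {
    iot_isolation_rules | sh
}

case "${1:-}" in
    apply) apply_iot_isolation_rules ;;
    *)     iot_isolation_rules ;;
esac
```

Run it with no argument to see the rules, or with `apply` to install them; on DD-WRT the same lines belong in Administration > Commands, saved with "Save Firewall" so they survive a reboot. The main-to-IoT direction (question 2) works because the ESTABLISHED,RELATED rule lets replies back through, but note that apps which find their device by broadcast or multicast discovery will not see it across two different subnets even though unicast traffic is allowed. The current rule set can be inspected with `iptables -L FORWARD -v -n --line-numbers` (and `-L INPUT` for the router-facing rules), which also shows whether the ACCEPT rules ended up above the DROP as intended.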