Posted: Sun May 23, 2021 22:41 Post subject: Is it possible to set up a VLAN independent of the ports?
I'm interested in setting up a VLAN for my IoT stuff (thermostat, a few switches, smartlights, etc.) to give it access to the internet but otherwise separate it from the rest of my home network.
In reading up on this I've found a few articles that walk through it, but they talk about assigning one of the ethernet ports to this new VLAN. I don't want to mess with the ethernet ports: those should all stay on my main network.
I'm trying to figure out if it's possible to set up a VLAN that's "wifi only" without having to move a physical ethernet port over to IoT VLAN. Any pointers how how to do this?
Corollary questions:
My main router is running DD-WRT, and I have a single Ubiquity UniFi access point connected to it. When setting up a VLAN is it likely I'd need to make changes in the access point as well?
Best practice question: should I put the Amazon Echo device on the main network or on the IoT vlan? Trying to figure out if it needs to be on the same network as the IoT devices for me to say "Alexa, turn off the lights" - Wondering if the echo communicates directly with the device over the local network, or if it goes out to the could and back down to the device (in which case perhaps it doesn't matter if they're on the same VLAN). _________________ Router: Netgear R7800
Firmware: DD-WRT v3.0-r53130 std (06/29/23)
Joined: 18 Mar 2014 Posts: 12908 Location: Netherlands
Posted: Mon May 24, 2021 6:15 Post subject:
I do not have an Amazon Echo so cannot answer that.
What you are looking for is a VAP (Virtual Access Point) a second SSID (radio) which is separate from your regular SSID, It is also called a Guest Network, something most of us have
Normally you fully isolate the guest network from the main network but it is possible to make exceptions for certain devices and it also can be very handy that you have access from your main network to the IoT devices to monitor them but not the other way around, that is all possible with the help of some firewall rules see this example:
https://pastebin.com/r4u62P0B
Joined: 30 Jul 2007 Posts: 33 Location: Melbourne, Australia
Posted: Sat May 29, 2021 13:57 Post subject: Re: Is it possible to set up a VLAN independent of the ports
dwt12777 wrote:
I'm interested in setting up a VLAN for my IoT stuff (thermostat, a few switches, smartlights, etc.) to give it access to the internet but otherwise separate it from the rest of my home network.
..snip..
For info..
I have configured my Asus RT-68U currently running r46446-std with Virtual Access Points (VAP) for my IoT devices - however, it did involve reconfiguring Ethernet ports.
The IoT VAPs map to their own VLAN which has no access to the other devices on my home network (on other VLANs). The VAPs are also configured with 'AP isolation' so the IoT devices shouldn't be able to communicate with each other peer-to-peer.
I'm running a number of Amazon devices on the IoT VAP and I can confirm Alexa commands do get through to devices irrespective of the network they're on - there's no need to be on the same network (if you use Alexa on your smartphone when it's only connected to a cellular network it can still control home network-connected devices - which I guess you could consider kind of similar).
I have 2 SSIDs set up (1 for 2.4GHz, 1 for 5GHz bands) which map to individual VAP interfaces which are then both configured on the same VLAN (via bridge configuration).
I don't think you'll be able to achieve what you want without making changes to at least 1 Ethernet port - if just using the dd-wrt router - don't know about Ubiquity but am assuming it would plug into an Ethernet port - which would still need reconfiguration to accommodate a separate VLAN.
Good luck! _________________ Asus RT-AC87U - dd-wrt
Asus RT-AC68U - dd-wrt
Asus RT-N16 - dd-wrt
TP-Link TL-MR3020 - OpenWRT
VAPs / VLANs / PBR / Entware
Posted: Sat May 29, 2021 19:30 Post subject: Re: Is it possible to set up a VLAN independent of the ports
dwt12777 wrote:
I'm trying to figure out if it's possible to set up a VLAN that's "wifi only" without having to move a physical ethernet port over to IoT VLAN. Any pointers how how to do this?
No WiFi gear supports 802.1q/VLAN tagging over the air, not even enterprise grade stuff. 802.11 mac layer doesn't have support for the insertion of a vlan tag. Any solution that can support vlan tagging over wifi would be completely proprietary.
A lot of people have setup a wifi network plugged into a DIFFERENT vlan but the tag is stripped before it's sent over the wifi.
(I understand VLAN configuration is currently changing in later releases of dd-wrt so may be achieved from the web UI alone - I don't think that work is finished yet though - you would need to check).
I've only tested my vlan_check script on my Asus routers - but have found it helps in what can be quite a confusing manual configuration activity.
Making available here in case others find it useful. _________________ Asus RT-AC87U - dd-wrt
Asus RT-AC68U - dd-wrt
Asus RT-N16 - dd-wrt
TP-Link TL-MR3020 - OpenWRT
VAPs / VLANs / PBR / Entware
Last edited by msj100 on Sun May 30, 2021 10:49; edited 1 time in total
Joined: 04 Aug 2018 Posts: 1447 Location: Appalachian mountains, USA
Posted: Sun May 30, 2021 14:53 Post subject:
I had a go not long ago at writing up a more up-to-date guide to setting up a proper guest or IoT network, FWIW. Third post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
