How to isolate IOT devices from the home network using vlan?

DD-WRT Forum Index -> Advanced Networking
whitebeard
DD-WRT User


Joined: 26 Jul 2013
Posts: 52
Location: Canada

Posted: Sat Aug 27, 2022 13:08    Subject: How to isolate IOT devices from the home network using vlan?
To isolate regular guest traffic I've been using unbridged/isolated VAPs, but I'm at a loss how you'd use the CLI to create isolated VLANs for IoT devices. Since these devices connect via Wi-Fi, do you attach the VLAN according to their MAC address? Everything I'm seeing tags according to the physical router port. If it helps, my devices are basically all ESP8266/Tasmota driven.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10788
Location: Netherlands

Posted: Sat Aug 27, 2022 13:42
If the IoT devices are all using Wi-Fi, you create another VAP for the IoT devices (with another password, of course).

So you have the normal Wi-Fi for yourself, one VAP for guests and another VAP for IoT.

Note that the VAPs are only isolated from br0 (if you enable "Net Isolation") but not from each other; you have to do that manually.

I am assuming you are running the latest build, otherwise more manual isolation could be necessary
(latest as of today is 49866, but probably wait for 49909, which is imminent).

P.S. As some things are router specific, we can help better if you state build number and router model!

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
whitebeard
DD-WRT User


Joined: 26 Jul 2013
Posts: 52
Location: Canada

Posted: Sat Aug 27, 2022 13:59
Yes, I'm on the latest (49866). The confusing part for me is that if the IoT devices are on a different subnet (because of the VAP), how do I get in to manage the devices?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10788
Location: Netherlands

Posted: Sat Aug 27, 2022 14:22
Either connect to the VAP (if you are using wireless) or make an exception firewall rule, either for the whole br0 subnet so that everybody on br0 can manage, or for a particular client, e.g. your own desktop.

If you use the standard Net Isolation, that isolates with state NEW (I think), so a simple override should be enough. I use br2 for your IoT network here, but choose the one you need, and use the IP address of the client you manage from:
Code:
iptables -I FORWARD -s <ip-address-of-client> -o br2 -m state --state NEW -j ACCEPT

If you want everybody on your main subnet to be able to manage:
Code:
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j ACCEPT

@eibgrad has a nice write-up:
https://pastebin.com/r4u62P0B

I moved this to the Advanced networking forum, the General forum is not the appropriate forum for these questions.

whitebeard
DD-WRT User


Joined: 26 Jul 2013
Posts: 52
Location: Canada

Posted: Sat Aug 27, 2022 14:57
Pardon the noob question, but if I did want to keep the IoT devices on a separate bridge and forward my main PC to the IoT network, I'd have to:

- create a new bridge: br2
- add "wlan0.1" to br2
- add the FORWARD rule

but wouldn't I be able to have the FORWARD rule with the output directed to wlan0.1 (i.e. -o wlan0.1)? What are the advantages of using the bridge?

EDIT: Oh, is the bridge needed in order to allow the response of the IoT devices to make its way back to the originator?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10788
Location: Netherlands

Posted: Sat Aug 27, 2022 15:24
Oh no, that was just an example.

Instead of the bridge br2, use wlan0.1 or whatever the IoT stuff is on.

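The two iptables rules egc posted above, and the follow-up that the output interface can be the unbridged VAP (wlan0.1) just as well as a bridge (br2), are pulled together here into one complete firewall script. This is an added example for this page, not code from the thread, from eibgrad's write-up or from DD-WRT itself. The interface names (IoT VAP wlan0.1, guest VAP wlan0.2, main LAN br0), the management host 192.168.1.10 and the chain name IOT_ISO are assumptions; change them to match your router. It goes one step beyond the thread by also blocking the IoT VAP and the guest VAP from each other, which egc notes Net Isolation does not do for you.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT itself.
# Isolates an IoT VAP from the main LAN and from a guest VAP, while letting one
# management host open connections into it. Assumed names (change to match your
# router): IoT VAP wlan0.1 (or a bridge such as br2), guest VAP wlan0.2, main LAN
# br0, management host 192.168.1.10, and a custom chain called IOT_ISO.
# Paste it under Administration > Commands > "Save Firewall" so it is re-applied
# whenever the firewall restarts. DRY_RUN=1 prints the commands instead.

IOT_IF="${IOT_IF:-wlan0.1}"
GUEST_IF="${GUEST_IF:-wlan0.2}"
LAN_IF="${LAN_IF:-br0}"
MGMT_IP="${MGMT_IP:-192.168.1.10}"

# No iptables on this machine (e.g. trying the script on a desktop): just print.
command -v iptables >/dev/null 2>&1 || DRY_RUN=1

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Keep all our rules in one chain: flushing it makes the script idempotent,
    # so re-running it after a firewall restart never stacks duplicate rules.
    run -N IOT_ISO 2>/dev/null || true
    run -F IOT_ISO
    # Hook the chain at the top of FORWARD (once), ahead of DD-WRT's own rules,
    # so our ACCEPT exception is evaluated before Net Isolation's DROP.
    if [ -n "$DRY_RUN" ] || ! iptables -C FORWARD -j IOT_ISO 2>/dev/null; then
        run -I FORWARD 1 -j IOT_ISO
    fi
    # Replies for connections that were allowed to start must flow both ways;
    # this is why no bridge is needed for the IoT devices' answers to get back.
    run -A IOT_ISO -i "$IOT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A IOT_ISO -o "$IOT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the management host may open new connections into the IoT VAP.
    run -A IOT_ISO -s "$MGMT_IP" -o "$IOT_IF" -m state --state NEW -j ACCEPT
    # Everything else between the main LAN and the IoT VAP is dropped.
    run -A IOT_ISO -i "$LAN_IF" -o "$IOT_IF" -j DROP
    run -A IOT_ISO -i "$IOT_IF" -o "$LAN_IF" -j DROP
    # Net Isolation only separates VAPs from br0; VAP-to-VAP is done by hand.
    run -A IOT_ISO -i "$IOT_IF" -o "$GUEST_IF" -j DROP
    run -A IOT_ISO -i "$GUEST_IF" -o "$IOT_IF" -j DROP
    # Anything the chain does not match (e.g. IoT -> WAN) returns to FORWARD
    # and is handled by DD-WRT's normal rules.
}

build_rules
```

If the IoT devices sit on a bridge instead, run it with IOT_IF=br2; to let the whole main subnet manage them, replace the `-s "$MGMT_IP"` rule with one matching `-i "$LAN_IF"`. Check the result with `iptables -vnL FORWARD` and `iptables -vnL IOT_ISO`: the jump to IOT_ISO must be the first FORWARD rule, otherwise a DROP placed earlier by Net Isolation wins and the management exception never matches.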