Hello, I would like to setup the following where 2 access points connect to the main router:
- Main router: Linksys WRT3200ACM (wireless off)
- AP1 for humans: Archer A7
- AP2 for IOT: Archer A7
Currently the system is setup with two "dumb" APs. How can I keep the traffic separate on the two APs? Would a setup similar to guest wifi work if I use wifi only for the IOT?
Thanks in advance for your help.
Edit: all 3 are currently running OpenWrt 19.07.7
Are the two APs directly connected to the wrt3200acm or is there an additonal (unmanaged) switch inbetween?
The APs are directly connected to the WRT3200ACM. I will also connect an unmanaged switch to the router if I run out of lan ports on the router. The APs are mounted in rooms away from the router but the switch will be in the same room.
Edit: If I put AP2 (IOT) on a separate subnet, I understand that I will need to set up a VLAN and tie the port to it. Do I need to change any rules in the firewall? I will change the dumb AP2 to smart so it can run a DHCP server.
You'd have to add a new firewall zone covering the iot interface. Allow forwarding only towards the wan zone to achieve isolation from lan. If needed add forwarding from lan to iot.
There is a guest wlan guide in the wiki, you can do the same for your IoT network (just omitting the wireless part on the wrt3200acm), so basically creating a new network on a dedicated wrt3200acm LAN port (vlan) and according firewall rules.
You can segregate one port on the router, and assign that to the IoT network. Whatever dumb AP you connect to that port, will give access to the IoT network.
Or you can trunk both networks on one or two ports on the router, and two (or more) not-so-dumb APs could give access to both networks, while maintaining then separated.
Thank you all. Sorry about the delay in replying. Will work on it in the next week or two and will post my solution here so that it may help someone down the line.
If your 2 access points also run openwrt you can also use the description for dump ap with guest wifi, use the guest wifi as a iot wifi and have your iot-zone only on the dump ap. This way you do not need vlans on your wired network. So your complete wired network would belong to the lan zone then. The description for dump ap with guest net explains how to prevent access from the iot network to the wired lan.
I have done it that way, because my main router (fritz box) does not support vlans, and the unmanaged switch in between this one and the dump aps also does not.
What you cannot do then without vlan support is to have the same iot network on both aps. So each of the aps would need to have its own iot wifi if needed. But if the iot devices do not talk to each other but only to a server in the internet, this should not be a problem.
Thank you all again for your help. The system is working extremely well as far as I can tell. Here's an outline of the process I used to create the system (2 questions are in bold below). I ended up creating a VLAN for IOT and put it on it's own subnet. All of the routing is done by the WRT3200ACM. Here's the general procedure using LUCI (pardon any incorrect terminology):
- Create the "dumb" APs as per this guide. I used 2 Archer A7v5. I also chose to turn off IPv6 in various places. My main router used 192.168.1.1 and the PEOP AP is on 192.168.1.2. On the IOT AP, I used a different static IP (192.168.10.1). Tip: Make sure that wireless is running on the APs before you proceed.
- Define the IOT ports on the main router - WRT3200ACM in my case. Use Network->Switch and create VLAN ID 33 (33 is just to make it stand out). Change LAN1 to "untagged". Eth0 should be tagged. All others are "off" in that row. In VLAN1, change LAN1 to "off". Essentially, you've turned on port 1 and attached it to VLAN33. "Save and apply"
- Go to Network->Interfaces and click on "add new interface" to create the IOT interface. Use static IP address 192.168.10.1 (does it have to be the same as the AP or could you pick 192.168.1.2?). I used the router's gateway 192.168.1.1. Under tab "firewall settings", I created zone "iot". "Save and apply"
- Go to Network->Firewall. Click on "add" to create zone "iot=>wan". I left "accept" for all 3 - input, output, forward (is this correct?). Select IOT for "covered networks". For "forward to destination zones", pick "wan". For "forward from source destinations", pick "lan"
I'm sure I've forgotten to mention something, but the outline above is the gist of it. I had 2 questions as listed in bold above in #3 and #4. Any suggestions feedback on either would be great (obviously #4 is the critical one).
The IOT network is 192.168.10.0/24, so everything in it has an IP of 192.168.10.X.
You do not need to specify gateway for the IOT network. Just like the LAN it is implicit from the wan configuration, which is usually automatically obtained via dhcp or pppoe. In a standard router there is only one gateway. Any request directed to an IP address that is not locally known would be assumed to be part of the Internet and routed by default to the WAN port.
IOTs should not have general input permission on your router. Set up more restrictive rules so they only have DNS and DHCP. You do not want anything on the IOT network able to hack your router with http or ssh. This is covered in the wiki about guest networks.
Also for tight security the dumb APs should be administered out of band, using VLANs on the cable. They would have an IP on the administrative network (main router's LAN) which IOTs cannot see. The AP would not have an IP on the IOT network.
VLANs on the cable is a step toward offering multiple networks via different SSIDs on the same AP hardware.
Thank you for the feedback. As per your suggestions:
I removed the gateway for the IOT network.
I changed permissions to input:reject, output:accept, forward:reject
The guest wifi wiki used DHCP but did not state why. I wanted to use one machine for the routing so that APs can focus on the wireless. From your comment, it seems that is much less secure than enabling DHCP on the router only?
Your comment: "The AP would not have an IP on the IOT network". Does this mean it would NOT have any IP or do you mean it would have a DIFFERENT IP than that of the IP network. Sorry about the confusing verbiage on my part.
As a dumb AP, it forwards everything to the main router. It's a layer 2 wired to wifi converter, not running any process that interacts with the IOT clients other than take their packets off of wifi and put them on the wire for the main router's consideration.
This includes DHCP requests. The IOT network set up on the main router includes the DHCP server for guests or IOTs. The APs do not.
A dumb AP only needs to hold an IP address so that you can log in by ssh or http and administer it. The AP's IP address is not a necessary part of normal interaction with clients. It is however a potential security vulnerability when untrusted clients can reach it. If you configure the AP with an IP on the IOT network, its OpenWrt OS becomes an IOT. This is not as secure as having two networks within the AP one for untrusted IOTs and a separate one for administration.
Thank you for the detailed explanation @mk24. Just to be clear - from a security perspective, is it better to use the main router's DHCP vs activating the AP's DHCP? I suppose a better question would be: what are the pros/cons of each method?
What you also could do is have both APs serve both types of devices. You then need to tag the traffic for each wifi interface. I did something similar with two r7800: 802.1q tagging setup
In your case you need to setup the two zones on the linksys as well, as well as keep the tagging on the main router.
It is really complicated to have more than one DHCP server on a network. Any home network will have the DHCP server on the main router. The dumb APs are dumb.
Thanks @Ramon . I'm setting this up for a relative with a smaller home and it suits their needs. I may need the solution you described for a setup for a different relative that has a larger house and needs more coverage.
Thanks again @mk24. I'll stick with my original plan of using one router with multiple dumb APs.
Made the changes to the firewall and the system is working well. One glitch - I cannot access the IOT router's admin/login page from either wireless or wired connections on the IOT AP. Is there any way to get to it without resetting the router?
What did you configure for INPUT on the iot firewall zone? If you configured DROP/REJECT, then you'd need to add individual rules to allow the ssh or http. However iot zone should not be allowed to access the router administration.
Thanks @trendy. Here's the configuration:
LAN->IOT (also same for LAN->WAN)
As per the guest wifi wiki, I've also setup traffic rules for DHCP, DNS, block traffic IOT->LAN. The latter blocks access to the IOT AP from the IOT side (wired or wireless). Is there a way to access the AP from the LAN side? At least one issue is that I would be trying to access 192.168.10.1 (IOT) from the 192.168.1.X (LAN) network.
I may mount the IOT AP in a hard to reach place (raised ceiling) and would rather not pull out a ladder every time it needs to be updated