Advice IoT Devices, Dumb AP with separate Router/DHCP

Hi everyone,

I've been using OpenWrt for some time now but as someone who knows a little it gets me into trouble as I'm not a network expert :smiley:

My current setup;

  • 2x OpenWrt Dump AP's (wired backbone)
  • OpenWrt DSL Router//Firewall/DHCP (connecting to service provider and provisions all IP's and access)

I'm looking to find the best way to create a new AP for IoT devices. Each of the Dumb AP's has 2 wifi networks (2.4gh and 5ghz) and uses the separate DHCP server for allocating IP addresses. I've followed multiple guides but maybe I'm a bit dumb like my AP.

Essentially I'd like to have the IoT devices running on a different IP range and have those IP's served by the main DHCP;

Trusted Devices: 10.0.0.x
Untrusted Devices: 10.0.1.x

I've tried creating a interface on the main Router (IoT) and allocated it as a DHCP server and then setup a new WifiAP on the Dumb AP called "SmartDevs" and then put in a static IP along with the gateway which is the new DHCP server but doesn't seem to work.

Is there a better way to achieve this using VLAN maybe? Things to consider all OpenWrt devices are linked together via cable (PoE) I would like to achieve this without additional wiring. I'm using a BTHH5a which supports VLAN.

Is this even possbile?

Create a VLAN for each isolated segment on each of the routers (being consistent with numbering, for example, TP-Link smart switches are always segregated on VLAN 123). Enable DHCP on the "main" router.

Put each VLAN on each router into its own firewall zone. Adjust rules to isolate and limit outside-world access as you desire. This is something of personal preference combined with the devices' operational needs. I "spoof" DNS on several of my IoT VLANs to control things like NTP to my own services and, in many cases, to make them unable to "phone home" by not returning a valid IP address for their home servers.

Set that VLAN as tagged on your Ethernet trunk.

Create a specific AP/SSID and have it associate with a bridge over the appropriate VLAN sub-interface on each box.

1 Like

Ok makes sense thank you! I understand the firewall rules but I always mess up on VLAN config.

Each router will need to have the same setup ok :slightly_smiling_face: but when tagging ports etc what is the right way to do this or do I simply pop in a VLAN number? I know this is basic but I guess the I just don't get VLAN setup I'm sure it can't be difficult just me.

Oh and one other thing because I'm running a DumbAP I have FW disabled on that because everything is routed through the main OpenWrt FW.

VLANs with tags greater than the number of "table entries" (often limited to 16 or 128) require explicit setting of the vid parameter and perhaps the pvid for ports -- see

You can determine the limit with something like (from a different device)

$ swconfig dev switch0 help
switch0: 90000.mdio(QCA AR40xx), ports: 6 (cpu @ 0), vlans: 128

In addition to configuring the switch, you need an interface on the VLAN as well, such as eth0.1234, or the packets won't get past the "raw" interface (and then the firewall zones).

1 Like

Ok I've setup the VLAN and I get an IP address from the main DHCP server but even though I've configured the INTERFACE and setup a FW rule to IoT>LAN following this guide seems I can't access the internet. I have the FW rule IoT>LAN (ACCEPT, ACCEPT, ACCEPT - just to test) but to no avail what am I missing? Masquerading is setup on the LAN too. If I access the from the LAN Wifi I can access the internet.

I'm not sure why that would want to be set. The subnet that is attached is on the same as that of the router's interface. Typically masquerade is only set on the WAN (to NAT internal, non-public IP addresses to the public IP assigned to your router). That may be your issue.


Brilliant! Ok I now have VLAN connected and assigning IP to WIFI devices on separate LAN final piece to the puzzle how do I prevent access to VLAN1 from VLAN5? If I log on to my IoT WiFi I can still access the router using the 10.0.0.x network rather than the IP 10.0.x.0 which is what the DHCP server is assigned on VLAN5. Do I need a FW rule to specifically block access to the LAN(VLAN1) interface?

To make sense of this, a diagram of netfilter hooks can help.

There are some packets that are headed to your routers themselves ("INPUT") and some that would be forwarded through it ("FORWARD").

I generally start out with denying everything, then permitting what I desire.

So, for example (never trust anyone's firewall rules as being "right" for you!):

  • Allow DHCP INPUT for UDP with source port 68 and destination port 67
  • Allow DNS INPUT for UDP with destination port 53 (where I've spoofed whatever NTP servers it is looking for to be the router)
  • Allow NTP INPUT for UDP with destination port 123

The return packets get allowed by conntrack and the "related" rule that is a default.

Then, if a device really needs to get out to a specific server on a specific port, I'll allow that. I often will use Wireshark to determine what a given device really needs to operate.

My TP-Link smart switches don't get any outside access. They try to "phone home" even when disabled. I run a local server that "talks pyHS100" to control them, not the TP-Link app.

On the other hand, I find the Lutron app too valuable to block entirely, so that device gets access to the MQTT port it uses, with what would be a FORWARD rule. (I can't set a specific destination host, as what its server host name resolves to changes with the whims of AWS.)

Thanks for all your help Jeff getting to grips with this has always been a steep learning curve. So I'm trying to prevent anything on the IoT (untrusted ) network from accessing anything on the LAN (trusted) network. I've set the forwarding rules on the zones as follows;

and setup a rule to block traffic from anything in the IoT zone to Lan

I can access the router and ping anything in the LAN when I'm connected to the IoT zone, I cannot however login to my synology box from the IoT zone (the rule is preventing this). Therefore, I assume there is a rule that allows ping IoT > LAN and also access to the router irrespective of zone?

I hand-craft my firewall rules, so I'm not very familiar with the default OpenWrt configuration. If you post the output of uci show firewall using the preformatted-text button


perhaps someone more familiar with the default rules could help.

1 Like

I would recommend changing your iot input rule to drop (the IoT network should have no reason to access the router itself). Then add two rules to allow DHCP and DNS from the iot zone to the router.



"drop" -- silently ignore
"reject" -- let the device know you're not permitting the traffic

With a "hostile" device, there's often no good reason to tell it you're ignoring its request.

1 Like

Can you access/add in LuCI default, "zone => forwardings" rules for iot => lan and lan => iot?
(I don't know if that is possible.)

It may be that your custom rules come "too late" to block some of the traffic.

I wanted to say :+1: for everyones help. I have managed to use the guidance from @jeff and the simple way to avoid complex rules in the firewall @psherman to have my VLAN1 (Trusted) including WIFI on a separate ip to the VLAN5 (Untrusted) WIFI (used for IoT devices - a "virtual DMZ") each with its own DHCP and with the VLAN5 locked down so that it cannot access VLAN1. All done via LUCI now I just need to write it all down :smile:


...and save your config to your "desktop" in case of later questions/problems!