Best practice for IOT devices

Hey everyone!

I've been reading up on this topic, but I can't settle on what is the best practice for the openwrt settings.

I use LuCI and my router is a Linksys WRT3200ACM.

I can't wrap my head around where to start. Reading up on the topic, it seems like VLANs are tied to the physical ports. But most of my devices are wifi only.

What I want to achieve

  • Ideally one SSID (I can create multiple SSIDs, but it would be great to be able to keep the existing config on all devices)
  • Separate VLANs. Examples of categories:
    1.0 User-devices, like PCs/tablets/phones
    1.1 IOT devices that require internet access (they shouldn’t be able to connect to my network devices by themselves)
    1.2 IOT devices that require internet access and access to my LAN (maybe even specific devices in my LAN)
    1.3 IOT devices that require LAN access but not internet access
    1.4 Chromecasts and Apple TV
    1.5 Homey - my IOT hub
    1.6 Guest devices (maybe separate SSID for this one)
    1.7 (other groups I might come up with)

Big thanks!

1 Like

Not necessarily. You can have a separated wireless interface without ties to physical ports.

In fact you may as well not use vlans at all. Check this guide and adapt to your needs. Masquerading in lan zone will not be needed. Also forwarding from lan to iot zone may not be necessary.

3 Likes

Thanks for the quick response. Do I need a separate SSID for each separate interface? So in the example above I need eight SSIDs?

Not necessarily. You can have one IoT SSID/interface and then allow/deny access to LAN or internet with firewall.

3 Likes

@trendy if you have an IoT environment running on a separate SSID, would you care to share the details here? I already have a Guest WLAN thanks to that guide you linked but I would like some more detail on how to filter traffic from devices that I whitelist from the rest.

Let me elaborate a bit on what I have in mind. I have my main SSID and I plan to rotate the WPA2 key often. However, I can contemplate doing that as well with my IoT SSID (a 2.4 GHz SSID, because IoT devices are mainly 2.4 GHz compatible), because re-onboarding these devices is a pain in the neck.

What I had in mind is: I create static DHCP records for my IoT devices and filter out anything different from those whitelisted devices from accessing my LAN. This is by no means as secure as EAP-TLS or other modern security approaches, but these devices really limit what one can do with those.

thanks

I think it makes more sense not to allow overall forwarding from iot to lan. If you need to, allow only specific devices. You can filter by MAC, so they don't have to have a static DHCP lease, but it doesn't hurt anyway.

2 Likes

I’m running Home Assistant as my home automation platform, and if I intend to command these IoT devices from my automation hub, I really need to be able to reach them from the LAN. Maybe I could even explore denying any communication not initiated from the LAN, but I must enable communication between the two I’m afraid.

If the initiator of the communication is in lan, then a lan->iot forwarding only will be enough. Or the Home Assistant IP only to the iot if you are too paranoid.

1 Like

Hello,

With this comment you mean, just don't add lan -> iot interface/subnet zone rules in the firewall? And also don't add iot -> lan?
Or do I need to do something actively?

By default traffic will be denied, so if you don't allow a global zone forwarding to another zone or a specific forwarding of a host or two with a rule, then nothing will be allowed.

That was my guess, thank you.
So if I have firewall zone settings "general settings", input accept, output accept, forwarding reject and no specific rules to allow traffic, it's not allowed?

The general settings apply to interfaces which don't belong to a zone.
For interfaces which belong to a zone, the zone settings apply.
Inter-zone forwarding is denied, so you need to create forwardings for each and every one.

1 Like
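The zone layout described in the replies above (inter-zone traffic denied by default, iot allowed out to wan only, the Home Assistant address allowed lan -> iot, and a MAC-matched exception for a single device), as an added `/etc/config/firewall` excerpt that is not from the thread; the subnet, the Home Assistant address and the MACs are constructed placeholders, and the separate `iot` interface (with the wireless network option pointing at it) is assumed to exist already.

```uci
# Added example excerpt for /etc/config/firewall (not from the thread).
# Assumes a separate interface 'iot' (e.g. 192.168.2.1/24) with its own SSID
# and the stock lan/wan zones. Addresses and MACs below are constructed.

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'     # IoT clients cannot talk to the router except via rules below
	option output 'ACCEPT'
	option forward 'REJECT'   # nothing crosses zones unless a forwarding or rule allows it

# IoT clients get internet only: there is deliberately no 'config forwarding'
# iot -> lan, and none lan -> iot either; the rules below carve out exceptions.
config forwarding
	option src 'iot'
	option dest 'wan'

# The router still has to serve DHCP and DNS to the IoT subnet.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Home Assistant (constructed LAN address) may initiate connections into iot.
# Replies come back through connection tracking; iot hosts cannot initiate.
config rule
	option name 'Allow-HA-to-IoT'
	option src 'lan'
	option src_ip '192.168.1.10'
	option dest 'iot'
	option target 'ACCEPT'

# One IoT device that legitimately needs the LAN, matched by MAC (constructed)
# so it does not depend on a static lease.
config rule
	option name 'Allow-IoT-device-to-LAN'
	option src 'iot'
	option src_mac 'AA:BB:CC:DD:EE:01'
	option dest 'lan'
	option target 'ACCEPT'

# A LAN-side-only device (constructed MAC): rules are evaluated before zone
# forwardings, so this REJECT overrides the iot -> wan forwarding for it.
config rule
	option name 'Block-LAN-only-IoT-from-WAN'
	option src 'iot'
	option src_mac 'AA:BB:CC:DD:EE:02'
	option dest 'wan'
	option target 'REJECT'
```

After editing, `/etc/init.d/firewall restart` applies the zones; as noted above, leaving the lan zone untouched keeps LuCI and SSH reachable from the LAN while experimenting.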

For me I created a new zone and a new WiFi AP specifically for smart home devices, and applied firehol blacklist rules to it.

1 Like

Hi @trendy, bringing up this old thread because I never managed to feel confident enough to apply the changes because I always feared I could lock myself out of my network. Would you mind walking me through the different steps needed to accomplish what you suggest? or, could you possibly point me in the right direction?

My current situation is that I dedicated the default 2.4 GHz network to hosting my IoT devices, and I would love to apply the required filtering to ensure proper isolation.

thanks a million in advance!

The lan firewall zone allows access by default to wan (the internet) and to the device. As long as you don't change anything there, you can experiment with other zones without losing access to the device.

1 Like

Hi there @trendy I'm wondering if you would be so kind as to check my post: Please peer review my IoT and Guest configuration

I finally jumped the gun and I'm very happy because I believe I've managed to create a Guest and an IoT network. I'm looking for somebody who can do a sanity check on what I've done. Thanks a million!!