Best practice for IOT devices

Hey everyone!

I've been reading up on this topic, but I can't settle on what is the best practice for the openwrt settings.

I use LuCI and my router is a Linksys WRT3200ACM.

I can't wrap my head around on where to start. Reading up on the topic it seems like VLANs are tied to the physical ports. But most of my devices are wifi only.

What I want to achieve

  • Ideally one SSID (I can create multiple SSIDs, but it would be great to be able to keep the existing config on all devices)
  • Separate VLANs. Examples of categories:
    1.0 User-devices, like PCs/tablets/phones
    1.1 IOT devices that require internet access (they shouldn’t be able to connect to my network devices by themselves)
    1.2 IOT devices that require internet access and access to my LAN (maybe even specific devices in my LAN)
    1.3 IOT devices that require LAN access but not internet access
    1.4 Chromecasts and Apple TV
    1.5 Homey - my IOT hub
    1.6 Guest devices (maybe separate SSID for this one)
    1.7 (other groups I might come up with)

Big thanks!

Not necessarily. You can have a separated wireless interface without ties to physical ports.

In fact you may as well not use vlans at all. Check this guide and adapt to your needs. Masquerading in lan zone will not be needed. Also forwarding from lan to iot zone may not be necessary.

3 Likes

Thanks for the quick response. Do I a separate SSID for each separate interface? So in the example above I need eight SSID?

Not necessarily. You can have one IoT SSID/interface and then allow/deny access to LAN or internet with firewall.

2 Likes

@trendy if you have an IoT environment running on a separate SSID, would you care to share the details here? I already have a Guest WLAN thanks to that guide you linked but I would like some more detail on how to filter traffic from devices that I whitelist from the rest.

Let me elaborate a bit on what I have in mind. I have my main SSID and I plan to rotate the WPA2 key often. However I can contemplate doing that as well with my IoT SSID (a 2.4Ghz SSID because IoT devices are mainly 2.4Ghz compatible) because re-onboarding these devices is a pain in the neck.

What I had in mind is: I create static DHCP records for my IoT devices and filter out any thing different that those whitelisted devices from accessing my lan. This is by no means as secure as EAP TLS or other modern security approaches, but these devices really limit what one can do with those.

thanks

I think it makes more sense not to allow overall forwarding from iot to lan. If you need, allow only specific devices. You can filter by mac, so they don't have to have static dhcp lease, but it doesn't hurt anyway.

1 Like

I’m running Home Assistant as my home automation platform, and if I intend to command these IoT devices from my automation hub, I really need to be able to reach them from the LAN. Maybe I could even explore denying any communication not initiated from the LAN, but I must enable communication between the two I’m afraid.

If the initiator of the communication is in lan, then a lan->iot forwarding only will be enough. Or the Home Assistant IP only to the iot if you are too paranoid.

1 Like

Hello,

With this comment you mean, just dont add lan -> iot interface/subnet zone-rules in firewall? and also dont add iot -> lan?
Or do i need to do something actively?

By default traffic will be denied, so if you don't allow a global zone forwarding to another zone or a specific forwarding of a host or two with a rule, then nothing will be allowed.

That was my guess, thank you.
So if i have firewall - zone settings "general settings", input-accept ouput-accept forwarding-reject and no specific rules to allow traffic, its not allowed

The general settings apply to interfaces which don't belong to a zone.
For interfaces which belong to a zone, the zone settings apply.
Inter zone forwarding is denied, so you need to create forwardings for each and every one.