I've been reading up on this topic, but I can't settle on what is the best practice for the openwrt settings.
I use LuCI and my router is a Linksys WRT3200ACM.
I can't wrap my head around where to start. Reading up on the topic it seems like VLANs are tied to the physical ports. But most of my devices are wifi only.
What I want to achieve
Ideally one SSID (I can create multiple SSIDs, but it would be great to be able to keep the existing config on all devices)
Separate VLANs. Examples of categories:
1.0 User-devices, like PCs/tablets/phones
1.1 IOT devices that require internet access (they shouldn’t be able to connect to my network devices by themselves)
1.2 IOT devices that require internet access and access to my LAN (maybe even specific devices in my LAN)
1.3 IOT devices that require LAN access but not internet access
1.4 Chromecasts and Apple TV
1.5 Homey - my IOT hub
1.6 Guest devices (maybe separate SSID for this one)
1.7 (other groups I might come up with)
Not necessarily. You can have a separated wireless interface without ties to physical ports.
In fact you may as well not use VLANs at all. Check this guide and adapt it to your needs. Masquerading in the lan zone will not be needed. Also forwarding from the lan to the iot zone may not be necessary.
@trendy if you have an IoT environment running on a separate SSID, would you care to share the details here? I already have a Guest WLAN thanks to that guide you linked but I would like some more detail on how to filter traffic from devices that I whitelist from the rest.
Let me elaborate a bit on what I have in mind. I have my main SSID and I plan to rotate the WPA2 key often. However I can contemplate doing that as well with my IoT SSID (a 2.4 GHz SSID because IoT devices are mainly 2.4 GHz compatible) because re-onboarding these devices is a pain in the neck.
What I had in mind is: I create static DHCP records for my IoT devices and filter out anything other than those whitelisted devices from accessing my LAN. This is by no means as secure as EAP-TLS or other modern security approaches, but these devices really limit what one can do with those.
I think it makes more sense not to allow overall forwarding from iot to lan. If you need to, allow only specific devices. You can filter by MAC, so they don't have to have a static DHCP lease, but it doesn't hurt anyway.
I’m running Home Assistant as my home automation platform, and if I intend to command these IoT devices from my automation hub, I really need to be able to reach them from the LAN. Maybe I could even explore denying any communication not initiated from the LAN, but I must enable communication between the two I’m afraid.
If the initiator of the communication is in lan, then a lan->iot forwarding only will be enough. Or the Home Assistant IP only to the iot if you are too paranoid.
With this comment you mean, just don't add lan -> iot interface/subnet zone rules in the firewall, and also don't add iot -> lan?
Or do I need to do something actively?
By default traffic will be denied, so if you don't allow a global zone forwarding to another zone or a specific forwarding of a host or two with a rule, then nothing will be allowed.
That was my guess, thank you.
So if I have firewall zone settings "general settings" with input accept, output accept, forwarding reject, and no specific rules to allow traffic, it's not allowed?
The general settings apply to interfaces which don't belong to a zone.
For interfaces which belong to a zone, the zone settings apply.
Inter-zone forwarding is denied, so you need to create forwardings for each and every one.
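As an added illustration of the zone layout trendy describes above (lan -> iot forwarding, or only the Home Assistant host, and default deny for everything else), here is an `/etc/config/firewall` fragment. This is example configuration written for this thread, not something posted by any participant; it assumes a network interface already named `iot` carrying the IoT SSID, and the Home Assistant address `192.168.1.10` and the MAC `AA:BB:CC:DD:EE:FF` are constructed placeholders.

```uci
# Zone for the IoT SSID: nothing is forwarded unless a forwarding or rule below allows it.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let IoT devices reach the router only for DHCP and DNS (input is REJECT otherwise).
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Devices that need internet: zone forwarding iot -> wan. Drop this section
# for a zone that must stay offline.
config forwarding
	option src 'iot'
	option dest 'wan'

# Option A: the whole lan may initiate connections to iot (replies are allowed by
# connection tracking, but iot can still not initiate anything towards lan).
config forwarding
	option src 'lan'
	option dest 'iot'

# Option B (instead of the forwarding above): only the Home Assistant host may reach iot.
# config rule
# 	option name 'Allow-HA-to-IoT'
# 	option src 'lan'
# 	option src_ip '192.168.1.10'
# 	option dest 'iot'
# 	option target 'ACCEPT'

# One whitelisted IoT device that genuinely needs to initiate traffic to the lan,
# matched by MAC as suggested above, rather than an iot -> lan zone forwarding.
config rule
	option name 'Allow-IoT-hub-to-LAN'
	option src 'iot'
	option src_mac 'AA:BB:CC:DD:EE:FF'
	option dest 'lan'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart` after editing; because the lan zone is left untouched, LuCI stays reachable from the lan while you test.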
Hi @trendy, bringing up this old thread because I never managed to feel confident enough to apply the changes, because I always feared I could lock myself out of my network. Would you mind walking me through the different steps needed to accomplish what you suggest? Or could you possibly point me in the right direction?
My current situation is I dedicated the default 2.4 GHz network to hosting my IoT devices and I would love to apply the required filtering to ensure proper isolation.
The lan firewall zone allows by default access to wan (the internet) and the device. As long as you don't change anything there, you can experiment with other zones without losing access to the device.
I finally jumped the gun and I'm very happy because I believe I've managed to create a Guest and an IoT network. I'm looking for somebody who can do a sanity check on what I've done. Thanks a million!!