Creating an isolated zone for IoT devices

I created a seperate zone to IoT devices. The intention is that

  • IoT devices can only talk out to the internet.
  • They should not be able to initiate connections into the rest of the lan (zone name is trusted in my case).
  • the other devices in the trusted zone should be able to connect to IoT devices.

Currently I have the following zone setup:

It looks like traffic flows from trusted > IoT but not back. Any ideas on how to solve this?

I'm presuming that each zone needs to have conntrack=1 to enable flow state monitoring and know whether return traffic is allowed back into the source zone. Is this a correct assumption?

My "modem" zone has some similarities to your scenario and I solved it with masquerading.
Could that be a solution for you too?

Where are your inter-zone rules?

@iuncuim they are all in the same file. Here's the section that should enable this afaik.

@aboaboit I did try throwing the masq setting into the zone. But ideally I'd like to maintain a flat IP space than have NAT between zones.

1 Like

Thing is, masquerading also saves you from having to tell IoT devices about routing back to the originating network.

Let me guess: any one of these devices has a default gw and nothing more, right? In this case, what is the routing table like on your router?

1 Like

the interesting devices are br-trusted and br-iot.

root@w16gw:~# ip r s
default via dev eth0.4 proto static src dev wg0 proto kernel scope link src dev wg0 proto static scope link dev wg0 proto static scope link dev wg0 proto static scope link dev wg0 proto static scope link dev wg0 proto static scope link dev br-iot proto kernel scope link src dev wg0 proto static scope link dev br-trusted proto kernel scope link src dev br-notrust proto kernel scope link src dev eth0.4 proto kernel scope link src dev ffvpn proto kernel scope link src 

Uhm, in my case both the "modem" (aka your "IOT") and the lan ("trusted") are /24 but I don't think this is the issue. The gateway for the IOT devices is, right?

I might try to replicate your scenario on my guest lan, for the sake of curiosity.

@aboaboit correct: the IoT gateway is setup to be Am I correct to assume that I define the two zones then I would define forwarding rules between them?

So the following

    uci add    firewall  forwarding
    uci set    firewall.@forwarding[-1]=forwarding
    uci set    firewall.@forwarding[-1].src='trusted'
    uci set    firewall.@forwarding[-1].dest='iot'
    uci commit firewall.@forwarding[-1]

is saying "allow traffic from Trusted to IOT, and allow return traffic if there is a session / flow setup?

I'm not sure I understand why you use "uci" directly instead of files under /etc/config but let's say my "lan" is like your "trusted" network (minus an input drop, I'd say) and my "guest" is your "iot". I did this way instead of using the "modem" zone since in that case the router is a DHCP client and I didn't want to mess with that.

All I had to do to get it to work is add "guest" to the allowed target zones for the "lan" firewall zone: placing my laptop in the "guest" wifi, I can ping it from my desktop in the "lan" zone but I can't ping it back. "w" on my laptop shows the real address of the desktop when I login via ssh, not the router (just to confirm that it is not masqueraded).

Here are the relevant bits:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'REJECT'

config zone                                     
        option input 'ACCEPT'                   
        option forward 'REJECT'                 
        option output 'ACCEPT'                  
        option name 'guest'                     
        option network 'guest' 

config forwarding                                  
        option dest 'wan'                          
        option src 'guest' 

config forwarding                               
        option dest 'guest'                     
        option src 'lan' dev br-lan scope link  src dev br-guest scope link  src

Try this setup, it should work.