Creating a guest network for stupid IoT devices that need UPnP

Hi gang. I have a WRT3200ACM running 19.07. My primary use for OpenWrt is to have this router use the OpenVPN client to connect to my VPN provider, on a kill switch, so any connected devices are always behind VPN. I also have 8 or 10 gigabit ethernet ports in my house that run to this router (over a separate unmanaged switch).

Now, I have some appliances and stuff that hook on to my home wifi, which I can control with my phone. They work great! Except for a few troublemakers -- I'm looking at you, damned Mysa thermostats (previous thread on opening firewall for these). These things require 2.4 GHz and UPnP, meaning they poke holes all over the firewall. I've not had success opening the specific ports they need on the firewall (and in the VPN connection). I think it's a combination of me not really knowing what I'm doing, the WRT3200ACM wireless being a little flakey, and the router being unable reliably to run anything newer than an ancient 19.07 build. So whenever I need to do any configuration on these Mysa thermostats, I have to switch to the stock Linksys boot partition, then they connect to this just great; then configure them, and reboot the WRT3200ACM back to the OpenWrt partition, whereupon the Mysa thermostats fall away, but it's OK because I don't need to do much with them.

I'm trying to come at it from a few different angles.

One idea I had was maybe I can make a guest network. It will be insecure as hell -- kind of like a stock router: it won't be tunneled through my OpenVPN client connection, it won't have any fancy firewall rules, and it will have UPnP so that my IoT devices can just wreak havoc on it. This insecure guest network will also be isolated and unconnected to my LAN and my second, 'secure' wifi network. If I have to, I think I can sacrifice the 2.4 GHz radio for this guest network, and use a different SSID for the 5 GHz radio so that my laptops, phones, and other devices I care about having a secure connection just connect to this.

Another idea I had was to buy a new router that supports a more modern build of OpenWrt. Maybe the newer versions of OpenWrt work better for opening holes in the VPN and firewall for a few select devices. Or maybe not, but I could revert the WRT3200 to its stock Linksys firmware with UPnP and no VPN, disable its 5 GHz radio, and just have my IoT devices connect to it on 2.4 GHz ... and then use the new router for 5 GHz only and have all the other devices whose security I care about connect to this.

Is this crazy talk? Are any of these ideas worth pursuing? Please let me know what you think!

Functionally speaking, there is not really much of a difference between 19.07.x and 21.02.x to achieve this behavior, but given that you're pretty much starting fresh from a rather simplistic configuration to a pretty complex one, it does indeed make sense to switch to 21.02.x now, before spending a lot of time on ironing out the details (presumably UPnP and igdv1 vs igdv2 is also easier to work with in 21.02.x). 21.02.x changes from swconfig based switch configurations to DSA on your device, changing the networking configuration quite considerably, so give it a try.


Sorry, are you suggesting installing 21.02.x on my WRT3200ACM? Or trying a new router entirely?

My understanding from some posts here is that the 21.02.x release, and in fact any release newer than 19.07, results in an inconsistently unstable WRT3200ACM router. I would rather have a stable router and no Mysa thermostats than a flakey router. For example, "Wireless is unstable on OpenWrt 21.02.0-rc3. Wi-Fi client does not disconnect but it won't receive/transmit any data for a minute or so. This happens regularly. I had no issues with OpenWrt 19.07.7" from this old thread. And there are some intermittent issues here about the web interface stopping responding after some time, WPA3 networks stopping (I don't even know what that is, but it sounds not fun), "can't create an unencrypted guest network on radio1", "Two out of three Android OnePlus phones cannot keep connection to the 5GHz network anymore".

So I dunno. I worry if I upgrade the old WRT3200 to the latest firmware just to try and hack holes into the VPN and Firewall for my stupid Mysa thermostats, they will continue not to work AND in addition, a lot of other stuff also won't work.

Disclaimer: I don't own the wrt3200acm, nor any other mvebu/ mwlwifi device, and never did. So I can't provide stability comparisons between different OpenWrt versions on this hardware.

To my understanding, the only "instability" (in the sense of crashing) with this hardware gets introduced if you enable WPA3 or IEEE802.11w, but you couldn't (successfully) do this in previous versions either. The only difference is WPA3 now being selectable in a default image, making this driver/ firmware deficiency obvious to more of its users.

WiFi interoperability and reliability is another topic, a big one that has plagued this platform from day one - with varying effects and impact. Yes, there are voices claiming that the current driver/ firmware combination is worse than the state in 19.07.x, but we don't have actionable reports to come to an actionable conclusion. The updated firmware was requested by some of its users - and at least those don't seem to complain. Neither are there back-to-back tests using current OpenWrt (21.02.x or master) in combination with those older firmwares, so coming to a definitive conclusion hasn't been possible so far.
Meaning, you will have to test this in your environment (and ideally report your findings). At least the different firmware images can easily be replaced at runtime, allowing you to test the different versions (the -very minor- driver changes less easily, as they require rebuilding custom OpenWrt images) - but someone has to do this, if changes are desired.
tl;dr: the wireless situation is unclear, no way around testing it yourself.

19.07.x is just about to be EOLed and 21.02.x introduces quite major syntax changes for the switch configuration. While this aspect is orthogonal to your stated issues, I -very personally- would prefer to migrate early and be done with it, rather than doing it now with swconfig in mind, and having to start all over again in a couple of weeks/ months to get it migrated to DSA and 21.02.x.
This is obviously a matter of personal opinions.

Now back to the differences that directly affect your issues: I have no idea if your Mysa thermostats require the IGDv2 or IGDv1 protocol for UPnP. The problem at hand: 19.07.x only offers the contemporary IGDv2 (while many proprietary devices still require IGDv1), whereas with 21.02.x you can choose between miniupnpd (IGDv2) and miniupnpd-igdv1 (unsurprisingly, IGDv1).


OpenVPN client plus UPnP sounds like trouble... If you can, I would definitely try to create a separate network for those devices.

I wonder, is it possible to have, on a single OpenWrt router:

  • a guest network with its own SSID, which does not utilize the OpenVPN client, and which does have a UPnP client. Use of 5 GHz is not essential. Use of 2.4 GHz is essential.

  • a secure network with its own SSID, which DOES utilize OpenVPN client tunneling. Use of 5 GHz is essential. Use of the 2.4 GHz radio is not essential.

That seems like it would solve the problem rather nicely, but I'm not sure if one can slice-and-dice the router services that cleanly.

Thanks for the candor and I agree that, while there is a lot of speculation that 21.02.x doesn't work right on WRT3200ACM, so far it seems people reporting these issues either disappear, fix themselves when someone says "that's a known issue, switch XX off", or the issue compounds with something else that makes it impossible to isolate the root cause to 21.02.x.

I'd like to see if it is possible to create a guest network for my stupid IoT devices (per my other post in this thread just now), and get some pointers on the jargon and tutorials I can grok to go this route. Then, it makes sense to update to the latest firmware and just try it out and see if it works. Maybe it will, maybe it won't. If it doesn't, I'll probably have some juicy bugs to report on a clean install on a popular router, which would only help the cause.

I guess you will want to completely secure your main network, so absolutely all traffic goes through the VPN. That is usually achieved by blocking all outgoing traffic, except the connection to the VPN server.

However, you will also need direct communication from the IoT to the internet, thus not all traffic has to go through the VPN. This makes the whole configuration more complex and prone to errors.

I am not saying it is not possible, just a bit scary.

I would do the upgrade as I did and solve problems from there (if for no other reason than that the hard working devs can't be expected to support old FW on a permanent basis).
For reasons well known and discussed, the WiFi driver has always been a bit flakey on this target.
I improved matters by writing the final two lines into /etc/config/wireless:


config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
       .
       .
        option disassoc_low_ack '0'
        option max_inactivity '43200'

Other than that, 21.02 runs entirely solidly. The other option is to get an enterprise grade WiFi access point. You can get a secondhand Draytek AP900 really cheaply on eBay.

Just split your networks and set up PBR:
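A worked example of the split asked about earlier in the thread (a 2.4 GHz guest SSID outside the tunnel with UPnP, and the main LAN allowed out only through the VPN) combined with the PBR suggestion in this post. This is an added example, not configuration from any poster or from the OpenWrt project; it assumes 21.02-style UCI, an OpenVPN client interface named `vpn` on `tun0`, `radio0` being the 2.4 GHz radio, a guest subnet of 192.168.2.0/24, and the `pbr` package with its `config policy` / `option interface` syntax (check `/etc/config/pbr` on your build). All names, the SSID and the passphrase are placeholders.

```uci
# /etc/config/network -- guest bridge, guest interface and the tunnel interface
config device
        option name 'br-guest'
        option type 'bridge'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'vpn'          # OpenVPN client interface (assumed name/device)
        option proto 'none'
        option device 'tun0'

# /etc/config/wireless -- guest SSID on the 2.4 GHz radio (assumed to be radio0)
config wifi-iface 'wifinet_guest'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'iot-guest'
        option encryption 'psk2'
        option key 'CHANGE-ME-long-random-passphrase'

# /etc/config/dhcp -- address pool for the guest subnet
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

# /etc/config/firewall -- zones decide where traffic may go.
# guest may only reach wan; lan may only reach the vpn zone (the kill switch).
# Delete the stock "config forwarding" from lan to wan so lan can never bypass the tunnel.
config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule                     # guest hosts still need DHCP and DNS from the router
        option name 'guest-dhcp-dns'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule                     # let guest hosts discover and talk to miniupnpd
        option name 'guest-upnp'    # (SSDP udp/1900, HTTP port matching upnpd 'port')
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '1900 5000'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        list network 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding               # the only way out for lan
        option src 'lan'
        option dest 'vpn'

# /etc/config/upnpd -- miniupnpd answers only on the guest side; secure_mode lets
# a device map ports only to its own address, not to other hosts.
config upnpd 'config'
        option enabled '1'
        option enable_upnp '1'
        option enable_natpmp '1'
        option external_iface 'wan'
        option internal_iface 'guest'
        option secure_mode '1'
        option port '5000'

# /etc/config/pbr -- policy routing: the guest subnet leaves via wan even while the
# OpenVPN client owns the default route (option names per the pbr package; assumption)
config pbr 'config'
        option enabled '1'

config policy
        option name 'guest-bypasses-vpn'
        option src_addr '192.168.2.0/24'
        option interface 'wan'
```

After editing, `uci commit` and restart network, firewall, miniupnpd and pbr. Two checks are worth doing: `ip rule` should show the pbr rule for 192.168.2.0/24, and with the OpenVPN client stopped a LAN host should get no replies from the internet at all while a guest-side device still works, which is what confirms that the firewall zones, not the routing table, are what enforce the kill switch.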

Please help me understand a little better: Is the idea here to create a guest network for my IoT devices, which does not pass traffic through my WireGuard VPN client, and does have a UPnP server to allow these IoT devices to poke their own firewall holes as they see fit?
