I would like to get some advice from you for creating a dedicated wireless network for IoT devices.
The current state:
In my home network I have several OpenWrt access points and each of them provides a wireless network bridged to my wired network. Among the internet gateway and other devices there is also an infrastructure server (providing DHCP, DNS, MQTT, ...) and a home automation server connected to the wired network. All wired devices are connected via unmanaged switches.
What I want to achieve:
All IoT devices should be moved to their own wireless network with the following requirements:
All devices must be able to reach selected services on the infrastructure and home automation servers.
All devices must be reachable from the wired network.
Some of the devices must be able to access the internet.
The access point a device connects to must not matter.
DHCP static lease configuration should be done on the infrastructure server.
Devices should not see each other.
Since the access point a device connects to might vary I cannot just create separated/isolated wireless networks on all access points with static routes on the gateway. I also thought about adding a separate subnet for the IoT networks, bridging them to the wired network and firewalling them on the access points but I'm not sure how this could be done.
If IoT needs to access the server and vice versa, then why do you need to have separate APs?
Just use a bunch of APs with SSID roaming, turn on AP isolation so that wireless devices don't see each other, and then control your firewall to limit which ones can surf the internet. Isn't this enough?
The main router / internet gateway is a FRITZ!Box 7590 which should be VLAN-capable (but why is this relevant?).
@fakemanhk, I'm not sure if I understand you correctly, I don't want to have separate access points. All access points shown in the diagram above should provide both the private and the IoT wireless networks (same SSID so roaming is possible, i.e. the "IoT" and "private" SSIDs must be available on all access points). I just don't know how to configure the access points so the IoT WiFi clients are part of the "wired" network (necessary for DHCP and routing regardless of the access point the device is connected to) while enforcing the mentioned restrictions at the same time.
As I wrote above, a maybe naive approach would be to assign a dedicated subnet to the IoT devices, bridge the IoT WiFi interface to the wired network (like the private one) and add subnet-based firewall rules - but I don't know if this is possible at all, at least I couldn't figure out how.
I'm doing something vaguely similar to this (but more complex). If you really want to separate your private and IoT networks, you're going to need to do this at both layer 2 and layer 3. You'll need to have 2 different VLANs, with your private and IoT SSIDs associated (aka bridged) to the respective VLANs/networks (irrelevant whether or not they're wired or wireless), and your router (in your case the fritzbox?) providing:
2 different DHCP ranges for the networks (one for each)
routing between the 2 different networks,
firewall defining which traffic from which network is permitted to which destination.
Alas, you can do this with "dumb" switches, which are vlan agnostic, but you're going to have to "unpack" the encapsulated VLAN packets somewhere before they can be routed at layer 3.
I don't really have much idea how this works on the FB.
I ask because the best way to achieve this goal is to set up a new network (as a VLAN) on the main router so that all the routing happens there, and then treat all the others as dumb APs. However...
Because you can't set up VLANs here, you'll have to do this on one of your OpenWrt devices. For this, you'll need to consider some options:
Replace your unmanaged switch with a managed one
Connect all of the APs together directly such that the unmanaged switches are not involved in this path (you can still use the unmanaged switches for other devices, but that needs to be planned out a bit differently).
If option 2 is physically possible, you could, for example, connect all 3 of the lower APs to the top most one and reconfigure the wiring such that you can still connect your devices.
Some of your requirements will be tricky to meet based on the fact that your main router doesn't support VLANs and that you are using unmanaged switches... if some of those requirements are negotiable, you'll find that there is a bit more flexibility.
Seems like my quick VLAN-research on the FB was wrong. I have no VLAN-experience at all so far. Thanks for your feedback.
What if the infrastructure system (Linux) takes over the unpacking and routing? In other words, can I set up a tagged VLAN for the IoT network between IS and all APs, route it on the IS and leave the rest of the private network untouched?
I don't want to add VLAN-configuration to any other device besides APs and IS and I also don't want to replace my switches for this. Rewiring is also not an option. If it doesn't work like this I think I'll forget about IoT roaming, then it's easy.
What you describe is not easy, but is plausible if you are experienced in using the routing features in linux (they exist in most distros, but are considerably harder to configure in a non-router-optimized environment). You’d also likely need to be able to set static routes on your main fritz router, and you’re still going to need a managed switch.
If you’re not willing or able to replace the switches, you’re probably not going to get a reliably functioning network. And if you can’t reconfigure some of the wiring, similarly you won’t be able to achieve the goal. Therefore, you may need to abandon this until you are able to change these things.
I did something similar to what you want and described it here.
The screenshots might not be 100% accurate anymore and note this is without DSA.
What I basically did was make 2 VLANs and assigned them to separate subnets, then with the firewall allow the main net to contact the guest net (once contacted they obviously can reply, but cannot initiate). I think this is what you want.
As already stated, I hope the unmanaged switch passes through the VLAN tags...
Oh, if you want some to connect to the internet and others not, then the easiest is to make 3 VLANs where on one you don't allow forwarding to the internet. You could also block specific IPs but then you've got to keep track.
The first two points are clear and not a problem, but why do you think I still need a managed switch?
Seems like this is possible, at least on the TP-Link TL-WR710N v1 and D-Link DIR-505 devices. On those access points I just created a new VLAN device eth0.10 and a new bridge device br-iot bridging eth0.10 with the IoT wireless network. On the IS I also created a VLAN device and added a new IoT subnet to the DHCP. With this setup in place a wireless client connected to the IoT network was assigned an IP from the IS DHCP and was able to reach it. So it seems like my unmanaged switches pass VLAN-tagged packets. The original private network setup is untouched, both networks run in parallel over the same port and wire (which is what I wanted). Is anything wrong with this setup?
The problem I still have is that I couldn't manage to set it up in the same way on a TP-Link Archer C7 v5. It has a Switch menu beneath Network and already two "switch VLANs" eth0.1 and eth0.2 defined:
Unlike the other APs adding another eth0.10 software VLAN device does not work here, the IS and the other APs are still not reachable via the IoT subnet then. What am I missing here?
Because you have stated that you want the IoT network on multiple APs and that you cannot reconfigure the wiring -- it will continue to go through the switch. Since you will need to send the IoT network using 802.1q tags (i.e. VLANs), you need a managed switch to do this.
The reason for the managed switch requirement is simple: the behavior of tagged ethernet frames through an unmanaged switch is undefined, and the actual real-world behaviors are entirely dependent on the chips used inside the switch. Some unmanaged switches will actually work just fine, but others may not work and/or may cause major network issues. Further, you cannot configure the switch on a per-port basis, so this can cause other issues in some situations.
Per my description above... unmanaged switches are not designed to carry tagged networks. If it is working, that's great. But I wouldn't recommend this setup, as it could have edge cases and odd failure modes. Earlier, I said that you cannot guarantee a reliable network when using an unmanaged switch with VLANs.
I'd have to see the text config to understand what is going on... VLANs on that device should theoretically work. My concern is about your unmanaged switches.
Regarding the IS -- do you want it on the IoT network or on the main LAN? If the latter -- you just need to set up appropriate firewall rules on the router that is responsible for the IoT network (and maybe on the IS, too). If you want it on the IoT network.... well, that's another reason you may need a managed switch -- you need to be able to untag the IoT network (unless your IS is VLAN aware -- you could configure that interface accordingly on the IS itself). But, another possible issue is that the switch inside the Fritzbox may not support passing VLAN tags (it certainly cannot untag them).
Ok, understood. I still want to give it a try before exchanging hardware (at least if I manage to set up the C7) but I'll keep that in mind in case of odd failures. Thanks.
The IS should be the router between the IoT and the main network. As I wrote above I created a VLAN device on it and can communicate with the APs (except for C7 of course) and the wireless IoT clients through it without issues so far. This tells me that all my switches, including the FB switch since the IS is connected to it, pass VLAN-tagged packets. Maybe not "reliable" but that's another topic.
The only problem currently is the C7 configuration.
eth0.1 and eth0.2 should not be bridged together. What was the intent here? Do you want to use the wan port as 'just another port'?
Usually there is only one network that will be associated with an address (typically your lan or management network). So, eth0.10 is fine, but I'd recommend making it proto none. But the bigger issue is that it isn't assigned on the switch. I'd recommend making it like this:
# VLAN 10 leaves the switch tagged on the CPU port (0) and on logical port 2
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 2t'
	option vid '10'

# bridge that carries the VLAN subinterface; the IoT SSID gets attached to this network
config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.10'

# the AP itself needs no address here, IoT traffic is only bridged through
config interface 'iot'
	option proto 'none'
	option device 'br-iot'
In the above example, I have placed VLAN10 on logical port 2 as a tagged network. Logical port 2 will likely be one of the 4 LAN ports (although I don't know which one offhand).
If you want all of the ports to operate as a switch, it's quite simple to do... as you already know logical port 1 is the wan port and 2-5 are the lan ports. 0 is the CPU. Let me know if you need any help doing that (just make sure that you don't have any given port setup as untagged in more than one vlan).
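As an added example (not posted by anyone in the thread), a small checker for the two swconfig rules stated in the last replies: every switch_vlan must carry the CPU port tagged, and no physical port may be untagged in more than one VLAN. The sample config and the port roles (0 = CPU, 1 = WAN, 2-5 = LAN) are constructed from the numbers quoted above and are assumptions about the Archer C7 v5.

```python
import re

# Constructed sample (not from the thread): Archer C7 v5 swconfig VLANs with the default
# LAN (vid 1) and WAN (vid 2) plus the tagged IoT VLAN 10; port roles are assumptions.
SAMPLE_SWITCH_CONFIG = """config switch_vlan
	option vlan '1'
	option ports '0t 2 3 4 5'
	option vid '1'
config switch_vlan
	option vlan '2'
	option ports '0t 1'
	option vid '2'
config switch_vlan
	option vlan '3'
	option ports '0t 2t'
	option vid '10'
"""

def parse_switch_vlans(text):
    """Return [{'vid': int, 'ports': {port: is_tagged}}] for each switch_vlan section."""
    vlans, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            current = {"vid": None, "ports": {}} if line.split()[1] == "switch_vlan" else None
            if current is not None:
                vlans.append(current)
        elif current is not None:
            m = re.match(r"option\s+(vid|ports)\s+'([^']*)'", line)
            if m and m.group(1) == "vid":
                current["vid"] = int(m.group(2))
            elif m:  # 'Nt' marks a tagged member, bare 'N' an untagged one
                for tok in m.group(2).split():
                    current["ports"][int(tok.rstrip("t"))] = tok.endswith("t")
    return vlans

def check_switch_vlans(text, cpu_port=0):
    """Return problem strings; an empty list means the VLAN layout is consistent."""
    problems, untagged_owner = [], {}
    for v in parse_switch_vlans(text):
        vid = v["vid"]
        # every VLAN must reach the CPU tagged, otherwise eth0.<vid> never sees its frames
        if v["ports"].get(cpu_port) is not True:
            problems.append(f"vid {vid}: CPU port {cpu_port} must be a tagged member")
        for port, tagged in v["ports"].items():
            if not tagged and port in untagged_owner:
                problems.append(f"port {port} untagged in vid {untagged_owner[port]} and vid {vid}")
            elif not tagged:
                untagged_owner[port] = vid
    return problems
```

Run it against the text of /etc/config/network before committing a switch change; a non-empty result points at the VLAN and port that would conflict.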