Device Internet access only

dmark · February 27, 2024, 9:59pm

Would like to restrict a device to only internet access (no lan)
Can this be done without vlan implementation?
Thanks

papagirafe · February 27, 2024, 10:22pm

Would the access of this device to the openwrt router be via ethernet or wifi?
update: firewall/traffic rules should do the trick. You may filter based on mac address

dmark · February 27, 2024, 11:13pm

wifi (but what difference does it make, it's the same subnet)

psherman · February 27, 2024, 11:19pm

Firewall rules cannot block lan access unless the device is on a different subnet.

@dmark - you can create a guest network for this device -- regardless of the name (guest vs iot, etc.) this will achieve the goal you have in mind.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

papagirafe · February 27, 2024, 11:22pm

At some point during experimentations, I used a separate SSID for a mangement probe to access the router configuration in case I messed up. This access was on a separate Interface (device=radio device) in a different firewall zone and it had no access to the lan. All that was missing is to allow forward to the WAN zone.

Looks like the traffic rule would not work. I learned something new here!

dmark · February 27, 2024, 11:23pm

I use a dumb AP for wifi

psherman · February 27, 2024, 11:25pm

in that case, you can setup a dumb AP with guest wifi, or you can set this up on your main router (assuming it supports VLANs -- if it's openwrt, it will).

https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

papagirafe · February 27, 2024, 11:27pm

Thanks for correcting me!

dmark · February 27, 2024, 11:34pm

At the moment I use a tp link device and for what I know in AP mode guest wifi doesn't work.
Can this be done by flashing openwrt on the tp link and creating a separate subnet with dhcp for the guest wifi ssid or any other ssid (ex: 192.168.2.x), and leaving the lan subnet with it's dhcp on the router (ex:192.168.1.x)?

psherman · February 27, 2024, 11:36pm

Yes.... assuming your TP-Link device is supported on OpenWrt, that will work well.

Or, if your TP-link AP supports VLANs and multiple SSIDs (i.e. if it is a purpose built AP, not an all-in-one wifi router), you can do this with VLANs on the main router.

What device is this?

dmark · February 27, 2024, 11:40pm

The whole point was to somehow avoid using vlans
The thing is my LAN is connected thru this dumb AP (using it is a switch) and I'm not sure if in this case the guest wifi could be configured.

psherman · February 27, 2024, 11:43pm

Why do you specifically want to avoid VLANs? Your router supports them and they're easy to setup.
(the short answer to the question is that no, aside from a guest network on your dumb AP, you cannot do what you've asked wtithout VLANs).

What is the dumb AP? (what model)

dmark · February 27, 2024, 11:53pm

It's a tp link which can be flashed with openwrt.
So theoretically this would work if I would to add another switch between the router and AP?
AP could be setup with a main ssid (same subnet as LAN) and a guest ssid with a different subnet with it's own dhcp, and just use the remaining ports of my switch between the router and AP for the other devices which are connected thru cable?

(192.168.1.x)----> dumb ap 2 ssid's (1 with lan subnet 192.168.1.x with dhcp from router, and second ssid (guest) with subnet 192.168.2.x dhcp on AP and the remaining ports on the AP could be connected to other LAN (192.168.1.x) devices thru cable.

Second option is to add another switch between the router - AP

psherman · February 28, 2024, 12:01am

What is "this" (above) referring to? The VLANs on the main router, or the guest wifi on a dumb AP?

For the former, assuming you use a managed switch, yes. Do not use unmanaged switches in the context of VLANs.
For the latter, a switch would have no impact.

But why will you be adding another switch? Is this a question for planning additional port capacity now or in the future? For the goal at hand, it is not necessary to add another switch.

Yup. This is the dumb AP configuration.

Yes. This would be either the guest wifi on a dumb AP config, or a VLAN based approach with a dumb AP and multiple SSIDs.

Sure... the extra ports can be assigned however you want in both the VLAN + dumb AP config or the guest wifi on a dumb AP setup.

dmark · February 28, 2024, 12:08am

Let's put aside the vlan's for a moment.
So, as far as I understand If I where to flash openwrt on the tp link I could create 2 ssid's, 1 for LAN (same subnet as router) and a 2nd one for guest (different as LAN subnet with it's own dhcp) ?

psherman · February 28, 2024, 12:09am

Yes, that is correct. That is the guest wifi on a dumb AP configuration that I linked earlier.

dmark · February 28, 2024, 12:11am

Then why using vlan's in this context if I could just separate my IOT devices from the LAN subnet with the guest wifi and use the remaining ports on my AP for devices which are connected by cable to the LAN subnet.

That means that the guest wifi would not be isolated from the LAN subnet on the AP even if I set it up.
There's a reason why on the factory firmware the guest wifi is not working in AP mode as it is not working on layer 3.
Maybe this is the misunderstanding on my end, thinking that with openwrt in AP mode a guest wifi device would be isolated from the other ssid devices and LAN.

psherman · February 28, 2024, 12:23am

I'm not entirely certain that I understand your most recent question -- let me know if I've missed it...

Why use VLANs vs guest wifi on a dumb AP?

VLANs
- are extensible to service multiple APs (should that be a need now or in the future) as well as devices that may be ethernet connected (now or in the future).
- when implemented on the main router, allow easier administration of the network routing and firewall rules. The configuration of downstream devices (managed switches, APs) is easier as they are really just 'dumb' devices. This also means that there are fewer chances for misconfigurations.
Guest wifi on a dumb AP
- easy to setup on an OpenWrt device when there is just a single AP (or at least only one needed for this purpose) and no ethernet required
- useful when the upstream/main router is not capable of VLANs (such as ISP or other consumer routers not running OpenWrt or other advanced firmware).
- Also useful when other infrastructure doesn't support VLANs (i.e. unmanaged switches between the main router an the AP).

The networks can be properly isolated in either configuration, as long as you follow the guides (or our instructions in forum discussions).

For a guest network to function, there needs to be some layer 3 (routing) somewhere. Some vendor firmware will use other tricks to setup a guest network that is isolated, but the best way is simply to setup another subnet and the requisite firewall rules.

As I said above, if you're running OpenWrt, this is easy (VLANs and/or guest wifi + dumb AP)... it's a function of setting up a new subnet and the firewall rules to isolate them.

dmark · February 28, 2024, 12:28am

Thanks alot for your feedback/reply.
My goal is to isolate some (wifi) IOT devices from the main LAN subnet.
I guess in this case the only solution would be setting up vlan's on both the router and AP.

psherman · February 28, 2024, 12:37am

It's not the only solution, but it is the one I'd recommend. The guest wifi on a dumb AP would work, too.

In either case, you need to have OpenWrt or another firmware that supports multiple SSIDs associated with different networks on that AP. You didn't say what model TP-Link AP you're using, but if it is a consumer model (vs business), it will almost certainly not support what you need with the stock firmware.