I know this has been discussed several times in other places, but it seems the config has changed slightly, so none of the tutorials online fit exactly anymore. Anyway, this is complicated and I have a hard time wrapping my head around it.
I would be very grateful if someone could help me set this up.
Here is my setup and what I am aiming to do:
GUEST should be able to access the internet but nothing else
IOT should be accessible from LAN
The host HASS (Home Assistant) in IOT should be able to access all other hosts in IOT; the other hosts should only be able to talk to HASS via MQTT on one specific port (1883)
IOT should not be able to access anything else (WAN, LAN, GUEST)
Questions:
Do I need to create VLANs, or could the same be done with IOT as a "guest network"? Apparently yes - answered by @psherman below
How would my config need to look (see current config below)?
I have a fairly complex home network; the current /etc/config/network looks like this:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:6410:07a0::/48'

# main LAN, bridged over all five switch ports
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6ifaceid 'eui64'
	option ip6addr 'fe80::1'

# upstream on eth2
config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option hostname 'turris'
	option ipv6 '1'

# Turris guest network: its bridge currently has no wired ports
config interface 'guest_turris'
	option enabled '1'
	option proto 'static'
	option device 'br-guest-turris'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config device 'br_guest_turris'
	option name 'br-guest-turris'
	option type 'bridge'
	option bridge_empty '1'

config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config device 'dev_wan'
	option name 'eth2'

# WireGuard server for remote access
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.10.10.1/24'
	option private_key 'redacted'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

# WireGuard peer
config wireguard_wg0
	option description 'phone'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.2/32'
	option public_key 'redacted'
	option private_key 'redacted'

# IOT network: bridge exists but has no wired ports yet
config device
	option bridge_empty '1'
	option type 'bridge'
	option name 'br-iot'

config interface 'iot'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
If I understand correctly, I need to 'tag' the traffic on the respective LAN port (i.e. lan4) and then configure the dumb APs and the router to tag packets according to interface?
Thanks a lot for your help - happy to provide more detail on the network etc.
If the switch is not managed, could you consider replacing it?
How many Ethernet ports does the switch have? (If there are only a few, it is better to convert an old router: install OpenWrt on it and turn it into a managed switch.)
The biggest problem is that unmanaged switches behave anomalously with mixed Ethernet frames (tagged and untagged).
So the first step is creating the VLANs on the switch and on router 2 (I recommend having only tagged traffic between the switch and router 2 and between the switch and the dumb APs).
PS: be careful, you may find that you no longer have access to router 2 (in this example I created VLANs for the three required zones).
For this reason I warned him and went on to give him the solution on how not to lock himself out initially, once he has created the VLANs on router 2 and on the switch.
I am of another opinion, to be frank: VLANs are very static. You dedicate a particular port, and if you forget about that after a while and make changes to your router setup/infrastructure, you may spend hours investigating why it is not working - well, at least that's what happened to me.
Anyway, I have to admit I was considering not answering with my suggestion, as it is off topic, but I felt obligated to do so in case the OP is not aware of other options.
Kr
K
Hey there, thank you for the input. Looking at the documentation got me thinking, and I assume that a guest network on ALL dumb APs could potentially suit my needs.
How exactly does that differ from a VLAN?
One potential problem: I want a separate VLAN/guest network to isolate my IoT devices. They are all managed via Home Assistant, which needs to talk to all of the devices. So there are two options:
Keep Home Assistant on my LAN network and allow communication to the devices in the guest network
Put Home Assistant in the guest network and somehow allow it to communicate with the other devices (not sure if that is even possible?)
This would be a bad setup - problematic for guest devices roaming between APs, harder to administer, and generally inefficient and inelegant.
Your main router should be tasked with all the routing and firewall functions, sending those networks over Ethernet (using VLANs) to the APs, which then only need to bridge the VLANs to Wi-Fi SSIDs. If you do set up guest networks on each AP separately, there are no VLANs involved and you basically have a bunch of isolated islands.
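The split described above (routing and firewalling on the main router, VLANs trunked to the APs which only bridge them to SSIDs), worked through against the requirements in the first post. This is an added example, not config from the original thread or from the Turris project; the VLAN plan (1 = LAN, 20 = IOT, 30 = GUEST), the choice of lan4 as the trunk port to the APs, the zone names, and the Home Assistant address 192.168.1.10 in the last rule are assumptions. It assumes a DSA-based OpenWrt 21.02 or later in which lan0..lan4 are ports of br-lan, as in the posted config, and that the default lan and wan zones with lan->wan forwarding are still present in /etc/config/firewall.

```uci
# /etc/config/network (main router) - added example, assumed VLAN plan:
# VLAN 1 = LAN, VLAN 20 = IOT, VLAN 30 = GUEST, lan4 = trunk to the dumb APs
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4:u*'    # LAN untagged (PVID) on the trunk: an AP that is not yet
	                        # reconfigured stays reachable, so you cannot lock yourself out

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:t'     # IOT only exists tagged on the trunk

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan4:t'     # GUEST only exists tagged on the trunk

config interface 'lan'      # replaces 'br-lan' with the VLAN 1 sub-device
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'iot'      # replaces the empty br-iot bridge
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'

config interface 'guest_turris'   # replaces the empty br-guest-turris bridge
	option device 'br-lan.30'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'

# /etc/config/firewall (main router) - zones for the two isolated networks
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'   # nothing to the router itself except the DHCP/DNS rule below
	option output 'ACCEPT'
	option forward 'REJECT'
	# deliberately no 'config forwarding' with src 'iot':
	# IOT reaches neither WAN, LAN nor GUEST (requirement 4)

config zone
	option name 'guest'
	list network 'guest_turris'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding           # GUEST -> internet and nothing else (requirement 1)
	option src 'guest'
	option dest 'wan'

config forwarding           # LAN may open connections into IOT (requirement 2);
	option src 'lan'        # replies flow back through conntrack, IOT cannot initiate
	option dest 'iot'

config rule                 # isolated zones still need DHCP and DNS from the router
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'guest-dhcp-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule                 # only needed for the alternative where Home Assistant stays on LAN:
	option name 'iot-to-hass-mqtt'   # let IOT devices push MQTT to it and nothing else
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.10'    # assumed Home Assistant address
	option proto 'tcp'
	option dest_port '1883'
	option target 'ACCEPT'
```

On each dumb AP the same bridge-vlan stanzas are repeated with the uplink port tagged (`:t`) for 20 and 30, an interface with `option proto 'none'` is created on br-lan.20 and br-lan.30, and the `network` option of each `config wifi-iface` points at that interface; the AP does no routing. Two caveats a practitioner should check before relying on this: first, requirement 3 (other IOT hosts may talk to HASS only on 1883) cannot be enforced by the router's firewall when HASS and the devices share the IOT subnet, because same-VLAN traffic is bridged and never reaches the router; it needs either client isolation on the IOT SSID (which blocks all client-to-client traffic on that AP, so HASS would have to be wired or on another SSID) or a managed switch with ACLs, or the LAN-side alternative shown in the last rule. Second, apply the change from a session on a port that stays untagged in VLAN 1 (lan0..lan3 here), and verify with `bridge vlan show` and `nft list ruleset` (or `iptables -S` on firewall3 builds) that the tags and zones came out as intended before moving any AP to the trunk.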
Well @mor3dr3ad, do you really need it on ALL dumb APs, or just one which can reach all IoT devices? @psherman I agree. However, I have a similar setup: a Home Assistant server and 2 dumb APs. In my setup the leading factor is HA. I let all IoT devices which do not need internet connect to my LAN/Wi-Fi LAN and block their access to the internet via traffic rules in the firewall, and they can still access my HA server. All other IoT devices (which need internet to sync with HA) connect to the dumb AP's guest network, where I isolated them and also reduced the bandwidth with SQM.
I have tried it with VLANs and it was harder for me to set up (actually you helped me - thanks for that), and also harder to sustain across a network change if I forget about the ports in question.
I am giving my 5 cents, but I fully trust @psherman's expertise. It is just easier for me.