Firewall configuration

I'm attempting to deal with various WiFi devices (IoT, printers, TVs, etc.) that I want to lock down as much as possible and came up with the attached firewall zones that seem to be working so far.

I have 3 WiFi networks configured:

  1. normal devices (computers etc)
  2. IoT devices
  3. local network devices

I want WiFi network 2 to only be able to get out to the Internet and not see other local devices or the LAN. WiFi 3 shouldn't see anything... mainly this is for devices like printers that will accept incoming requests but shouldn't be able to initiate connections. For WiFi networks 2 and 3 I have the networks set to isolate. WiFi 1 is set to the 'lan' zone, 2 is set to the 'guest' zone and 3 is set to the 'local' zone. I just wanted to see if this seems like a reasonable way to accomplish it. Is there anything else I should be looking at?
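
As an added example of the zone layout described in the post (not the poster's attached configuration), here is an OpenWrt /etc/config/firewall fragment that implements it. It assumes the network names 'lan', 'guest', 'local' and 'wan' match the interfaces in /etc/config/network, that the stock 'config defaults' stanza is kept as shipped (so it is omitted here), and that devices on 'local' use static addresses, so no DHCP rule is needed for that zone.

```uci
config zone                 # WiFi 1: trusted devices
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone                 # WiFi 2 (IoT): Internet only
	option name 'guest'
	list network 'guest'
	option input 'REJECT'     # router itself unreachable except via the rule below
	option output 'ACCEPT'
	option forward 'REJECT'   # nothing leaves this zone unless a forwarding allows it

config zone                 # WiFi 3 (printers): may not initiate anything
	option name 'local'
	list network 'local'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'   # and no 'config forwarding' with src 'local' at all

config forwarding           # lan -> Internet
	option src 'lan'
	option dest 'wan'

config forwarding           # lan may open connections to printers; conntrack
	option src 'lan'          # passes the replies, so no local -> lan forwarding
	option dest 'local'

config forwarding           # guest's only way out
	option src 'guest'
	option dest 'wan'

config rule                 # guest still needs DHCP (67) and DNS (53) from the router
	option name 'Allow-Guest-DHCP-DNS'
	option src 'guest'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

After reloading, `fw3 print` (or `fw4 print` on firewall4 builds) shows the generated rules, which is a quicker check than joining each network with a laptop: there should be no forwarding chain whose source is 'local' and only the wan destination for 'guest'.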

Yes, this sounds reasonable and feasible in general.
Note that Wi-Fi isolation requires hardware support; otherwise you can use the bridge firewall.
Also, some printer functions may require Internet access, e.g. NTP support or firmware upgrades.

1 Like

@vgaetera I'm basing my 'seem to be working' comment entirely on having a laptop join each of the WiFi networks to see if it is behaving as expected without exhaustive testing (i.e. simply: can I see a device on network X? Can a device on network X see me? etc.). I'll read up on the bridge firewall to see if that might be a better option as I'm far from an expert on firewall configuration. I'm on a Linksys WRT1900ACS... any idea if it supports WiFi isolation? For the 'local' network, I absolutely don't want things like phoning home, firmware upgrades etc. to work... that's the point: break as much of that functionality as possible :wink: For other devices, I only want them to be able to see the Internet since they are only functional in that mode and local network access is pointless (the fun of IoT: have a device in your house that only talks to a remote server and then you have to contact the server to find out what the thing in your house is reporting... grr) and I don't want them to be able to poke around my network. So that's why I was asking: does this configuration sound like it will do what I want, or do I just have an illusion of it doing what I want (i.e. not testing the right things), and is there a better way to do it?

WiFi isolation only applies when you want to isolate two devices connected to the same BSSID from each other.

1 Like