Forcing selected WiFi devices to use IoT firewall zone via a single SSID

Hi, I want to place all my IoT WiFi devices within a separate firewall zone - separating them from trusted LAN devices - but all the tutorials I find online accomplish this using multiple WiFi SSIDs.

Through OpenWrt, is there a way I can select which of the connected WiFi devices (e.g. by their MAC address) should be forced to use the IoT firewall zone which I have set up? And therefore all other devices will default to using the standard LAN firewall zone.

Do I need to set up a new interface, a new bridge/device, a VLAN? Any advice, instructions/tutorials would be most welcome.

See: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

That's exactly what OP didn't want?

:slight_smile:

@sct898 check if PBR can do what you need.

The short answer is: no, you can't do that.

Once a device has physical access to a network, be it plugged into the same switch (VLAN group) or using the same ESSID/ PSK, it has access to 'everything' within that network, without any filtering (and from there also beyond, to the internet). Yes, there are some 'advisory' (voluntary, if the client devices choose to follow) things that can be applied on a per-MAC/ IP basis, but there's nothing preventing the client from ignoring these (and using another MAC/ IP). If you want to enforce your policies, you need to segregate your topology into multiple -physically distinct- networks (VLAN groups/ access ports filtering access of multiple ESSIDs) and give the clients only access to their network, without any shortcuts to circumvent the policies set by your router and enforced by (managed-) switches and APs.

2 Likes

You can setup multiple subnets, all linked to a single SSID. Then, the password used will connect each device to the relevant subnet.

1 Like

At that point, multiple distinct ESSIDs are a better approach (the requirements on the hardware, the valid interface combinations, are the same).

I titled the forum thread "per-passphrase VLANs". But it doesn't actually have to be "per-passphrase", it can also be "per-MAC" (and I just fixed the thread title accordingly). Each line in the wpa_psk file, or each UCI wifi-station section respectively, can be specific to a MAC address, even with the same PSK. Which is probably most in line with what the OP intends to do.

I never tried distinguishing by MAC, though. Most importantly I never tried what happens when one wpa_psk line is specific to one MAC, and one isn't (and uses the wildcard "00:00:00:00:00:00"). I feel it's worth investigating if the latter will be the fall-through if the PSKs are identical, and whether the (wpa_psk/UCI entries') order matters.
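What the wifi-station approach from the post above looks like in OpenWrt's UCI files, as an added example that is not from this thread or from the OpenWrt documentation. The section types and option names (wifi-vlan with iface/name/vid/network, wifi-station with iface/mac/key/vid) are the ones OpenWrt's hostapd.sh turns into hostapd's vlan_file and wpa_psk_file; the radio, SSID, MAC addresses, passphrase, VLAN ID and subnet are made up, and `dynamic_vlan '1'` is set explicitly as a precaution (assumption: if your build enables VLAN handling on its own this line is harmless; check the generated /var/run/hostapd-*.conf). The single SSID keeps its ordinary key for trusted devices; only the listed MACs get `vid 20`, which becomes the wlan0-iot VLAN interface, joins network `iot` and so lands in the `iot` firewall zone. One caveat that follows from the earlier reply about per-MAC rules being advisory: with the same passphrase for both groups, a device that knows the PSK can leave the IoT zone by changing its MAC; giving the IoT entries a different key makes the placement depend on the key rather than on the MAC.

```uci
# /etc/config/wireless  (example values; radio, SSID, MACs and key are made up)
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'home'
	option encryption 'psk2'
	option key 'TrustedLanPassphrase'
	option network 'lan'
	# assumption: enable hostapd's dynamic VLAN handling explicitly
	option dynamic_vlan '1'

# VLAN 20 on this SSID becomes interface wlan0-iot, attached to network 'iot'
config wifi-vlan 'iot_vlan'
	option iface 'default_radio0'
	option name 'iot'
	option vid '20'
	option network 'iot'

# Per-station entries: these (made-up) MACs land in VLAN 20.  Same key as the
# SSID, so the devices need no reconfiguration; a MAC not listed here
# authenticates with the wifi-iface key and stays on 'lan'.
config wifi-station 'iot_plug'
	option iface 'default_radio0'
	option mac 'aa:bb:cc:dd:ee:01'
	option key 'TrustedLanPassphrase'
	option vid '20'

config wifi-station 'iot_camera'
	option iface 'default_radio0'
	option mac 'aa:bb:cc:dd:ee:02'
	option key 'TrustedLanPassphrase'
	option vid '20'

# /etc/config/network  (the VLAN interface needs a bridge/network to join)
config device
	option name 'br-iot'
	option type 'bridge'

config interface 'iot'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (own zone: internet only, no forwarding to lan)
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'
```

After `wifi reload`, the generated /var/run/hostapd-wlan0.psk should contain one `vlanid=20 <mac> <key>` line per wifi-station section and /var/run/hostapd-wlan0.vlan the mapping `20 wlan0-iot` (interface names assumed; they follow the radio's ifname). Once one of the listed devices associates, `iw dev` should list wlan0-iot as an AP/VLAN interface and `bridge link` should show it as a port of br-iot; if the device instead shows up on wlan0 and gets a lan address, the psk file or the VLAN mapping was not applied.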

I don't agree. The wpa_psk approach allows one to move devices between VLANs without having to reconfigure the devices' wifi settings. Which can be a real hassle especially with "smart" IOT devices.

1 Like
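A small check for the open question raised earlier in the thread (a MAC-specific wpa_psk line and a wildcard line carrying the same PSK), added here and not part of any post: it parses a hostapd wpa_psk_file and reports, for each MAC-specific entry, its VLAN and whether a wildcard entry with the identical PSK also exists, which is exactly the case where the outcome depends on hostapd's matching order. The sample file is constructed and the function is mine. On my reading of hostapd's config parser, lines are prepended to its list as they are read, so the last matching line in the file is tried first; that argues for putting the wildcard entry before the MAC-specific ones (in OpenWrt, the wildcard wifi-station section first, assuming the psk file is generated in UCI order), but the script only flags the ambiguity and does not claim to reproduce hostapd's choice.

```shell
#!/bin/sh
# Constructed sample of a hostapd wpa_psk_file.  Line format:
#   [keyid=..] [wps=..] [vlanid=N] <MAC | 00:00:00:00:00:00> <passphrase | 64-hex PSK>
# 00:00:00:00:00:00 is the wildcard MAC that matches any station.
SAMPLE_PSK_FILE="$(mktemp)"
cat > "$SAMPLE_PSK_FILE" <<'EOF'
00:00:00:00:00:00 SharedPassphrase!
vlanid=20 aa:bb:cc:dd:ee:01 SharedPassphrase!
vlanid=20 aa:bb:cc:dd:ee:02 IoTOnlyPassphrase
vlanid=30 00:00:00:00:00:00 GuestPassphrase
EOF

# psk_file_ambiguities FILE
# Prints one line per MAC-specific entry:  "<mac> vlan=<id|none> ambiguous=<yes|no>"
# ambiguous=yes means a wildcard line carries the same PSK, so which VLAN the
# station ends up in depends on the order in which hostapd tries the entries.
psk_file_ambiguities() {
    awk '
    {
        vlan = "none"; mac = ""; psk = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^vlanid=/)            { vlan = substr($i, 8) }
            else if ($i ~ /^(keyid|wps)=/)  { }          # not relevant to placement
            else if (mac == "")             { mac = tolower($i) }
            else                            { psk = $i }
        }
        if (mac == "" || psk == "") next                 # blank or malformed line
        if (mac == "00:00:00:00:00:00") { wild[psk] = vlan; next }
        macs[mac] = psk; mvlan[mac] = vlan
    }
    END {
        for (m in macs) {
            amb = (macs[m] in wild) ? "yes" : "no"
            print m " vlan=" mvlan[m] " ambiguous=" amb
        }
    }' "$1" | sort
}

# Usage on a live AP: psk_file_ambiguities /var/run/hostapd-wlan0.psk
psk_file_ambiguities "$SAMPLE_PSK_FILE"
```

For the sample above the first IoT MAC is reported as ambiguous (same PSK as the wildcard line) while the second, with its own passphrase, is not; the guest wildcard with a different PSK does not affect either.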