Hi there
I heard that it is recommended to have IoT devices on a different subnet, so that's what I want to achieve with your help.
My network, just so you can imagine my setup a little bit better:
What I did so far:
Router:
- Created Guest Interface, guest firewall zone and enabled DHCP server:
/etc/config/network
config interface 'IoT'
	option proto 'static'
	option ipaddr '10.210.11.1'
	option netmask '255.255.255.0'
	option device 'br-IoT'

config device
	option name 'br-IoT'
	option type 'bridge'
	list ports 'eth0.2'
	option igmp_snooping '1'
	option promisc '1'
	option multicast_querier '0'
/etc/config/firewall
config zone
	option name 'IoT'
	option output 'ACCEPT'
	list network 'IoT'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'IoT'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'IoT'

config rule 'IoT_dns'
	option name 'Allow-DNS-IoT'
	option src 'IoT'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'IoT_dhcp'
	option name 'Allow-DHCP-IoT'
	option src 'IoT'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
/etc/config/dhcp
config dhcp 'IoT'
	option interface 'IoT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.210.11.1'
	list dhcp_option '3,10.210.11.1'
	list ra_flags 'none'
On AP Downstairs:
- Tag the right ports with VLAN ID 2, create the IoT interface and configure Wi-Fi:
/etc/config/network
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4 5 6'
	option vid '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option description 'IoT'
	option ports '0t 2t 5t'

config interface 'IoT'
	option proto 'dhcp'
	option device 'br-IoT'

config device
	option name 'br-IoT'
	option type 'bridge'
	list ports 'eth0.2'
/etc/config/wireless
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'
	option rts '784'
	option channel '11'
	option beacon_int '500'
	option cell_density '0'
	option txpower '24'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key 'xxxxxxxxxx'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ieee80211r '1'
	option dtim_period '1'
	option ssid 'xxxxxxxxxxxxxxx'
	option nasid '123D'
	option encryption 'psk2+ccmp'
	option network 'IoT'
And on the other AP upstairs:
- Same as with the AP downstairs, except other ports:
/etc/config/network
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4 5 6'
	option vid '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5t'
	option vid '2'

config interface 'IoT'
	option proto 'dhcp'
	option device 'br-IoT'

config device
	option name 'br-IoT'
	option type 'bridge'
	list ports 'eth0.2'
/etc/config/wireless
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'
	option channel '6'
	option rts '784'
	option beacon_int '500'
	option cell_density '0'
	option txpower '24'
	option disabled '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option key 'xxxxxxxxx'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option ieee80211r '1'
	option dtim_period '1'
	option ssid 'xxxxxxxx'
	option nasid '123D'
	option encryption 'psk2+ccmp'
	option network 'IoT'
The only thing that doesn't work so far is the DNS server. I'm using AdGuard Home as the DNS server and I do not know how to send my requests from my subnet to it.
I would also appreciate if you could sanity check my settings, if there are any mistakes etc. Thank you in advance!
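The sanity check asked for above can be partly automated offline. The script below is an added example, not part of the original post and not an OpenWrt or AdGuard Home tool: it parses the UCI `config`/`option`/`list` syntax of an `/etc/config/firewall` fragment and checks the points that most often break or defeat an isolated IoT zone: a zone whose `input` policy is not ACCEPT must carry rules accepting DHCP (udp/67) and DNS (tcp+udp/53) to the router, the zone's `forward` policy should not be ACCEPT, and there must be no `forwarding` or ACCEPT `rule` from the IoT zone to the trusted zone. The embedded sample is a constructed copy of the zone, forwardings and rules from the post; the zone and trusted-zone names (`IoT`, `lan`) are assumptions passed as parameters. Port ranges in `dest_port` (for example `67-68`) are not expanded, only exact port tokens are matched.

```python
"""Offline sanity check for an OpenWrt /etc/config/firewall fragment (added example)."""
import re
from collections import defaultdict

# Constructed sample: the IoT zone, forwardings and rules as posted above.
SAMPLE_FIREWALL = """\
config zone
    option name 'IoT'
    option output 'ACCEPT'
    list network 'IoT'
    option input 'REJECT'
    option forward 'REJECT'

config forwarding
    option src 'IoT'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'IoT'

config rule 'IoT_dns'
    option name 'Allow-DNS-IoT'
    option src 'IoT'
    option dest_port '53'
    option proto 'tcp udp'
    option target 'ACCEPT'

config rule 'IoT_dhcp'
    option name 'Allow-DHCP-IoT'
    option src 'IoT'
    option src_port '68'
    option dest_port '67'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_KV = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; every option value is stored as a list."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({'type': m.group(1), 'name': m.group(2) or '', 'options': defaultdict(list)})
            continue
        m = _KV.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1]['options']
            if kind == 'list':
                opts[key].append(value)   # 'list' keys accumulate
            else:
                opts[key] = [value]       # 'option' keys are scalars; last one wins
    return sections


def _first(opts, key, default=''):
    return opts.get(key, [default])[0]


def _accepts_input(sections, zone, port, protos):
    """True if some ACCEPT rule with src=zone and no dest (router input) covers port for all protos."""
    for s in sections:
        if s['type'] != 'rule':
            continue
        o = s['options']
        if _first(o, 'src') != zone or 'dest' in o or _first(o, 'target').upper() != 'ACCEPT':
            continue
        if port not in _first(o, 'dest_port').split():
            continue
        # fw3/fw4 default proto for a rule is 'tcpudp'
        rule_protos = set(_first(o, 'proto', 'tcpudp').replace('tcpudp', 'tcp udp').split())
        if 'all' in rule_protos or protos <= rule_protos:
            return True
    return False


def audit_iot_zone(text, zone='IoT', trusted='lan'):
    """Return a list of findings for an isolated zone; an empty list means all checks pass."""
    sections = parse_uci(text)
    findings = []
    zones = [s for s in sections if s['type'] == 'zone' and _first(s['options'], 'name') == zone]
    if not zones:
        return [f"zone '{zone}' not defined"]
    z = zones[0]['options']
    # zone policies default to DROP when unset
    if _first(z, 'forward', 'DROP').upper() == 'ACCEPT':
        findings.append(f"zone '{zone}' has forward=ACCEPT: networks inside the zone can reach each other")
    if _first(z, 'input', 'DROP').upper() != 'ACCEPT':
        if not _accepts_input(sections, zone, '67', {'udp'}):
            findings.append(f"zone '{zone}' blocks input but has no rule accepting DHCP (udp/67): clients get no lease")
        if not _accepts_input(sections, zone, '53', {'tcp', 'udp'}):
            findings.append(f"zone '{zone}' blocks input but has no rule accepting DNS (tcp+udp/53) to the router")
    for s in sections:
        o = s['options']
        if s['type'] == 'forwarding' and _first(o, 'src') == zone and _first(o, 'dest') == trusted:
            findings.append(f"forwarding {zone} -> {trusted}: isolation is void")
        if (s['type'] == 'rule' and _first(o, 'src') == zone and _first(o, 'dest') == trusted
                and _first(o, 'target').upper() == 'ACCEPT'):
            findings.append(f"rule '{s['name'] or _first(o, 'name')}' accepts {zone} -> {trusted} traffic: review it")
    return findings


if __name__ == '__main__':
    for finding in audit_iot_zone(SAMPLE_FIREWALL) or ['no findings']:
        print(finding)
```

Run against the posted fragment it reports nothing, which matches the zone/rule side of the setup. The DHCP/DNS checks only confirm that port 53 is allowed into the router from the zone; whether anything answers there is a separate check to do on the router itself, for example `netstat -lnp | grep ':53'` to see which address and process is bound to port 53, since the address handed out in `dhcp_option '6,...'` has to be one the resolver actually listens on.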