Help requested for setting up IoT VLAN

I want to improve the security of my network and banish the IoT devices into a VLAN. I am using a Fritzbox 4040 and I need help setting it up. I already know that I need to edit the config file, but not how and where. The goal is that the LAN can still speak with the IoT VLAN but the VLAN can't access the LAN.

Thank you very much for your help.

I assume you want a wifi network... Start with setting up a guest wifi network as described here:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

A VLAN is only used if you intend to carry guest traffic over Ethernet, like if you have a separate access point connected to your router. Otherwise, if you have just a single all-in-one router, you can have the guest wifi without a separate VLAN.

Thanks for the feedback, dlakelan. I know that guide and can follow it without any problems. My goal is to force a Hue Bridge into a separate VLAN and let clients from LAN/wifi still communicate with the bridge.

OK, so you want the Hue bridge to connect via Ethernet to your router, but be on a separate VLAN?

The easiest way is to do it in LuCI. Can you screenshot your switch page?

I can't use LuCI. When I change something in LuCI I lose the connection. It's a driver problem as far as I understand, and I need to use the config files.

See [solved] VLANs on ipq40xx alternative config (for Fritzbox 4040)

/edit: Switch Page is the default right now, nothing changed yet.

Have you looked here? https://openwrt.org/docs/guide-user/network/vlan/switch_configuration

What you will need to do is create a new VLAN, say VLAN 3, put one of your ports into that VLAN untagged, and put your CPU port into the same VLAN tagged. Then create a new interface called iot using eth0.3 as the physical interface.

Put the iot network into a different firewall zone. Allow forwarding from lan to iot but not vice versa.

If you need more info, post the network config.

I am sorry, but I really don't know what you need from me. The network config file?
And again, how do I do all this in the config file? To be honest, I just don't understand the options from the wiki. Good examples are missing.

I just need help creating the VLAN. The rest I know how to do.

Here is an example (from a different router, though) on how to create VLANs 11, 22, and 33 for eth1 (LAN ports). This gives me devices eth1.11, eth1.22, and eth1.33. The next step is to create an interface for each VLAN. The third step is to disable forwarding between interfaces.

UPDATE: Here is the config from /etc/config/network

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '3 6t'
	option vid '22'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '4 6t'
	option vid '11'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '2 6t'
	option vid '33'

Yes, specifically the switch section. Or follow the example from @fantom-x.

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

That's what's in the file right now (like I said, the default). Thanks for the example @fantom-x, but I still don't understand the config file. If I read the file right, VLAN 33 is ports 2 and 6, but in your screenshot it's 5. Where is my mistake? Can somebody tell me the right config if I want a separate VLAN on port 4?
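
As an aid to reading the switch_vlan stanzas quoted in this thread, here is an added Python example (not written by any poster and not OpenWrt code) that parses them, lists per VLAN ID which switch ports are untagged and which are tagged, and flags a port left untagged in two VLANs, a misconfiguration that undermines the separation an IoT VLAN is meant to give. It assumes single-quoted option values and only the `t` port suffix, as in the configs above; the function names are hypothetical.

```python
import re

# Constructed sample: vlan/vid/ports options of two stanzas quoted in the thread.
SAMPLE = """
config switch_vlan
    option vlan '1'
    option vid '1'
    option ports '1 6t'
config switch_vlan
    option vlan '5'
    option ports '2 6t'
    option vid '33'
"""

def parse_switch_vlans(text):
    """Return one dict of options per 'config switch_vlan' stanza."""
    vlans, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            cur = {} if line.split()[1] == "switch_vlan" else None
            if cur is not None:
                vlans.append(cur)
        elif cur is not None:
            m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
            if m:
                cur[m.group(1)] = m.group(2)
    return vlans

def describe(vlan):
    """VLAN ID is 'vid' (falls back to 'vlan'); a 't' suffix marks a tagged port."""
    ports = vlan.get("ports", "").split()
    return {
        "vid": int(vlan.get("vid", vlan["vlan"])),
        "untagged": [int(p) for p in ports if not p.endswith("t")],
        "tagged": [int(p[:-1]) for p in ports if p.endswith("t")],
    }

def check(vlans):
    """Report ports untagged in two VLANs and VLANs lacking any tagged port."""
    problems, owner = [], {}
    for v in map(describe, vlans):
        if len(vlans) > 1 and not v["tagged"]:
            problems.append(f"VLAN {v['vid']}: no tagged port (CPU port missing or untagged?)")
        for p in v["untagged"]:
            if p in owner:
                problems.append(f"port {p} untagged in VLAN {owner[p]} and {v['vid']}")
            owner[p] = v["vid"]
    return problems
```

Read this way, the stanza with `vlan '5'`, `vid '33'` and `ports '2 6t'` means switch port 2 carries VLAN ID 33 untagged and port 6 carries it tagged.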

I do not know how to properly set it up for your router: I do not want to get your router locked up.