How efficient are VLANs (and SSIDs)? Can I set up hundreds, one per IoT device?

So like many others on this forum one of the first things I did when getting into OpenWrt was set up a separate VLAN for my "IoT devices" apart from my "home" network. Which has been working alright, I've been able to set up a handful of sub-networks across several OpenWrt switches/routers/APs and it's been a fun learning experience.

But one thing that's been nagging me: what's actually really the benefit of splitting IoT devices onto one big network of their own? Frankly I'd be more worried that one poorly/maliciously coded renegade device manages to infect/subvert one of the other poorly coded devices on that same network — i.e. those devices needing protection from each other — more than that my wife's robo vacuum could manage to worm its way into our macOS laptops or Linux-based ssh-key-only Raspberry Pis?

So as much as I kind of feel like this is a slippery slope of unhealthy obsession :joy: it does make me wonder if I shouldn't rather set up one VLAN (and I guess then also out of necessity, separate WiFi SSIDs) per device to really gain much actual security benefit. Thanks to UCI (and maybe pulling in Ansible as well) I could maybe automate the setup of all those, but my question is: will setting up dozens or maybe eventually even hundreds of VLANs hurt the performance of my routers? Is it even possible to set up that many separate WiFi SSIDs?

Is there a practical solution to this? On my Mac I'm spoiled with Little Snitch which is a really low friction per-application firewall. So I tend to think of each IoT device as its own barely-trusted "app" that deserves its own separate sandbox and own separate list of domains it can connect to — but as I learned way back on an earlier semi-related thread each "network" is designed specifically for letting all the peers within talk freely with each other. So either networks (and WiFi SSIDs) are really really efficient to spin up, or I'm just going to have to live with gadgets potentially doing terrible things to each other behind my back, in exchange for the entertainment value all these cheap WiFi parasites provide… :person_shrugging:

You don't want to do this. With each SSID you add, you create overhead and it increases the channel utilization even with no data flowing. See: https://www.wifi-professionals.com/2018/08/ssids-overhead-effect-on-channel-utilisation

1 Like

Aside from that, the wifi chipset limits the number of concurrent vAP interfaces anyways (depending on the hardware to something between 4-16 at most), not that it would be sensible to max that out.

1 Like

I agree with @slh and @account4538. This would not be a good plan.

For the record, VLANs themselves are not the source of any significant overhead, but the multiple SSIDs are.

If you really want to isolate your IoT devices, the best and easiest solution is to enable wifi client isolation on a dedicated IoT network+SSID. Keep in mind, though, that isolation is all-or-nothing. Each wifi device on an SSID with isolation enabled will be unable to reach every other wifi device.

1 Like

Thanks, yeah but unfortunately I have a couple different wireless APs for coverage. So if I'm speculating correctly, the devices on one AP wouldn't be able to talk to each other but they would be able to talk to all the other devices on other APs?

I guess the way to deal with that is then one "IoT" SSID per Access Point, and then just separate VLANs (but sharing the same firewall zone) per AP. So AP #1 might host the same mywifi-iot SSID but have client isolation, and use VLAN #6661 back to the main router. And AP #2 would have duplicated SSID setup, but use VLAN #6662 back to the main router so that its clients would be in a separate network prevented from talking to AP #1's clients.

And thanks @account4538 and @slh for the other tips — I kind of suspected that the SSIDs would be an earlier limiting factor than the VLANs but didn't know by what scale!

Don't know why I didn't realize before to embrace WiFi "client isolation" like this, guess it seemed the "crosstalk" over the backhaul between APs would spoil it. But that seems easily enough avoided now just with a couple separate VLANs i.e. per AP. And pretty much 99% of the typical devices I would put in the IoT zone are wirelessly connected rather than Ethernet cable. So assuming my new plan isn't overlooking some "gotcha" it doesn't seem as over-the-top as my initial thinking and might be a go then! :slight_smile:
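As an added illustration (not from any poster in this thread) of the per-AP VLAN plan above, here is OpenWrt UCI config for AP #1 and the main router, assuming a 21.02+ DSA build, 'lan1' as the AP's uplink port, 'lan2'/'lan3' as the router ports the APs plug into, and VLAN IDs 661/662 (6661 is above the 4094 maximum). Device names, addresses and the passphrase are placeholders; the firewall zone's `forward 'REJECT'` is what keeps AP #1 clients from reaching AP #2 clients even though both networks share one zone. Once a bridge-vlan is defined on br-lan, VLAN filtering is on and the AP's existing 'lan' network needs its own bridge-vlan stanza too (not shown).

```uci
# --- AP #1: /etc/config/network (DSA-style OpenWrt 21.02+) ---
# tag VLAN 661 on the uplink port; AP #2 uses 662 in the same way
config bridge-vlan
	option device 'br-lan'
	option vlan '661'
	list ports 'lan1:t'

config interface 'iot'
	option device 'br-lan.661'
	option proto 'none'

# --- AP #1: /etc/config/wireless ---
# same SSID on every AP; isolate=1 stops clients on this AP reaching each other
config wifi-iface 'iot_ap1'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'mywifi-iot'
	option encryption 'psk2'
	option key 'CHANGEME-iot-passphrase'
	option isolate '1'

# --- Main router: /etc/config/network (one tagged subinterface per AP port) ---
# repeat both stanzas for AP #2 as lan3.662 / 'iot_ap2' / 192.168.61.1 -> .62.1
config device
	option name 'lan2.661'
	option type '8021q'
	option ifname 'lan2'
	option vid '661'

config interface 'iot_ap1'
	option device 'lan2.661'
	option proto 'static'
	option ipaddr '192.168.61.1'
	option netmask '255.255.255.0'

# --- Main router: /etc/config/firewall ---
# forward=REJECT blocks traffic between the two IoT networks inside the zone;
# input=REJECT plus the rule below means the router only answers DHCP and DNS
config zone
	option name 'iot'
	list network 'iot_ap1'
	list network 'iot_ap2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'iot'
	option dest 'wan'
config rule
	option name 'iot-allow-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```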

Hi

in theory, yes, it is good thinking
in practice: no
AP1, vlan661 -> dhcp 192.168.61.x
AP2, vlan662 -> dhcp 192.168.62.x

now, if your APs are close enough, and a cheap IoT device tries to roam between them, it might get stuck because it will miss the need of dhcp renewal or will be pis*ed off because of constant IP changes, or similar

another problem
many switch chips allow only 16 vlans
and no, there is no vlan6661 :slight_smile: max is 4094 but again, some older chips have problem with that, so stay below ID 256

You can also try setting up multiple WPA2-PSK keys and/or multiple WPA3-SAE on the same SSID. I have successfully set up a WPA2-PSK network with 30 different PSKs, and each on their own VLAN.

This is not a standard thing, but can work with 23.05+ and the config from this commit. Just note that you cannot use "Generate PMK locally" if you are using fast transition (802.11r).

2 Likes