How to isolate some iot devices but not all?

Hi all,

I've been doing a lot of searching but as a beginner to openwrt I can't find a solution to my problem. Here it is:

I'm renting at a place with shared wifi and want to isolate my IOT devices from the other people here, and also stop most of the IOT devices from being able to talk to their servers in China etc.

I have 2 wifi switches with open source firmware on them that only talk locally, a couple of Xioami bulbs that only need to talk locally (but might try and contact China), and a Raspberry pi running my open source smart home hub that needs internet access.

So basically I need to have all my devices connect to my openwrt router, let all the devices talk to each other though my openwrt router, but only let the smart home hub talk to the internet. I will have my openwrt router connect to the wifi already here.

If anyone can advise on the best way to do this, it would be most appreciated. I've seen that MAC address based rules aren't very secure because my Chinese iot devices could easily detect the MAC address of the smart hub (or my laptop), clone it and then get access to the internet. Is this correct?

Oh and I'd also like to have all my IOT stuff hidden from the other people on the currently installed wifi. They have some philips hue bulbs for example and I don't want to have my smart hub being able to control them (or them be able to see or control my devices)

Many thanks


I manage the risks of my IoT devices, by vendor with

  • Put the devices on their own SSID and their own VLAN
  • Block forwarding to/from that VLAN to the outside world
  • Block forwarding to/from that VLAN to anything "inside" that they don't need to "talk to"
  • If appropriate, give the devices your own "custom" DNS on that VLAN for the servers they want to reach (NXDOMAIN, for example) and/or the NTP servers as your local NTP server

Reverse engineer the IOT firmware so that they won’t be able to connect to any IP address ?

Or create a bind server on a VM and redirect to that server IOT devices for DNS of course China IP won’t be answered by your bind server ?

What does your physical topology (connections) look like? Are any of the IoT devices wired in or only on WiFi? Is the home hub RPi wired in?

The thing I can imagine you do is disable all forwarding from this network to WAN by default. Make sure your RPi is wired into your router. Put that particular ethernet port into its own VLAN and bridge that into the LAN. Then add a traffic rule specifically allowing packets from this VLAN to forward to WAN. Then you're sure that the packets physically come from the ethernet port of the RPi.

1 Like

Another advantage / domain worth thought of IOT is the application layer stack.

Highly variable.... case and point is this thread.... But in some cases this can work to your advantage.....

There is also the question of directionality.... where possible.... You can leverage traffic flows to drastically limit the scope of your exposure....

With limited protocol stacks and no gateways..... you've almost achieved your goals already!

At the moment I have a Tp-link WR840n router with a connection to the outside world that manages all the DCHP (I'm allowed admin access to the router, but it's the property of the landlord), this then pumps out wifi to a halfway point between me and the source. There is then a wifi repeater that extends this wifi to where all my devices are. At the moment I have my devices on his router/repeater and he can see my chromecasts, and I can see his. I want to stop this happening as he has his setup and doesn't like my devices filling up his cast options on his phone.

I can't plud the RPi into the ethernet port of my openwrt router because the RPi is in a basement and the wifi hotspot for the openwrt router would then be in the wrong place.

Basically, I just want all of my devices on the wifi of my openwrt router, and only some devices are allowed to contact the outside world through the already installed wifi repeater.

I'm still not clear on how devices are connected together, and which device you own vs which device you borrow access from etc, can you draw a network diagram?


Yeah I guess it's rather confusing to explain in words. Here's a diagram showing what I'm trying to achieve:

Ideally I'd like to stop him from seeing my IOT devices when he connects to his router or repeater, but it's not the end of the world. My main concern is that I want to stop my IOT things from being able to access the internet, and only let them talk to my laptop and home automation hub (HAH).

Another thing is that at the moment I'm trying to deploy some IOT lights that flash in time with music being played on my laptop. They do work, but you can really see the lag and glitching caused by having to send the data from the laptop all the way to the Landlord's router and back again through a repeater. What I want is for my laptop to send the data to my openWRT router and straight to the IOT music lights.

Any help is massively appreciated. I've been messing around with settings for hours now and I can't seem to work it out.

Oh and the Landlord's router has the DCHP sever in it that is currently issuing the IP addresses. The currently installed repeater is just a dumb repeater.

No problem, thanks for making the diagram it makes it easy to help you

If you set up a wireless network in client mode and then make that wifi ssid the WAN on your router, and then use standard LAN for your own devices, with masquerading on your WAN... your LAN will be totally isolated from the landlord's stuff.

If you need wifi for your LAN set up a separate SSID for yourself, with your own password. It's even better if you actually get yourself a cheap second router like a GL-inet AR300-lite and set that up in access point mode on a separate channel so your devices can talk to each other without all that repeater nonsense...

Is your landlord on a 2.4GHz or 5GHz channel? And do you have 1 or 2 radios on your OpenWrt router?

1 Like

Thanks for the first stages of hand-holding me through getting this set up haha.

My router is a TP-link wr841n v13, I'm looking through the settings but I can't see how many radios I have. Any clues on how I can find this out?

Landlord's router is 2.4ghz only.

I've been trying to follow your instructions but can't quite manage it. I've gone to "Network" then Wireless and clicked "add". I've then created selected "client" mode, and set the ESSID to the wifi network of the wifi here. I've also set the network to "wan" Then in "wireless security" I've entered the password of the wifi here. I think that's it, but after a save and reboot of the router it doesn't show any signal strength or connection on the router for that wifi connection, and just says "Wireless is not associated". I had this showing signal strength once while trying to work this out, so it has the ability to work, I can't work it out

Just 2,4GHz

Do a wireless scan, connect to the Wifi of your landlord and then proceed with the rest of the settings.

1 Like

I've also tried the scan method (found Landlord's wifi) and entered the security details. and as before I just get "Wireless is not associated".

Aha. I set the channel width to 40mhz and I now have wifi connection. I am however still confused about how to set up this connection. At the moment I have just got my laptop plugged into the ethernet port, and and trying to get the internet on it from the Landlord's wifi. So far I can't work out the correct combination of settings. And one lots even caused him to lose internet access for 10 minutes, so he's not too happy about that. Probably need less guess work and more hand holding if that's okay?

If you have assigned the WWAN interface in the WAN firewall zone and the interface that your laptop connects into the LAN firewall zone, then most of the part is finished. By default the WAN zone will do NAT and the LAN zone will provide with dhcp the settings.

1 Like

I suggest to do a firstboot and start from scratch, then just add the wifi client and make it part of the WAN network... after that it should "just work"

To do firstboot, just ssh into the router, and execute

umount /overlay && firstboot && reboot now

then when you've rebooted, set your password, log in on luci and add the wifi WAN.

EDIT: the only problem might be that your Landlord might use 192.168.1.x as his IP address range, if so, you'll want to change your LAN to use something like 192.168.2.x or even 192.168.38.x or some other such number that is unlikely to conflict with other networks :wink:

1 Like

To avoid ip conflicts on the network whilst you setup, set the static ip of your router to and give your laptop's lan connection a static ip address (just use the one you'll get via dhcp.)

In LuCI, I had to enable the force option for the dhcp server. I have set the Land Lord's router's ip address as the default gateway.

Your OpenWrt router needs to become another repeater and then you need to create two Wi-Fi vlans, one for IOT and the other for Internet access.

Bare in mind that being able to do so might depend upon the hardware.
A Wi-Fi device cannot go into client and AP mode at the same time unless it has a special mode for doing so. I have a router in repeater mode doing this right now but it's got DD-WRT, so please don't ask me how to using OpenWrt.
I'm sure someone else knows or the wiki has some info.

Also, might be worth looking at MAC address white and black listing to see if it could be a simple solution.

This could work, but it's also kind of a "default" setting so could also conflict with things. I like to do 10.x.y.1 where x and y are chosen at random (like go to and ask it for two random integers between 1 and 250)

I think this is reasonably common, but I don't know if it works on the machine in question. @dave-sausages if you give us the output of "iw list" we can find out.

Yeah, I'd not thought that the IOT devices like the bulb could be running an httpd instance for configuration.
I'll admit I go for first myself but I use both address ranges at the moment and don't have any fancy IOT stuff.

root@OpenWrt:~# iw list
Wiphy phy0
        max # scan SSIDs: 4
        max scan IEs length: 2257 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Available Antennas: TX 0x3 RX 0x3
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x1fe
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        TX STBC
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-15
                        * 2412 MHz [1] (18.0 dBm)
                        * 2417 MHz [2] (18.0 dBm)
                        * 2422 MHz [3] (18.0 dBm)
                        * 2427 MHz [4] (18.0 dBm)
                        * 2432 MHz [5] (18.0 dBm)
                        * 2437 MHz [6] (18.0 dBm)
                        * 2442 MHz [7] (18.0 dBm)
                        * 2447 MHz [8] (18.0 dBm)
                        * 2452 MHz [9] (18.0 dBm)
                        * 2457 MHz [10] (18.0 dBm)
                        * 2462 MHz [11] (18.0 dBm)
                        * 2467 MHz [12] (18.0 dBm) (no IR)
                        * 2472 MHz [13] (18.0 dBm) (no IR)
                        * 2484 MHz [14] (18.0 dBm) (no IR)
        valid interface combinations:
                 * #{ IBSS } <= 1, #{ managed, AP, mesh point } <= 4,
                   total <= 4, #channels <= 1, STA/AP BI must match
        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing

Output of "iw list" is above. Was just about to finally get this up and running and have now seen how many different routes I can take, so I'll hold off for the moment until you tell me which route to take, but I've got lots of jobs backing up that are reliant on this being set up. So I'd really like to get it running today.

Cheers guys

Edit: yes the ip address of my landlord's router is indeed with his dchp assigning ipdresses from to 150

How that helps you guys hand hold me through this

I've been having a play around for the last hour and still can't get anything to work. Laptop is working fine with openWRT router on ethernet port 1. Have set ip address of router lan to fine and works.

Have finally managed to get the wifi client link setup to the Landlord's wifi too. But even the stage of getting internet access to the laptop through the ethernet port is beating me.