How to protect and isolate IOT devices in a Multi AP environment?

I have seen other similar questions but not with my network configuration (IOT isolation with vlans in multi-AP environment - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum).

I have some IOT devices, which I would like to isolate in a network in order to have 2 separate networks (with the same base hardware infrastructure).

  • One home network where the PCs, tablets, phones... of the family members would connect (wirelessly 2.4G or 5G, depending on their capabilities, or through ethernet).
  • One IOT network where the thermostat, controllers, ip cameras or other IOT devices would be connected wirelessly. For now I don't have any iot device that has an ethernet interface.

The idea is to not let iot devices connect to the internet, just among them and with the router.
They should not connect to the home lan either. So they can't send any info to cloud services or the internet inadvertently (with all those devices coming from china or other uncertain sources I don't want anybody to take control of my home).

But to simplify things (configuration or testing of devices, which usually exhibit an http interface) I would let all devices from the home lan connect to the iot lan.

I don't know if this approach can have security risks.
Any opinion about what would be the best and more secure approach would be welcome (taking into account simplicity, my home is not the NASA or the central bank either).

One problem I can think of is updating firmware on the devices. Many can be updated via OTA (that won't be directly possible from the internet, as they won't be connected to the internet) but you can always use an http connection to upload a file. OTA from the device won't work either from a file in the home lan as devices cannot access the lan network (there is always the possibility of configuring exceptions).

The second part of the problem is how to achieve that planning.

I would describe my current config with the home lan network.
I would like to change it (in the hardware part) as few as possible, and maintain the number of needed devices to the minimum (no new routers, gateways etc, if possible).

There are two parts of the home that are far enough apart that the wifi network of one part cannot be reached from the other: backside and frontside.

So I have:

  • One gateway at the backside of the home. It is the one provided by the ISP.
    It acts mainly as the gateway to direct traffic to the ISP WAN. No other services are installed in it (that is the task of the main router), but it is configured as a WIFI access point for devices in the backside of the home (with the same SSID and password as the main router, to provide itinerancy), and ethernet access to a couple of computers. IP addresses are served by the main router.
    This device could be used to configure more SSIDs to give access to the iot devices, but it is limited in functions and configuration possibilities (as the firmware is from the ISP).

  • One main router at the front of the home. It is a fritzBox 440 with openWRT installed (last version, 21.02.1). It is the DHCP server to provide IPs. It acts as the local DNS server for the home devices too. It has mDNS configured with a .home domain for easy access to the NAS server or other devices that need to be accessed with a known IP and which have static IPs assigned in the DHCP config.
    It has the Mosquitto MQTT server installed too in order to act as the MQTT broker of the home (this service of course should be accessible from the IOT network).
    It has a QNAP NAS connected to its ethernet port and provides a WIFI access point to the devices at the front of the home, with the same SSID and password as the AP in the gateway at the back side.

In order to achieve the goal of isolating iot devices without adding more devices to the network such as routers or gateways, I have:

  • Created another wifi lan at the main openWRT router, let's call it IOT Wifi, with its own different SSID and password.
  • Configured a new interface named IOT that is only linked to that wifi in the network field during creation.
  • Configured the iot interface with protocol "static address" with an IP address in a private Class B network different from the private IP network of the home lan.
  • Configured DHCP to serve IPs to devices connected to that iot interface.
  • I have not created VLANs for now at the switch level to assign ports to the iot lan, as there is not yet any ethernet iot device, and I would like to keep things as simple as possible.
  • I have configured a firewall rule to reject all traffic coming from the iot zone to other zones, and to accept redirected traffic from lan to iot, as can be seen in the image (the wan zone is not really used, as the wan port of the router is disabled, as it is not directly connected to the internet; internet traffic is redirected to the ISP gateway by configuring it as the gateway of the home lan interface in the main router).

At the ISP gateway in the backside, I have created another IOT wifi access point with the same SSID and password as the one at the frontside, in order to provide wifi connection to the IOT network to the devices at the backside.

It seems to work now to some extent.
I can connect to the IOT wifi in the main router and I get a new IP in the iot network, and I get an advertisement that I don't have an internet connection.

But I could not solve some things yet:

  • I am not sure if the firewall rules are OK and devices from the home lan can connect to the iot devices, but not vice versa.
  • I don't know how to provide IOT address to the devices connected to IOT wifi at the BACKSIDE of the home, to the ISP gateway. Devices connected there get addresses from the home lan, I think.
  • I don't know how to config mDNS in order to create a separate .iot domain, different from the .home local domain, to give iot devices easy access names instead of having to remember IPs.

Any help and ideas would be welcome.

It is correct. However, you may change iot zone input to reject. Then allow dhcp and dns (if needed) from iot zone to the router itself.

Make a new dnsmasq instance for iot and give its own domain name.

That cannot work without vlans and proper configuration on ISP router.

1 Like
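As an added example (not code from the thread or from OpenWrt's defaults), this is how the two suggestions above look in UCI form. It assumes the interface and zone are both named 'iot', the home zone is 'lan', and Mosquitto listens on its default MQTT port 1883 (the broker port has to be opened explicitly once the zone's input policy is REJECT):

```uci
# /etc/config/firewall (fragment)
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'     # nothing reaches the router itself by default
	option output 'ACCEPT'
	option forward 'REJECT'   # no iot -> lan forwarding (and so no internet)

config forwarding             # one-way: lan may open connections to iot
	option src 'lan'
	option dest 'iot'

config rule                   # DHCP from iot clients to this router
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule                   # DNS to the iot dnsmasq instance
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule                   # Mosquitto on the router (assumed default port)
	option name 'Allow-IoT-MQTT'
	option src 'iot'
	option proto 'tcp'
	option dest_port '1883'
	option target 'ACCEPT'

# /etc/config/dhcp (fragment): second dnsmasq instance for the .iot domain
config dnsmasq 'iot'
	option domain 'iot'
	option local '/iot/'
	list interface 'iot'
	option leasefile '/tmp/dhcp.leases.iot'

config dhcp 'iot'
	option interface 'iot'
	option instance 'iot'     # bind this pool to the 'iot' dnsmasq above
	option start '100'
	option limit '150'
	option leasetime '12h'
```

The existing (.home) dnsmasq section needs a `list notinterface 'iot'` (or an explicit `list interface 'lan'`) so that the two instances do not both bind the iot interface, and `option instance` on the lan pool must point at that section's name.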

I had a look, but it seems difficult.

After creating the new dnsmasq instance, would it be possible to manage both instances from LuCI?

Now the ISP gateway has DHCP disabled in the internal lan in order to direct all dhcp requests to the main openwrt router.

But one way of having it working would be to activate DHCP to serve IPs only in the iot wifi network to the devices connected to the gateway, with leases in the same IP network as the ones served by the openwrt main router, but with lease ranges that won't overlap.
I think it can be done using the (awful) interface of the ISP gateway.

So all iot devices connected to the wifi iot network would have IPs in the same network.

But the problem is that they won't have DNS names assigned dynamically and it would be more work to assign names to devices, but it can be done (with static leases in the gateway and DNS names in the openwrt router).

Do you think it is feasible or you see other problems?

Another possibility is installing another openWRT access point with some old router I have around in the backside to create the iot wifi network there.
With two openWRT routers that should be feasible using tagging and VLANS ?

But it seems a complex and error prone job, with lots of possibilities of putting my main router out of work for long time periods (and my family won't be happy).

It is copy-paste.
Then you can use Luci to manage them.

If you don't use vlans, they will be 2 different networks. You should start thinking to take the ISP router out of the equation and use it only as a router between the ISP network and the OpenWrt router.

1 Like

OK, I will try having two dnsmasq interfaces in an old test router.

Why two different networks?

If they are all in the same class B network like 172.16.XX.XX, they will be able to interact and send messages. The main router would be at address 172.16.255.1 for example and have DHCP activated serving leases from 1 to 1023 (172.16.0.1 to 172.16.4.254) and the ISP gateway (or other access point that offers iot wifi connection and has dhcp activated) would be on 172.16.255.2 and offer leases from 1024 to 2044 (172.16.5.1 to 172.16.9.254). Both will configure 172.16.255.1 as the gateway and dns router.

So all devices connected to one or the other router offering iot wifi would be in a logically unique class B network, and in the same network as both routers (in their iot interface).

So they can interact and send messages, but when they try to access other networks, the main router will block the traffic.

On the other hand I have been thinking about substituting the ISP gateway functions with another openWRT router from time ago, as its interface and functions are quite limited and the interface obscure and awful.

I would just use the wan ethernet port in the openWRT router to connect to one port in the ISP gateway and just use DMZ to redirect all traffic to the openWRT router or send traffic destined to the internet through the gateway.

But I don't like having so many gadgets and things to configure.
But if I install zigbee or other protocols like z-wave that are supported in some routers and by openWRT it would be the time to do that.

What you describe here won't work.
IOT and LAN must be separate networks, both physically, e.g different vlans, and logically, e.g different subnets.
If you use the ISP router as you described:

and you configure everything on the OpenWrt only, then you can make it work. However nothing should connect to the ISP router anymore.

1 Like

I don't know if what I tried to explain was understood correctly.

Home LAN is in a different IP network, it is in 192.168.2.0 and served through ethernet and WIFI with other different SSID.
So at least it is separated at the logical level, even if traffic travels through the same ethernet wires.

The wifi for iot is served in two access points: the main router and the other router (from the ISP) and it would be IP net 172.16.0.0.
The need for activating DHCP in the ISP router is for being able to serve IPs in that network for devices connected to that router, as I won't be able to differentiate devices connected to that router's iot wifi if the DHCP messages arrive at the DHCP server in the openWRT main router, at least with no VLAN tagged traffic (I don't know how to do it with two openWRT routers).
At least devices connected to any of the routers in the IOT Wifi would be served a correct IP address in the same network and would be able to talk among them.

But it is not a real vlan isolation, maybe. And then there is the problem of being able to register those assigned IPs and names in the DNS in the main router (I don't know how to do that either, if possible).

The ISP router has vlans and other possibilities, but it is not documented at all, and if you play with it you would end up with a bricked router and no internet connection for a long time.

So yes, the best approach would be to have two openWRT routers and use the ISP router just as a gateway/modem (it does other functions too like separating TV traffic and voice).

That was my first idea, I prefer having just the ONT to convert from fibre to ethernet. But the operator does not provide that option for residential users.

The problem with installing another router is that the operation of the ISP router in bridge mode is not supported by the ISP (you can do it from internet tutorials, but at your own risk, and when you have any problem the ISP would say that the problem is having a misconfigured router).

If you don't use it in bridge mode you would have the problem of double NAT, that is not good either.

Another problem is that the router I have to do that has slow WIFI, no 5GHz mode or the advanced mode of 2.4 G (N). But it can be solved by buying another router, not a big deal breaker.

And on the other hand I don't know how to configure the two openWRT routers to create the two VLANs and collaborate and serve DHCP for each network correctly, and DNS for home and iot domains (each device being served a DHCP IP for the appropriate network and being registered in the .home or .iot domain as needed).

Could you explain to me how to do it as easily as possible? (at a logical level of how to separate two vlans and assign wifi interfaces to them and interconnect the routers, with tagged vlan traffic, I suppose, I will see the details of how to do it step by step later).

I have another router to make tests.

If it works, I can see if I can substitute the ISP router and let it just as a bridge.

I have not put it to work yet, but I think I mastered the creation of VLANs in openWRT, thank you.

If I understood it well, I need to create a new virtual device of type VLAN (802.1q), let's assign 15 to it.
That would create a new bridge type device.

Then assign the wireless device corresponding to the iot SSID to that device.
In the switch, assign the new VLAN 15 to the ports and cpu as tagged in order to get both routers communicating through that vlan, and create a virtual cable between both routers.

The new device interface can have DHCP activated with a new IP network.

There remain some DHCP and DNS details, but it may be better to start a different thread for that.
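As an added example (not from the thread), the layout just described written as an OpenWrt 21.02 DSA configuration for the main router. Assumed: switch ports named lan1..lan4 with lan4 as the tagged trunk to the second OpenWrt AP, VLAN 1 for the home lan (192.168.2.0/24 as stated earlier in the thread, router at .1 assumed) and VLAN 15 for iot (172.16.255.1/16 as proposed earlier); the wifi key is a placeholder:

```uci
# /etc/config/network (fragment) on the main router, DSA style
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'          # trunk to the second OpenWrt AP

config bridge-vlan             # home lan: untagged on access ports, tagged on trunk
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config bridge-vlan             # iot VLAN 15 exists only on the trunk (and wifi)
	option device 'br-lan'
	option vlan '15'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.15'
	option proto 'static'
	option ipaddr '172.16.255.1'
	option netmask '255.255.0.0'

# /etc/config/wireless (fragment): the IoT SSID attaches to the iot interface
config wifi-iface 'iot_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IOT Wifi'
	option network 'iot'       # puts the SSID into br-lan.15
	option encryption 'psk2'
	option key 'CHANGE-ME-PLACEHOLDER'
```

On the second AP the same two bridge-vlan sections are used with its uplink port tagged, its 'iot' interface set to `option proto 'none'` and its IoT SSID bound to it, so DHCP requests from devices at the backside arrive at the main router tagged as VLAN 15 and are answered by the iot pool there.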

You may find these two videos helpful. Some of the interface options within LuCI have changed since they were produced.

2 Likes

The same youtuber recently released an updated video based on OpenWRT 21.x:

4 Likes

Thanks a lot.

Tomorrow a new router will arrive and I will be able to test this, with the old router it was a bit problematic, too slow and it hangs.

I will study those videos. I think I have mastered the vlan creation already.

It seems that in my case the dumb switch works and passes the vlan data correctly, as I could ping from a pc connected to a router to another in the other router.

Finally I could get it to work, with vlans to separate iot, guest and lan networks.
The new RT3200 seems to work quite well even in beta snapshot firmware.

The Fritz!Box 4040 gave me a lot of headaches, I configured it, it seemed to work to some extent and then stopped working suddenly and I had to boot in failsafe mode due to minor changes that were supposed to be correct.

I could finally get vlans to work, using the switch mode.
The problems I was experiencing had nothing to do with using DSA or switch architecture.
It seems this kind of router with Atheros IPQ4018 has some problems and limitations with vlans 1 and 2 that are hardcoded to internal use. Not the vlan id, but the entry table position where you assign the vlan.
Luci does not let you control that and uses those positions even if you use a different vlanid, something I did not fully understand.

When I changed that and used other entries, all worked.
It took several days and lots of work trying different things thinking that I was doing something wrong, when it was OK from the beginning.
Thanks to several posts here in this forum and the help of different people I could get it to work.

1 Like
