I want to separate all IoT devices from the other devices in my home network.

Please advise how I can do that.
I have following

  1. Docsis 3.0 Modem
  2. TP-Link Archer A7 router and another spare router, which is also dual band
  3. poe nvr
  4. two poe ip camera
  5. two non poe ip camera
    Also, apart from the PoE NVR recording locally, at times I want to be able to view all IoT devices remotely when I am away from home.

You can create an IoT network (wifi only, wifi + ethernet, or ethernet only). It will look a lot like the guest wifi configuration, but you can adjust the formula to meet your specific needs (for the firewall and/or the physical interfaces).


I have created 2 guest wifi networks - one for 2.4G and another for 5.0G.
All cameras are connected to the 2.4G guest wifi, so that is fine. But I recently bought a PoE NVR, and when I connect it to the router's LAN port no. 4 it obviously gets a 192.168.1.xxx IP address, whereas for the guest wifi I have chosen 192.168.8.xxx. So how do I put this ethernet-cable-connected NVR on that wifi network (on which there are 3 cameras working fine), so that the entire camera+NVR setup stays in one VLAN, separate from the laptop and other devices in the home?

It is fairly easy to do, but it is best if we can see your network config so we can give you specific suggestions.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer A7 v5",
        "board_name": "tplink,archer-a7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '**ipv6**'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'MAC'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '20'
        option peerdns '0'
        list dns '94.140.14.14'
        list dns '94.140.15.15'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config interface '**2.4G guest SSID**'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option device 'phy1-ap1'
        option gateway '192.168.1.1'

config interface '**5.0 Guest SSID**'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option device 'phy0-ap1'
        option gateway '192.168.1.1'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'

config interface 'OPVN'
        option proto 'none'
        option device 'tun0'
        option delegate '0'
        option metric '10'
        list dns '94.140.14.14'
        list dns '94.140.15.15'

config device
        option name 'eth0'

config device
        option name 'tun0'

config device
        option name 'wg0'

config interface 'wg0'
        option proto 'wireguard'
        list addresses 'Proton VPN provided IP'
        list dns '**Proton VPN provided DNS**'
        option force_link '1'
        option metric '10'
        option private_key '**PRIVATE KEY**'

config wireguard_wg0
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option description '1'
        option public_key '**PUBLIC KEY** '
        option endpoint_host '**PROTON VPN server IP** '
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'US'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '**5G SSID**'
        option encryption 'sae-mixed'
        option key '**Password**'
        option macfilter 'allow'
        list maclist 'MAC'
        option hidden '1'
        option isolate '1'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'US'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option ssid '**2.4G SSID**'
        option mode 'ap'
        option key **'Password**'
        option encryption 'sae-mixed'
        **list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC**'
        option macfilter 'allow'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '**2.4G Guest SSID**'
        option encryption 'sae-mixed'
        option key '**Password**'
        option network **'2.4G Guest SSID**'
        **list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
        **list maclist 'MAC'**
**        list maclist 'MAC'**
**        list maclist 'MAC'**
        option macfilter 'allow'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid '5G Guest SSID'
        option encryption 'sae-mixed'
        option key 'Password'
        option network '**5G Guest SSID**'
        list maclist 'MAC'
        option hidden '1'
        option isolate '1'
        option disabled '1'

@psherman - I hope what I shared is enough for you. I tried to mark in bold what I have masked (for example, the password or SSID), but somehow it did not work.

We'll take logical port 5 from your lan and make it work with your 2.4G guest network subnet. I'm not sure what the mapping from logical to physical ports looks like on your device, so if you want a different physical port, you'll need to experiment with logical ports 2-4. Edit VLAN1 to look like this (logical port 5 removed):

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4'

Now, add VLAN 3 with 0t (CPU) and logical port 5.

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 5'

Create a bridge for vlan3.

config device
        option name 'br-guest24'
        option type 'bridge'
        list ports 'eth0.3'

Then modify your guest2.4 interface to use the bridge like this (note that I'm also removing the gateway -- the default gateway will be used automatically -- and the DNS entries, since they have no effect here):

config interface '2.4G guest SSID'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option device 'br-guest24'

While slightly tangential, remove the gateway, dns, and device lines below (wifi radio devices should never be defined in the network config file):

Your OPVN interface should look like this (the other lines have no function here):

config interface 'OPVN'
        option proto 'none'
        option device 'tun0'

Remove all of these since they are vestiges and have no purpose:

Then restart and test again... it should work as you desire (except for potentially the physical port mapping).


Thanks for taking time for me.

I have a TP-Link Archer A7 and it has 4 LAN ports, so when you say logical port 5, I think you are referring to the LAN 4 port - correct? And yes, that is where I am going to connect the PoE NVR - so please confirm if I am wrong here.

When modifying guest2.4, you said to remove the gateway and remove the custom DNS (in this case I have used Google public DNS servers). I used custom DNS because I read somewhere that you do that to prevent a DNS leak - correct me if I am wrong.

The same logic applies to the OPVN custom DNS entries - here I have used the AdGuard public DNS servers 94.140.14.14 and 94.140.14.15.

Further, you said to remove the eth0, tun0 and wg0 devices - but I use the WireGuard interface, and sometimes when WireGuard is not working I use OPVN, so wg0 and tun0 are required, correct? I am also not sure what it will do if I remove eth0.

That is my intent, yes... but... with swconfig, the logical-to-physical port mapping is not always 1:1 or otherwise logical in human terms. So, it could turn out that it is not port lan 4. You should know right away once you make the changes.

No. I recommended removing the dns entries there because they actually have no effect. The only situation where the DNS entries in a network interface stanza will have an effect is on the upstream network(s)... in most cases that means the wan interface.

Yup... they do nothing in the network stanzas.

You can set these in the DNS & DHCP configuration (/etc/config/dhcp), and you may even use a set of firewall rules if you intend to block other DNS servers and/or perform a DNS hijack.

Those devices are already assigned and in use... the device stanzas I highlighted just don't do anything. For example, eth0 is already known to the OS, and it is actually the connection between the CPU and the built-in switch. The tun0 device is created by the OpenVPN config, as is wg0 by WireGuard. You don't need these little vestigial device definitions.

I have entered the AdGuard DNS servers under the wan interface's advanced settings.
So should I continue to use the AdGuard DNS entries I have in the wan interface as well? Or do you recommend removing them from there too?

So far I have followed all the steps you advised - now I have to connect the PoE NVR to LAN port 4, and then I will share the results.

Thanks again.

The wan interface normally should contain DNS entries that are accessible by the router at all times. ISP or other public DNS servers should be fine. Using an internal address, such as self-referencing the router itself (in the case of running AGH or similar) or pointing to a separate DNS server in your own network (think PiHole), can lead to issues in the event that the DNS server goes down and/or for other reasons cannot resolve. Typically you want your router to always have the capability of reaching a DNS server, but the details of that are up to you.


More than likely, VLAN 3 on port 4 should be untagged. (unless your NVR is VLAN aware and is expecting VLAN 3 tagged; this is unlikely, though).


So currently I have set it as untagged, and I can access that NVR on the guest network.
I still have trouble accessing the cameras I attached to this NVR - right now they show as not online, so they are not viewable in the browser window. (I think that is a subject I need to discuss somewhere other than this forum, correct?)

Try connecting your computer to the guest network and see if you can access the cameras at that point.

I could try that, but I don't want to connect my computer or devices on my main network to that guest network, even temporarily. I have dedicated a smartphone to that guest network, on which I can log in to the NVR via the browser - when I check the network settings, it shows the camera status as offline.

Are the cameras connected directly to the NVR or to some other device? Do you know if the NVR has NAT masquerading enabled?

Oh, I guess you know about these cameras as well... good for me.
Yes, I have 2 ONVIF cameras directly connected to PoE ports 1 and 2 of the NVR - please note the NVR is PoE but the cameras are not, so I am connecting both an ethernet cable and a power adapter to the cameras.

I checked for NAT under the network settings and it gives the option to either enable it or use UPnP. I tried both but it does not work. It also gives the option to set 'port mapping' to either auto or manual - a masquerading option is not there to enable or disable.

Under the network -- TCP/IP option, it gives a checkbox for DHCP and DNS; unchecking it lets you manually enter the IP / subnet mask / gateway and DNS.

RTSP is enabled ...I can disable it if I want

Under camera management I can choose to edit the IP address as well as the protocol and port number (in this case I chose ONVIF because those are ONVIF cams; the NVR and cams are made by different manufacturers).

By the way, I just noticed that in the OpenWrt router, under Routing > IPv4 Neighbours, it shows 2 wan addresses - 73.193.xx.xxx and 73.193.xy.x - with the same device MAC for both wan addresses. Is that something to be worried about?

Well, no, I don't know about your cameras. I was asking because NAT masquerading could be a factor here, but it sounds like the NVR doesn't do this, although I do wonder what the "port mapping" control does (that's typically a function of NAT).

This is the NVR box? Is it set to DHCP?

How do the cameras get their IP addresses? Are they DHCP or static IP? Are you able to connect to the cameras in any way?

That's rather unusual, to have two wan addresses.... are you sure one of them isn't the gateway on the wan?
