IOT firewall zone: sanity check

I just set up a separate firewall zone for IOT. So far the only thing in there is a smart meter reader. I just need Home Assistant (which sits on my main LAN) to be able to read it out. No internet access needed.

The settings below seem to work (the forwarding rule is necessary, from what I read). I found that setting input to 'REJECT' would make the reader invisible to Home Assistant. However, I'm wondering if output needs to be set to 'ACCEPT' still?

Edit: well, looks like this is not working. HA is seeing the reader, but it's not registering any energy consumption; the past hour slot is empty. How do I diagnose this? I suppose adding another forward rule the other way around (IOT to LAN) would make the separate zone pointless?

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'lan'
        option dest 'iot'

No takers? :frowning:

Hi, please look at my setup in https://forum.openwrt.org/t/another-vlan-question-x86-to-2xrt3200/176858/5. 192.168.1.201 is my HA server. I still haven't restricted it on a port level, but it is working. I have used traffic rules by IP address to block the internet access to the sensors.

If I would go out of this zone forwarding, I would expect in most cases it works, though I might have used a traffic rule, but this should work as well.

Let me explain a little about firewalling and handshaking, or at least you can see it as handshaking.

A normal firewall always works from src lan to wan, but never from wan to lan. In other words, if a person wants to talk first from wan, the connection gets dropped as expected, unless of course you opened the port with port forwarding (in your case forwarding iot zone to lan). Now if a lan device was the first communicator, it creates a line and both clients are allowed to communicate back. It's a one-way direction, and that is a typical firewall.

So if you would reflect this on your meter, theoretically it should work. If not, then you can also try the opposite; it's not always useless to try :+1:

Note some of these devices still require internet because the app communicates via a relay web API back to your iot device, so it can be plausible it still needs internet.

At home I also use a meter from homewizard and another few aqara zigbee devices. Both of them don't use direct lan communication but rather relay to servers over the internet, which then communicate back via their API to the apps on my phone. If I block wan, all show offline.

I guess the easiest solution would be to put HA on your IOT Network.

I have almost the same setup and you could also just make HA available on both networks. As described here:

hi,

It looks like your HA-iot device is not using fetch but push mode, meaning your iot device starts the connection to HA. With your current config it is prohibited, but instead of adding another forwarding rule (from iot to lan), add a normal firewall rule which allows the connection-specific traffic only.
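The narrow rule the reply above describes, written out as an added example for /etc/config/firewall (not from the original thread). It assumes HA listens on TCP 8123 (the Home Assistant default) at 192.168.1.201 and that the zone from the first post is kept, with forward still 'REJECT' and no iot-to-lan forwarding section, so only the meter's push traffic to HA can cross into the lan zone:

```conf
# Zone from the first post stays as-is: zone-level forward remains REJECT,
# so iot devices cannot reach the lan zone (or wan) by default.
config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

# Existing one-way forwarding: lan may open connections into iot.
config forwarding
        option src 'lan'
        option dest 'iot'

# Added traffic rule: allow ONLY the meter's push connections to the HA host.
# 192.168.1.201 and port 8123 are assumptions; replace with your HA IP/port.
# Optionally add 'option src_ip' with the meter's address to pin the source.
config rule
        option name 'Allow-iot-push-to-HA'
        option src 'iot'
        option dest 'lan'
        option dest_ip '192.168.1.201'
        option dest_port '8123'
        option proto 'tcp'
        option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall reload`; to confirm which path the meter actually uses while diagnosing, the rule can temporarily carry `option log '1'` so its hits appear in `logread`.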

Thanks guys, seems like making HA listen on that VLAN as well might indeed be the easier solution.

