IOT: How to combine additional Wifi SSID and physical LAN port with vlan

I am trying to set up an isolated network for my IOT, comprised of a Wifi SSID and a physical LAN port on my R7500v2. This is under 21.02.2. I have both wireless and wired IOT things I want to connect.

I went into Luci->Network->Wireless and added a new SSID called "iot", creating a Network called "iot" there and giving it an interface name of "if_iot".

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'iot'
	option encryption 'sae-mixed'
	option ifname 'if_iot'
	option key '[redacted]'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option wpa_disable_eapol_key_retries '1'
	option network 'iot'

Then I made a new interface for IOT under Network->Interfaces:

config interface 'iot'
	option proto 'static'
	option device 'if_iot'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'

and turned on DHCP:

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.3'
	list ra_flags 'none'

and made a firewall zone:

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

That seems to work, with a firewall rule to let local DNS through, to get my IOT devices that connect via wireless into the 192.168.3.1 range and isolated on the network.

However - my SmartThings and Hue hubs can only connect via ethernet, no wifi. They are attached to a switch which is plugged into LAN port 3 on my router. How do I combine the devices on that LAN port with devices on SSID iot and get them all assigned to the same subnet & firewall zones so they can talk to each other, but remain sandboxed from the rest of the LAN?

I think I need to make a VLAN and bridge the VLAN associated with LAN port 3 with the Wireless iface I created, but this is where I'm completely lost. It doesn't look like the tutorials I've found on Youtube or elsewhere, so I can't tell what ports to choose etc.

Basic config info for my router: https://openwrt.org/toh/netgear/r7500#basic_configuration

Any help is most sincerely appreciated!

1 Like