IoT network help

Hi,

I basically need to isolate certain devices, not allowing them to connect to the internet but keeping LAN access, so I can reach them and use them only from home.
The thing is that they are """smart""" and have automatic integration with Google and Alexa, and I want to restrict all of that. I cannot use them without a WiFi connection, so not connecting them to the WiFi is not an option, sadly.

I would like to have a different subnet and WiFi SSID and connect all the dangerous IoT devices there.
My plan is:

Network A - 192.168.1.X for general devices.
Network B - 192.168.2.X for IoT devices.

Is this the best way of doing this? The goal is to connect them to the WiFi and not allow them to call their servers, but allow me to use their apps when connected to my WiFi.

Thanks.

You can follow https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#guest_wi-fi_basics
for the most part.

Obviously disallow DNS and don’t forward to any destination zones in firewall.

2 Likes

Are you sure they'll even start without the internet connection?

If yes, then block the access from 192.168.2 to the wan interface.

2 Likes

A zero configuration and secure way of isolating IoT devices without having to put them on a separate ip subnet is to install openNDS.

In the default, post install config, openNDS will block all traffic to the Internet. "Humans" will be served a simple page where they just have to "click to continue" but even "smart" IoT devices will not know what to do and remain blocked.

Personally though, if I knew an IoT device was dangerous, I think I would bin it. :stuck_out_tongue_closed_eyes:

1 Like

I have read it, but I don't know if I can access network A from network B that way. Does it require extra configuration steps?

I haven't tried yet, but I'm pretty sure they will.
Another great use case would be, for example, a WiFi printer that I have; that way I can prevent the automatic firmware upgrades that block non-official ink cartridges.

I have other devices that will fail that test and I want to use. But thanks for the suggestion.

It's not about them being dangerous; it's my unwillingness to give away my private data and to be advertised to so easily.

If by that you mean you have devices that do need Internet access, then they can be added as trusted devices by mac address.

1 Like

Oh, that's cool, I never heard of it before. I will take it into consideration in case the other approaches don't work.

It seems to fit your use case: control your IoT devices from your LAN subnet, don't let them call home, and isolate them from accessing anywhere else.

1 Like

But my issue is:

I am normally connected to network A and I want to reach the devices from that network despite the IoT devices being in the other subnet (B).

Imagine that the device is a network printer. I want to send documents to it but not allow it to connect to the internet. If the printer is in another subnet, do I need to configure any rules to communicate with the device?

This is generally pretty simple.

If you have 2 subnets (let's call them "Trusted" and "IoT"), you set up forwarding from Trusted > IoT, but not the other way around. This allows the Trusted network to initiate connections (and IoT can respond), but the reverse is blocked.

Further, if you want to block IoT network from reaching the internet (as a whole), that's really easy -- simply don't create a forwarding rule for IoT > wan.

The only caveat is that mDNS and other similar autodiscovery protocols don't route across subnets. Often that can be resolved by configuring an mDNS repeater/reflector.

2 Likes
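As an added example (not posted by anyone in this thread), this is the `/etc/config/firewall` fragment that implements the one-way forwarding described above. It assumes an interface named `iot` has already been created in `/etc/config/network` for 192.168.2.0/24 and the IoT SSID attached to it, as in the guest Wi-Fi guide linked earlier; the zone and rule names are mine. The stock `lan` zone and its `lan > wan` forwarding stay as they are.

```uci
# Added example: separate firewall zone for the IoT subnet.
# Assumes the network interface 'iot' (192.168.2.0/24) already exists.
config zone
	option name 'iot'
	list network 'iot'
	# Traffic addressed to the router itself is rejected by default;
	# the rules below open only what the devices need.
	option input 'REJECT'
	# Router may talk to the devices (needed for DHCP replies, mDNS reflector).
	option output 'ACCEPT'
	# No forwarding out of the zone: this is what keeps IoT off the WAN.
	# Deliberately NO 'config forwarding' with src 'iot' and dest 'wan'.
	option forward 'REJECT'

# Trusted (lan) may open connections into IoT. Because the firewall is
# stateful, replies to those connections come back without a reverse rule.
config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices still need an address from the router's DHCP server.
config rule
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# Only needed if you run an mDNS reflector on the router (see avahi below):
# lets the devices' multicast announcements reach the reflector.
config rule
	option name 'Allow-mDNS-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '5353'
	option target 'ACCEPT'

# No DNS rule on purpose (as the first reply suggests): the devices get no
# resolver from the router, and a hard-coded public resolver would be
# dropped by the missing iot > wan forwarding anyway.
```

After `/etc/init.d/firewall restart`, a quick check is: from a laptop on `lan`, connecting to the printer's web page in 192.168.2.x works; from a device on the IoT SSID, any connection to a public address times out, and in `logread` you will not see the IoT zone appearing in forwarding to `wan`. If a particular device genuinely needs the internet, add a `config rule` with `option src 'iot'`, `option dest 'wan'`, `option src_mac '<its MAC>'` and `option target 'ACCEPT'` for that MAC alone rather than opening the whole zone.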

Thanks for the answer. Can you link me to more info about mDNS repeaters? I can't find any info in the OWRT wiki.

Look at the avahi packages.

2 Likes
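As an added example, not from the thread: the relevant part of `/etc/avahi/avahi-daemon.conf` after installing the avahi daemon package on the router, configured to reflect mDNS between the two subnets so that a printer on the IoT SSID is still discoverable from the trusted network. The bridge interface names `br-lan` and `br-iot` are assumed; adjust them to what `ip link` shows on your router.

```ini
; Added example: avahi as an mDNS reflector between the two subnets.
[server]
use-ipv4=yes
use-ipv6=no
; Only listen on the two internal bridges, never on the WAN interface.
allow-interfaces=br-lan,br-iot

[reflector]
; Re-announce multicast DNS packets received on one interface on the others.
enable-reflector=yes
```

The reflector only relays the discovery announcements; the actual print job still goes unicast from the trusted subnet into the IoT subnet, so the one-way `lan > iot` forwarding is what decides whether it is allowed. The router's firewall must also accept UDP 5353 from the IoT zone on its own interface, otherwise avahi never sees the devices' announcements.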