So I was wanting to know how to configure an IoT "guest" network to isolate/firewall off IoT devices. Right now I only have a regular Chromecast hooked via Ethernet to my router, and a Canon MG6600. I'm not as worried about the Chromecast because it seems like it gets regular enough updates, but the MG6600 hasn't had an update for years and could have who knows what vulnerabilities.
Network is very simple:
Cable modem (no router)
|
TP-Link Archer C7v2
| ------wifi MG6600
| ------Chromecast ethernet
| ------Wifi laptop 1
| ------Wifi laptop 2
| ------Wifi laptop 3
| ------Wife's Android phone (Samsung S9)
| ------My iPhone 12
| ------Wifi iPad
Now I'm used to corporate networking where isolation is done using VLANs, but since it's all in the same device I don't really need it, I think, provided the firewall blocks it.
Ideas of how to do this:
- Separate SSID guest-like network called "iot" that Canon and Chromecast connect to.
- Just create specific static IPs for Chromecast and Canon and create individual firewall rules
- Separate SSID on separate subnet.
- ???
- Profit (sorry couldn't help myself)
Why am I doing this? Simple. Security. I don't trust both devices because they don't get regular updates (especially the printer), and I don't print enough to justify a newer printer.
I tried doing a separate VLAN/firewall rule using several threads and guest network guide, but it gets confusing. Eventually I got to where I firewalled myself from the Internet and router (SSH AND web interface were connection refused) and the wife wasn't happy either.
I am used to Linux but suck at iptables and honestly the GUI on OpenWrt is more comfortable for me. Also, it seems like the Chromecast requires some fancy protocol handling. Also, I'm thinking of keeping all devices in the same subnet (default 192.168.1.0/24) because then I can print from my iPhone for example.
There isn't a clear guide that makes sense, and a requirement is getting printing/Chromecast to work, but not allowing those devices to see anything else in the network.
Thank you in advance