IoT VLAN firewall & interface questions

I set up a separate VLAN for a few IoT devices. Forwarding from LAN to IoT is set up, so HomeAssistant (which sits on the LAN) can talk to the IoT VLAN. The DHCP server on the VLAN hands out DNS and gateway information to the clients on the VLAN.

Questions:

  • I read that masquerading (or a static route) is needed for clients to have WAN connectivity. Since I set up an interface on the router for that VLAN, I'm wondering if I still need masquerading? I suppose not?
  • Is an interface for the VLAN on the router really needed? I suppose not, but then I would need masquerading or a static route?

Network config (router):

config bridge-vlan 'iot_vlan'
	option device 'br-lan'
	option vlan '40'
	list ports 'p2:t'
	list ports 'p7'

[...]

config interface 'iot'
	option proto 'static'
	option ip6assign '60'
	option ipaddr 'xxx.xx.40.1/24'
	option device 'br-lan.40'
	option ip6hint '40'

Firewall config:

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'IoT DNS'
	option src 'iot'
	list src_ip 'xxx.xx.40.7'
	list proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option name 'IoT DHCP'
	option src 'iot'
	option dest_port '67-68'
	list proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'IoT WAN HTTPS'
	option target 'ACCEPT'
	option src 'iot'
	option dest 'wan'
	list proto 'tcp'
	option dest_port '443'

config rule
	option name 'IoT WAN Awair'
	option target 'ACCEPT'
	option src 'iot'
	option dest 'wan'
	list proto 'tcp'
	option dest_port '8883'

No, only the upstream network needs masquerading (typically the wan).

An interface is needed, but masquerading and static routes are not needed.

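To make the answer above checkable against a config rather than taking it on faith, here is an added example (my own code, not from this thread or from OpenWrt). It parses the firewall fragment posted in the question with a minimal UCI reader and checks the two points that matter: masquerading is present on the upstream zone and absent from internal zones, and every ACCEPT rule is scoped to a port. The input is constructed: the poster's redacted `src_ip` is replaced by an assumed 192.168.40.7, the 8883 rule is omitted for brevity, and a `wan` zone with OpenWrt's default `masq '1'` is added because the post does not show it.

```python
"""Minimal UCI parser plus a firewall sanity check (added example)."""
import re
from typing import List

# Constructed input: the firewall fragment from the question (abridged), with the
# redacted src_ip replaced by an assumed 192.168.40.7 and an assumed
# OpenWrt-default 'wan' zone added, since the post omits it.
FIREWALL_CONFIG = """
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'IoT DNS'
	option src 'iot'
	list src_ip '192.168.40.7'
	list proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option name 'IoT DHCP'
	option src 'iot'
	option dest_port '67-68'
	list proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'IoT WAN HTTPS'
	option target 'ACCEPT'
	option src 'iot'
	option dest 'wan'
	list proto 'tcp'
	option dest_port '443'
"""

UPSTREAM_ZONES = {"wan"}  # zones that face the internet and therefore need masq

_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*))?\s*$")


def _unquote(value: str) -> str:
    """Strip the single or double quotes UCI puts around values."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text: str) -> List[dict]:
    """Parse UCI text into a list of section dicts.

    Each dict carries '.type' and '.name' (None for anonymous sections such as
    'config zone'); 'option' values are strings, 'list' values are lists."""
    sections: List[dict] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank lines and '#' comments
        kind, key, value = m.group(1), m.group(2), _unquote(m.group(3) or "")
        if kind == "config":
            sections.append({".type": key, ".name": value or None})
        elif kind == "option":
            sections[-1][key] = value
        else:
            sections[-1].setdefault(key, []).append(value)
    return sections


def audit_firewall(text: str) -> List[str]:
    """Return findings; an empty list means the config matches the advice:
    masq only on upstream zones, and every ACCEPT rule names a dest_port."""
    findings: List[str] = []
    sections = parse_uci(text)
    for z in (s for s in sections if s[".type"] == "zone"):
        name, masq = z.get("name", "?"), z.get("masq") == "1"
        if name in UPSTREAM_ZONES and not masq:
            findings.append(f"zone '{name}': upstream zone without masq")
        if name not in UPSTREAM_ZONES and masq:
            findings.append(f"zone '{name}': masq on an internal zone is unnecessary")
    for r in (s for s in sections if s[".type"] == "rule"):
        if r.get("target") == "ACCEPT" and "dest_port" not in r:
            findings.append(f"rule '{r.get('name')}': ACCEPT with no dest_port matches every port")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(FIREWALL_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted fragment, the only finding is the 'IoT DNS' rule: with no `dest_port` it lets 192.168.40.7 reach every port on the router itself, not just 53. The `iot` zone correctly carries no `masq`, so traffic between LAN and IoT stays routed without address translation.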

Thanks @psherman!

You're welcome. If you'd like me to review the full config, feel free to post it here. Otherwise, hopefully everything is working as you want.

Did you consider looking at the problem a tad differently?

How about exposing homeassistant to both of your networks, lan and IoT (be it via two VLANs over one interface or using two network cards)?

Again, I only want to nitpick:
If an interface has a network assigned to it, it gets a static route "on link" (scope link) automatically. It's a route without a gateway but with an interface as its destination... 😉


Yes, good to point out. I should have said that "no static routes need to be added or otherwise manually specified" since a network that is directly connected to the router (i.e. the router has an interface and address on said network) will have the routes automatically established.
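The two replies above (no masquerade on the IoT zone; the connected route appears by itself once the interface has an address) can be shown end to end with a small model of the router's forwarding decision. This is an added example, my own code rather than anything from the thread or from OpenWrt's fw4/netifd, and it assumes addresses the post redacts: 192.168.1.1/24 on br-lan, 192.168.40.1/24 on br-lan.40, 203.0.113.2/24 on wan with gateway 203.0.113.1. It builds the routing table the kernel would derive from those interface addresses (one `scope link` route per prefix plus the default via the wan gateway), does a longest-prefix lookup, maps devices to the posted zones and applies the posted forwardings and rules, and masquerades only when the egress zone is wan. Only the first packet of a new flow is evaluated; replies admitted by connection tracking are not modelled.

```python
"""Routing, zone and masquerade decision for the thread's setup (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, Optional[ipaddress.IPv4Address]]

# Assumed addressing (the post redacts it): one address per router interface.
INTERFACES: Dict[str, str] = {
    "br-lan": "192.168.1.1/24",      # lan zone, where HomeAssistant lives
    "br-lan.40": "192.168.40.1/24",  # the 'iot' interface from the post
    "wan": "203.0.113.2/24",         # upstream
}
WAN_GATEWAY = "203.0.113.1"          # assumed upstream next hop

# Zones as in the posted config: masq only on the upstream zone.
ZONES = {
    "lan": {"devices": {"br-lan"}, "masq": False},
    "iot": {"devices": {"br-lan.40"}, "masq": False},
    "wan": {"devices": {"wan"}, "masq": True},
}
# 'config forwarding' pairs: lan->iot from the post, lan->wan is OpenWrt's default.
FORWARDINGS = {("lan", "iot"), ("lan", "wan")}
# Forward-chain rules from the post (src and dest both set).
RULES = [
    {"src": "iot", "dest": "wan", "proto": "tcp", "dest_port": 443},
    {"src": "iot", "dest": "wan", "proto": "tcp", "dest_port": 8883},
]


def build_routes() -> List[Route]:
    """Connected routes the kernel derives from interface addresses
    ('proto kernel scope link' in 'ip route'), plus the default via the wan gateway."""
    routes: List[Route] = []
    for dev, cidr in INTERFACES.items():
        routes.append((ipaddress.ip_interface(cidr).network, dev, None))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "wan",
                   ipaddress.ip_address(WAN_GATEWAY)))
    return routes


def lookup(dst: str) -> Tuple[str, Optional[ipaddress.IPv4Address]]:
    """Longest-prefix match: returns (egress device, gateway or None if on-link)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in build_routes():
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    assert best is not None  # the default route always matches
    return best[1], best[2]


def zone_of(dev: str) -> str:
    for name, zone in ZONES.items():
        if dev in zone["devices"]:
            return name
    raise ValueError(f"device {dev} is in no zone")


def forward_packet(src_ip: str, dst_ip: str, proto: str, dport: int) -> dict:
    """Decide how the router treats the first packet of a new flow."""
    in_dev, _ = lookup(src_ip)           # reverse-path lookup: where the source lives
    out_dev, gw = lookup(dst_ip)
    src_zone, dst_zone = zone_of(in_dev), zone_of(out_dev)
    allowed = (src_zone, dst_zone) in FORWARDINGS or any(
        r["src"] == src_zone and r["dest"] == dst_zone
        and r["proto"] == proto and r["dest_port"] == dport
        for r in RULES
    )
    return {
        "ingress": in_dev,
        "egress": out_dev,
        "next_hop": str(gw) if gw is not None else "on-link",
        "allowed": allowed,
        # SNAT happens only when the packet leaves through a masq zone.
        "masquerade": allowed and ZONES[dst_zone]["masq"],
    }


if __name__ == "__main__":
    for net, dev, gw in build_routes():
        print(f"{net} dev {dev}" + (f" via {gw}" if gw else " scope link"))
    print(forward_packet("192.168.1.10", "192.168.40.7", "tcp", 8123))   # HA -> IoT device
    print(forward_packet("192.168.40.7", "93.184.216.34", "tcp", 443))   # IoT -> internet
    print(forward_packet("192.168.40.7", "192.168.1.10", "tcp", 8123))   # IoT -> LAN (blocked)
```

Reading the decisions: HomeAssistant reaching 192.168.40.7 egresses br-lan.40 with next hop "on-link" and no masquerade, which is why neither a static route nor NAT is needed once br-lan.40 carries 192.168.40.1/24. The same IoT host going to the internet on 443 egresses wan via 203.0.113.1 and is masqueraded there, and nowhere else. An IoT host trying to initiate a connection into the LAN is dropped because no forwarding or rule covers the iot to lan pair.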

I did; someone actually suggested that in an earlier thread. That would be the easier way, but it feels like that would broaden the attack surface if some rogue device got on the IoT network. But I might be overthinking it.

@psherman It's running like expected, and it's not my first VLAN setup, but it is the first I need to interact with from the LAN. Kind of you to offer though. (I seem to be hitting an issue with Netflix on a separate VLAN for the 'smart' TV - I will open another topic for that if I can't sort that out myself.)