Isolate IOT Devices

What I want to do:
I want to isolate my IOT devices from my primary network, but unsure of how to accomplish this. Maybe my basic setup needs to change?

My setup:
I have a GL-MT6000 / Flint 2 router with a TP-link mesh XE5300, with the primary TP-link AP connected to a Flint2 LAN port by ethernet cable. The Flint2 is acting as the router with DHCP and using both static and issued IP addresses. The TP-link mesh is in AP mode and allows clients to connect via WIFI. The WIFI radios on the Flint2 are turned off to avoid additional RF noise. All clients are getting IP addresses in a single subnet from the DHCP on the Flint2.

Questions:
With WIFI, I understand how to create unique devices/interfaces/SSIDs and give each their own DHCP IP range, even using different subnets.
How would I go about isolating clients, putting them on different subnets, that are interfacing with the router via a single LAN port that only has a single DHCP setup defined? Is this even possible?

FYI, the TP-link mesh in AP mode must have the primary AP connected to the openwrt router via ethernet.

Thank you in advance for any advice or suggestions.

This guy is good at explaining VLANs too.

Not how to do it, but it's a good place to start.

Use the guest wifi guides, they are essentially using the same principle.
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start


How would all connecting clients on the same router LAN port be identified and known to be associated to a particular VLAN? It would seem that a list of IP or MAC addresses, to identify all IOT clients, would need to be maintained on the router.
It makes sense that segregation works via WIFI, because each client is connecting to a specific SSID.
What fundamental am I missing that is not letting me see how this works?

Maybe this helps:

I am not using WIFI on the openwrt router, all radios are turned off. No SSIDs on the openwrt router. Only the TP-link mesh has the WIFI enabled. All clients connect via WIFI to the TP-link APs. All clients use DHCP of the openwrt router. The primary TP-link mesh AP is connected by an ethernet cable to a single openwrt router LAN port.

I'm trying to understand how a VLAN works, with only an ethernet cable between the TP-link primary AP to a LAN port on the openwrt router. How does openwrt know which clients to flag/tag with different VLAN IDs?

Is the TP-Link mesh system VLAN aware? That will be a requirement for your goal to be realized.

Looking at the tp-link website and how to use the DECO app for configuration, it appears that setting up a VLAN is only meant for areas where the ISP requires this to connect to the internet: https://www.tp-link.com/us/support/faq/2465/
The 2nd caveat is that this function appears to only be available when the tp-link is set to router mode, not in AP mode.
So, I believe that the tp-link mesh is not VLAN aware.

If VLANs are not an option, what other method should I be considering to isolate the IOT clients on my network? Thank you.

Your options are:

  • flash openwrt to your tp-link devices (if they are supported)
  • Replace your APs with vlan aware devices
  • enable WiFi on your OpenWrt router and run that as your iot wifi ap. (Hopefully the range will work out)

You were given the simplest answer.

Your devices do not have available OpenWrt firmware.

Your TP-Links have three radios, so three guest networks. Rename one of the guest networks to whatever you want and put all your IoT devices, and only them, on the guest network and find the TP-Link equivalent of isolate clients.

Should I be concerned with IOT devices isolated on WIFI, but still all connected and able to communicate on the LAN of the router? Or does the isolation maintain even at the router?

You cannot achieve isolation with your current APs unless they have their own guest network mode or if they are vlan aware.

It is VLAN aware, the page they read is just situation specific.

On the bottom it asks if it helps: I suggest choosing no.

The tp-link DECO app and APs do have a guest network and by default "Allow Local Access" is turned off. I just don't know if those restrictions are maintained only on the APs or if that follows into the router? My thought is that once the traffic reaches the LAN of the openwrt router, all devices would see/talk to each other again. The guest network of the APs doesn't change the fact that at the router, everything is still on the same subnet.
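For reference, this is what the router side of the VLAN approach looks like on an OpenWrt device with DSA switch ports such as the Flint 2. It is an added example written for this thread, not configuration from any poster or from the OpenWrt guest-wifi guide. It answers the two questions above: the router never identifies IoT clients by IP or MAC; it only sees the 802.1Q tag that the AP puts on each frame, so the AP must tag the IoT SSID with the chosen VLAN ID, and isolation is enforced at the router by giving that VLAN its own interface, DHCP pool and firewall zone with no forwarding to lan. Port names lan1/lan2, VLAN ID 20 and the 192.168.20.0/24 range are constructed values; substitute your own.

```uci
# /etc/config/network  (example, not from the thread)
# The AP is cabled to lan1. Untagged frames on lan1 stay in VLAN 1 (the
# existing lan), frames tagged 20 by the AP's IoT SSID land in VLAN 20.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# Separate L3 interface for the IoT VLAN: its own subnet, so the router
# routes (and can firewall) between lan and iot instead of bridging them.
config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (example)
# Own DHCP pool on the iot interface; lan keeps its existing pool.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (example)
# Zone for the IoT VLAN: no forwarding to lan (no 'forwarding' stanza with
# dest 'lan'), only to wan. input REJECT so IoT clients cannot reach
# router services except the DHCP/DNS ports explicitly allowed below.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# /etc/config/wireless  (example, only if the router's own radio is used
# as the IoT AP as suggested in the thread; bind the SSID to the iot
# network and block client-to-client traffic on that SSID)
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT-example'
	option encryption 'sae-mixed'
	option key 'CHANGE-ME-placeholder'
	option isolate '1'
```

The 'lan1:t' entry is the whole point: it tells the bridge that VLAN 20 frames on that port arrive tagged, and an AP that cannot tag (the Deco units in bridged-AP mode, per the replies above) will only ever send untagged frames, which land in VLAN 1 with everything else. Without the tag there is nothing for the router to key on, which is why the answers keep coming back to a VLAN-aware AP or to running the IoT SSID on the OpenWrt radio itself.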

It is only vlan aware for the wan when in routing mode.

It is not vlan aware as a bridged AP.


I don't know if this will properly isolate, but if the option is available when the mesh system is set up as a bridged AP, it is worth trying.

Your openwrt router will be unaware of this entire config on the tp-link system. (And this topic will not be openwrt related anymore)

It seems that any way we look at the current setup, any possible configuration to make the network secure and isolate IOT is not going to be ideal. It also seems like the best case scenario would be having multiple WIFI 6 routers all with openwrt to do things right. Do you agree?

You can use any device/firmware that is vlan aware. This is true even if the devices are not running openwrt, but do work with VLANs.

If everything is openwrt based, your goal can be achieved.

Things can get considerably more complicated if you are using actual mesh (wireless backhaul).

Thank you very much to everyone. You've saved me a lot of additional time trying to figure all of this out. I appreciate it very much.

I went down this route recently, including adding MDNS reflector, blocking IOT from accessing Internet entirely and setting up IPv6 routing between VLANs. I wrote down some notes in this reply to my own question (I mostly figured things out myself before I got replies):

Currently the knowledge on how to do this is all spread out. You have to take guest WiFi and adapt it, then add in VLANs for wired IOT devices, then set up firewall rules for forwarding the services you need, then add an mdns reflector, etc.

Each step isn't hard (though there are quite a few). But without a single central guide it is a bit of a pain.