Isolated IOT Network help

I've been pulling my hair out for WEEKS trying to get this to work, and I'm so confused. I would appreciate any help.

There's a lot of conflicting information out there, only made harder by the apparent change in how bridging is handled in a recent update.

I've read the documentation on the OpenWRT guest network pages, and read countless guides and YouTube videos.


The problem:

I've created a separate network for IOT devices which shouldn't be connected to the internet (because I use TuyaLocal and LocalTuya on Home-Assistant), which are connected to a separate WiFi device / network.

Everything seems to work:

  • My IOT devices are assigned an IP from 192.168.2.*
  • I can access my IOT devices from my server/Home-Assistant (which are connected to my LAN network at 192.168.1.*)
  • When I connect to the IOT network with my phone or TV, I am unable to access the internet (good).

Except: if I log into the Tuya Cloud Platform, I am able to control my devices from the Tuya web portal (this isn't intended; it should only be accessible from Home-Assistant).


My devices:

Basically, my home network consists of:

  • One router with OpenWRT, no extra access points.
  • One home-server, which is connected to my LAN network via WiFi.
  • IOT devices (lights, fans, smart-TV), which are connected to my IOT network via WiFi.
  • My home-server runs Home-Assistant with LocalTuya and TuyaLocal, and is able to control my devices.
  • My home-server also runs Jellyfin, and I am able to access it, but I need to set my IOT firewall zone to allow access from (and to) my LAN network (not sure why, but it works - currently disabled for diagnosing the Tuya Cloud issue)

My Current OpenWRT setup:
Ideally, someone can tell me the correct way of doing things and I can just delete everything and start again.

Basic Summary

All settings are stock from the 23.05.5 branch, except for the settings below.

Devices:
 - Device Name: br-iot
 - Bring up empty bridge: True

Interfaces:
 - Interface Name: IOT
 - Device: br-iot
 - Protocol: Static addresses
 - IPv4 addresses: 192.168.2.1 (my LAN network is at 192.168.1.1)
 - IPv4 netmask: 255.255.255.0
 - Firewall: IOTfirewall
 - Dynamic DHCP: enabled

Firewall:
 - Name: IOTfirewall
 - Covered networks: IOT
 - Allow forward to destination zones: unspecified (currently disabled for diagnosing the Tuya issue, but I need to set it to LAN to access Jellyfin)
 - Allow forward from source zones: LAN (so I can control my devices from Home Assistant)

Traffic Rules:
 - Name: IOT-DHCP
 - Source zone: IOTfirewall
 - Destination zone: device
 - Destination port: 67

Wireless:
 - Name: IOT-WIFI
 - Network: IOT

Firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'internet'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.157'
        option dest_port '443'

config zone
        option name 'IOTfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'lan'
        option dest 'IOTfirewall'

config rule
        option name 'IOT-DHCP'
        option src 'IOTfirewall'
        option dest_port '67'
        option target 'ACCEPT'

Network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1f:0c95:1acd::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '***'

config device
        option name 'lan2'
        option macaddr '***'

config device
        option name 'lan3'
        option macaddr '***'

config device
        option name 'lan4'
        option macaddr '***'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr '***'

config interface 'internet'
        option proto 'pppoe'
        option device 'eth1'
        option username '***'
        option ipv6 '0'

config interface 'IOT'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option delegate '0'
        option device 'br-iot'

config device
        option type 'bridge'
        option name 'br-iot'
        option bridge_empty '1'

Wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '***'
        option encryption 'sae-mixed'
        option key '***'
        list maclist '***'
        list maclist '***'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '***'
        option encryption 'sae-mixed'
        option key '***'
        list maclist '***'
        list maclist '***'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IOT-WIFI'
        option encryption 'sae-mixed'
        option key 'iotdevice'
        option network 'IOT'
        list maclist '***'
        list maclist '***'

uhttpd
config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'defaults'
        option days '730'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'
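An added example, not part of this post or of OpenWrt itself: a small Python audit of a /etc/config/firewall in UCI syntax. For one zone it lists the covered networks, the forward policy (falling back to the one in 'config defaults'), every 'config forwarding' and every ACCEPT 'config rule' that would let traffic from that zone reach 'wan' (or any zone via dest '*'), and the rules that accept traffic into the router itself. The embedded config is a trimmed copy of the firewall posted above; the LEAKY_EXTRA section is constructed, not from the post, and only exists to show what the audit flags.

```python
import shlex

# Trimmed copy of the firewall config posted above (zones, forwardings and
# the IoT rules), embedded so the audit runs offline.
FIREWALL_CFG = """\
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'internet'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'IOTfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'lan'
        option dest 'IOTfirewall'

config rule
        option name 'IOT-DHCP'
        option src 'IOTfirewall'
        option dest_port '67'
        option target 'ACCEPT'
"""

# Constructed addition (NOT in the poster's config): the kind of entry that
# would give the IoT zone a path to the internet, to show the audit catches it.
LEAKY_EXTRA = """
config forwarding
        option src 'IOTfirewall'
        option dest 'wan'
"""


def parse_uci(text):
    """Parse UCI 'config/option/list' syntax into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        words = shlex.split(rest)  # handles the single-quoted values
        if kind == "config":
            sections.append({".type": words[0], ".name": words[1] if len(words) > 1 else None})
        elif kind == "option":
            sections[-1][words[0]] = words[1]
        elif kind == "list":
            sections[-1].setdefault(words[0], []).append(words[1])
    return sections


def zone_egress(sections, zone_name, dest_zone="wan"):
    """Report everything that could let traffic from zone_name reach dest_zone."""
    defaults = next((s for s in sections if s[".type"] == "defaults"), {})
    zone = next(s for s in sections if s[".type"] == "zone" and s.get("name") == zone_name)
    forwardings = [s["dest"] for s in sections
                   if s[".type"] == "forwarding" and s.get("src") == zone_name
                   and s.get("dest") == dest_zone]
    rules = [s for s in sections if s[".type"] == "rule" and s.get("src") == zone_name]
    return {
        "networks": zone.get("network", []),
        # a zone without its own policy inherits the one from 'config defaults'
        "forward_policy": zone.get("forward", defaults.get("forward", "REJECT")),
        "forwardings_to_dest": forwardings,
        # rules with a dest are forward rules; dest '*' means any zone
        "accept_rules_to_dest": [r.get("name") for r in rules
                                 if r.get("dest") in (dest_zone, "*") and r.get("target") == "ACCEPT"],
        # rules without a dest match traffic to the router itself (input chain)
        "input_accept_rules": [r.get("name") for r in rules
                               if "dest" not in r and r.get("target") == "ACCEPT"],
    }


if __name__ == "__main__":
    for label, cfg in (("posted", FIREWALL_CFG), ("posted + LEAKY_EXTRA", FIREWALL_CFG + LEAKY_EXTRA)):
        print(label, zone_egress(parse_uci(cfg), "IOTfirewall"))
```

On the posted config the IOTfirewall zone has no forwarding and no forward rule towards wan, only the IOT-DHCP input rule; appending the constructed forwarding is what makes "forwardings_to_dest" non-empty.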

My two cents:

  • Post the actual configuration files, not a summary, so we can see them.
  • Move the HA device to the IoT network, so it can detect and reach all the devices easily, and allow access only from LAN to HA.
  • Use "tcpdump" to watch the traffic and see how Tuya can control the devices remotely, but most probably the devices are calling home.
1 Like

Thanks for the quick reply,

Config files have been appended to the original post; did I miss anything?

I'm running HA as a docker container on my server, and I can't move it to the IoT network because it serves other purposes, which require internet access.


tcpdump -i br-iot
06:54:47.438331 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], ack 26840, win 2920, length 0
06:54:47.483230 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [.], seq 44450:45910, ack 26887, win 2271, length 1460: HTTP: HTTP/1.1 200 OK
06:54:47.484438 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [.], ack 45910, win 65535, length 0
06:54:47.486456 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [P.], seq 45910:46086, ack 26887, win 2271, length 176: HTTP
06:54:47.487525 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [.], ack 46086, win 65535, length 0
06:54:47.498542 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], seq 44450:45910, ack 26840, win 2920, length 1460: HTTP: HTTP/1.1 200 OK
06:54:47.499537 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [.], ack 45910, win 65535, length 0
06:54:47.501546 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [P.], seq 45910:46086, ack 26840, win 2920, length 176: HTTP
06:54:47.502546 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [.], ack 46086, win 65535, length 0
06:54:47.720641 IP z-home-mac.lan.55904 > tuya-fan-1.lan.6668: Flags [P.], seq 3000:3104, ack 1141, win 64072, length 104
06:54:47.733905 IP tuya-fan-1.lan.6668 > z-home-mac.lan.55904: Flags [P.], seq 1141:1169, ack 3104, win 2504, length 28
06:54:47.735071 IP z-home-mac.lan.55904 > tuya-fan-1.lan.6668: Flags [.], ack 1169, win 64072, length 0
06:54:47.739624 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [P.], seq 26887:27184, ack 46086, win 65535, length 297: HTTP: POST /app/request?seq=-1894685513 HTTP/1.1
06:54:47.739742 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [P.], seq 27184:27376, ack 46086, win 65535, length 192: HTTP
06:54:47.743093 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [.], ack 27376, win 1782, length 0
06:54:47.749561 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [P.], seq 46086:46377, ack 27376, win 1782, length 291: HTTP: HTTP/1.1 200 OK
06:54:47.750732 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [.], ack 46377, win 65535, length 0
06:54:47.754969 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [P.], seq 26840:27136, ack 46086, win 65535, length 296: HTTP: POST /app/request?seq=-738627110 HTTP/1.1
06:54:47.755087 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [P.], seq 27136:27328, ack 46086, win 65535, length 192: HTTP
06:54:47.758505 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], ack 27328, win 2432, length 0
06:54:47.765164 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [P.], seq 46086:46377, ack 27328, win 2432, length 291: HTTP: HTTP/1.1 200 OK
06:54:47.766727 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [.], ack 46377, win 65535, length 0
06:54:48.234548 IP z-home-mac.lan.37670 > tuya-fan-3.lan.6668: Flags [P.], seq 3000:3104, ack 1141, win 64072, length 104
06:54:48.336178 IP z-home-mac.lan.36136 > tuya-fan-2.lan.6668: Flags [P.], seq 3000:3104, ack 1141, win 64072, length 104
06:54:48.349356 IP tuya-fan-3.lan.6668 > z-home-mac.lan.37670: Flags [P.], seq 1141:1169, ack 3104, win 1832, length 28
06:54:48.349728 IP tuya-fan-2.lan.6668 > z-home-mac.lan.36136: Flags [P.], seq 1141:1169, ack 3104, win 2400, length 28
06:54:48.350521 IP z-home-mac.lan.37670 > tuya-fan-3.lan.6668: Flags [.], ack 1169, win 64072, length 0
06:54:48.350640 IP z-home-mac.lan.36136 > tuya-fan-2.lan.6668: Flags [.], ack 1169, win 64072, length 0
06:54:48.994983 IP tuya-fan-1.lan.49157 > 255.255.255.255.6667: UDP, length 172
06:54:49.873442 IP ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883 > arovec.lan.40185: Flags [P.], seq 139:464, ack 138, win 3614, length 325
06:54:49.875414 IP arovec.lan.40185 > ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883: Flags [.], ack 464, win 2920, length 0
06:54:50.092384 IP arovec.lan.6668 > z-home-mac.lan.59910: Flags [P.], seq 337:428, ack 1248, win 2712, length 91
06:54:50.093030 IP arovec.lan.40185 > ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883: Flags [P.], seq 138:319, ack 464, win 2920, length 181
06:54:50.093471 IP z-home-mac.lan.59910 > arovec.lan.6668: Flags [.], ack 428, win 64068, length 0
06:54:50.430272 IP ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883 > arovec.lan.40185: Flags [P.], seq 464:533, ack 319, win 3614, length 69
06:54:50.592941 IP arovec.lan.40185 > ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883: Flags [.], ack 533, win 2851, length 0
06:54:51.019750 IP tuya-fan-2.lan.49157 > 255.255.255.255.6667: UDP, length 172
06:54:51.299664 IP tuya-fan-3.lan.49157 > 255.255.255.255.6667: UDP, length 172
06:54:51.370773 IP arovec.lan.65352 > 255.255.255.255.6667: UDP, length 172
06:54:52.420056 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [P.], seq 27376:27673, ack 46377, win 65535, length 297: HTTP: POST /app/request?seq=-1894685512 HTTP/1.1
06:54:52.420172 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [P.], seq 27673:28025, ack 46377, win 65535, length 352: HTTP
06:54:52.423945 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [.], ack 28025, win 1133, length 0
06:54:52.424487 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [.], ack 28025, win 2920, length 0
06:54:52.436305 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [P.], seq 27328:27624, ack 46377, win 65535, length 296: HTTP: POST /app/request?seq=-738627109 HTTP/1.1
06:54:52.436408 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [P.], seq 27624:27976, ack 46377, win 65535, length 352: HTTP
06:54:52.440140 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], ack 27976, win 1784, length 0
06:54:52.482697 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [.], seq 46377:47837, ack 28025, win 2920, length 1460: HTTP: HTTP/1.1 200 OK
06:54:52.483928 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [.], ack 47837, win 65535, length 0
06:54:52.485733 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [P.], seq 47837:48013, ack 28025, win 2920, length 176: HTTP
06:54:52.486788 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [.], ack 48013, win 65535, length 0
06:54:52.500650 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], seq 46377:47837, ack 27976, win 1784, length 1460: HTTP: HTTP/1.1 200 OK
06:54:52.501875 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [.], ack 47837, win 65535, length 0
06:54:52.503847 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [P.], seq 47837:48013, ack 27976, win 1784, length 176: HTTP
06:54:52.504988 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [.], ack 48013, win 65535, length 0
06:54:52.725976 ARP, Request who-has tuya-fan-1.lan tell OpenWrt.lan, length 28
06:54:52.739213 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [P.], seq 28025:28322, ack 48013, win 65535, length 297: HTTP: POST /app/request?seq=-1894685511 HTTP/1.1
06:54:52.739233 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [P.], seq 28322:28514, ack 48013, win 65535, length 192: HTTP
06:54:52.742760 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [.], ack 28514, win 2431, length 0
06:54:52.749704 IP tapo-plug-monitor.lan.80 > z-home-mac.lan.40204: Flags [P.], seq 48013:48304, ack 28514, win 2431, length 291: HTTP: HTTP/1.1 200 OK
06:54:52.750841 IP z-home-mac.lan.40204 > tapo-plug-monitor.lan.80: Flags [.], ack 48304, win 65535, length 0
06:54:52.751285 ARP, Reply tuya-fan-1.lan is-at 38:1f:8d:e0:59:a4 (oui Unknown), length 28
06:54:52.757590 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [P.], seq 27976:28272, ack 48013, win 65535, length 296: HTTP: POST /app/request?seq=-738627108 HTTP/1.1
06:54:52.757606 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [P.], seq 28272:28464, ack 48013, win 65535, length 192: HTTP
06:54:52.761065 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], ack 28464, win 1296, length 0
06:54:52.761608 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [.], ack 28464, win 2920, length 0
06:54:52.767805 IP tapo-plug-pc.lan.80 > z-home-mac.lan.49704: Flags [P.], seq 48013:48304, ack 28464, win 2920, length 291: HTTP: HTTP/1.1 200 OK
06:54:52.768873 IP z-home-mac.lan.49704 > tapo-plug-pc.lan.80: Flags [.], ack 48304, win 65535, length 0
06:54:52.841593 IP z-home-mac.lan.55904 > tuya-fan-1.lan.6668: Flags [P.], seq 3104:3208, ack 1169, win 64072, length 104
06:54:52.887013 IP tuya-fan-1.lan.6668 > z-home-mac.lan.55904: Flags [P.], seq 1169:1197, ack 3208, win 2400, length 28
06:54:52.888080 IP z-home-mac.lan.55904 > tuya-fan-1.lan.6668: Flags [.], ack 1197, win 64072, length 0
06:54:53.285980 ARP, Request who-has tuya-fan-3.lan tell OpenWrt.lan, length 28
06:54:53.365663 ARP, Reply tuya-fan-3.lan is-at 38:1f:8d:e0:6b:c9 (oui Unknown), length 28
06:54:53.457509 IP z-home-mac.lan.37670 > tuya-fan-3.lan.6668: Flags [P.], seq 3104:3208, ack 1169, win 64072, length 104
06:54:53.457626 IP z-home-mac.lan.36136 > tuya-fan-2.lan.6668: Flags [P.], seq 3104:3208, ack 1169, win 64072, length 104
06:54:53.571319 IP tuya-fan-2.lan.6668 > z-home-mac.lan.36136: Flags [P.], seq 1169:1197, ack 3208, win 2296, length 28
06:54:53.572282 IP z-home-mac.lan.36136 > tuya-fan-2.lan.6668: Flags [.], ack 1197, win 64072, length 0
06:54:53.601664 IP tuya-fan-3.lan.6668 > z-home-mac.lan.37670: Flags [P.], seq 1169:1197, ack 3208, win 1728, length 28
06:54:53.602789 IP z-home-mac.lan.37670 > tuya-fan-3.lan.6668: Flags [.], ack 1197, win 64072, length 0

This is my first time using tcpdump; I'm not sure if this is helpful information. The snippet includes the moment I activated my arovec device from the Tuya Cloud Platform at [06:54:49.873442].

From what I assume, the connection is being passed through my server (z-home-mac). But I don't know how to prevent this.

I considered isolating the docker container on my server, but I still want to access HA from external networks.
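As an added example (not part of the thread), a small Python script that does the triage the tcpdump snippet above calls for: it parses tcpdump summary lines as printed without -n, treats *.lan names and private, link-local, multicast or broadcast addresses as local (the ".lan" suffix is an assumption taken from the resolved names in the capture), and counts every flow in which a host on the monitored bridge exchanges packets with an internet peer. The embedded sample lines are constructed from the capture above; on them the only such flow is the arovec device talking to the AWS host on 8883.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: lines in the format `tcpdump -i br-iot` prints when run
# without -n (names resolved). Hosts and ports mirror the capture in the thread.
SAMPLE = """\
06:54:47.720641 IP z-home-mac.lan.55904 > tuya-fan-1.lan.6668: Flags [P.], seq 3000:3104, ack 1141, win 64072, length 104
06:54:48.994983 IP tuya-fan-1.lan.49157 > 255.255.255.255.6667: UDP, length 172
06:54:49.873442 IP ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883 > arovec.lan.40185: Flags [P.], seq 139:464, ack 138, win 3614, length 325
06:54:49.875414 IP arovec.lan.40185 > ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883: Flags [.], ack 464, win 2920, length 0
06:54:50.093030 IP arovec.lan.40185 > ec2-3-76-16-47.eu-central-1.compute.amazonaws.com.8883: Flags [P.], seq 138:319, ack 464, win 2920, length 181
06:54:52.725976 ARP, Request who-has tuya-fan-1.lan tell OpenWrt.lan, length 28
"""

# Assumption: the router's local DNS domain is ".lan", as the resolved names show.
LOCAL_SUFFIX = ".lan"
# "<timestamp> IP <src>.<port> > <dst>.<port>: ..." (IP6 for v6 lines)
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+):")


def split_endpoint(endpoint):
    """'host.port' -> (host, port); works for names and dotted quads alike."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def is_local(host):
    """Local means a *.lan name or a private, link-local, multicast or broadcast address."""
    if host.endswith(LOCAL_SUFFIX):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other resolved name is an internet host
    return ip.is_private or ip.is_link_local or ip.is_multicast or host == "255.255.255.255"


def external_flows(text):
    """Count packets per (local host, remote host, remote port) for every
    packet in which a host on the bridge talks to a non-local peer."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, STP and other non-IP lines
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        src_local, dst_local = is_local(src_host), is_local(dst_host)
        if src_local and not dst_local:
            flows[(src_host, dst_host, dst_port)] += 1
        elif dst_local and not src_local:
            flows[(dst_host, src_host, src_port)] += 1
    return dict(flows)


if __name__ == "__main__":
    for (local, remote, port), packets in sorted(external_flows(SAMPLE).items()):
        print(f"{local} <-> {remote}:{port}  {packets} packets")
```

Local-to-local traffic (the LocalTuya polls on 6668 and the UDP broadcasts on 6667) is dropped on purpose; what remains is exactly the list of IoT hosts that have a path to the internet, which is the question the firewall is supposed to answer with "none".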

Thanks for stating how I feel sometimes ;-) Hope you get it fixed before all your hair is pulled out ;-)

2 Likes

Looks like the device is only making local connections. Have you tried to control it from outside your network?

When I log into the Tuya Cloud website, I can see all my connected devices, from both the internal and external networks.

You fail to provide conf files. Tuya cloud questions you ask Tuya support, ok?

Conf files are provided at the bottom of the first post.

I don't see how this is a Tuya issue when it's my router which routes the traffic between my networks.

Firewall configuration blocks all internet access from iot to the internet.
Nobody gets notified if you edit your posts.
Is there any record of when the devices last connected to the cloud? (Ask Tuya, really; maybe they show green for a week or until the software version falls out of date.)

Firewall configuration blocks all internet access from iot to the internet.

I'm aware. This is why my firewall does not forward network traffic from the IOT network to the WAN network. Yet, it is evident that something is not working as I intended, because the IOT devices are connected to the internet.

Nobody gets notified if you edit your posts.

My config files have been attached to my original post for two hours now.

Is there any record when devices last connected the cloud

They're connected right now. I can control my devices through the portal. When I turn my lights on through the portal, my lights turn on in my house.

Connected to the cloud, or is the app connected to them?

The Tuya Smart Life app has been uninstalled from my phone for weeks now; the app isn't involved.

The IOT devices are connected to the Router directly; my router is assigning them IPv4 addresses as I've dictated (192.168.2.*), the router lists the IOT devices as connected to the IOT wireless device, and blacklisting them with the MAC filter via the WiFi setting prevents me from being able to use them.

I could be wrong (likely), but I suspect that the IOT devices are binding to the Home-Assistant connection. If this is the case, surely there is a cleaner way to connect these devices so they don't have access to the internet.

hass workings, not openwrt. Record conntrack -E for some hours while activating IoT from the cloud, like every 5 minutes, to discover what is happening.

Thanks for the advice.

The Tuya Cloud Platform should be coming from somewhere in Europe, but using conntrack -E, I'm noticing connections from Brazil.

It appears like someone is trying to brute-force into my server?

conntrack -E
    [NEW] tcp      6 120 SYN_SENT src=138.99.189.235 dst=192.168.1.157 sport=35017 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.189.235 sport=443 dport=35017
 [UPDATE] tcp      6 60 SYN_RECV src=138.99.189.235 dst=192.168.1.157 sport=35017 dport=443 src=172.20.0.4 dst=138.99.189.235 sport=443 dport=35017
    [NEW] tcp      6 120 SYN_SENT src=138.99.188.122 dst=192.168.1.157 sport=45687 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.188.122 sport=443 dport=45687
 [UPDATE] tcp      6 60 SYN_RECV src=138.99.188.122 dst=192.168.1.157 sport=45687 dport=443 src=172.20.0.4 dst=138.99.188.122 sport=443 dport=45687
    [NEW] tcp      6 120 SYN_SENT src=138.99.191.184 dst=192.168.1.157 sport=43707 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.191.184 sport=443 dport=43707
 [UPDATE] tcp      6 60 SYN_RECV src=138.99.191.184 dst=192.168.1.157 sport=43707 dport=443 src=172.20.0.4 dst=138.99.191.184 sport=443 dport=43707
    [NEW] tcp      6 120 SYN_SENT src=138.99.188.154 dst=192.168.1.157 sport=52008 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.188.154 sport=443 dport=52008
 [UPDATE] tcp      6 60 SYN_RECV src=138.99.188.154 dst=192.168.1.157 sport=52008 dport=443 src=172.20.0.4 dst=138.99.188.154 sport=443 dport=52008
    [NEW] tcp      6 120 SYN_SENT src=192.168.1.177 dst=192.168.1.157 sport=57804 dport=8096 [UNREPLIED] src=172.20.0.9 dst=192.168.1.177 sport=8096 dport=57804
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.1.177 dst=192.168.1.157 sport=57804 dport=8096 src=172.20.0.9 dst=192.168.1.177 sport=8096 dport=57804
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.1.177 dst=192.168.1.157 sport=57804 dport=8096 src=172.20.0.9 dst=192.168.1.177 sport=8096 dport=57804 [ASSURED]
    [NEW] tcp      6 120 SYN_SENT src=138.99.188.138 dst=192.168.1.157 sport=238 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.188.138 sport=443 dport=238
 [UPDATE] tcp      6 60 SYN_RECV src=138.99.188.138 dst=192.168.1.157 sport=238 dport=443 src=172.20.0.4 dst=138.99.188.138 sport=443 dport=238

Does this seem like a plausible explanation for the connection attempts in the log above?
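As an added example, not from the thread: a parser for conntrack -E events that does two things with output like the above. It groups NEW connections from non-private sources by destination port and source /24, which is the quickest way to tell one scanner from a distributed sweep, and it reads the reply tuple to expose DNAT: when the reply's src differs from the original dst, the destination was rewritten, which is what src=172.20.0.4 behind 192.168.1.157 is (the Docker bridge on the server). The sample events are constructed from the output posted above and the ICMP one further down; 203.0.113.7 is a placeholder for the redacted public address.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in `conntrack -E` format, modelled on the events posted
# in the thread. 203.0.113.7 stands in for the redacted public address.
SAMPLE = """\
    [NEW] tcp      6 120 SYN_SENT src=138.99.189.235 dst=192.168.1.157 sport=35017 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.189.235 sport=443 dport=35017
 [UPDATE] tcp      6 60 SYN_RECV src=138.99.189.235 dst=192.168.1.157 sport=35017 dport=443 src=172.20.0.4 dst=138.99.189.235 sport=443 dport=35017
    [NEW] tcp      6 120 SYN_SENT src=138.99.188.122 dst=192.168.1.157 sport=45687 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.188.122 sport=443 dport=45687
    [NEW] tcp      6 120 SYN_SENT src=138.99.188.138 dst=192.168.1.157 sport=238 dport=443 [UNREPLIED] src=172.20.0.4 dst=138.99.188.138 sport=443 dport=238
    [NEW] tcp      6 120 SYN_SENT src=192.168.1.177 dst=192.168.1.157 sport=57804 dport=8096 [UNREPLIED] src=172.20.0.9 dst=192.168.1.177 sport=8096 dport=57804
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.1.177 dst=192.168.1.157 sport=57804 dport=8096 src=172.20.0.9 dst=192.168.1.177 sport=8096 dport=57804 [ASSURED]
    [NEW] icmp     1 30 src=35.183.41.99 dst=203.0.113.7 type=8 code=0 id=12 [UNREPLIED] src=203.0.113.7 dst=35.183.41.99 type=0 code=0 id=12
"""

# "[EVENT] proto protonum ttl [STATE] src=... dst=... ... src=... dst=... ..."
# The TCP state token is absent for icmp/udp, hence optional.
EVENT_RE = re.compile(
    r"^\[(?P<event>\w+)\]\s+(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<tuples>src=.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    event: str
    proto: str
    state: Optional[str]
    orig: dict = field(default_factory=dict)   # original-direction tuple
    reply: dict = field(default_factory=dict)  # reply-direction tuple (shows NAT)


def parse_events(text):
    """Parse conntrack -E lines; flags like [UNREPLIED]/[ASSURED] carry no '=' and are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = Event(m["event"], m["proto"], m["state"])
        # each key appears twice: first occurrence is the original tuple, second the reply
        for key, value in KV_RE.findall(m["tuples"]):
            (ev.reply if key in ev.orig else ev.orig)[key] = value
        events.append(ev)
    return events


def inbound_new_by_port(events):
    """Count NEW connections from non-private sources per destination port,
    bucketed by source /24: one bucket with many hits looks like a single
    scanner, many buckets on one port like a distributed sweep."""
    per_port = defaultdict(Counter)
    for ev in events:
        if ev.event != "NEW":
            continue
        src = ipaddress.ip_address(ev.orig["src"])
        if src.is_private:
            continue  # LAN-originated, not inbound from the internet
        key = ev.orig.get("dport", ev.proto)  # icmp has no port; bucket by protocol
        prefix = str(ipaddress.ip_network(f"{src}/24", strict=False))
        per_port[key][prefix] += 1
    return {port: dict(c) for port, c in per_port.items()}


def nat_mappings(events):
    """If the reply tuple's src differs from the original dst, the destination
    was rewritten (DNAT). Returns sorted (public endpoint, real endpoint) pairs."""
    seen = set()
    for ev in events:
        o, r = ev.orig, ev.reply
        if "dport" in o and r.get("src") not in (None, o["dst"]):
            seen.add((f"{o['dst']}:{o['dport']}", f"{r['src']}:{r['sport']}"))
    return sorted(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("inbound NEW by port / source /24:", inbound_new_by_port(evs))
    print("DNAT mappings:", nat_mappings(evs))
```

The port-443 bucket shows three sources from two adjacent /24s hitting the same service; the port-8096 entry is excluded because its source is private (it is the LAN client reaching Jellyfin). The mapping output makes the Docker rewrite explicit, which is why the server-side view shows 172.20.0.x where the router only ever sees 192.168.1.157.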

There is nothing in your fw ruleset explaining SYN from IoT hitting the internet and getting replied.

@jow ?

Add the following to /etc/config/network

config route
        option interface 'loopback'
        option type 'blackhole'
        option target '172.16.0.0/12'
        option metric '12321'
        option disabled '1'

then enable sinking the private range you are not using in luci/network/routes

Apologies, the snippet above was from when I used conntrack on my server.

I just tested conntrack on my router and noticed a lot of Amazon connections.

    [NEW] icmp     1 30 src=35.183.41.99 dst=<my-ip> type=8 code=0 id=12 [UNREPLIED] src=<my-ip> dst=35.183.41.99 type=0 code=0 id=12
 [UPDATE] icmp     1 30 src=35.183.41.99 dst=<my-ip> type=8 code=0 id=12 src=<my-ip> dst=35.183.41.99 type=0 code=0 id=12

    [NEW] icmp     1 30 src=15.223.184.98 dst=<my-ip> type=8 code=0 id=13 [UNREPLIED] src=<my-ip> dst=15.223.184.98 type=0 code=0 id=13
 [UPDATE] icmp     1 30 src=15.223.184.98 dst=<my-ip> type=8 code=0 id=13 src=<my-ip> dst=15.223.184.98 type=0 code=0 id=13

    [NEW] icmp     1 30 src=99.79.192.178 dst=<my-ip> type=8 code=0 id=13 [UNREPLIED] src=<my-ip> dst=99.79.192.178 type=0 code=0 id=13
 [UPDATE] icmp     1 30 src=99.79.192.178 dst=<my-ip> type=8 code=0 id=13 src=<my-ip> dst=99.79.192.178 type=0 code=0 id=13

Not sure why Amazon would do this? I don't own any Amazon devices. Are they simply trying to index my IP?

I'm noticing connections from Cloudflare too, but that's intentional, as they are my dynamic DNS updater.

Though I can't see any connections from Tuya.

You show no timeframe. Internet scans and hacks hit all public IPs like once a minute, nothing to do with Tuya.

I added the black hole, but I don't really know what it does or how to use it.

Do I click the edit button on the blackhole, and enter the IP addresses I want to block in the Advanced Settings > Source dropdown menu?

Or do I add them as new entries within the Routing > Static IPv4 Routes menu?

I don't want to play with this setting, it seems like doing the wrong thing could brick my router.


I didn't provide a timeframe because I just pasted the output of conntrack -E.

I'm assuming internet scans are normal, and script-kiddies will try to get into any public IP address?

I assume these things aren't anything to worry about?

Try to focus on YOUR tuya issue. Bye

1 Like