Isolating IoT on WIFI from WAN


I want to isolate IoT on WIFI from WAN, so it can't connect to the internet, but I need to connect to it on the local wireless network "over WIFI" from my phone. I am not sure if the IoT will even work after doing this, but I want to try! I don't want it unnecessarily connected to the internet all the time!

I am running OpenWrt 22.03 on my router.

Thank you for your help.

Unplug the WAN cable for a while?

You need to set up an IoT VLAN in addition to your regular LAN VLAN, and then set up firewall zones that enable the LAN devices to see the IoT devices (but not the other way round) and block the IoT devices from WAN access. This OneMarcFifty video should help:

1 Like

Well, this is not entirely required: a VLAN is useful if you have multiple devices you want to extend over your various networks, hence the technique is called virtual LAN.

On a single device, just create a new IoT interface and make sure it has its own firewall zone assigned. Then you can control whether this IoT zone has forward access to which other zone. If you don't need to access WAN, simply unset forwarding to WAN.

But I need to connect there from my phone over WIFI! Do I have to do that with forwarding to WIFI? What exactly do I forward to, and from? I haven't used forwarding yet. Only firewall zones? I will need to see the IoT with my phone; will I be able to connect to the IoT zone if I forward the IoT zone to the WIFI zone?

You said IoT interface, but IoT is wireless, it needs to connect to WIFI. I don't know how this will be set up. So then add that interface to wifi and forward it somehow? How do I ensure, when I connect to my IoT with the phone over wifi, that it will stay in that zone? I have no idea how to set this up...

@grrr2's statement about not requiring VLANs is accurate because VLANs are specific to ethernet. When you're only using Wifi, VLANs themselves are not necessary.

The simple solution here is for you to follow the same steps as shown in the guest wifi tutorial, and then make a few minor modifications.

Once you have this new network (IoT, in this case), SSID, and firewall zone configured, you can optionally allow zone forwarding from the IoT zone to the wan zone (this will be your coarse control over the internet connectivity for that particular network; you can also make more granular controls if needed). And, if you need to be able to connect from your phone, you can either have your phone join that new SSID, or you can set the firewall to allow forwarding from your lan > IoT (this will allow your trusted lan to initiate connections to IoT devices, but not vice versa).

If you get stuck creating the guest (IoT) network based on the link I've just provided, let me know what is causing the confusion and we'll work through it.

1 Like
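The guest-wifi approach described above, written out as OpenWrt 22.03 UCI config fragments. This is an added illustration, not configuration from the thread or from the OpenWrt wiki. Assumed names: the new network is called `iot` on 192.168.5.0/24, the radio is `radio0`, the new SSID is `IoT`, and the trusted zone is the default `lan` (the thread uses `lan2` and `briot5`; substitute your own names). The forwarding from `iot` to `wan` is deliberately absent, which is the coarse internet control mentioned above; the `lan` to `iot` forwarding lets a phone on the main SSID initiate connections to the IoT device while the IoT device cannot initiate anything towards `lan`.

```uci
# /etc/config/network  (added example; names and addresses are assumptions)
config device
	option name 'br-iot'
	option type 'bridge'
	# no ethernet ports: the wifi-iface below attaches itself to this bridge

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  (added example)
config wifi-iface 'wifinet_iot'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IoT'            # assumed SSID; the IoT device joins this one
	option network 'iot'         # binds the SSID to the iot interface/zone
	option encryption 'psk2'
	option key 'CHANGE-ME'       # placeholder, set your own passphrase
	option isolate '1'           # clients on this SSID cannot talk to each other

# /etc/config/dhcp  (added example; the router hands out leases on iot)
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '100'
	option leasetime '12h'

# /etc/config/firewall  (added example)
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'        # IoT devices may not reach router services...
	option output 'ACCEPT'       # ...router may reply to / talk to them
	option forward 'REJECT'      # traffic between networks inside this zone

# trusted lan may open connections into iot; replies are allowed by conntrack.
# There is intentionally NO 'config forwarding' with src 'iot', so iot cannot
# reach wan or lan on its own.
config forwarding
	option src 'lan'
	option dest 'iot'

# the two exceptions to input REJECT that an IoT client needs from the router
config rule
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/network restart`, `wifi reload` and `/etc/init.d/firewall restart` (or a reboot) apply the changes. The `forward` option on the zone itself is the one the zone overview page shows alongside input and output: it only governs traffic forwarded between different networks that belong to the same zone, whereas traffic between zones is governed by the separate `config forwarding` sections. With a single network in the zone it has no practical effect, so REJECT is the safe choice.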

I have a question: why, when I create firewall rules for my new briot5 interface (to allow DHCP and DNS), does OpenWrt create an unnamed rule with the creation of each rule?

EDIT: I noticed I already have 1 unnamed rule from before; it is for outgoing IPv4 and IPv6 connections. But I suspect it was there by default. It doesn't seem right that now it would create this rule each time a new firewall rule is created. I did the same thing before and it didn't create any such rule!

Also, LAN2 is the firewall zone I use for WIFI, while briot5 (sorry, not good with names) is what I named my bridge, interface and its particular firewall zone. So this entry "briot5" here will be linked to my new WIFI SSID.

Is this correct? You can see that LAN2 is forwarded to the "wan" and "briot5" zones. I am not sure if I need to select "forward" from the box and set it to "accept" for the briot5 zone yet, so it can be reached from LAN2! I have a bad memory and chronic pain, and I didn't do this last time. I don't even remember how I did other things the last time; I had to check from my existing interfaces. Luckily it should be easy, there weren't many parameters to set up!

I tried to read the manual, but it is not explained what "forward" means on the zone page (first tab). Incoming and outgoing are obvious... I mean on the overview page as on the screenshot, not where you edit forwarding to firewall destinations, that I get!

PS: Sorry, I didn't even realize it was you! Writing this for the first time...

EDIT 2: I also realized now that, since I connect to my IoT through a phone app, it connects to the phone first and then to WIFI. But how do I force it onto the SSID I created for my IoT? Because my phone will be connected to my main SSID. That I have no clue about!!! (just before I forget)... But first things first, let's set this network up first!

I need to see the text configs -- the screenshots don't tell the whole story.

It's hard to tell exactly what you're asking for at this moment... so it would be best for you to describe in simple terms what you want to happen.

Just as an example:

  • Guest network can reach the internet, but nothing else
  • IoT cannot reach the internet or anything else
  • lan can reach the internet and the iot network
  • [and so on... also more granular rules are fine]

Also, please make it clear if:

  1. you're having any specific issues
  2. Just want a verification that things are right

I sent the config in a DM, because it was 368 lines and I didn't know if there was something sensitive, sorry...

Well, that is hard if I don't know how one would even accomplish what I am asking in OpenWrt, which would answer this question for myself, if you want me to describe that formally. But I thought it was simple enough; I have a hard time saying any more about it...

In common terms I want a WIFI network, or, to be precise, an isolated bridge that can be reached over WIFI (I have a problem with language articulating it right now; again, I suffer from aphasia):

  • where I can isolate an IoT device from the internet and, of course, all other networks.

  • I must be able to connect to my IoT from the phone over WIFI, but the IoT (on the separate network created for the IoT device) cannot see/connect to WIFI by itself, unless another device initiates the connection

Now there is a problem. I need to connect to the IoT through WIFI with an app on the phone. So previously both devices were on the same network. But now I have the BRIOT5 bridge and firewall zone, so how do I force my IoT onto the BRIOT5 network? I would assume it would just connect to my existing WIFI! Can I perhaps set some rule by MAC, so that a device with this MAC, if it tries to connect to WIFI, gets redirected to the separate network? Or will I have to use a separate SSID for that?

Well, again, I haven't even figured this out yet, as I don't know OpenWrt and IoT, and unless I figure it out I don't even know how it will be yet, so you understand I can't give you exactly what I want to do formally in OpenWrt.

What I did so far:

  1. created a bridge and interface (assigned a firewall zone to it) called BRIOT5
  2. created a zone and forwarded my WIFI (called lan2) => briot5
  3. created the briot5 firewall zone and a firewall rule for DHCP

BTW, I am more afraid of messing up something in the firewall; I recall it less than the other parts, my bad. I didn't set much in the BRIOT5 firewall zone settings, and I am worried now, even though there was not much to set, only the destination zone, no? Which I also don't remember what it was for on that settings page! I also have huge trouble with memory!