Not another chromecast / IoT question

A little background first. Router is a Linksys EA8500. I have OpenWRT 19.07 running without issue. It has been WAY more stable than the later releases of dd-wrt.

My intent is to segregate the network traffic with 3 functional zones (LAN, IoT, Guest). I know, I know, everyone is thinking "Not this again", but trust me, it's different. The Guest will be on its own subnet (10.0.2.0) and will have internet access only. I have all the rules set up for this and it works as expected.

The LAN will have cell phones, laptops, my servers (OpenVPN, NAS, ESXi, WebServer, and other ESXi guests). The IoT will be mostly Google Home devices and some Wyze Cameras. I originally was going to run a separate subnet for the IoT, but could not get the casting stable enough using smcroute. So, I decided to go a different route. Since all of my LAN devices have reserved IPs, I decided to create reservations for the IoT also. This way, maybe I could just set up iptables rules to block traffic on the same subnet (hopefully). My thought is to have 10.0.1.2-10.0.1.100 as LAN, and 10.0.1.101-10.0.1.200 as IoT, and then anything new gets assigned in 201-250.

Now, I have a 25 year+ history in corporate IT infrastructure, not in Networking. I know the basics though.

The reason I want to keep everything one subnet is to avoid the issue of casting to devices. Currently I have OpenWRT serving the IPs for the Guest and current IoT interfaces, and I have PiHOLE serving DHCP for LAN and also DNS for guest, IoT, and LAN.

So, the question. Can I have the same subnet span multiple interfaces AND still create separate firewall zones? This would likely be a zone for LAN+Wifi and a zone for IoT Wifi. I would need to have the IP address segments handed out based on which interface OR I could create iptables rules based on their reserved IPs. Though a zone rule would be much easier.

So, am I reinventing the wheel here, or will none of this work and I just need to move the google devices back to the LAN?


This, by itself, is likely a problem.

If you have two interfaces on the same subnet, which should the stack select as the source? How does it know which of the two the target is attached to? (Routing typically works with IP addresses, not MAC addresses.)

While it is possible to overcome with a carefully constructed set of routing rules, the general practice is "one logical interface per subnet". The resulting routing rule is "if link-local, based on the subnet, route from this interface". For example:

192.168.1.0/24 dev enp9s0f0 proto kernel scope link src 192.168.1.49

If you want to have multiple subnets on the same physical interface, VLANs are a typical approach.

You could, for example, assign:

  • VLAN 10 -- "trusted LAN" -- 10.0.1.0/24
  • VLAN 11 -- "guest" -- 10.0.2.0/24
  • VLAN 12 -- "IoT" -- 10.0.3.0/24
  • ...

This way routing and firewall rules are reasonably "sane".

Edit: You can have multiple subnets on the same interface. However, without VLANs you can't easily isolate them and firewall rules are more complex.

This won't work, as all intranet traffic will not hit the firewall.

Yes, if you mean physical interfaces, like 2 ethernet ports and 1 wifi or something like that. Otherwise one logical interface in OpenWrt, e.g. LAN, must not be in the same subnet as another.

Yes. If you create a different SSID for the IoT and bridge it with an ethernet interface into logical interface IoT, then assign this interface to a new firewall zone "iot".

You can run one instance of DHCP server for each internal logical interface you have. So hosts connected to the LAN will get settings for LAN, Guest users and IoT devices the same.

I have the same setup with the same specs (LAN, Guest, IoT), however I have one physical interface per network. Your idea is not impossible, maybe needs a bit of fine tuning.

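The layout the two answers above describe (one VLAN and one logical interface per zone, a second SSID bridged into the IoT interface, and a firewall zone that only forwards to the WAN), written out as OpenWrt UCI fragments. This is an added example, not configuration from the thread; the switch port numbers, the `eth1.12` CPU port name, the SSID and the key are placeholders that depend on the board and must be checked against the EA8500's switch layout.

```uci
# /etc/config/network: one VLAN per zone on the switch (port map is a placeholder;
# check the EA8500's switch layout in LuCI > Network > Switch before copying)
config switch_vlan
        option device 'switch0'
        option vlan '12'
        option ports '3 0t'          # untagged on port 3, tagged to the CPU port

config interface 'iot'
        option type 'bridge'         # bridge so the IoT SSID can join this interface
        option ifname 'eth1.12'      # CPU port name is board specific; placeholder
        option proto 'static'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'

# /etc/config/wireless: a second SSID attached to the 'iot' interface
config wifi-iface 'iot_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'            # placeholder SSID
        option encryption 'psk2'
        option key 'CHANGE-ME'       # placeholder passphrase
        option network 'iot'
        option isolate '1'           # IoT clients cannot talk to each other over Wi-Fi

# /etc/config/firewall: the IoT zone may reach the WAN and answer LAN-initiated
# connections, but cannot open connections into the LAN
config zone
        option name 'iot'
        option network 'iot'
        option input 'REJECT'        # router services closed except what the rule below opens
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iot'            # LAN can reach IoT; the reverse is not forwarded

config rule
        option name 'Allow-IoT-DHCP-DNS'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53 67'     # DNS and DHCP to the router only
        option target 'ACCEPT'
```

Discovery traffic for casting (mDNS) is link-local and does not cross the two broadcast domains on its own, which is the part the thread is wrestling with; the zone layout above isolates the networks but does not solve discovery by itself.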

First off, thanks for the answers I am receiving so quickly, it is truly appreciated.

I am taking it in piece by piece and making a decision. Unfortunately, I think I am starting to lean towards the idea of moving the Google cast-able devices (speakers, displays, etc) back to the LAN side and leaving the Nest and other camera devices on IoT.

A few followup questions.

Just to clarify, I would not have the same IPs on each interface. I would split the range of IPs per interface. Example would be, on br-lan, it would only be IPs x.x.x.10 through x.x.x.100 and then on the IoT interface I would have x.x.x.101 through x.x.x.200. I wouldn't think that would cause an issue from the routing perspective, but wasn't sure if OpenWRT would support this? Every time I try, I lose WAN access on the interface that doesn't have x.x.x.1 as the interface IP.

Are you casting video/audio to any Google devices on the IoT network from the LAN? If so, how did you get it to span? Was it with smcroute and iptables to mangle the TTL?

Non-overlapping IP ranges are not the same thing as subnets. Simply using non-overlapping IP ranges in the same subnet will cause quite a mess.


I understand. I was just hoping to have the 10.0.1.0/24 split between the two logical interfaces (1/2 of the IPs on br-lan, and 1/2 on IoT). This way, I could use the two zones to restrict traffic from IoT back to br-lan, but maintain the ability to cast due to being on the same subnet. But if I am understanding your comments, this will not be possible.

You can differentially treat traffic in hand-crafted firewall rules "any way" you want. However the subnet can't reasonably be split over two physical interfaces in any simple way for any common OS that I am aware of.

Yes, managed switches sometimes run an “OS”, but they also are designed to manage their ports at Layer 2.


No, the Android TV is in the LAN.

No, you cannot do that. You could split the 10.0.1.0/24 into 10.0.1.0/25 for LAN and 10.0.1.128/25 for IoT, if it makes you happy. But they will not be in the same broadcast domain anymore, so you should work out how the devices will communicate.
