Please peer review my IoT and Guest configuration

Hello everyone,

I would be very thankful if somebody peer reviewed my current configuration as I have managed to enable both Guest WiFi and IoT networks but I have the feeling that I may have inadvertedly generated backdoors due to my low networking skills.

This is the link to my current configuration. I have manually redacted my passwords just in case:

my setup looks like this:

  • main network
    -- interface: lan
    -- ssid: kitus
  • guest network
    -- interface: kitusguest
    -- ssid: kitus' guest
  • iot network
    -- interface: iot
    -- said: kitus24

What I'm looking for is:

  • iot devices (kitus24) should not be able to connect to devices located on my main network (kitus), except from my NAS ( and my home automation platform (


  • in general, I would like to limit the connection above by hardening the firewall rules so that unless the communication was initiated from within the main network, the communication between the it network and the lan is not possible. I understand that using the "stablished" flag is what I'm looking for.
    -- there is an exception to this: if my the communication is initiated by my projector (stating dhcp) from the iot network, it should get through to the NAS
    -- at some point I will want to block communication from certain devices within the iot network to the cloud but not at this point

if you've read to this point, I'm already thankful for your time!!!

Remove the forwarding from the iot to the lan zone and the traffic rule becomes redundant.

uci delete firewall.@forwarding[3]
uci delete firewall.@rule[16]

You should add the following:

uci set firewall.@rule[15].family='ipv4'
uci set firewall.@rule[15].proto='all'
uci commit firewall
fw3 restart
uci add firewall rule
uci set firewall.@rule[-1].name='IOT-restricted-devices'
uci set firewall.@rule[-1].src='iotzone'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='all'
uci add_list firewall.@rule[-1].src_ip=''
uci add_list firewall.@rule[-1].src_ip=''
uci set firewall.@rule[-1].target='REJECT'

Thanks a lot for your answer @pavelgl !!

Please allow me to process your answer just to muke sure I understand all your contributions well enough prior to applying them

But will I still be able to access my NAS and Home automation from the iot network? I would swear that I needed to include the forwarding rule because otherwise I was unable to access these devices

May I ask what those commands add to the configuration?

With these commands above you indicate what devices are whitelisted to go to the cloud, right?

Also, what about the rest of my configuration? do you see anything fishy in it?

One last question: what should I add to my configuration in order to make sure it works the way I want:

in general, I would like to limit the connection above by hardening the firewall rules so that **unless the communication was initiated from within the main network**, the communication between the it network and the lan is not possible.

Thanks a million @pavelgl !!!

No need to masquerade the lan
@pavelgl has covered the rest you need to fix.

Adding a forwarding will allow all iot to access the lan. The rule is enough to let only a few devices access these 2 servers in the lan.

Adding the IPv4 will not trigger a warning when loading the IPv6 part of the firewall.
The proto='all' could be omitted I think and is the default.

Blacklisted, the action is to reject.

It's fine as you have it. Only open the access you need. Forwardings allow all devices in one zone to access another zone. If you need fine tuning you can create more specific rules.


If the protocol is omitted, fw3 creates by default separate iptables rules for tcp and udp, and there are no rules for icmp.


@pavelgl @trendy can I buy you guys a coffee ??


1 Like

You may donate to the project!


Your link and the donate section brings me here:

1 Like

Just in case you need it [OpenWrt Wiki] Donations


Thanks, I updated the link.

1 Like

hi again @pavelgl or @trendy, any idea how to implement this restriction that I mentioned in my earlier messages?
Is it possible to implement a global restriction for all the iot network but allow that just one of the hosts is able to initiate the communication?

thanks again!

Remove the IoT > lan forwarding in the Zone settings, then add an individual firewall traffic rule that accepts a specific IP within the IoT network to connect to the lan.

If you want the lan to be able to initiate connections to the IoT network, just make sure you have forwarding from lan > IoT (but not the other way, per my above comment). This way, IoT can respond, but not initiate (with the exception of the IP in the rule above).

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.