Secure WLAN for IoT devices - 21.02.0-rc3

Hi,

I want to set up a secure WLAN for IoT devices as follows:

                                  +-----------------+
+---------------------+   LAN     |MQTT             |
|FRITZ!Box            |-----------|192.168.178.10/24|
|192.168.178.0/24     |           |Port: 1883       |
|                     |           +-----------------+
|IP:  192.168.178.1/24|
|GW:  192.168.178.1   |            LAN                     +-------------------+   WPA2: IoT
|DNS: 192.168.178.1   |------------------------------------|OpenWRT 21.02.0-rc3|-----------------
+---------------------+          SSH Port 22  ---->        |FRITZ!Box 4020     |
                          <----  MQTT Port 1883            +-------------------+
                                                                    |
                                                                    | MESH WPA3
                                                                    |
                                                           +-------------------+   WPA2: IoT
                                                           |OpenWRT 21.02.0-rc3|-----------------
                                                           |FRITZ!Repeater 1200|
                                                           +-------------------+

Here is some input:

  • I have a FRITZ!Box as displayed configured in the 192.168.178.0/24 network (Home-Network).
  • I have a FRITZ!Box 4020 + a FRITZ!Repeater 1200 - both installed with OpenWRT 21.02.0-rc3.
    • One of these should be connected to the FRITZ!Box over a LAN connection.
    • Both should be connected with each other over MESH based on a WPA3 connection.
    • Both should build a WLAN based on WPA2 for the IoT devices (IoT-WLAN).
  • The firewall on the OpenWRT devices should be configured as follows:
    • Enable an SSH connection from Home to IoT-WLAN.
    • Enable the IoT devices (connected to the IoT-WLAN) to connect to the MQTT server in the Home network.
    • The IoT devices should not be able to connect to each other.
  1. What do you think of the design? Suggestions?
  2. Let's assume that I start with the following setup:
                                  +-----------------+
+---------------------+   LAN     |MQTT             |
|FRITZ!Box            |-----------|192.168.178.10/24|
|192.168.178.0/24     |           |Port: 1883       |
|                     |           +-----------------+
|IP:  192.168.178.1/24|
|GW:  192.168.178.1   |            LAN                     +-------------------+   WPA2: IoT
|DNS: 192.168.178.1   |------------------------------------|OpenWRT 21.02.0-rc3|-----------------
+---------------------+          SSH Port 22  ---->        |FRITZ!Box 4020     |
                          <----  MQTT Port 1883            +-------------------+

If the IoT-WLAN is set up e.g. with a 192.168.1.0/24 network, then I have to add a route in the FRITZ!Box in my Home network in order to be able to reach the IoT devices over SSH (port 22), right?

Thanks in advance!

That is a firewall rule.

This one too.
Remember to reject by default all other traffic and allow only the traffic you need.

Enable client isolation on the wifi.

Yes.
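The firewall rules and client isolation the reply refers to, as an added example of what the UCI configuration on the 4020 could look like (constructed for this thread, not taken from the post or from the OpenWrt defaults verbatim). It assumes the uplink to the home FRITZ!Box is OpenWrt's default `wan` interface/zone, the IoT WLAN sits on an interface named `iot` with 192.168.1.1/24, and the repeater bridges its IoT SSID into that same network over the mesh, so all filtering happens on the 4020.

```uci
# /etc/config/firewall on the FRITZ!Box 4020 (relevant sections only; assumed names)
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'    # IoT clients may not reach the router itself...
	option output 'ACCEPT'
	option forward 'REJECT'  # ...or be forwarded anywhere, unless a rule below allows it

# No 'config forwarding' between iot and wan: only the explicit rules below cross zones.

# IoT clients still need DHCP and DNS from the 4020 itself
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# SSH from the home network (wan side) into the IoT WLAN
config rule
	option name 'Allow-Home-SSH-to-IoT'
	option src 'wan'
	option dest 'iot'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# IoT clients may reach the MQTT broker only, and only on 1883
config rule
	option name 'Allow-IoT-to-MQTT'
	option src 'iot'
	option dest 'wan'
	option dest_ip '192.168.178.10'
	option proto 'tcp'
	option dest_port '1883'
	option target 'ACCEPT'

# /etc/config/wireless, on both OpenWrt devices: the IoT SSID with client isolation
config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'
	option ssid 'IoT'
	option encryption 'psk2'   # WPA2-PSK
	option key 'REPLACE-WITH-PASSPHRASE'
	option isolate '1'         # stations on this AP cannot exchange frames
# isolate only covers stations of the same AP; two IoT clients on different APs
# are bridged over the mesh and are not separated by this option.
```

With masquerading left on for the `wan` zone, the IoT-to-MQTT direction works without any change on the home FRITZ!Box; only the inbound SSH direction needs the static route for 192.168.1.0/24 that the thread confirms.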