Hi,
I want to set up a secure WLAN for IoT devices as follows:
```
                                            +-----------------+
+---------------------+         LAN         |MQTT             |
|FRITZ!Box            |---------------------|192.168.178.10/24|
|192.168.178.0/24     |                     |Port: 1883       |
|                     |                     +-----------------+
|IP: 192.168.178.1/24 |
|GW: 192.168.178.1    |         LAN         +-------------------+   WPA2: IoT
|DNS: 192.168.178.1   |---------------------|OpenWRT 21.02.0-rc3|-----------------
+---------------------+   SSH Port 22 ----> |FRITZ!Box 4020     |
                       <---- MQTT Port 1883 +-------------------+
                                                      |
                                                      | MESH WPA3
                                                      |
                                             +-------------------+   WPA2: IoT
                                             |OpenWRT 21.02.0-rc3|-----------------
                                             |FRITZ!Repeater 1200|
                                             +-------------------+
```
Here is some input:
- I have a FRITZ!Box as displayed, configured in the 192.168.178.0/24 network (Home network).
- I have a FRITZ!Box 4020 + a FRITZ!Repeater 1200, both installed with OpenWRT 21.02.0-rc3.
- One of these should be connected to the FRITZ!Box over a LAN connection.
- Both should be connected with each other over MESH based on a WPA3 connection.
- Both should build a WLAN based on WPA2 for the IoT devices (IoT-WLAN).
- The firewall on the OpenWRT devices should be configured as follows:
  - Enable an SSH connection from Home to the IoT-WLAN.
  - Enable the IoT devices (connected to the IoT-WLAN) to connect to the MQTT server in the Home network.
  - The IoT devices should not be able to connect to each other.
- What do you think of the design? Suggestions?
- Let's assume that I start with the following setup:
```
                                            +-----------------+
+---------------------+         LAN         |MQTT             |
|FRITZ!Box            |---------------------|192.168.178.10/24|
|192.168.178.0/24     |                     |Port: 1883       |
|                     |                     +-----------------+
|IP: 192.168.178.1/24 |
|GW: 192.168.178.1    |         LAN         +-------------------+   WPA2: IoT
|DNS: 192.168.178.1   |---------------------|OpenWRT 21.02.0-rc3|-----------------
+---------------------+   SSH Port 22 ----> |FRITZ!Box 4020     |
                       <---- MQTT Port 1883 +-------------------+
```
If the IoT-WLAN is set up e.g. with a 192.168.1.0/24 network, then I have to add a route in the FRITZ!Box in my Home network in order to be able to reach the IoT devices over SSH (port 22), right?
Thanks in advance!
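As an added illustration of the firewall requirements in the post (this is not configuration from the original post or from any particular OpenWRT project file), the following UCI excerpts show one way to express them on the OpenWRT 21.02 devices in `/etc/config/firewall` and `/etc/config/wireless`. Assumed names: the interface facing the FRITZ!Box is called `home` and sits in a zone `home`; the IoT WLAN is interface `iot` on 192.168.1.0/24 (the network the post proposes), with the OpenWRT router handing out DHCP and DNS to it; radio names, SSID, mesh ID and passphrases are placeholders.

```uci
# /etc/config/firewall (excerpt) -- added example, not from the original post.
# Assumed: zone 'home' faces the FRITZ!Box (192.168.178.0/24),
#          zone 'iot' is the IoT-WLAN (192.168.1.0/24).

config zone
	option name 'home'
	list network 'home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Default-deny for the IoT-WLAN: nothing to the router, nothing forwarded,
# unless one of the rules below allows it.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# IoT devices still need DHCP and DNS from the OpenWRT router (assumed setup).
config rule
	option name 'Allow-DHCP-DNS-from-IoT'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Home -> IoT-WLAN: SSH only.
config rule
	option name 'Allow-SSH-Home-to-IoT'
	option src 'home'
	option dest 'iot'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# IoT-WLAN -> Home: only the MQTT broker, only TCP 1883.
config rule
	option name 'Allow-MQTT-IoT-to-Home'
	option src 'iot'
	option dest 'home'
	option dest_ip '192.168.178.10'
	option proto 'tcp'
	option dest_port '1883'
	option target 'ACCEPT'

# /etc/config/wireless (excerpt, same assumptions; radio, SSID and keys are placeholders).

# IoT access point: WPA2-PSK, clients on this AP isolated from each other.
config wifi-iface 'iot_ap'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'REPLACE-WITH-IOT-PASSPHRASE'
	option isolate '1'

# 802.11s mesh backhaul between the 4020 and the Repeater 1200 with WPA3 (SAE).
# Needs a wpad-mesh-* package in place of the default wpad-basic-* build.
config wifi-iface 'mesh0'
	option device 'radio1'
	option network 'iot'
	option mode 'mesh'
	option mesh_id 'iot-backhaul'
	option encryption 'sae'
	option key 'REPLACE-WITH-MESH-PASSPHRASE'
```

Two caveats a practitioner would check against this design. First, `option isolate '1'` only blocks client-to-client traffic passing through the same access point; a device on the 4020 and a device on the Repeater 1200 are bridged over the mesh and can still reach each other unless bridge-level filtering is added or each AP gets its own subnet. Second, for the SSH path the FRITZ!Box must know how to reach 192.168.1.0/24: either a static IPv4 route pointing at the 4020's address in 192.168.178.0/24, or, if the `home` zone masquerades, a port forward on the OpenWRT device instead; without one of these, replies from the IoT devices have no way back.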