Send unknown devices to secondary VLAN

hello everybody.

I'm googling for some tutorial teaching how to implement these features, but can't find any. Could somebody point me a direction?

I currently have all my devices leased on OpenWRT DHCP server so they receive always the same IPv4 address, IPv6 suffix for ULA fixed prefix and dynamic global prefix, and a domain name under my LAN domain.

I'd like to create a new VLAN (wired and wireless) (IPv4 and IPv6 if possible, as I'm learning IPv6 and wish to implement it in practice). When a new device is found by OpenWRT, it will be leased to that VLAN and receive IPv4 and IPv6 addresses, being that no IPv6 GUA.

This device should be unable to access the router nor Internet and obviously no other device, while router and main LAN devices could access it (so that, in example, from my PC I can SSH or VNC this device).

I don't think it's possible, but if it sets a static IP on main LAN's subnet, it's still blocked out, at least from reaching router and Internet.

Somehow OpenWRT/Luci would point me this device got into my LAN, so I know this is happening. Then, when approved, I add this device to my devices lease list, and it's moved to main LAN and has full access.

These are some complex features and I suppose they'd need some extra module to work. If some feature isn't supported, just let it be, anything I'm able to get working will be worth it!

It’s a non-trivial thing to implement with any meaningful level of security, especially with wired clients. It is trivial to change a device’s MAC address or other characteristics.

You might want to look into 802.1X and a switch that supports port-based security.

Edit: One can't "assign" a wired client to a different VLAN, as that client's adapter needs to know which VLAN to use before it connects to the Ethernet at all. Like MAC addresses, a rogue device can pick its VLANs at will. With 802.1X, supposedly the wireless client's connection (there are no VLANs with 802.11) can be routed to an appropriate bridge by hostapd, though they are still connected to the same (VLAN-less) Virtual AP. Firewall rules might help, but a wired client will still have access to all other hosts on the subnet it is connected to, without an intermediary like a managed switch with port-based security enabled to limit it to that single cable. 802.1X is not supported by many consumer devices, especially IoT devices.


Thanks for you explanation on difficulties to implement this.

By changing MAC, do you mean it could clone its MAC to a recognized one? But wouldn't that make both of them go offline?

So, what can be done is create a secondary SSID for guests and place it on its own VLAN?

Anyway, leaving beside the access to devices on the same subnet. Is it possible to block Internet access to unknown devices?

Give even a rookie hacker one minute on your IPv4 subnet and they’ll know all your MAC addresses and IPs. Ten minutes for all VLANs. Preventing “attacks” once inside is nearly impossible.

A reasonable alternative is an isolated guest network and strong control of access to your sensitive networks (starting with strong passwords).

You can throttle your guest network (which has a password) if resource consumption is a concern, then move “trusted” devices to a different network with a different password. I keep all of my IoT devices on their own networks, segregated by manufacturer, many of which get no Internet access. Much easier to firewall by topology than by IP alone.

Yes, you can firewall by IP, but I don’t consider that, alone, more than a minor deterrence.


In this case, wifi is easier than wired. Just look for the "guest network" tutorial.

1 Like

I cited wired because it's easier to test than wifi, and my wifi is on same VLAN of my other devices.

My concern is if somebody crack WPA2 or something similar, as it seems far from being secure as said in

So I wonder what happens if somebody walks close to my home and hacks my WiFi. He'll have full access to my LAN (as my AP is now running OpenWRT too, in bridge mode) and internet.

It'd be great if from router I could isolate this attacker. But also I don't wanna have to find out a new device's MAC to only then have it seen by router and manually give it access.

No reason why all your hosts need to be bridged to your wireless. Think about segregating your network further if this concerns you sufficiently. You can never prevent an intrusion, but you can reduce its likelihood of occurrence, then try to minimize the damage that could be done when it happens. I treat all wireless devices as "hostile" and only a handful get access to a network that has limited access to very specific machines. Guest network, sure, have at it.

WPA2 with CCMP/AES is generally believed to be reasonably secure on a system with the various patches (such as KRACK) applied. WPA3 is virtually unsupported by consumer devices at this time.


Sorry I didn't understand what you mean. Could you give an example?

Maybe have 2 SSIDs and VLANs and only place on main VLAN those devices that really need to interact with it?

Yes, I think you've got it.

For example, picking some "round" VLAN numbers, just for clarity:

  • VLAN 100 -- Management VLAN, only my infrastructure devices and the two computers from which I can access them. No wireless. No off-net routing
  • VLAN 200 -- Main, internal network. No wireless. Routes to the Internet
  • VLAN 300 -- SSID "Private", has very limited wired access to the two macOS desktops (with a different IP number) for the two "allowed" iPhones. Routes to Internet. Routes to "internal services"
  • VLAN 400 -- SSID "Public", Routes to Internet
  • VLAN 500 -- SSID "TPL" -- Only for TP-Link wireless-controlled outlets and switches and the single interface on the server that controls them. No Internet access.
  • ...
  • VLAN 1000 -- Hosts internal servers, such as mail and web. Port-forwarded from the Internet. No outbound connections permitted to be initiated, just inbound.
  • ...
1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.