Separate my network for IoT accessible from LAN (using LuCI)

Hi guys,

I'm not sure if there was already a subject about that but couldn't find it.

What I would like to have is to separate my network using subnets to get a LAN network where all regular devices will be, an IoT network for all smart home devices with no internet connection and an IoT network for devices with internet connection. I also have a guest network which is on a different IP range.
I would like to have it like so:

I made the interfaces/firewall/wireless network. I made a test connecting my phone to the IoT network: I have an IP address in the range but no internet (so far so good), but I would like to have the possibility for LAN devices to communicate with IoT devices (one way). I tried making a traffic rule for that, changing some things in the firewall settings, but cannot make it work.

Do you have any suggestions?

My first guess is that you don't have masquerading enabled on the lan firewall zone, or that you have the OpenWrt router connected via the wan port and are also setting up a lan with the same subnet as the wan.

Your config will tell us much more. Also, critically, how is the OpenWrt router connected to the ISP router? Is it LAN-LAN or LAN-WAN?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Did you set up different vlans or just static IP addresses and subnets?

Does your router actually have all those 3 IP addresses (192.168.1.1, 192.168.1.128 and 192.168.1.198)?

If not you might have placed your IoT devices in a subnet where they simply cannot reach the router IP for routing.

Sorry for the delay in answering, here are the results from the commands:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd27:80ea:3b91::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	option netmask '255.255.255.128'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.121.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option defaultroute '0'

config interface 'mwan'
	option device 'usb0'
	option proto 'dhcp'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.1.128'
	option netmask '255.255.255.192'
	option defaultroute '0'

config interface 'iot_wan'
	option proto 'static'
	option ipaddr '192.168.1.192'
	option netmask '255.255.255.192'

config rule
	option in 'lan'
	option out 'iot'
	option src '192.168.1.1/25'
	option dest '192.168.1.128/26'
	option lookup 'default'

root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '2g'
	option channel '11'
	option htmode 'HT40'
	option country 'FR'
	option cell_density '2'
	option noscan '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option wds '1'
	option ssid 'Xiaomi_986A'
	option key 'passwd'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'FR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option wds '1'
	option key 'passwd'
	option ssid 'Xiaomi_986A-5G'
	option encryption 'psk2'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt-Guest'
	option encryption 'none'
	option isolate '1'
	option network 'Guest'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IOT-Local'
	option encryption 'sae'
	option key 'passwd'
	option network 'iot'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IOT-WAN'
	option encryption 'sae'
	option isolate '1'
	option key 'passwd'
	option network 'iot_wan'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option rebind_protection '0'
	option domain 'rbohanne.lan'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra 'hybrid'
	option dhcpv6 'hybrid'
	option start '5'
	list dhcp_option '6,192.168.1.2'
	list dhcp_option '3,192.168.1.2'
	option limit '127'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wan'
	option interface 'wan'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option leasetime '1h'
	option limit '120'

config dhcp 'iot_wan'
	option interface 'iot_wan'
	option leasetime '12h'
	option start '192'
	option limit '255'

config dhcp 'iot'
	option interface 'iot'
	option leasetime '12h'
	option start '128'
	option limit '191'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'mwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option family 'ipv4'
	list network 'iot'
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot_wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'
	list network 'iot_wan'
	option input 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'Guest'
	list device 'wlan-guest'

config rule
	option target 'ACCEPT'
	option src 'guest'
	list proto 'tcp'
	list proto 'udp'
	option name 'Allow-DNS-Guest'
	option dest_port '53'

config forwarding
	option src 'iot_wan'
	option dest 'lan'

config rule
	option name 'Allow-DHCP-Guest'
	option family 'ipv4'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'guest'
	option dest_port '67 68'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Block Guest to LAN'
	option src 'guest'
	option dest 'lan'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.1.0/25'

config rule
	option src 'iot'
	option target 'ACCEPT'
	option dest_port '67 68'
	list proto 'udp'
	option family 'ipv4'
	option name 'Allow-DHCP-IOT'

config forwarding
	option dest 'iot'

config forwarding
	option dest 'iot_wan'

config rule
	option src 'lan'
	option dest 'iot'
	option target 'ACCEPT'
	list dest_ip '192.168.1.128/26'
	option name 'Allow-LAN-to-IOT'
	list proto 'all'
	list src_ip '192.168.1.0/25'

config rule
	option name 'Allow-DNS-IOT-WAN'
	option src 'iot_wan'
	option target 'ACCEPT'
	option dest_port '53'

config rule
	option name 'Allow-DHCP-IOT-WAN'
	option src 'iot_wan'
	option dest_port '67 68'
	option target 'ACCEPT'
	list proto 'udp'
	option family 'ipv4'

config rule
	option src 'iot_wan'
	option dest 'lan'
	option target 'DROP'
	option name 'Block-IOT-WAN-To-LAN'
	list proto 'all'
	list dest_ip '192.168.1.0/25'

config rule
	option name 'Allow-LAN-TO-IOT-WAN'
	option src 'lan'
	option dest 'iot_wan'
	option target 'ACCEPT'
	list src_ip '192.168.1.0/25'
	list proto 'all'
	list dest_ip '192.168.1.192/26'

There are several things going on.

First, are you sure your upstream is actually a /25?

This is unusual for most home router configurations, especially those from ISPs (almost always /24).
It's okay if it is, but you should check the upstream because consistency is important.

Aside from that, you need to add DNS to the lan interface (likely 192.168.1.1 or the addresses you've used for the guest interface are fine).

Remove the dns entries and the default route from the guest interface. It should look like this:

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.121.1'
	option netmask '255.255.255.0'

Likewise, let's remove the default route line from the iot network. And let's also change the address and subnet so that it cannot possibly conflict with the upstream lan (in the event that it is actually a /24). Make it look like this:

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

And similarly, let's change iot_wan to look like this:

config interface 'iot_wan'
	option proto 'static'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'

And delete this entirely:

Next, the DHCP file needs to be adjusted.
If your ISP router has an active DHCP server, you must disable the DHCP server on your OpenWrt device for the lan interface (you can ignore this bit if you've disabled the DHCP server on the ISP router). If you need to disable the lan DHCP server, this is what it should look like:

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option start '5'
	list dhcp_option '6,192.168.1.2'
	list dhcp_option '3,192.168.1.2'
	option limit '127'
	option ignore '1'

The DHCP server for the guest network is fine, but the following two are invalid:

The reason is that the limit is too high. The limit is not the stopping number, but rather the size of (number of addresses in) the DHCP pool. The range of the DHCP pool is defined by this equation:

[start] to [start + limit - 1]

Now that we changed these networks to /24s, I'd recommend using the default values of start = 100, limit = 150. That makes a range of 100-249.

In the firewall file, remove the wlan-guest device from the guest zone - it should look like this:

config zone
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'Guest'

Coming back to the question about the upstream network being a /24 or /25 -- if it is a /24, you need to adjust that here:

Remove these lines:

Remove this next section... it won't work with masquerading enabled on the lan zone anyway (if you need to access this from lan -> iot, your ISP router needs to be configured differently... let's get this working now and we can adjust if the ISP router supports the settings required):

Same question about the upstream being a /25 or /24:

and you can delete this section for the same reason I mentioned before -- it won't work:

Make all those changes, reboot your router and try again. If it doesn't work, post your latest config files. Also, I didn't bother looking at the wireless file -- these need to be right before we worry about any errors there.
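The two checks this reply makes by hand (does each DHCP pool, computed as [start] to [start + limit - 1], fit inside its interface's subnet, and which interface subnets would collide with the ISP router's LAN if it is really a /24) can be scripted against the posted config files. The script below is an added example written for this thread, not OpenWrt's own tooling: it contains a minimal parser for the UCI `config`/`option`/`list` syntax and runs it over excerpts of the network and dhcp files posted above. It assumes, as the OpenWrt DHCP documentation states, that `start` is an offset from the interface's network address, and the `192.168.1.0/24` upstream it tests against is the hypothetical case the reply raises, not a value from the thread.

```python
import ipaddress
import shlex

# Constructed sample input: the interface and DHCP stanzas posted in the thread,
# trimmed to the options these checks need.
NETWORK_CONF = """
config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.121.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.1.128'
	option netmask '255.255.255.192'

config interface 'iot_wan'
	option proto 'static'
	option ipaddr '192.168.1.192'
	option netmask '255.255.255.192'
"""

DHCP_CONF = """
config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '120'

config dhcp 'iot_wan'
	option interface 'iot_wan'
	option start '192'
	option limit '255'

config dhcp 'iot'
	option interface 'iot'
	option start '128'
	option limit '191'
"""


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options).

    Handles the three statement kinds found in /etc/config files: 'config',
    'option' and 'list'. Repeated 'list' values are collected into Python lists.
    """
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kind = words[0]
        if kind == "config":
            name = words[2] if len(words) > 2 else None
            sections.append((words[1], name, {}))
        elif kind == "option":
            sections[-1][2][words[1]] = words[2]
        elif kind == "list":
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections


def interface_subnets(network_text):
    """Map interface name -> CIDR string for every static interface."""
    subnets = {}
    for stype, name, opts in parse_uci(network_text):
        if stype == "interface" and opts.get("proto") == "static" and "ipaddr" in opts:
            iface = ipaddress.ip_interface(f"{opts['ipaddr']}/{opts['netmask']}")
            subnets[name] = str(iface.network)
    return subnets


def pool_range(start, limit):
    """The equation from the reply: the pool spans offsets [start, start + limit - 1]."""
    return start, start + limit - 1


def check_pool(subnet_cidr, start, limit):
    """Return (ok, first_ip, last_ip) for a pool on the given subnet.

    'start' is an offset from the network address (assumption taken from the
    OpenWrt DHCP docs), so the last offset must stay below the broadcast address.
    """
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    first, last = pool_range(start, limit)
    last_usable_offset = subnet.num_addresses - 2  # exclude network and broadcast
    ok = first >= 1 and last <= last_usable_offset
    return ok, subnet.network_address + first, subnet.network_address + last


def check_dhcp_pools(network_text, dhcp_text):
    """Return {interface: (ok, first_ip, last_ip)} for every active DHCP pool."""
    subnets = interface_subnets(network_text)
    results = {}
    for stype, name, opts in parse_uci(dhcp_text):
        if stype != "dhcp" or opts.get("ignore") == "1":
            continue
        iface = opts.get("interface", name)
        if iface not in subnets:
            continue  # dynamic (dhcp/pppoe) interfaces have no static subnet to check
        start = int(opts.get("start", 100))  # OpenWrt defaults
        limit = int(opts.get("limit", 150))
        results[iface] = check_pool(subnets[iface], start, limit)
    return results


def overlapping_interfaces(network_text, upstream_cidr):
    """Names of interfaces whose subnet overlaps the upstream (ISP router) LAN."""
    upstream = ipaddress.ip_network(upstream_cidr)
    return sorted(name for name, cidr in interface_subnets(network_text).items()
                  if ipaddress.ip_network(cidr).overlaps(upstream))


if __name__ == "__main__":
    for iface, (ok, lo, hi) in check_dhcp_pools(NETWORK_CONF, DHCP_CONF).items():
        print(f"{iface:8s} pool {lo} - {hi}: {'ok' if ok else 'INVALID, exceeds subnet'}")
    # Hypothetical case from the reply: the ISP router's LAN is really a /24
    print("overlaps a /24 upstream:", overlapping_interfaces(NETWORK_CONF, "192.168.1.0/24"))
```

Running it reports the Guest pool as fine and both IoT pools as overflowing their /26, which is the "limit is the pool size, not the stopping number" point; the overlap check names `iot` and `iot_wan` against a /24 upstream and nothing against a /25, which is why the reply moves them to 192.168.5.0/24 and 192.168.6.0/24. To run it on a live router, replace the two constants with the contents of `/etc/config/network` and `/etc/config/dhcp`.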