Seperating IOT devices via Firewall or wireless VLANs?

Hey guys, I'm reworking my home network to a more optimized setup. I'm thinking of redoing my iot and guest network setup using VLANs on OpenWRT instead of making separate interfaces and subnets (IOT would use 192.168.4.1; guest would use 10.45.10.0), and then separating the traffic with firewalls. Anyone here know how I can create the VLANS? Additionally, I want the lan vlan (the one with my personal devices) to be able to look into the VLAN for the iot devices, is that possible to do, and if so, how can I do that? My router's a TP-link Archer A7 V5

The main goals I want to achieve are these:

  1. The IOT and Guest network devices to be separate from the LAN devices
  2. The LAN devices to be able to talk to the IOT devices (but the IOT devices shouldn't be able to talk to the LAN devices)
  3. The guest devices should be completely and totally separated from the LAN.
  4. Both the IOT and Guest devices should be able to talk to the internet
  5. IOT should have a more strict communication limit (to prevent something like DDOS or botnet)
  6. mDNS/Bonjour should work across each of the interfaces
  7. IOT and Guest should have their own seperate SSID
1 Like

This is a contradiction: VLANs are a method to create separate interfaces and subnets on a single ethernet port. Also, you need separate interfaces and subnets to achieve your goals. Additionally, VLANs are only for wired devices.

4 Likes

On my TP-Link access point I connect each SSID to any VLAN of choice, and one VLAN for managment.

Yes, you can bridge a wireless interface to a wired interface that uses VLANs, but only the wired interface will use the VLANs, you cannot use VLANs to have several networks on the same wireless interface, like you would do with a wired interface.

4 Likes

Ah ok, so I should stick to my original setup then. Thanks for the info :smiley: But now that leads me to my next issue.. I can't figure out why my duckdns domain won't work when I try to open my server with it while I'm connected on the network. I just keep getting RFC1918 errors, more details in this issue: Domain whitelist for Rebind Protection not working

Welp, as soon as I say it, of course the ddns starts working in the network again. Not sure what happened there; but still thanks for the info on the network setup!

1 Like

@eduperez Quick question, how do I get multi-cast DNS to work across subdomains? I want to change my domain name from .lan to .local but I heard that it isn't possible to have .local working across different subdomains/interfaces. Is there a way to make it work on different subdomains?

I never tried to do multi-cast DNS across subdomains... I am not even sure I know what is that...

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.