Set up dedicated VLAN and SSID for LAN-only-access for iOT devices

I've seen a couple of sets of instructions for setting up guest networks and VLANs for iOT devices that are meant to allow devices connected to that sequestered network to be able to access the WAN but not other devices on the LAN. I want to do the opposite. I need to be able to connect to my devices from the LAN, but I don't want the devices to be able to access the WAN.

The longer version of this tale is that I have a bunch of cheap wifi devices that I'd like to use only on the local network, and that I want to block from accessing the internet (and perhaps sending back information to their countries of origin, or downloading new firmwares, etc). I've been blocking them from WAN access via firewall rules that target each device's MAC ID, but I'd rather set up a separate SSID on my router that shunts those devices into a VLAN that only has access to the LAN.

I'm guessing this is possible, but I've had no luck figuring out how to set it up. I've managed to create additional VLANs and SSIDs via Luci, but they never seem to work properly. Maybe it's a little complicated in that I do not set up a DHCP server on the VLAN and want the existing DHCP server on the LAN to assign addresses to the devices on this additional VLAN that are contiguous with the addresses of the devices on the rest of the LAN so that they can all reach each other?

I'm on a TP-LINK Archer C7 v4 running OpenWrt SNAPSHOT r7904-6b4ba11. I've got wpad rather than wpad-mini installed as I'm using "802.11r Fast Transition" and an additional archer C7 (running the same openwrt, with DHCP disabled) to extend my wireless networks. I suppose once I get a lan-only VLAN working on the main router, maybe I'd be able to also set up that same SSID with 802.11r on the other router?

Any help or information would be very much appreciated. I'm a bit out of my depth.

The "point" of a VLAN is to isolate the networks, at least to the point where the firewall at the router has control over which clients on which networks can "talk" with which. As soon as you put them all into one subnet, your routing will likely fail.

In most configurations, each VLAN pretty much needs to be assigned to its own subnet, with DHCP (either directly or with a DHCP relay) on that subnet (link local), and services such as DNS being supplied on the network, or permitted through routing.

Set up a guest network, but do not forward it to the WAN like you usually would want to so the guests have Internet.

As @jeff said, you need a separate DHCP server for each network where its devices need to be served DHCP. This is inherent in LuCI where you automatically get a DHCP server with each new network unless you check the box to disable it.

I have a setup where every guest is firewalled out of the router CPU except UDP port 67 (for DHCP requests) and TCP/UDP port 53 (for DNS). Some IoT situations use various broadcast discovery protocols instead of DNS names, in which case you don't need a DNS server.

That makes sense. So if I can't do it with VLANs, is there any way to set up an additional SSID such that any device connected to that SSID has access to the LAN but not the WAN?

Maybe I just need to continue setting up firewall rules for each MAC ID that block them from the WAN.

VLANs are likely the "right" way to do this, it's just that the traffic needs to be routed between the VLANs.

You'll have to decide what risks you want to take if you want to manage your IoT devices directly.

Many IoT devices provide both on-link access and access through a remote server (MQTT over TLS, or the like). Those that don't have a remote server can be very challenging to "isolate" due to broadcast protocols that inherently don't span multiple networks.

IP- and MAC-based firewalls (as opposed to using the interface and ensuring that all the addresses you see on that interface are "expected") are very weak security. It's trivial to capture a MAC address off the air, and equally trivial to change the MAC or IP address of a "rogue" device.

You're on the right track with VLANs.

Put everything you don't trust into a separate VLAN, and assign it to a different subnet from your trusted VLAN/subnet.

Configure your router to send traffic between your trusted and untrusted subnets. Configure your firewall to permit outbound traffic only from your trusted subnet, and to deny (or drop) outbound traffic from the untrusted subnet.

This diagram gives a high-level illustration of the concepts, showing the different components and their relation to each other:


Although the diagram shows three "devices" - two routers and a firewall - all three functions could be combined on a single device. I split them visually into three devices to show the concepts involved, to indicate the separation between the firewall (what traffic is allowed) and routing (where does the traffic go).

1 Like

Thanks for the information! Do the IP ranges used for the trusted and untrusted subnets matter? I assume since I'm to have two DHCP server that they need to be completely different, but if (for example) my untrusted is 192.168.1.x and trusted are 10.0.1.x - could they be bridged somehow such that devices on each subnet can see each other?

The subnets do matter, all networks should have different numbering.

If they get bridged, that a physical security issue in your network - you must control.

I'm not getting it -- For most, the point of separating them is so that you prevent them from talking to each other, except for very specific things that you allow. If you bridge them then (a) you've got a mess of subnets on the same link, and (b) there is no chance of isolating one class of clients from another.

You perhaps want to route the various VLANs at "Interior Router" with firewall rules that prevent everything, except the very specific things you choose to allow.

Maybe 'bridging' is the wrong term. What I want is for devices on my local network to be able to communicate with my untrustworthy iOT devices (say, cheap security cameras from Chinese brands like Digoo that feature terrible security), but I don't want those iOT devices to be able to phone home or be reached over the WAN. I want to connect the cameras to a wifi SSID that makes them local-only devices.

Horrid-security IoT VLAN = 666
"Trusted" VLAN = 1000

  • DNS for VLAN 666 "forged" so that all requests for NTP are sent to your personal NTP server on that subnet.
  • Firewall sketch
    • All packets that aren't from the "right" subnet dropped (so can't "forge" IP addresses)
    • No packets accepted from VLAN 666 that would be routed to anywhere but VLAN 1000 (including WAN)
    • No connections allowed to originate from VLAN 666 to VLAN 1000
    • No connections allowed to originate to VLAN 666 from anywhere but VLAN 1000
      • Only the "right" ports and IP addresses for the cameras allowed, even for VLAN 1000 clients
    • Only return packets with established connections from VLAN 1000 permitted to be routed from VLAN 666 to VLAN 1000

Note that I always make sure that the IP addresses on the interface are the "right" range ("anti-spoof") and I typically write firewall rules by interface, not by IP address.

It is. :smile: Bridging has a particular meaning to a network technician.

Quick digression into the OSI 7-layer model (if you ever get insomnia, read the full thing!)...

Bridging is joining two networks/VLANs at the layer 1/layer 2 level. This is independent of any IP addressing.

Routing is joining two networks at the layer 3 level. This is where IP addresses live.

Firewalls work at layer 3, with IP addresses. If you bridge two networks together, you'll permit traffic which the firewall won't be able to block.

Caveat: the above is an oversimplification which does not address (no pun intended) more advanced methods of traffic and network control. But for the purposes of setting up a simple two-subnet network with a firewall on OpenWRT, it's accurate enough.

So set up two VLANs and two subnets (one per VLAN), and stick a firewall in the middle of the two to control which traffic can flow, where it can flow from, and where it can flow to.

1 Like

I think I got it working -- thanks for all the help.

But after I got it set up, I realized why I'd plugged all the other cheap digoo cameras I've got into ethernet -- they work terribly over wifi. Dropped frames, dropped connections, etc. So I ran some Cat 5e to the camera (I'll save the Cat6 cable for devices that need it) and set up a rule in the firewall. I'm guessing I could go the VLAN route over ethernet if I connected all the insecure devices to the same ethernet port on the router, but it'd be very difficult to do that at the moment as I've got the router mounted in a different location with a long in-wall run of cat6 to a 24-port switch in a utility cabinet. I suppose if I had a managed switch I could set up a VLAN at that point.