Setting up an IOT Zone for home cameras and smart devices issue

Hello,

I'm currently attempting to set up a separate zone/Wi-Fi network which will carry my IoT devices and smart cameras. For security reasons I currently have both connected to my regular Wi-Fi, but since that network has client-to-client communication disabled, I think it introduces serious latency in smart devices like dimmer switches: I imagine it forces every IoT interaction out through the vendor's servers instead of allowing a local interaction.

This IOT zone would be identical to the WiFi, with the same traffic rules, but with client-to-client communication enabled. It would also have traffic rules and port forwards allowing clients on the regular WiFi to interact with the IoT clients.

It's been some months since I touched networking or OpenWrt, and I seem to be missing something basic. The IoT Wi-Fi has no access to the internet, which it needs in order to use the vendor's cloud services. I figured that setting up identical traffic rules to allow DNS would be enough, but I've clearly misremembered/forgotten something basic.

I'm not certain which configs I should post, or which would be oversharing, but I'll post them as soon as possible if anyone knows which would be helpful.

Thanks in advance for any support.

let's start here:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords and Wi-Fi keys, MAC addresses and any public IP addresses you may have (private addresses, VLAN IDs and ULA prefixes are fine to leave in):

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Ok,

I forgot to mention that this setup will include two devices: FutroS920, which is my router, and HomeAP, which is acting as my wireless AP. Both sets of configs are below:

FutroS920:

root@FutroS920:~# cat /etc/config/network

# FutroS920 /etc/config/network (pasted `cat` output; some values redacted).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:6a68:a309::/48'

# Trusted/management LAN on VLAN 3 (192.168.2.0/24). It is the only
# downstream network with ip6assign, so the only one that gets an IPv6 prefix.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.3'
	option ipaddr '192.168.2.1'
# 'list dns' on a static downstream interface configures nothing for clients;
# what clients receive is DHCP option 6 in /etc/config/dhcp.
	list dns '1.1.1.1'
	list dns '1.0.0.1'
# defaultroute only affects interfaces that learn a gateway (DHCP/PPP); on a
# static interface with no 'gateway' option it is a no-op.
	option defaultroute '0'

# Untrusted LAN on VLAN 9 (10.1.1.0/24). The AP attaches its 'WiFi' SSID and
# its wired LAN ports to this VLAN, so this is the "regular WiFi" of the thread.
config interface 'UntrustedLAN'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.255.255.0'
	option device 'br-lan.9'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option defaultroute '0'

# SecureIOT has no 'device' option: it is not attached to any bridge or VLAN,
# so no client can currently reach it. To carry it to the AP it needs a device
# (e.g. br-lan.<vid>) plus a bridge-vlan tagged on eth1, as done for PublicIOT.
config interface 'SecureIOT'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

# Public IoT on VLAN 99 (10.99.99.0/24): the network the thread is debugging.
config interface 'PublicIOT'
	option proto 'static'
	option ipaddr '10.99.99.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option device 'br-lan.99'

# eth0 is the untagged trusted port (PVID 3); eth1 is the trunk to the AP with
# VLANs 3, 9 and 99 tagged.
config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth0'
	list ports 'eth1'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:u*'
	list ports 'eth1:t'

# VLAN 33 has no ports and no interface refers to it: dead configuration.
config bridge-vlan
	option device 'br-lan'
	option vlan '33'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'eth1:t'

# WAN is VLAN 10 on eth2. peerdns '0' ignores the ISP's resolvers; the listed
# servers are used by the router's own resolver only.
config interface 'WAN'
	option proto 'dhcp'
	option device 'br-wan.10'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# A later reply points out the bridge is unnecessary: 'eth2.10' can be used
# directly as the WAN device.
config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth2'
	option mtu '1500'

config bridge-vlan
	option device 'br-wan'
	option vlan '10'
	list ports 'eth2:t'

# No 'device': nothing is attached to this network. It is also a member of the
# 'UntrustLAN' firewall zone, whose port-53 DNAT to the router applies to it
# as well, so clients here would not actually bypass AdGuard Home.
config interface 'AdguardBypass'
	option proto 'static'
	option ipaddr '10.55.55.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option defaultroute '0'

root@FutroS920:~# cat /etc/config/wireless

# The router's own radio is disabled; every SSID is served by HomeAP.
config wifi-device 'radio0'
	option type 'X'
	option path 'X'
	option cell_density '0'
	option country 'X'
	option disabled '1'

root@FutroS920:~# cat /etc/config/dhcp

# dnsmasq is moved to port 57 so that AdGuard Home can own :53. Its only
# upstream is 192.168.2.1, i.e. AGH on the router's own lan address, and
# noresolv '1' means nothing else is consulted: an AGH outage also takes the
# router's own name resolution down.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
# Only answers DNS for directly attached subnets.
	option localservice '1'
	option ednspacket_max '1232'
	option localuse '1'
	option cachesize '1000'
# DNS rebinding protection is off, so upstream answers pointing at private
# addresses are passed through. Since every query goes via AGH, make sure
# rebinding is filtered there, or re-enable this here.
	option rebind_protection '0'
	list server '192.168.2.1'
	option port '57'
	option noresolv '1'

# Trusted LAN: option 3 and 6 hand out the router itself as gateway and
# resolver (AGH on :53); RA/DHCPv6 in server mode with managed/other flags.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.2.1'
	list dhcp_option '3,192.168.2.1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Hands out public resolvers, but the firewall's port-53 DNAT for the
# UntrustLAN zone sends those queries to AGH anyway (plain DNS only; DoT/DoH
# clients are not caught).
config dhcp 'UntrustedLAN'
	option interface 'UntrustedLAN'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4'

# No option 6 here or on PublicIOT, so dnsmasq advertises the interface
# address (192.168.99.1 / 10.99.99.1) as the resolver. dnsmasq itself listens
# on :57, so this only works if AGH is also bound to that address -- the
# likely reason for the SERVFAIL seen on the IoT SSID later in the thread.
config dhcp 'SecureIOT'
	option interface 'SecureIOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'PublicIOT'
	option interface 'PublicIOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

# No 'option ignore 1' (the OpenWrt default for wan), so dnsmasq is not told to
# stay off the upstream interface. The wan zone's input DROP keeps DHCP
# requests from reaching it, but add ignore '1' rather than rely on the firewall.
config dhcp 'WAN'
	option interface 'WAN'

# Same as UntrustedLAN; note the network has no device attached.
config dhcp 'AdguardBypass'
	option interface 'AdguardBypass'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4'

root@FutroS920:~# cat /etc/config/firewall

# FutroS920 /etc/config/firewall. Zones: TrustedLAN (lan), wan (WAN),
# UntrustLAN (UntrustedLAN + AdguardBypass), SecureIOT, PublicIOT. Every
# interface belongs to a zone, so the ACCEPT input default below only matters
# for traffic arriving on an interface that is not assigned to any zone.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
# Hardware offload needs NIC/driver support; on an x86 thin client it is most
# likely unavailable and silently ignored (software offload still applies).
	option flow_offloading_hw '1'

# Trusted LAN: everything allowed, including full input to the router.
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option name 'TrustedLAN'

# WAN: unsolicited input and forward dropped, outbound masqueraded.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'
	option input 'DROP'
	option forward 'DROP'

config forwarding
	option dest 'wan'
	option src 'TrustedLAN'

# The rules from here up to Allow-ICMPv6-Forward match the stock OpenWrt wan
# rules (DHCP renew, IGMP, DHCPv6, MLD, ICMPv6); Allow-Ping is disabled.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Not stock: these two forward ESP and IKE (udp/500) from the Internet into
# the trusted LAN with no dest_ip restriction. They are only useful if a VPN
# endpoint behind the router must accept unsolicited inbound IKE/ESP, and
# udp/4500 (NAT-T), which a peer behind this masquerading NAT would normally
# also need, is not opened. TODO confirm they are still needed; else remove.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'TrustedLAN'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'TrustedLAN'

# Untrusted zone: router input and forwarding rejected by default. Because
# 'AdguardBypass' is a member, every rule and redirect written for this zone
# (including the port-53 DNAT below) applies to it too.
config zone
	option output 'ACCEPT'
	option forward 'REJECT'
	option name 'UntrustLAN'
	option input 'REJECT'
	list network 'UntrustedLAN'
	list network 'AdguardBypass'

# SecureIOT: input ACCEPT lets IoT devices reach every service on the router
# (LuCI/SSH, dnsmasq on :57, AGH on :53). PublicIOT below uses input REJECT
# plus an explicit DHCP/DNS rule instead; consider the same here. No
# forwarding to wan is defined for this zone, so it has no Internet access.
config zone
	option name 'SecureIOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'SecureIOT'

# PublicIOT: input REJECT, DHCP/DNS to the router allowed by a rule below,
# Internet via the forwarding below. Nothing can be initiated from here
# towards TrustedLAN (default forward REJECT, no forwarding entry).
config zone
	option name 'PublicIOT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'PublicIOT'
	option input 'REJECT'

config forwarding
	option src 'TrustedLAN'
	option dest 'PublicIOT'

config forwarding
	option src 'TrustedLAN'
	option dest 'SecureIOT'

config forwarding
	option src 'UntrustLAN'
	option dest 'wan'

# No 'proto', so the OpenWrt default (tcp+udp) applies. Port 68 is the DHCP
# client port and is not needed for traffic into the router; harmless.
config rule
	option name 'Untrusted DHCP and DNS'
	option src 'UntrustLAN'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# The AP's 'WiFi' SSID sits on UntrustedLAN, so this is what lets the regular
# WiFi clients initiate connections to IoT devices. Replies return statefully;
# IoT devices cannot initiate towards the untrusted zone.
config forwarding
	option src 'UntrustLAN'
	option dest 'PublicIOT'

# No dest_ip: OpenWrt rewrites the destination to the router's own address on
# the incoming zone, so port-53 traffic lands on AdGuard Home.
config redirect 'adguardhome_dns_53'
	option proto 'tcp udp'
	option target 'DNAT'
	option name 'Adguard Home'
	option src 'TrustedLAN'
	option src_dport '53'
	option dest_port '53'

# Applies to the whole UntrustLAN zone: clients handed public resolvers via
# DHCP option 6, and the 'AdguardBypass' network, are still sent to AGH.
# Only plain port-53 DNS is caught; DoT/DoH clients bypass this.
config redirect
	option target 'DNAT'
	option name 'Adguard Home Untrusted'
	option src 'UntrustLAN'
	option src_dport '53'
	option dest_port '53'

# External script executed at every firewall reload; its contents are not
# shown here and should be reviewed separately.
config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

# As pasted this DNAT has no dest_ip/dest_port, so it cannot forward anything.
# If the printer's address was redacted that is fine; otherwise it is missing.
config redirect
	option target 'DNAT'
	option name 'Guest Printing'
	list proto 'tcp'
	option src 'UntrustLAN'
	option src_dport '9100'

config forwarding
	option src 'PublicIOT'
	option dest 'wan'

# Rewrites every port-53 query from the IoT zone to the router's PublicIOT
# address (10.99.99.1) whatever resolver the client was told to use, so
# handing out public resolvers via option 6 changes nothing while this is
# enabled. AGH must be listening on that address for it to work; this is
# consistent with the SERVFAIL seen later in the thread.
config redirect
	option target 'DNAT'
	option name 'Adguard Home PublicIOT'
	option src 'PublicIOT'
	option src_dport '53'
	option dest_port '53'

# DHCP and DNS to the router itself; no 'proto', so tcp+udp by default.
config rule
	option name 'PublicIOT DHCP and DNS'
	option src 'PublicIOT'
	option dest_port '53 67 68'
	option target 'ACCEPT'


HomeAP:

root@HomeAP:~# cat /etc/config/network

# HomeAP /etc/config/network (dumb AP; swconfig-style switch).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Differs from the router's ULA prefix; unused since no interface here has
# ip6assign.
config globals 'globals'
	option ula_prefix 'fd26:df77:5d6e::/48'

# Management bridge on VLAN 3; it gets its address from the router by DHCP.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.3'
	list ports 'eth1.3'

config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLANs 3 and 99 are tagged on ports 0 and 5 only (presumably the CPU and
# uplink ports). VLAN 9 is untagged on ports 1-4, so anything plugged into the
# AP's wired LAN ports lands on the untrusted network.
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '3'
	option ports '0t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '9'
	option ports '0t 4 3 2 1 5t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '99'
	option ports '0t 5t'

# proto 'none': the AP has no address on the untrusted network, so its own
# services are not reachable from it.
config device
	option type 'bridge'
	option name 'br-untrustedlan'
	list ports 'eth0.9'
	list ports 'eth1.9'

config interface 'UNTRUSTEDLAN'
	option proto 'none'
	option device 'br-untrustedlan'

# Unlike the untrusted bridge, only eth0.99 is a member here, so VLAN 99
# reaches this AP through eth0 alone. TODO confirm eth0 is the CPU interface
# behind the trunk to the router (the later ping test suggests it is).
config device
	option type 'bridge'
	option name 'br-publiciot'
	list ports 'eth0.99'

config interface 'PublicIOT'
	option proto 'none'
	option device 'br-publiciot'


root@HomeAP:~# cat /etc/config/wireless

# HomeAP /etc/config/wireless. The 'X' values, the missing closing quote on
# 'path'/'country' and the empty 'key' options are redaction artefacts of the
# paste, not of the running configuration.
config wifi-device 'radio0'
	option type 'X'
	option path 'soc/X
	option band '5g'
	option cell_density '0'
	option country 'X
	option htmode 'VHT80'
	option channel '36'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'
	option channel '4'

# 'WiFi' SSID, 5 GHz: WPA2-PSK, client isolation on, 802.11r fast transition
# shared with the 2.4 GHz twin below (same mobility domain); bridged to the
# untrusted VLAN 9. This is the "regular WiFi" the thread refers to.
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'WiFi'
	option encryption 'psk2'
	option isolate '1'
	option dtim_period '3'
	option key
	option ieee80211r '1'
	option mobility_domain '123e'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'UNTRUSTEDLAN'

# 'WiFi' SSID, 2.4 GHz twin of the above.
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'WiFi'
	option encryption 'psk2'
	option isolate '1'
	option dtim_period '3'
	option key 
	option ieee80211r '1'
	option mobility_domain '123e'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'UNTRUSTEDLAN'

# Management SSID on the trusted VLAN, currently disabled. Keep it disabled
# unless needed: it lands clients directly on the management network.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'AdminM'
	option encryption 'psk2'
	option network 'lan'
	option key 
	option disabled '1'

# IoT SSID, 2.4 GHz only, on VLAN 99. No 'isolate', so IoT clients can talk to
# each other, which is the purpose of the zone. Still disabled at the time of
# the paste; a later reply advises removing the four 802.11r options here
# because many IoT clients misbehave with fast transition enabled.
config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IOT-ZONE'
	option encryption 'psk2'
	option dtim_period '3'
	option key
	option ieee80211r '1'
	option mobility_domain '321f'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'PublicIOT'
	option disabled '1'


root@HomeAP:~# cat /etc/config/dhcp

# HomeAP /etc/config/dhcp: dnsmasq still runs on the AP (rebind protection
# and localservice on, as shipped), but serves DHCP nowhere -- see 'ignore'
# below, and the untrusted/IoT bridges have proto 'none' and no dhcp stanza.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

# 'ignore 1' keeps the AP from answering DHCP on the management bridge, where
# the router is the DHCP server. RA/DHCPv6 are left at 'hybrid';
# TODO confirm the AP is not announcing itself as a router on VLAN 3.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@HomeAP:~# cat /etc/config/firewall

# HomeAP /etc/config/firewall: a dumb AP with no zones defined, so every chain
# falls back to these defaults (input/output ACCEPT, forward REJECT). The AP
# holds an IP address only on the management bridge (the other bridges are
# proto 'none'), so its SSH/LuCI are reachable only from VLAN 3 and from hosts
# the router forwards there. Keep it that way.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

For all of your networks, you have defaultroute '0' - why is that? Do you have PBR or other routing configurations set up? Normally, this option is not used.

Also, on the DNS, you can remove those from all but the wan interface... they don't actually do anything in the network stanzas for the downstream networks.

SecureIOT is wifi only, correct? Not connected to ethernet, and thus not broadcast on any other APs, either.

On your wan, you don't need to use a bridge... you can directly use device eth2.10

Meanwhile, back to your original issue -- which network is at issue here?


For all of your networks, you have defaultroute '0' - why is that? Do you have PBR or other routing configurations set up? Normally, this option is not used.

Honestly, I am not sure. I was following advice from someone else, and they advised me to turn "Use Default Gateway" off.
I am using Adguard Home for ad/malware blocking, could it be due to that, and routing DNS through it? Would it make a difference on or off?

Also, on the DNS, you can remove those from all but the wan interface... they don't actually do anything in the network stanzas for the downstream networks.

Will do, thanks.

SecureIOT is wifi only, correct? Not connected to ethernet, and thus not broadcast on any other APs, either.

Well- it is 'WiFi only' insofar as that is the only way I wish for clients to access it. I want it to be broadcast on the Access Point device (My router device doesn't have the ability to broadcast WiFi in master mode)
This means I'll want it tagged on the LAN port of the router device that is connecting to the AP device. From there it will be broadcast to IoT clients.

On your wan, you don't need to use a bridge... you can directly use device eth2.10

Thanks, changed that now.

Meanwhile, back to your original issue -- which network is at issue here?
The network at issue at the moment is 'PublicIoT'. On both devices.

You can delete this -- it does nothing at all.

Turn off all of the 802.11r stuff for this SSID. Many devices, IoT in particular, don't work well with fast roaming enabled.


Thank you, I did both of those things. Unfortunately I still seem to be getting no access to internet when I connect to that Wifi SSID, which I'll need to use the vendor cloud functions.

Let's try this:

Connect with a computer to the IOT-ZONE ssid. Then...

  • Check the IP address, subnet, router, and dns values that are provided by DHCP
  • Run a ping test

Report back the results from each of those tests.


Ok, connected to it.

From the laptop's terminal:
IP Address: 10.99.99.116
Subnet: 10.99.99.255
Default Gateway: 10.99.99.1

Not sure exactly what to do to get DNS information, but I ran nslookup for google.com and got this output:
Server: 127.0.0.53
Address: 127.0.0.53#53

**server can't find google.com: SERVFAIL

Pinging 8.8.8.8 worked perfectly, so it seems the issue is with DNS. Pinging google.com returned temporary failure in name resolution.

This should be the broadcast address... the subnet mask should (hopefully) be 255.255.255.0 -- please confirm.

Yes, it seems like you have a DNS issue. It is likely related to your AGH setup.

Two options:

  1. figure out what is happening with AGH on this network and resolve it... take this path if you want this IoT network to be filtered by AGH
  2. Specify option 6 with a public DNS server (like 8.8.8.8 or 1.1.1.1) for the DHCP server on this network if you want to keep it simple and skip filtering. Note that the 'Adguard Home PublicIOT' redirect will still rewrite those port-53 queries to the router, so disable that redirect as well, otherwise option 6 has no effect.

This should be the broadcast address

Yes, it probably is. I'm not really sure what I was looking at and just assumed, or really what command to put in terminal for that matter..

Honestly, considering the extremely marginal benefits that would come from filtering their DNS requests, I think I will just specify a DNS in option 6.

And that seems to have completely solved the problem. Thanks a lot!

(Completely out of field question, by the way, but I played the original Deus Ex for the first time recently, and I remember hacking some emails addressed from a psherman, a Man In Black placed in interim charge of UNATCO. Any relation...? :laughing: )

Nope... lol. I even predate Finding Nemo (PSherman 42 Wallaby Way)


Good to know, hah.

Although.. that is what someone working for Majestic 12 would say...

Apologies to reopen this, but it seems like I assumed it was resolved prematurely.

I was able to resolve DNS fine on my phone using the IOT-Zone SSID, but it seems like that had more to do with my VPN connection than a properly configured network.

I've specified those DNS servers, but pings with domain names don't resolve.

Apologies for the bump, but I'm still having this issue. I've been looking to find some reason that AGH may be preventing DNS- could it be to do with moving dnsmasq to port 57, and having 53 be assigned to AGH?

Set 192.168.2.1 as the DNS server for the PublicIOT network using DHCP option 6. Queries to that address from the IoT zone are still input traffic to the router, so the existing 'PublicIOT DHCP and DNS' rule already permits them; no forwarding to TrustedLAN is needed.
Make sure the DNAT rule 'Adguard Home PublicIOT' is removed or disabled, otherwise it keeps rewriting every port-53 query to the PublicIOT interface address (10.99.99.1), which AdGuard Home may not be listening on.
Reconnect to the IOT network using your laptop and post the result of:

nslookup openwrt.org
nslookup openwrt.org 192.168.2.1
nslookup openwrt.org 8.8.8.8

Thanks,

Here they are:

user@deviceb:~$ nslookup openwrt.org
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

user@deviceb:~$ nslookup openwrt.org 192.168.2.1
Server:		192.168.2.1
Address:	192.168.2.1#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

user@deviceb:~$ nslookup openwrt.org 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	openwrt.org
Address: 139.59.209.225
Name:	openwrt.org
Address: 2a03:b0c0:3:d0::1af1:1

I see you've marked the topic as solved in the meantime, so any further comments are probably useless.

I don't know what operating system the test device is running, but 127.0.0.53 is the local stub resolver used by systemd-resolved on many Linux distributions, so the laptop is answering its own queries through that stub and the upstream server it actually forwards to remains unclear (`resolvectl status` would show it).

Anyway, if you set 192.168.2.1 to be advertised as a DNS server for the IoT network, the clients should work as expected using AGH.
