Should I dare to click "isolate clients" for IoT

Hi, I'm running a VLAN for IoT, both wifi and ethernet, and I would like to isolate the devices. I have Google speakers and TV as well as several other things. Everything works with Google Home and Home Assistant. But I don't really dare to click "Isolate clients" in case everything on IoT fails. Does anyone have experience with this?

Two things to think about:

  1. Isolate clients only works for wifi, and only for those connected to the same radio. If you have multiple radios or APs, clients on one radio will still be able to see clients on the other and vice versa. They will also be able to see ethernet clients.
  2. Isolating clients is fine when the IoT device needs only straight internet access and doesn't need to set up local communication between devices. But this will become a problem if you have a "hub" device (like some smart lights and similar) where several devices need to talk to a central hub, or where devices need to be able to locally coordinate with each other, such as in the case of Home Assistant.

You should be able to try it, see what breaks, and then go from there. It is easy to revert the change -- just disable the isolate option if things go south.

Also, isolate is good when you have specific concerns about devices talking to each other -- for example, it is (or should be) standard practice at hotels/cafes/etc. to isolate clients because it is a public space where the users of the network are not inherently trusted and should not be able to communicate with other nearby devices. But generally speaking, if you have an IoT network that is isolated from your trusted lan, there is typically not much to worry about in terms of devices talking to each other.


I didn't know that. I have multiple radios and APs. I have tested a bit with the firewall traffic rules and isolated IoT from IoT, but I'm not sure if it works. Do you need to specify all IP addresses on IoT, or can you just block IoT from source zone to IoT destination zone?

Isolating your iot zone (from the trusted lan) means not allowing forwarding from iot > lan.

We can review your config if you want.

I must leave the computer. Back tomorrow, thanks so far.

Wifi isolation checkbox forces traffic between clients via bridge for ebtables filtering.

This screengrab doesn't really show us anything useful.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Okay, thank you. But that should be enough, right? That's what I'm wondering, whether it works to isolate any devices on my IoT VLAN.

config rule
        option name 'ioT to ioT BLOCK'
        option src 'iot'
        option dest 'iot'
        option target 'REJECT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        list proto 'esp'
        list proto 'igmp'
        list src_ip '192.168.1.107'
        list src_ip '192.168.1.53'
        list src_ip '192.168.1.4'
        list src_ip '192.168.1.10'
        list src_ip '192.168.1.60'
        list src_ip '192.168.1.65'
        list src_ip '192.168.1.119'
        list src_ip '192.168.1.120'
        list src_ip '192.168.1.125'
        list src_ip '192.168.1.145'
        list src_ip '192.168.1.34'
        list src_ip '192.168.1.111'
        list src_ip '192.168.1.144'
        list dest_ip '192.168.1.4'
        list dest_ip '192.168.1.53'
        list dest_ip '192.168.1.65'
        list dest_ip '192.168.1.111'
        list dest_ip '192.168.1.144'

This rule will do nothing. The reason is that the source and destination zones are the same (and I'm presuming that there is only one network in that zone). Traffic on the same network does not get routed (L3)... it is switched (L2), and the firewall is only involved when there is routing.

Okay, thank you so much. That was exactly what I was wondering about. Is there a suitable approach? I guess one way is to put some devices on another VLAN?

Yes, putting the devices into different networks will allow you to isolate them from each other.

There is something known as a bridge firewall, but it can only work under certain circumstances and isn't really a common approach.
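As an added example, not from anyone in this thread, this is what "putting the devices into different networks" looks like in OpenWrt's UCI config: a second IoT network on its own VLAN with its own firewall zone, so traffic between the two groups has to be routed and the zone forwarding policy actually applies. The VLAN id 20, the 192.168.20.0/24 subnet, the `br-lan` device name and the `iot2` interface/zone names are assumptions, and the switch-port side (which ports carry the tagged VLAN) is left out because it depends on the hardware.

```uci
# /etc/config/network (excerpt) -- assumed DSA-style device names
config device
        option type '8021q'
        option ifname 'br-lan'        # assumption: the bridge that carries the VLANs
        option vid '20'               # assumption: VLAN id for the second IoT group
        option name 'br-lan.20'

config interface 'iot2'
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'  # assumption: separate subnet, so traffic is routed
        option netmask '255.255.255.0'

# /etc/config/dhcp (excerpt)
config dhcp 'iot2'
        option interface 'iot2'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall (excerpt)
# Each IoT group gets its own zone. With no 'forwarding' section between
# iot and iot2, traffic between the groups is rejected at the router.
config zone
        option name 'iot2'
        list network 'iot2'
        option input 'REJECT'         # devices cannot reach the router itself
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'iot2'
        option dest 'wan'             # internet only

# Let the router answer DHCP and DNS on the new zone despite input=REJECT
config rule
        option name 'Allow-DHCP-DNS-iot2'
        option src 'iot2'
        option dest_port '53 67 68'
        option proto 'tcp udp'
        option target 'ACCEPT'

# Home Assistant lives on the trusted lan: lan -> iot2 is allowed, replies
# come back via connection tracking, but iot2 cannot initiate toward lan.
config forwarding
        option src 'lan'
        option dest 'iot2'
```

Anything that relies on local discovery between the two groups (the hub/coordination case from the earlier reply) breaks the same way it would under wifi isolation, because the two zones never forward to each other.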

Can I edit/change/expand it in OpenWrt so that I can choose which IoT devices to isolate?

Wifi isolation, in all implementations that I am aware of, is all-or-nothing.


No fear in that button. Sorry it does not do the thing you intended.