[Solved] Best practices for separate IoT VLAN

Hi,

What are the best practices for OpenWrt settings when IoT devices are on a separate VLAN (with its own firewall zone and SSID) - from your experience?

E.g. for IoT devices which require management / getting info on the IoT SSID from a phone app, with the phone itself "living" in lan.

I know the question is rather general, would appreciate your hints a lot. The focus of the question is on the day-to-day access to the IoT device (Iot zone) from the phone (lan zone).

So far I realised that the checked client isolation Wi-Fi setting will not allow the IoT device to receive SSID info from the phone (temporarily joining the IoT SSID).

Under my current setup I allow forwarding from lan to the IoT zone, but not the other way around. Can that be the reason that I cannot access / connect to an IoT device? Should the devices be assigned static IPs?

Thanks a lot.

It is called Guest SSID (another one, not the one for humans).
For the app you need to figure out which protocols it uses.

1 Like

To be specific with the device. The device is Elgato Ring Light, controlled from an iPhone.

If both device and the phone are on the same SSID (Guest) and "Isolate Clients" is unchecked, the device can be found / controlled from the iPhone app. Checking "Isolate Clients" kills connection between the two.

However, if the iPhone is on another VLAN (lan) with its own SSID, no connection can be established to the device in Guest / IoT VLAN.

Protocols used by the device are Bonjour, Multicast and HTTP.

As mentioned earlier, forwarding is set up only from lan to Guest/IoT.

I would really appreciate hints how to make the two connect when in different VLANs.

You need to forward multicasts from the iPhone to the IoT subnet. tcpdump is your best friend.

1 Like

Thanks for the hint. Slowly befriending the tcpdump package now, quite a rabbit hole :)
For forwarding, will I need to install a new package, or will the regular means of the OpenWrt firewall be enough?

There is no easy way to figure out what multicast group they use besides Bonjour.

I extracted the packets for the IoT device when it establishes connection with the phone (when the phone is in the same network and everything works):

15:04:36.892884 IP Elgato.lan.5353 > mdns.mcast.net.5353: 0*- [0q] 1/0/5 PTR Elgato Ring Light 5735._elg._tcp.local. (249)
15:04:37.246375 IP My-iPhone.lan > Elgato.lan: ICMP echo request, id 49091, seq 0, length 64
15:04:37.246511 ARP, Request who-has Elgato.lan (xx:xx:xx:xx:xx:xx (oui Unknown)) tell My-iPhone.lan, length 28
15:04:37.294022 ARP, Request who-has My-iPhone.lan tell Elgato.lan, length 28
15:04:37.295142 IP Elgato.lan > My-iPhone.lan: ICMP echo reply, id 49091, seq 0, length 64
15:04:37.295341 ARP, Reply Elgato.lan is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
15:04:37.298233 ARP, Reply My-iPhone.lan is-at yy:yy:yy:yy:yy:yy (oui Unknown), length 28
15:04:37.310853 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [SEW], seq 1241400912, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 355982920 ecr 0,sackOK,eol], length 0
15:04:37.311569 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [S.], seq 40372, ack 1241400913, win 7300, options [mss 1460], length 0
15:04:37.315555 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 1, win 65535, length 0
15:04:37.319081 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [P.], seq 1:253, ack 1, win 65535, length 252
15:04:37.328961 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [P.], seq 1:421, ack 253, win 7048, length 420
15:04:37.336026 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 421, win 65535, length 0
15:04:37.372465 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [P.], seq 253:506, ack 421, win 65535, length 253
15:04:37.375416 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [P.], seq 421:680, ack 506, win 6795, length 259
15:04:37.379175 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 680, win 65535, length 0
15:04:37.382462 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [P.], seq 506:750, ack 680, win 65535, length 244
15:04:37.386673 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [P.], seq 680:864, ack 750, win 6551, length 184
15:04:37.391377 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 864, win 65535, length 0
15:04:38.189864 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 864, win 65535, length 0
15:04:38.190773 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [.], ack 750, win 6551, length 0
15:04:38.408141 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [P.], seq 750:994, ack 864, win 65535, length 244
15:04:38.410734 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [P.], seq 864:1048, ack 994, win 6307, length 184
15:04:38.415622 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 1048, win 65535, length 0
15:04:39.284054 IP My-iPhone.lan > Elgato.lan: ICMP echo request, id 49091, seq 1, length 64
15:04:39.287860 IP Elgato.lan > My-iPhone.lan: ICMP echo reply, id 49091, seq 1, length 64

What can I do with this knowledge to make the 2 devices communicate with each other from different networks?

One - allow multicast forwarding LAN->IoT:
https://openwrt.org/docs/guide-user/network/wan/udp_multicast
Two - allow ICMP ping LAN->IoT
Three - allow TCP connections LAN->IoT, limited by port?

1 Like
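As an added example (not from the thread or from any of its posters), here is a Python script that reads tcpdump lines like the ones posted above and works out which of the three items in the answer each flow needs: reflection for the link-local mDNS multicast (which no router forwards), a lan-to-IoT forward for ICMP, and a lan-to-IoT forward limited to TCP 9123. It also recognises reply packets that a stateful zone forward already covers, so they do not turn into extra rules. The subnets, the name-to-address map and the sample capture are constructed for the example; the firewall stanzas it prints assume the zone names lan and iotZone used in the thread.

```python
"""Derive cross-VLAN firewall needs from a tcpdump capture of an IoT app session."""
import ipaddress
import re
from collections import OrderedDict

# Constructed zone addressing for this example; the thread never states its subnets.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "iotZone": ipaddress.ip_network("192.168.20.0/24"),
}
# Constructed name -> address map so the parser copes with tcpdump's resolved names
# (with `tcpdump -n` the addresses appear directly). mdns.mcast.net really is 224.0.0.251.
KNOWN_HOSTS = {
    "Elgato.lan": "192.168.20.50",
    "My-iPhone.lan": "192.168.1.20",
    "mdns.mcast.net": "224.0.0.251",
}
# Link-local multicast block: routers never forward it, so mDNS must be reflected, not routed.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

# Constructed sample, modelled on the capture posted in the thread (TCP options trimmed).
SAMPLE_CAPTURE = """\
15:04:36.892884 IP Elgato.lan.5353 > mdns.mcast.net.5353: 0*- [0q] 1/0/5 PTR Elgato Ring Light 5735._elg._tcp.local. (249)
15:04:37.246375 IP My-iPhone.lan > Elgato.lan: ICMP echo request, id 49091, seq 0, length 64
15:04:37.246511 ARP, Request who-has Elgato.lan (xx:xx:xx:xx:xx:xx (oui Unknown)) tell My-iPhone.lan, length 28
15:04:37.294022 ARP, Request who-has My-iPhone.lan tell Elgato.lan, length 28
15:04:37.295142 IP Elgato.lan > My-iPhone.lan: ICMP echo reply, id 49091, seq 0, length 64
15:04:37.295341 ARP, Reply Elgato.lan is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
15:04:37.298233 ARP, Reply My-iPhone.lan is-at yy:yy:yy:yy:yy:yy (oui Unknown), length 28
15:04:37.310853 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [SEW], seq 1241400912, win 65535, length 0
15:04:37.311569 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [S.], seq 40372, ack 1241400913, win 7300, length 0
15:04:37.315555 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [.], ack 1, win 65535, length 0
15:04:37.319081 IP My-iPhone.lan.49892 > Elgato.lan.9123: Flags [P.], seq 1:253, ack 1, win 65535, length 252
15:04:37.328961 IP Elgato.lan.9123 > My-iPhone.lan.49892: Flags [P.], seq 1:421, ack 253, win 7048, length 420
"""

# "<ts> IP <host>[.<port>] > <host>[.<port>]: <rest>"; hosts are non-greedy so the trailing
# numeric label is taken as the port only when one is present (ICMP lines have none).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+?)(?:\.(?P<sport>\d+))? > (?P<dst>\S+?)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def resolve(host):
    """Turn a tcpdump host field into an address; unknown names yield None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        addr = KNOWN_HOSTS.get(host)
        return ipaddress.ip_address(addr) if addr else None


def zone_of(addr):
    return next((name for name, net in ZONES.items() if addr in net), None)


def proto_of(m):
    rest = m["rest"]
    if rest.startswith("ICMP"):
        return "icmp"
    if rest.startswith("Flags ["):
        return "tcp"
    if m["sport"] and m["dport"]:
        return "udp"  # tcpdump decodes DNS/mDNS payloads instead of printing "UDP"
    return None


def analyze(capture):
    """Return (findings, ignored): what each cross-zone flow needs, and how many lines were skipped."""
    findings = OrderedDict()
    requests = set()  # 5-tuples of lan -> iotZone packets, used to recognise their replies
    ignored = 0
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        src = resolve(m["src"]) if m else None
        dst = resolve(m["dst"]) if m else None
        proto = proto_of(m) if m else None
        if m is None or src is None or dst is None or proto is None:
            ignored += 1  # ARP, IPv6, unknown hosts; ARP never crosses a VLAN anyway
            continue
        sport, dport = m["sport"], m["dport"]
        if dst in LINK_LOCAL_MCAST:
            findings[("reflect", proto, str(dst), dport)] = (
                f"{proto}/{dport} to {dst} is link-local multicast, which no router forwards: "
                "run an mDNS reflector (avahi) and let the IoT zone reach the router on that port"
            )
            continue
        szone, dzone = zone_of(src), zone_of(dst)
        if (szone, dzone) == ("lan", "iotZone"):
            requests.add((proto, str(src), sport, str(dst), dport))
            port_txt = f" to port {dport}" if dport else ""
            findings.setdefault(("forward", proto, str(dst), dport), f"allow lan -> iotZone {proto}{port_txt}")
        elif (szone, dzone) == ("iotZone", "lan"):
            if (proto, str(dst), dport, str(src), sport) in requests:
                continue  # reply to a lan-initiated flow: the stateful zone forward already allows it
            findings.setdefault(("iot-initiated", proto, str(dst), dport),
                                f"IoT device opens {proto} towards lan on its own: blocked by policy, review before allowing")
    return findings, ignored


def render_uci(findings):
    """Emit /etc/config/firewall stanzas for the findings (assumed zone names lan / iotZone)."""
    stanzas = []
    for (kind, proto, dst_ip, dport), _ in findings.items():
        if kind == "iot-initiated":
            continue  # deliberately never auto-generated
        if kind == "reflect":  # no 'dest': this is traffic to the router itself (INPUT)
            lines = ["config rule", "\toption name 'Allow-mDNS-iotZone'", "\toption src 'iotZone'"]
        else:
            name = f"Allow-lan-iot-{proto}" + (f"-{dport}" if dport else "")
            lines = ["config rule", f"\toption name '{name}'", "\toption src 'lan'", "\toption dest 'iotZone'"]
        lines += [f"\toption proto '{proto}'", f"\toption dest_ip '{dst_ip}'"]
        if dport:
            lines.append(f"\toption dest_port '{dport}'")
        lines.append("\toption target 'ACCEPT'")
        stanzas.append("\n".join(lines))
    return stanzas


if __name__ == "__main__":
    found, skipped = analyze(SAMPLE_CAPTURE)
    for key, why in found.items():
        print(key[0].upper(), why)
    print(f"({skipped} non-IP/unknown lines skipped)\n")
    print("\n\n".join(render_uci(found)))
```

Feed it a real `tcpdump -n` capture from the router and it reports one line per distinct destination and port; the "reflect" entry matches the mDNS rule posted later in this thread, while the per-port "forward" entries are only needed if you tighten the zone-wide lan-to-IoT forward.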

To double-check: you mention LAN->IOT connections, but not the other way round. Why so?

My firewall is already set up to allow forwarding from LAN to IOT, but not IOT->LAN.

Try installing the avahi daemon. In avahi-daemon.conf set reflector to yes.

2 Likes

There is a subtle message in the multicast forwarding topic to adjust the TTL when forwarding, which is done silently by the avahi daemon.

2 Likes

Yeah, I think so. I just have avahi and the generic LAN to IoT forwarding from zone to zone (to allow TCP connections). I don't think you even need to set up any other FW rules or other packages, as once the packet gets reflected it will get spread over the network (no routing needed anymore).

The package avahi-utils can be useful to check if packets get there.

2 Likes

What ultimately worked for my setup:

  1. set enable-reflector=yes in avahi-daemon.conf (obligatory)
  2. set allow-interfaces under [server] in avahi-daemon.conf to the networks of my choice (optional)
  3. configure a firewall rule to allow UDP 5353 requests to the router from the IoT network (obligatory):

     config rule
             option name 'Allow-mDNS-IoT'
             list proto 'udp'
             option src 'iotZone'
             option src_port '5353'
             list dest_ip '224.0.0.251'
             option dest_port '5353'
             option target 'ACCEPT'

  4. lock down the firewall rule above to the MAC of my device (optional):

             list src_mac 'xx:xx:xx:xx:xx:xx'

There is a blog post from 2020 which describes the above in greater detail.

@Ramon @brada4 Many thanks for your valuable insights!

1 Like
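A small added check for steps 1 and 2 of the solution above (example code, not from the thread or the avahi project): it parses an avahi-daemon.conf excerpt and reports whether the reflector is on and whether allow-interfaces confines it to the intended bridges. The point of the second check is that an unset allow-interfaces makes avahi reflect on every interface, including the WAN side. The configuration excerpts and the bridge names br-lan and br-iot are constructed for the example.

```python
"""Check that avahi-daemon.conf enables the reflector and confines it to chosen interfaces."""
import configparser

# Constructed before/after excerpts; the real file uses the same INI sections and keys.
BEFORE = """\
[server]
use-ipv4=yes
use-ipv6=yes

[reflector]
enable-reflector=no
"""
AFTER = """\
[server]
use-ipv4=yes
use-ipv6=yes
allow-interfaces=br-lan,br-iot

[reflector]
enable-reflector=yes
"""


def check_avahi_conf(text, wanted_ifaces):
    """Return a list of problems; an empty list means the reflector is on and confined."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    if cp.get("reflector", "enable-reflector", fallback="no").strip().lower() != "yes":
        problems.append("[reflector] enable-reflector is not 'yes': mDNS will not cross the VLANs")
    raw = cp.get("server", "allow-interfaces", fallback="")
    allowed = {i.strip() for i in raw.split(",") if i.strip()}
    wanted = set(wanted_ifaces)
    if not allowed:
        problems.append("[server] allow-interfaces is unset: avahi reflects on every interface, wan included")
    else:
        if wanted - allowed:
            problems.append(f"allow-interfaces is missing {sorted(wanted - allowed)}: no reflection there")
        if allowed - wanted:
            problems.append(f"allow-interfaces also lists {sorted(allowed - wanted)}: reflection wider than intended")
    return problems


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_avahi_conf(conf, ["br-lan", "br-iot"]) or "OK")
```

Run it against the router's /etc/avahi/avahi-daemon.conf (read the file into `text`) with the bridge names from `ip link` or `brctl show`.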
