[Solved] IoT VLAN has no internet access

Punaewele · December 6, 2020, 1:53am

Hey fellas! I need a bit of help.

Context

I am trying to add a VLAN for my IoT devices, accessible by WiFi, so that they cannot access the other devices on my network.

Problem

When I connect to the new SSID with my phone, it says I have no internet, and I can't load any websites.

What I've Done

I started by creating a new wireless SSID, assigning it to a new interface, and then assigning that interface to a new firewall zone.

My main LAN interface has the static IP of 10.0.0.1/8, and my IoT interface has the static IP of 172.16.0.0/16, so they shouldn't collide. Both use DHCP, and I verified that my phone does get assigned an IP address on the 172.16.0.0/16 subnet.

When configuring the firewall, I've set up the IoT interface to forward to WAN; no additional traffic rules, and everything set to "accept" for now.

Config Files

To protect some personal info, I've redacted the port forward entries, static IP assignments, hostnames, and WiFi passwords. I've also renamed the SSIDs but they're easier to understand this way.

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.0.0.0'
        option ipaddr '10.0.0.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option ipv6 'off'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option ipv6 'off'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'
        option vid '2'

config interface 'iotlan'
        option proto 'static'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list ipaddr '172.16.0.0/16'
        option delegate '0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option network 'iotlan'
        option input 'ACCEPT'
        option name 'iotlan'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

[config redirect entries redacted]

config forwarding
        option dest 'wan'
        option src 'iotlan'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option domain '[redacted]'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '6h'
        option dhcpv6 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

[config host entries redacted]

config dhcp 'iotlan'
        option leasetime '12h'
        option interface 'iotlan'
        option start '1'
        option limit '255'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key '[redacted]'
        option encryption 'psk2'
        option ssid 'main5ghz'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option channel 'auto'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key '[redacted]'
        option encryption 'psk2'
        option ssid 'main2ghz'

config wifi-iface 'wifinet2'
        option ssid 'iot2ghz'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option key '[redacted]'
        option network 'iotlan'

(Click the arrows to expand the files.)

Hardware

I am using an Archer C7 AC1750.

Thanks

Please let me know if you need more info. I really appreciate any help!

mk24 · December 6, 2020, 2:59am

That is not legal. The first and last IP's in a subnet (for a /16, x.x.0.0 and x.x.255.255) are not assignable to devices. So that ipaddr of the router should be 172.16.0.1. In order to specify the whole network in an abstract way (i.e. for a static route) it would be 172.16.0.0/16.

It is advisable not to use /16 or /8 subnets unless you are setting up something really large.

Punaewele · December 6, 2020, 4:23am

Woohoo! That worked. Thanks so much!

It is advisable not to use /16 or /8 subnets unless you are setting up something really large.

It's mainly an organization thing for me. This is a home network but I keep a spreadsheet of every single device on the network and assign static IPs to them. For example:

10.0.0.0/16 is network devices
10.1.0.0/16 is personal devices
10.1.0.0/24 is desktops
10.1.1.0/24 is laptops
... and so on.

The rationale behind 172.16.0.0/16 is that 172.16.0.0/24 is for smart plugs, ... you get the idea. Then the guest network would go on 172.17.0.0/16.

Is it way more addresses than I need, and a bit silly? Yeah, probably, but it satisfies my desires to stay organized and ensure every device will get a static IP. Then when I see a dynamically assigned device at 10.0.0.100-250, I know that something new is on the network and I can start figuring out what it might be. I enjoy it

system · December 16, 2020, 4:23am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.