[SOLVED] IOT VLAN setup with downstream(?) switch with server access [SOLVED]

Hello,

I could use some help getting my IOT setup correct.

To start, my goal is to put my IOT devices on a VLAN that can be accessed by my server, but won't let the IOT devices access anything but the server.

Here is a diagram of the setup as it is now. There are actually 4 cameras, but I think once I have got one working, the rest will be easy repetitions.

Any help would be appreciated as I have no idea what I am doing. Ideally I'd like to use LUCI for most of this since it helps prevent locking yourself out of the router.

Have you already setup the VLAN for your IoT network? Or are you starting from essentially scratch?

You might start with the guest network configuration -- the formula only needs to be tweaked a little bit to allow the use of ethernet and to adjust the firewall rules to allow specific access.

I am starting from scratch more or less. I can't use guest WIFI though since these cameras are POE only.

That is how I intend to connect my other WIFI only IOT devices, but those don't need to talk to the server.

Like I said, the recipe only requires a few tweaks to make it work with ethernet and to setup the firewall as you desire.

I'd recommend that you start by using the guest network and proving that it works as expected (with a wifi device like your phone or similar just to use for testing). From there we can make it work exactly the way you're asking.

My reasoning here is that I think you'll learn all the basics just implementing the wifi guest network methods, and then it will be pretty easy to make the final few tweaks.

So I went through the tutorial. My LUCI interface is slightly different in that I can't specify 'any' for source/destination ip. I decided to just leave it blank.

When I try to join from my iPhone it never seems to connect, but it does show up in Associated Stations.

Let’s take a look at the resulting config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfb:02d2:d84c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.1.1/24'
        list dns '1.0.0.1'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'iot_lan'
        option proto 'static'
        option device 'radio1.network2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option phy 'wl0'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID REDACTED'
        option encryption 'psk2'
        option key 'PASSWORD REDACTED'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option phy 'wl1'
        option channel '48'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID REDACTED'
        option encryption 'psk2'
        option key 'PASSWORD_REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUEST SSID REDACTED'
        option encryption 'psk2'
        option key 'PASSWORD REDACTED'
        option network 'iot_lan'

DHCP

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'moon'
        option mac 'REDACTED'
        option ip '192.168.1.15'
        option leasetime '3h'

config host
        option mac 'REDACTED'
        option ip '192.168.1.23'
        option leasetime '3h'
        list tag 'Driveway Camera (Eve)'

config host
        option mac 'REDACTED'
        option ip '192.168.1.12'
        option leasetime '3h'
        list tag 'Garage Camera'

config host
        option mac 'REDACTED'
        option ip '192.168.2.2'
        list tag 'Backyard Camera'
        option leasetime '3h'

config host
        option mac 'REDACTED'
        option ip '192.168.1.10'
        option leasetime '3h'
        list tag 'Doorbell Camera'

config host
        option mac 'REDACTED'
        option ip '192.168.1.239'
        option leasetime '3h'
        list tag 'Attic Switch'

config host
        option name 'REDACTED'
        option mac 'REDACTED'
        option ip '192.168.1.33'
        option leasetime '3h'

config host
        option name 'aurora'
        option mac 'REDACTED'
        option ip '192.168.1.16'
        option leasetime '3h'

config host
        option name 'Hallway-Thermostat'
        option ip '192.168.1.164'
        option mac 'REDACTED'
        option leasetime '3h'

config host
        option ip '192.168.1.244'
        option mac 'REDACTED'
        option name 'MR60'
        option leasetime '3h'

config dhcp 'iot_lan'
        option interface 'iot_lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

Firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Moon HTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.15'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Moon SSH'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.1.15'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Moon HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.15'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP Tests'
        option src 'wan'
        option src_dport '1337'
        option dest_ip '192.168.1.15'
        option dest_port '1337'

config zone
        option name 'iot_lan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot_lan'

config forwarding
        option src 'lan'
        option dest 'iot_lan'

config forwarding
        option src 'iot_lan'
        option dest 'wan'

config rule
        option name 'IOT_DNS'
        option src 'iot_lan'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IOT_DHCP'
        option src 'iot_lan'
        option src_port '67'
        option target 'ACCEPT'
        list proto 'udp'

Thanks for the prompt replies btw.

Change all "_" underscores to "-" dashes.... basically every place that you see iot_lan in your config, and a few other places like in your firewall config. (be sure to get all of them -- it's critical that underscores are not in the configs)

Then... remove the device from below:

Add the following to the iot dhcp server:

        option dhcpv4 'server'

And finally restart the router and try again.

for the sake of curiosity why are the underscores bad?

They mess up the config file parser... not sure about the details under the hood, but underscores just don't work.

Ok I got that working.

I ended up obliterating any mention of IOT in my configs and did the walkthrough again.

Great.... now, we can connect the network with ethernet. Do you want to have both ethernet and wifi, or just ethernet?

What physical port on the router connects to the switch?

Post your configs again for review and suggestions about achieving the above.

Potentially both.

The WIFI devices really just need to be isolated, and I think the WIFI we just set up will accomplish that goal, although they do need to talk to a homepod on my main wifi I think. (Not 100% sure how apple does the homekit stuff exactly). I imagine this can be accomplished through some firewall rules?

The ethernet cameras just need to be accessible by the Linux server alone and shouldn't be able to talk to anything else.

Port #1 on the router connects to the switch.

Will post configs shortly.

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfb:02d2:d84c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.1.1/24'
        list dns '1.0.0.1'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'iot'
        option proto 'static'
        option device 'radio1.network2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option phy 'wl0'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID REDACTED'
        option encryption 'psk2'
        option key 'REDACED'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option phy 'wl1'
        option channel '48'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED MAIN SSID'
        option encryption 'psk2'
        option key 'REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'REDACTED IOT SSID'
        option encryption 'psk2'
        option key 'REDACED'
        option network 'iot'

DHCP

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'moon'
        option mac 'REDACTED'
        option ip '192.168.1.15'
        option leasetime '3h'

config host
        option mac 'REDACTED'
        option ip '192.168.1.23'
        option leasetime '3h'
        list tag 'Driveway Camera (Eve)'

config host
        option mac 'REDACTED'
        option ip '192.168.1.12'
        option leasetime '3h'
        list tag 'Garage Camera'

config host
        option mac 'REDACTED'
        option ip '192.168.2.2'
        list tag 'Backyard Camera'
        option leasetime '3h'

config host
        option mac 'REDACTED'
        option ip '192.168.1.10'
        option leasetime '3h'
        list tag 'Doorbell Camera'

config host
        option mac 'REDACTED'
        option ip '192.168.1.239'
        option leasetime '3h'
        list tag 'Attic Switch'

config host
        option name 'REDACTED'
        option mac 'REDACTED'
        option ip '192.168.1.33'
        option leasetime '3h'

config host
        option name 'aurora'
        option mac 'REDACTED'
        option ip '192.168.1.16'
        option leasetime '3h'

config host
        option name 'Hallway-Thermostat'
        option ip '192.168.1.164'
        option mac 'REDACTED'
        option leasetime '3h'

config host
        option ip '192.168.1.244'
        option mac 'REDACTED'
        option name 'MR60'
        option leasetime '3h'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'

Firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Moon HTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.15'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Moon SSH'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.1.15'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Moon HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.15'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP Tests'
        option src 'wan'
        option src_dport '1337'
        option dest_ip '192.168.1.15'
        option dest_port '1337'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config rule
        option name 'IOT-DHCP'
        list proto 'udp'
        option src 'iot'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IOT-DNS'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'iot'

Ok... so now we're going to make a bridge-vlan configuration:

add the following to the network file

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'

And edit the lan to use br-lan.1 instead of br-lan (and you can get rid of the dns entries there, they don't do anything)... it'll look like this:

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.1.1/24'

likewise, on the iot network, br-lan.2 (note: never specify the radio/wlan devices in this file):

config interface 'iot'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Next up, configure your switch... you need to add VLAN 2 tagged to the trunk port (i.e. the uplink to the router), and then VLAN 2 untagged + PVID VLAN 2 on the port(s) that connect to your cameras and anything else that should be on that network (I recommend using a computer first so you can easily see the IP address and test the connection).
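Before touching the switch it helps to confirm that the router side agrees with this design. The following is an added Python example (not from this thread and not an OpenWrt tool): it parses UCI text and reports anything that contradicts the goal stated at the top of the thread. The embedded config snippets are constructed from the sections posted above; the uplink name lan1, VLAN 2 and the zone name iot are taken from this thread.

```python
import shlex
from collections import defaultdict

# Constructed from the bridge-vlan and firewall sections posted in the thread.
NETWORK = """\
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'
"""

FIREWALL = """\
config zone
        option name 'iot'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'lan'
        option dest 'iot'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, options) tuples; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == "option":
            sections[-1][2][words[1]] = words[2]
        elif words[0] == "list":
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

def vlan_port_table(sections):
    """port -> {vlan: 'T'|'U'} and port -> PVID from bridge-vlan sections.
    netifd flags: ':t' tagged, ':u' untagged, '*' PVID; a bare name is treated as untagged (assumption)."""
    table, pvid = defaultdict(dict), {}
    for stype, _, opts in sections:
        if stype != "bridge-vlan":
            continue
        vid = int(opts["vlan"])
        for spec in opts.get("ports", []):
            port, _, flags = spec.partition(":")
            table[port][vid] = "T" if "t" in flags else "U"
            if "*" in flags:
                pvid[port] = vid
    return dict(table), pvid

def check_camera_vlan(net_text, fw_text, uplink="lan1", iot_vlan=2, iot_zone="iot"):
    """Findings that contradict the goal: cameras reachable from lan, never initiating traffic."""
    findings = []
    table, pvid = vlan_port_table(parse_uci(net_text))
    if table.get(uplink, {}).get(iot_vlan) != "T":
        findings.append(f"{uplink}: VLAN {iot_vlan} is not tagged toward the switch")
    if pvid.get(uplink) != 1:
        findings.append(f"{uplink}: PVID should be VLAN 1, matching the switch uplink")
    for stype, _, opts in parse_uci(fw_text):
        if stype == "zone" and opts.get("name") == iot_zone:
            for pol in ("input", "forward"):
                if opts.get(pol) != "REJECT":
                    findings.append(f"zone {iot_zone}: {pol} policy must be REJECT")
        if stype == "forwarding" and opts.get("src") == iot_zone:
            findings.append(f"forwarding {iot_zone} -> {opts['dest']} lets cameras initiate traffic")
    return findings
```

Running it against the real files (`cat /etc/config/network` and `cat /etc/config/firewall`) instead of the embedded snippets flags the earlier iot -> wan forwarding from the first posted config as well as an untagged uplink.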

Should I remove the untagged from the port on VLAN 1?

To be more specific, if the device is on port X untag port X on VLAN 1.

Your switch should have untagged + PVID for VLAN1 on the uplink port (that connects to the router) as well as all ports that will operate on that network. It should be removed from the port(s) that connect to cameras.

VLAN2 should be tagged on the uplink port, and then untagged + PVID on the ports that will ultimately have cameras.

Great so I have the switch set to:

8 = router port
1 = camera / test port

VLAN 1
1  2  3  4  5  6  7  8
-  U  U  U  U  U  U  U
VLAN 2
1  2  3  4  5  6  7  8
U  -  -  -  -  -  -  T

PVID for Port 1 is also set to 2