For some devices that have only one Ethernet port and give out WiFi, a MAC-based VLAN should be added to allow access to management control only through a certain device which is never connected to the internet, for security considerations in case there is an infected device on the network. What are your opinions on this?

My opinions are

  • All IoT devices should be put on their own VLAN
  • IoT devices should not have any more access than they need, either to local services or to the outside services
  • IoT devices should be segregated by manufacturer, if possible
  • MAC-based anything provides little, if any, security benefit
  • You should be configuring for only HTTPS for uhttpd
  • You should use strong passwords
  • Most users don't need their own CA for certificates
  • 802.1X is overkill for most users

Some facts are

  • Most OpenWRT hardware and drivers support multiple SSIDs and VLANs
  • 802.1X supports user/password or certificate-based VLAN assignment
  • OpenWRT supports 802.1X, including VLAN assignment

As @jeff noted, this doesn't add much security against a malicious party with unlimited time and resources to work on compromising the target.

They simply have to discover what MACs are allowed on which VLANs.

The common advice for devices with a single Ethernet port is to:

  • Use a USB Ethernet to add another port (usually setting up WAN on this, since it tends to need the least bandwidth in most cases)
  • Use a managed switch to trunk all needed VLANs to a device with available physical ports.