VLAN configuration for iot wireless devices

Current Situation

I have a Fritz.Box that works as DHCP for 192.168.178.x. DNS is provided by a Pi-Hole using unbound recursive DNS. The Fritz.Box provides several wireless networks on 2.4g and 5.0g. IPv4 and IPv6 are working.

A TP-Link WPA8630P is connected via powerline/dLAN to the Fritz.Box; it works with OpenWRT 21.02.05. It provides the IOT wireless network on 2.4g. DNS and DHCP are passed through from the Fritz.Box and Pi-Hole. IPv4 and IPv6 are working as well.

Goal

I want further segmentation for wireless IOT devices. They should not be allowed to access other network devices, but for configuration purposes and app support they need to have internet access.

Method

I tried to configure a VLAN on the WPA8630P that

  • uses the device bridging the wireless and the powerline port while
  • traffic from the Fritz.Box arrives at the IOT devices and
  • traffic from the IOT devices can reach the internet and
  • IOT devices can not reach other devices on the same network.

The problem

I found literally hundreds of guides, video tutorials and how-tos for configuring VLANs with and without OpenWRT, but not a single one fully answered my questions. All my attempts resulted in either locking myself out of the WPA8630p LuCI or in reverting configuration changes after applying these changes failed. By now, I am totally confused and completely lost, to be honest.

Why am I posting here?

What settings do I need to configure? Not on a theoretical level, more in the sense of "click here, check that box, add x, remove y". I really wanted to understand VLAN configuration on the WPA8630P beforehand, but right now I just want to have a working solution and understand what was configured afterwards. My head hurts from all the conflicting information, the Youtube-video-tutorials I followed and all the non-working solutions I already tried...

If needed I can provide further information about the OpenWRT configuration, of course, but please forgive me if I say it directly: I need a beginners guide to VLANs on the WPA8630P, as I seem to be not smart enough to understand the configuration steps myself.

The recipe for the "Guest wifi" will do what you want.

Do you need wifi+ethernet (or wifi over multiple APs) connectivity for these devices, or wifi only?

That actually sounds like a way easier idea. I will check the recipe right away, thanks a lot! My IOT devices are all wifi at the moment, 2.4g only. That's why I needed a separate wifi network in the first place, as I could not drive 2.4g/5.0g separately on the Fritz.Box guest network. With 5.0g active, installing the devices always was a pain.

Edit: Nope. I already failed following the recipe in the first step. I just can't get my head around this as soon as the interface view does not match my LuCI. Usually, I am not that dumb, but this drives me completely insane :grimacing: :sob:

So, regarding your network setup - is the following diagram more-or-less how your setup is:

                         pi hole 
             (provide DNS for entire network)
                             |
internet --------------- Fritz!Box --------------- TP-Link WPA8630P 
                        (not openwrt)                 (openwrt)
                             |                            |
                 Gateway for non-IoT devices     Gateway for IoT devices
                    (ethernet, 2.4g, 5g)               (2.4g only)

If this is accurate, I'm pretty sure your VLAN setups aren't working because you need to set up VLANs on the Fritz!Box, not on the TP-Link WPA8630P. If the TP-Link WPA8630P is already only serving IoT devices there's no real need for VLANs (unless you want to add another layer of separation between different IoT devices, though IDK how much security this adds over just using wifi isolation). From the TP-Link WPA8630P's point of view all the devices you don't want to communicate with it (i.e., the rest of your network) aren't on LAN at all... they're on WAN.


I started dumping the config files, maybe the initial setup of the device is part of the reason why my brain just stalls when trying to get this working...

ubus call system board

{
        "kernel": "5.4.215",
        "hostname": "iot.wlan",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link WPA8630P v2 (Int.)",
        "board_name": "tplink,tl-wpa8630p-v2-int",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.5",
                "revision": "r16688-fa9a932fdb",
                "target": "ath79/tiny",
                "description": "OpenWrt 21.02.5 r16688-fa9a932fdb"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '1234:1234:1234::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 4 3 2 5'
        option vid '1'

config interface 'IPv6LAN'
        option proto 'dhcpv6'
        option device '@lan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option type 'bridge'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option htmode 'HT20'
        option channel 'auto'
        option txpower '18'
        option cell_density '0'
        option country 'DE'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'some-iot-ssid'
        option hidden '1'
        option encryption 'psk2'
        option key 'some-iot-key'
        option isolate '1'
        option network 'IPv6LAN lan'

cat /etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option domain 'fritz.box'
        option quietdhcp '1'
        option local '/lan/'
        list server '/pi.hole/192.168.178.ip'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra 'relay'
        option dhcpv6 'relay'
        list ra_flags 'none'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option ip '192.168.178.xx'
        option leasetime '120'
        option mac '11:AA:22:BB:33:CC'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

config dhcp 'IPv6LAN'
        option interface 'IPv6LAN'
        option ra 'relay'
        option dhcpv6 'relay'
        option ndp 'relay'
        list ra_flags 'none'

config host
        option name 'some-smarthome-device'
        option dns '1'
        option mac '11:AA:22:BB:33:CC'
        option ip '192.168.178.xx'
        option leasetime '120'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'IPv6LAN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

Maybe this helps sorting out some good starting point to start over...

That is absolutely accurate. Amazing you were able to draw this from my description. And... you may have a good point there. I am able to ping the iot device IPs from non-iot devices, though. EDIT: And from Network/Diagnostics within LuCI I can't ping the non-iot devices.

It looks like I actually confused everything up - the setup right now already serves my needs, as it seems. There is no real need for another layer of segmentation.

I'm sorry... I gave you the wrong advice before. If your OpenWrt router is not the main router, you need to set it up as a dumb AP and then for the iot network, you'll setup the guest wifi on a dumb ap
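
What the "guest wifi on a dumb AP" recipe boils down to, as an added example that is not part of the thread and not an OpenWrt-project script: the posted /etc/config/network binds the IoT SSID to `lan`, i.e. to `br-lan` on top of `eth0.1`, so the IoT clients sit in the same 192.168.178.0/24 broadcast domain as everything behind the Fritz!Box, and `option isolate '1'` only stops clients of that one SSID from talking to each other through the AP. The script below instead gives the SSID its own bridge and subnet on the AP, lets dnsmasq on the AP serve DHCP and DNS for it (dnsmasq forwards upstream to whatever the AP learned on `lan`, i.e. the Pi-hole), forwards the segment towards `lan` (the only path to the internet on a dumb AP) with source NAT so the Fritz!Box needs no extra route, and rejects everything from the IoT segment to private address space before that forwarding applies. Assumed values, not from the thread: the subnet 192.168.3.0/24, the section names `iot`, `iot_dev`, `iot_*`, that the `lan` zone is the first anonymous zone section (`@zone[0]`) as in the posted firewall file, and that `uci batch` accepts the quoted values it is fed. It is IPv4 only; the IoT segment gets no IPv6 prefix, so the posted `IPv6LAN` relay does not apply to it.

```shell
#!/bin/sh
# Added example: isolated IoT SSID on an OpenWrt 21.02 dumb AP, built from uci commands.
# Not the thread author's config and not an OpenWrt-project script.
# Assumptions (change to taste): IoT subnet 192.168.3.0/24 (must not be the
# upstream 192.168.178.0/24), section names "iot*", lan zone is @zone[0].
IOT_NET="${IOT_NET:-192.168.3}"          # assumed: unused /24 on this LAN
IOT_SSID="${IOT_SSID:-some-iot-ssid}"    # placeholder taken from the thread
IOT_KEY="${IOT_KEY:-some-iot-key}"       # placeholder taken from the thread
IOT_RADIO="${IOT_RADIO:-radio1}"         # the 2.4g radio in the posted wireless config
LAN_ZONE="${LAN_ZONE:-@zone[0]}"         # assumed: first zone section is 'lan', as posted
UPSTREAM_NET="${UPSTREAM_NET:-192.168.178}"

# Sanity check: the IoT /24 must differ from the upstream /24, otherwise neither
# the routing nor the block rule below makes sense. Returns non-zero on a clash.
iot_subnet_distinct() {
    [ "$1" != "$2" ]
}

# Print the uci batch that builds the isolated IoT segment.
iot_uci_batch() {
    # Network: an empty bridge so the SSID gets its own L3 segment instead of br-lan.
    cat <<EOF
set network.iot_dev=device
set network.iot_dev.type='bridge'
set network.iot_dev.name='br-iot'
set network.iot=interface
set network.iot.proto='static'
set network.iot.device='br-iot'
set network.iot.ipaddr='${IOT_NET}.1'
set network.iot.netmask='255.255.255.0'
EOF
    # Wireless: bind the IoT SSID to the new interface. isolate keeps the clients of
    # this SSID from reaching each other; the firewall keeps them from everything else.
    cat <<EOF
set wireless.iot=wifi-iface
set wireless.iot.device='${IOT_RADIO}'
set wireless.iot.mode='ap'
set wireless.iot.network='iot'
set wireless.iot.ssid='${IOT_SSID}'
set wireless.iot.encryption='psk2'
set wireless.iot.key='${IOT_KEY}'
set wireless.iot.isolate='1'
EOF
    # DHCP/DNS: dnsmasq on the AP serves this segment and forwards DNS upstream.
    cat <<EOF
set dhcp.iot=dhcp
set dhcp.iot.interface='iot'
set dhcp.iot.start='100'
set dhcp.iot.limit='150'
set dhcp.iot.leasetime='12h'
EOF
    # Firewall: zone defaults REJECT; allow only DHCP and DNS to the AP itself;
    # reject private destinations (rules are evaluated before zone forwardings);
    # then forward iot -> lan and SNAT it so the Fritz!Box needs no route back.
    cat <<EOF
set firewall.iot=zone
set firewall.iot.name='iot'
set firewall.iot.network='iot'
set firewall.iot.input='REJECT'
set firewall.iot.output='ACCEPT'
set firewall.iot.forward='REJECT'
set firewall.iot_dhcp=rule
set firewall.iot_dhcp.name='Allow-DHCP-IoT'
set firewall.iot_dhcp.src='iot'
set firewall.iot_dhcp.proto='udp'
set firewall.iot_dhcp.dest_port='67'
set firewall.iot_dhcp.family='ipv4'
set firewall.iot_dhcp.target='ACCEPT'
set firewall.iot_dns=rule
set firewall.iot_dns.name='Allow-DNS-IoT'
set firewall.iot_dns.src='iot'
set firewall.iot_dns.proto='tcp udp'
set firewall.iot_dns.dest_port='53'
set firewall.iot_dns.target='ACCEPT'
set firewall.iot_block_private=rule
set firewall.iot_block_private.name='Block-IoT-to-private'
set firewall.iot_block_private.src='iot'
set firewall.iot_block_private.dest='lan'
set firewall.iot_block_private.dest_ip='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16'
set firewall.iot_block_private.proto='all'
set firewall.iot_block_private.family='ipv4'
set firewall.iot_block_private.target='REJECT'
set firewall.iot_lan=forwarding
set firewall.iot_lan.src='iot'
set firewall.iot_lan.dest='lan'
set firewall.${LAN_ZONE}.masq='1'
set firewall.${LAN_ZONE}.masq_src='${IOT_NET}.0/24'
EOF
}

# Apply on the AP: feed the batch to uci, commit every touched config, restart services.
iot_apply() {
    iot_uci_batch | uci batch || return 1
    uci commit network && uci commit wireless && uci commit dhcp && uci commit firewall
    /etc/init.d/network restart
    /etc/init.d/dnsmasq restart
    /etc/init.d/firewall restart
}

# "sh iot-guest.sh" prints the batch for review; "sh iot-guest.sh apply" runs it on the AP.
case "${1:-show}" in
    apply) iot_subnet_distinct "$IOT_NET" "$UPSTREAM_NET" && iot_apply ;;
    *)     iot_uci_batch ;;
esac
```

Run it without arguments first and read the batch; then run it with `apply` over SSH on the AP. Afterwards an IoT client should get a 192.168.3.x lease, resolve names through the AP, reach the internet, and get "connection refused" or time-outs for 192.168.178.x hosts and for the AP's own LuCI on port 80. The `masq_src` line limits the source NAT on the lan zone to the IoT subnet so the AP's own traffic is not rewritten. If the DNS should go straight to the Pi-hole instead of through the AP's dnsmasq, the block rule would need an ACCEPT exception for the Pi-hole address on port 53 placed before it.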

This looks interesting. I will have a look at it later this evening! Thank you for your advice!

I had a closer look at this solution tonight to further strengthen LAN/device-boundaries and implemented it with most of my original configuration. Turns out, this works a charm! Perfect solution, no need for VLAN segmentation (aka "overkill") anymore. The guide is super-awesome and easy to follow through AND in the end I got to learn the details - that's how I like it.

Thank you very much for your help, I am extremely pleased with the outcome!
