Hello, I am already running OpenWrt on my router, but would like to expand my network to have a separated VLAN for IoT devices, since I heard it's impossible to achieve that just with a router. For that I think I need a switch and a AP, which supports OpenWrt. Any recommendations?
The IoT network so far will only contain my vacuum cleaner robot.
My criteria:
Available in the EU (at best on Amazon)
Support 2.4GHz, 5/6 GHz is completely optional (I would rather save money, since I don't need that for IoT devices)
Obviously support VLANs
Runs latest OpenWrt and will in the future
Must be priceworthy
Can be from the used market, I just need the recommended models
Nice to have: the flashing doesn't require UART/SPI etc. flashing just SFTP or via the interface
That's incorrect. In fact, you need your router to be able to segregate networks via VLAN. Luckily, OpenWrt can do that.
It would be helpful to know which maker and model you are running OpenWrt on right now. Is it really just a router, no Wifi?
A switch is only needed if you need a bigger number of network ports than the router can provide, and/or if your network is spread farther out. You didn't mention the router on which you are running OpenWrt.
As for the AP, it doesn't have to be anything special. Virtually any OpenWrt-supported access point (or router, demoted to AP) can do what you want. The selection mainly depends on what exactly you expect from the access point.
The screenshots in the guide are a tad outdated, but basically you want to set up a guest network, just for a "special kind of guest".
As a sidenote: While you can absolutely run regular and guest/iot networks on the same Wifi, with two SSIDs, I found it unnecessary since some of my IOT devices are the only ones that still depend on 2.4GHz while my regular devices all want to use 5GHz anyway. If it is the same for you, you can spare yourself the VLAN separation entirely, just hook the 2.4GHz wifi up to the IOT-LAN, and the 5GHz wifi to the regular LAN, no VLANs required because you actually don't need to separate anything that isn't already separate.
An "IOT network" is just a "guest network" by another name, both are networks that are separated from -- and don't have access to -- the main network. They work and are set up completely the same. If it makes you feel better, you can just name it "iot" instead of "guest"
OK, I followed the tutorial, setup the new radio and setup a new interface but now the device is unmanaged for the IoT interface and there are no IP address options for me like in the screenshot... What do I need to do next then? I tried selecting the IoT Wireless network as the device but it did not help it seems...
I also tried setting the Protocol to DHCP Client but still it fails when connecting because it doesn't get a IP handed out and I don't see how to setup that...
I think the 'iot' gateway address is pingable because it is on the C7 router so the routing and IP processes in the kernel/drivers sees that it is itself and replies.
If the hosts on the regular network are trusted by you, you may not need to try to stop the ability to ping the 'iot' gateway address from them.
For the DNS sinkhole issue, if it is a case of having DNS running on the C7 with an additional DNS sinkhole, but the C7 is not redirecting/forwarding to your sinkhole there are probably a few options depending on your setup.
Each time you get something new working, I recommend that you save the config to your pc. Adjust the name of the backup file so you know what is working so you can restore to it if you want.
Select "Backup" in the "System" menu.
Click on "Generate archive"
On your pc, add a bit of description to the file name or track the description in a document etc..
If you just want all DNS queries from every device in your 'iot' network to go to your sinkhole then setting the DHCP server to provide the sinkhole IP for DNS to the 'iot' DHCP clients.
Optionally add firewall rules to allow regular DNS to the sinkhole from the 'iot' devices but be blocked elsewhere including the C7 itself.
It this looks like what you want and the C7 is the DHCP server, then the following might do it:
In the Luci network page: (Select "Interfaces" in the "Network" menu) https://192.168.1.1/cgi-bin/luci/admin/network/network (Change the IP address as appropriate for your C7)
Click the "Edit" button on the 'iot" interface.
Click on the "Advanced Settings" tab.
Type in the IP address of your sinkhole in the data entry box for "Use custom DNS servers".
Click the "Save" button and check for error messages.
When back out at the "Network" page in Luci, click "Save and Apply" and check for error messages.
Reboot all your 'iot' clients connected to the 'iot' network and test.
If the above doesn't fit your use case then see the OpenWrt guides and forum posts on pi-hole and also "blocking DNS" or whatever fits your use case for specifics.
These might be a starting point for your searches:
Once you have your new 'iot' network working with connectivity, it may be good to mark this thread "Solved" and open new question threads specific to any additional DNS sinkhole or firewall question etc.
I'm not familiar with the Archer series so if you know there is a problem with the switch supporting DHCP then by all means look at alternatives.
That might not solve your problem. A switch and an AP doing just wifi relying on DHCP from the C7 connected to the integrated switch on the C7 may leave you in same situation.
If your C7 is getting old and/or is barely meeting the RAM or flash size, you may want to consider replacing it as it might not be supported in a near future release as kernels/drivers etc keep getting larger.
I did a quick search on DHCP issues with wifi on Archer C7 and the situation I found had a workaround. You might look deeper or ask for help on your setup and not spend any money on new hardware.
This post and the three posts following it provide a high level blueprint for something a little more complicated than what you want to accomplish, and the main router in the example is using DSA, and your C7 is still on swconfig. So there are some differences configuring the vlans in your network file and connecting your WiFi SSID's to the vlans. I recently set up a swconfig EA8500 for a friend, so I'll post that configuration in a little bit, but this will get you started with the basic ideas.
It is much easier, at least for me, to do this from the command prompt and edit the network, dhcp, firewall and wireless configuration files in /etc/config directly. It can be done from luci, but there are a lot of luci menus to click through to make it all happen.
If you do not know how to get to the command prompt on your router and edit configuration files, there is no time like the present to learn if you are going to keep using OpenWrt
Click here for more detail to see an example login to edit the network file.
# ssh root@192.168.1.1
root@192.168.1.1's password:
BusyBox v1.35.0 (2023-01-25 15:45:14 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 22.03.3, r20028-43d71ad93e
-----------------------------------------------------
root@EA8500-1:~# cd /etc/config
root@EA8500-1:/etc/config# vi network
If you do not know how to edit text files with vi, some find the nano editor easier to use. Here is how to install that:
Configuration files for a basic all-in-one gateway WiFi router on swconfig (not DSA) with LAN on VLAN 1, WAN on VLAN 2, Internet of Things Network on VLAN 10 and Guest network on VLAN 20 follow.
Cautions and Notes:
The swconfig example is based on an EA8500. In this example, the WAN is tagged to CPU port 0 ("0t"), and the LAN, GST and IOT networks to CPU port 6 ("6t"). Pay attention to how this is set up on your C7 and adjust accordingly in your network file.
For completeness, a network file showing the setup for a device migrated to DSA is also provided. The dhcp, firewall and wireless files are from the EA8500 swconfig example, but these three files do not materially differ between swconfig and DSA.
The network files are configured to send only lan traffic (untagged) to physical ports 1 and 2, IOT traffic (untagged) to port 3 and GST traffic (untagged) to physical port 4. Obviously configure this however you like it is just an example.
Do not use these files as direct replacements! Use them as guides. For example MAC addresses in the network file have been over-written with xx:xx:xx:xx, etc. That won't work well
Notice configuring br-lan, br-GST and br-IOT bridges for these VLANs in the EA8500 swconfig network file is more complicated than in the DSA example, but these bridges are needed to connect up the WiFi SSID's for each VLAN.
/etc/config/network (this example is for a device still using swconfig)
Next we need to set up firewall zones and rules so that our GST and IOT networks can get DHCP and DNS service. The additions start with: config zone....option name 'iot'.
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
list icmp_type 'echo-request'
option target 'DROP'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'iot'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IOT'
option input 'REJECT'
config zone
option name 'gst'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GST'
option input 'REJECT'
config forwarding
option src 'gst'
option dest 'wan'
config forwarding
option src 'iot'
option dest 'wan'
config rule
option name 'Allow-iot-DNS'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Allow-gst-DNS'
option src 'gst'
option dest_port '53'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
config rule
option name 'Allow-iot-DHCP'
option target 'ACCEPT'
list proto 'udp'
option src 'iot'
option dest_port '67-68'
config rule
option name 'Allow-gst-DHCP'
option src 'gst'
option dest_port '67-68'
option target 'ACCEPT'
list proto 'udp'
Finally, let's attach some unique WiFi SSID's to our new Guest and Internet of Things VLANS.
Ports 1 and 2 are the first and second lan ports on the back of the device
Ports 1 and 2 are untagged and port 6 is the CPU, which is left tagged as in the default OpenWrt configuration.
The "t" after the port number designates "tagged" on swconfig devices. On a DSA device, you would tag with ":t" like this instead:
list ports 'lan2:t'
The main LAN is assigned to ports 1 and 2 untagged. Since no other VLANs are assigned to these ports in the rest of the configuration, tagging is not necessary for devices plugged into these ports to distinguish which packets belong to which VLAN. In this example, devices plugged in to lan ports 1 or 2 on the back of your router do not even need to be VLAN capable - they will only see the main lan, because ports 1 and 2 have only the main LAN assigned to them.
Now notice port 3 is mapped only to IOT and port 4 is mapped only to Guest. In this example, if you plug a device into lan port 3, it can only see the IOT network, nothing else. Similarly, a device plugged into lan port 4 can only see the Guest network and no other. Again, they are not tagged, since no port has access to more than one VLAN. If you would like lan port 4 to access both IOT and Guest vlans, then you would need to add port 4 to the list, and at least tag it so the two VLANs can be distinguished from each other (you could tag 3 and 4 also - it all depends how you want to set up your network), like this:
A common variation of this theme is plugging a second VLAN capable all-in-one wifi router to function as a dumb AP on the other side of your home (or another floor) into your main all-in-one router, attached by a very long Ethernet cable wire run. Let us assume you are plugging this device into lan port 1. In this case, you would probably want to map lan port 1 to every VLAN on your network tagged (technically, you could not tag the port under one of the VLANs, but only one could remain untagged). This way the second all-in-one router can have access to every VLAN on your home network, thus its WiFi SSID's can be on the exact same networks as the main router. The tagging allows it to distinguish the VLANs from each other and segregate them.
In this example, the WAN is tagged to CPU port 0 ("0t"), and the LAN, GST and IOT networks to CPU port 6 ("6t").
Isn't Port 6 WAN though? Also would it be possible to make a GUI tutorial? This manual config editing seems to bug me out, since I don't know what's relevant to my hardware and what's not.
and ports 1 through 4 (labeled 1 through 4 on the back of the router) are the LAN ports. Here in the network file is where LAN ports 1 and 2 are assigned to the main LAN VLAN network.
If you get things in a jumble, reset your C7 to defaults and stare at the network file a bit - it will eventually make sense. Your C7 may assign the same switch/CPU port to your WAN and LAN, or different ones like on the EA8500 (0 and 6 on the EA8500). The default configuration will assign 1 port to your WAN, and the other 4 to your LAN.
There are already GUI tutorials to be found on you tube and web pages elsewhere, and they take quite a bit of effort to produce. It may not feel that way now, but it's worth the effort to learn to use the configuration files when configuring more than a few simple changes easily captured in a screen shot or two.
