I am running Openwrt 24.10.6 on my Flint 2 MT6000.
My plan is to segregate my IoT devices and make sure they have no access to the other devices on my LAN. They do need external WAN access though.
I currently have a 2.4GHz and a 5GHz network broadcasting.
I thought I’d ask AI how to do this and I got 90% of the way there. The IoT WiFi network was broadcasting, brlan30 was configured but when I joined IoT I could not get an IP via DHCP.
Below is what AI provided; what did we do wrong?
============================
1. Create VLAN interface
============================

```sh
uci set network.iot="interface"
uci set network.iot.proto="static"
uci set network.iot.device="br-lan.30"
uci set network.iot.ipaddr="192.168.30.1"
uci set network.iot.netmask="255.255.255.0"
```

============================
2. Enable DHCP for IoT
============================

```sh
uci set dhcp.iot="dhcp"
uci set dhcp.iot.interface="iot"
uci set dhcp.iot.start="100"
uci set dhcp.iot.limit="150"
uci set dhcp.iot.leasetime="12h"
```

============================
3. Create IoT firewall zone
============================

```sh
uci set firewall.iot="zone"
uci set firewall.iot.name="iot"
uci set firewall.iot.input="REJECT"
uci set firewall.iot.output="ACCEPT"
uci set firewall.iot.forward="REJECT"
uci set firewall.iot.masq="1"
uci add_list firewall.iot.network="iot"

# Allow IoT -> WAN only
uci set firewall.iot_wan="forwarding"
uci set firewall.iot_wan.src="iot"
uci set firewall.iot_wan.dest="wan"
```

============================
4. Create IoT WiFi network
============================

```sh
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].device="radio0"
uci set wireless.@wifi-iface[-1].mode="ap"
uci set wireless.@wifi-iface[-1].ssid="IoT"
uci set wireless.@wifi-iface[-1].encryption="psk2"
uci set wireless.@wifi-iface[-1].key="your_iot_password_here"
uci set wireless.@wifi-iface[-1].network="iot"
```

============================
5. Apply changes
============================

```sh
uci commit
service network restart
service firewall restart
wifi reload
```
This is a very bad idea. AI has almost never managed to prove itself correct for OpenWrt. And as you can see, it's not working now.
But we might be able to fix it.
Let's see your complete config in text form -- that is the best way to see what is happening.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
Due to ending up in a complete dead end with AI in regards to the firewall rules, I ended up factory resetting my router.
I am back at square one with my normal configuration now.
Happy to share the text file but the AI configuration is gone now.
Taking from what AI was trying to do, I need assistance in:

- Create a dedicated 2.4GHz SSID for the IoT devices
- Create a dedicated VLAN so IoT devices are not on 192.168.1.x
- Configure the VLAN to use DHCP
- Configure firewall rules so the VLAN has zero access to the LAN but does have WAN access.

I feel confident in creating the SSID and VLAN; it's just the DHCP and firewall rules.
How do you expect devices on the iot network to get a DHCP lease then, if you REJECT all traffic from the iot network to the router itself? Your DHCP and DNS run on the router.
Either set this to ACCEPT or add a specific rule to allow both DHCP and DNS on the INPUT chains, otherwise your iot network clients won't be able to get a DHCP lease or resolve any domains.
Why are you masquerading here? The wan interface does the masquerading. All this line is going to do is to NAT the client's IP to the private IP of the iot interface 192.168.30.1. Remove this line.
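The second option above (keep `input` at REJECT and open only DHCP and DNS toward the router, with the `masq` line dropped), written out as the matching `/etc/config/firewall` sections. This is an added example, not the OP's configuration or anything posted in the thread; it assumes the `iot` interface and the `wan` zone names from the AI-generated config, and the rule names are made up.

```uci
# iot zone: devices may reach the router only for DHCP and DNS (rules below),
# may be forwarded to wan, and may not reach lan (no forwarding to it).
# No 'option masq' here: NAT is done by the wan zone, not by the iot zone.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# DHCP: clients send to UDP 67 on the router; UDP 68 covers the reply path.
config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67 68'
	option target 'ACCEPT'

# DNS: dnsmasq on the router answers on TCP and UDP 53.
config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply with `service firewall restart`; because `config rule` entries are evaluated before the zone's default `input` policy, these two exceptions hold while everything else from the iot network to the router is still rejected.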
We didn't see the config from the OP, so there could have been other problems. But at this point, it doesn't matter since they reset to defaults and are now working on using the guest wifi tutorial.