I
ianyp
Occasional Visitor
- Feb 10, 2021
- #1
I want to separate my IOT devices from the rest of the devices on my network. I don't entirely trust these cheap lightbulbs. The router is in AP mode, but doesn't seem to isolate the wireless networks from one another.
My network is currently like this:
Guest WiFi─AC68 in AP mode──Ethernet──OPNsense──Internet
Main WiFi ─┘
Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)
C
ColinTaylor
Part of the Furniture
- Feb 10, 2021
- #2
Network isolation doesn't work in AP mode. In fact IIRC the Access Intranet option is actually removed from the GUI in AP mode.
ianyp said:
Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)
There are some user created scripts that attempt to create VLANs for guest SSIDs. They may be what you want so search the forum for those threads.
B
- Feb 10, 2021
- #3
ianyp said:
Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)
Not sure about using the YazFi script on an AP, but YazFi works well on a non AP/non mesh router when separating IoT devices to the Guest WiFi from the main LAN when using the Asus-Merlin firmware.
YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client
J
jeff3820
Regular Contributor
- Feb 10, 2021
- #4
ianyp said:
I want to separate my IOT devices from the rest of the devices on my network. I don't entirely trust these cheap lightbulbs. The router is in AP mode, but doesn't seem to isolate the wireless networks from one another.
My network is currently like this:
Guest WiFi─AC68 in AP mode──Ethernet──OPNsense──Internet
Main WiFi ─┘Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)
You can do this if you setup a VLAN (or a 2nd network) on OPNsense and get another AC68U. I use Pfsense...just a different fork so it must be possible as I have done this with Pfsense.
Main WiFi─AC68(1) in AP mode──Ethernet──OPNsense──Internet
Guest WiFi─AC68U(2) in AP mode (use VLAN) ─┘
A second way to do this is to use an access point that supports the direct use of guest networks...like the TP-Link EAP245. You don't need the TP-Link controller...there is a built in web client. In that case, setup a VLAN for the guest network.
Main WiFi─TP-Link EAP245 AP──Ethernet──OPNsense──Internet
Guest WiFi ─┘
I used the TP-Link recently for my son and it worked out perfectly. Setup 3 WiFi SSIDs with one being a guest network. The EP-245 also supports VLANs if you want to go that route as well.
I
ianyp
Occasional Visitor
- Feb 15, 2021
- #5
Really I don't want to buy another piece of hardware to carry this out. It ought to be a simple enough thing to accomplish in software as far as I understand things in theory.
Unfortunately I can't make head-nor-tail of this robocfg tool. It looks like it's really poorly documented. This is the first time I've worked with VLANs so I'm unfamiliar enough with how it works as it is. I misconfigured something on Saturday and it took me hours to get my internet working again.
I modified a script I found that will successfully isolate the guest APs from the main network. Modified so I'm using vlan10 as main and vlan20 as guest.
Code:
# { WAN L1 L2 L3 L4 CPU } (Physical Ports)# { 0, 1, 2, 3, 4, 5 } (Robocfg ports)Code:
Switch: enabledPort 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 52:54:00:8f:e4:2aPort 1: 1000FD enabled stp: none vlan: 10 jumbo: off mac: 9c:c9:eb:12:f4:8dPort 2: DOWN enabled stp: none vlan: 10 jumbo: off mac: 18:03:73:26:07:6dPort 3: 1000FD enabled stp: none vlan: 10 jumbo: off mac: 9c:c9:eb:12:f4:8ePort 4: DOWN enabled stp: none vlan: 10 jumbo: off mac: 00:00:00:00:00:00Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 84:3a:4b:20:02:82Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00RTAC68UPort 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00VLANs: BCM5301x enabled mac_check mac_hash 1: vlan1: 0 1 2 3 4 5t 2: vlan2: 5t 10: vlan10: 0t 1 2 3 4 5t 20: vlan20: 0t 5tCode:
bridge name bridge id STP enabled interfacesbr0 8000.74d02b2fc5c4 no vlan1 eth1 eth2 vlan10 wl1.2br1 8000.74d02b2fc5c4 no vlan20 wl0.1 wl1.1This successfully stops wireless clients from talking to one another with a destination unreachable message, but I want to route those requests upstream to the firewall so I can make exceptions. At the moment nothing tagged VLAN20 is actually getting routed to the firewall. So I'm assuming they never make it out of the router with that tag.
edit: what I think I want to do is set the default gateway for the vlan to the firewall's VLAN ip address. I don't know how to do that.
Last edited:
I
ianyp
Occasional Visitor
- Feb 17, 2021
- #6
Okay. I got this working. It may have been firewall issues that prevented it working originally, although I'm not sure.
The process was roughly this:
Set up new vlans through robocfg. This configures which ports will contain vlan tags when data from interfaces on that vlan communicate.
Code:
robocfg vlan 20 ports "0t 5t"I did this three times. One for IOT(VLAN20), one for public internet(VLAN30), and one for my private network (VLAN10).
This also needs to be done with vconfig. I don't know why exactly. Maybe robocfg configures something at a driver level and vconfig does something else in the kernel.
Code:
vconfig add eth0 20ifconfig vlan20 upWhere 20 is the vlan from the robocfg step.
Then delete all the wlx.x interfaces from the default bridge that comes with the router.
Code:
brctl delif br0 wl0.1Now we create a new bridge to put the interfaces on, along with the vlan. Doing this tags all the traffic on those interfaces.
Code:
brctl addbr br1Add the interface to the new bridge:
Code:
brctl addif br1 vlan20And bring up the bridge
Code:
ip link set br1 upthen all this needs to be written to nvram. Not sure what this does.
Private / VLAN1 / 10 / physical ports
Code:
nvram set br0_ifname="br0"nvram set lan_ifname="br0"nvram set br0_ifnames="vlan1 eth1 eth2 vlan10"nvram set lan_ifnames="vlan1 eth1 eth2 vlan10"And an example of setting up br1 in nvram
Code:
nvram set lan1_ifnames="vlan20 wl0.2 wl1.2"nvram set lan1_ifname="br1"nvram set br1_ifname="br1"nvram set br1_ifnames="vlan20 wl0.2 wl1.2"Code:
killall eapdeapdFlush bridge firewall rules.
Code:
ebtables -FHere's the script I butchered to get it working:
gist:8e4ca1673c7e8cb22abff5fa6744ef7f
GitHub Gist: instantly share code, notes, and snippets.
gist.github.com
If anyone can explain the significance of the nvram settings I'd appreciate it. Also not sure what eapd is. Or why there is a vlan2.
Last edited:
You must log in or register to reply here.
