
'Guest' Network on spare router (RT-AC87U)


archiel

Very Senior Member
I have my main network (10.x.x.x) running happily (AX88U router, AX58U AiMesh node) - my thanks to everyone on this forum who has helped me get this far.

My next thought is to add various IoT devices (security cameras, light switches, etc.) and as I have an old AC87U, I thought I could use this for the job, rather than clutter up the existing machines. I will admit that I am not sure if this is a good idea at all, or, if it is, how I should best configure it.

What I want to do is allow the IoT devices internet access and, if necessary, to be able to talk to each other, but not to the devices on the rest of the 10.x.x.x network.

So far I have updated the AC87U with the latest (last) Merlin firmware, connected it via the WAN port, set up a new subnet (192.168.x.x) and SSIDs, and then routed any traffic going through the router's WAN IP (its LAN IP on the main network) through VPN5 on the AX88U - using browserleaks.com it all looks good. IPv6 is enabled on the main network, but disabled on the AC87U to prevent this type of leakage.

However, when I look at Tools > Network, although I can see the WAN port connected as VLAN2, I also see Last Device Seen cycling through MAC addresses of the other devices on the main network.

What I would like to understand is:
  • what are the security issues, this is a home network, but my wife and I also connect to our work networks?
  • what can I do to improve matters / mitigate the risks?
Or is the proposed setup fundamentally unsound?
 
You would need to use the Network Services Filter on the RT-AC87U to block all access to the 10.x.x.x subnet. At the moment it has unrestricted access to it. Make sure your 10.x.x.x subnet does not overlap with your VPN network addresses.
 
Thanks for the quick reply. As the main network is 10.44.55.x 255.255.255.0, I assume I add a Blacklist Filter with 10.44.55.1/24 to the Destination IP (TCP) and leave the other fields blank (Source IP, Port range, Port Range). I can confirm that there is no overlap on any of my VPN clients or servers.
 
Yes, that's correct. You might want to create a second rule for UDP as well just to be safe. You could also filter ICMP packets but that's unnecessary IMHO.
 
Belt and Braces it is! Thank you again.
 
Note that I changed my comment about the ICMP packets because I realised it would also affect guest traffic destined for the internet.
 
Noted - I just added the UDP rule.
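
An added example, not part of the thread: a small Python model of the blacklist rules discussed above, showing which flows from the IoT side to the main LAN each rule set leaves unmatched, plus the VPN overlap check. The sample flows, VPN subnets and function names are constructed for illustration; it models rule matching only and is not the firmware's own filter code.

```python
import ipaddress

# Main LAN as typed in the thread; strict=False normalises it to 10.44.55.0/24.
MAIN_LAN = ipaddress.ip_network("10.44.55.1/24", strict=False)

def blocked(rules, proto, dst):
    """True if any blacklist rule (protocol, destination network) matches."""
    ip = ipaddress.ip_address(dst)
    return any(p == proto and ip in net for p, net in rules)

def open_paths(rules, flows):
    """Flows aimed at the main LAN that no rule matches (still forwarded)."""
    return [(p, d) for p, d in flows
            if ipaddress.ip_address(d) in MAIN_LAN and not blocked(rules, p, d)]

def overlapping(lan, vpn_nets):
    """VPN subnets that overlap the LAN (the condition the thread says to avoid)."""
    return [n for n in vpn_nets if ipaddress.ip_network(n).overlaps(lan)]

# Constructed sample flows from a client on the 192.168.x.x side.
FLOWS = [
    ("tcp", "10.44.55.10"),    # main-LAN host
    ("udp", "10.44.55.10"),
    ("icmp", "10.44.55.1"),    # main router
    ("tcp", "203.0.113.10"),   # internet (documentation range)
    ("udp", "198.51.100.53"),
]
TCP_ONLY = [("tcp", MAIN_LAN)]
TCP_UDP = TCP_ONLY + [("udp", MAIN_LAN)]

if __name__ == "__main__":
    print("TCP rule only, still open:", open_paths(TCP_ONLY, FLOWS))
    print("TCP + UDP, still open:   ", open_paths(TCP_UDP, FLOWS))
    # Constructed VPN subnets: the second one contains the main LAN.
    print("Overlaps:", overlapping(MAIN_LAN, ["10.8.0.0/24", "10.44.0.0/16"]))
```

With only the TCP rule, UDP to the main LAN is still unmatched; adding the UDP rule leaves ICMP as the only remaining path in this model, and neither rule touches internet-bound traffic.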
 
