CivilAnchor
Hi all,
I'm trying to subnet/separate my many IoT devices from my main machines for security purposes. I have several laptops (wifi), phones (wifi), a desktop (RJ45) and a media centre (RJ45) that I'd like to keep separate from my IoT devices (Hubitat, wifi lights, Hue, etc).
I also have two AC1900P (R68P) routers I have connected via RJ45 in a mesh configuration with the latest Merlin running on the main router.
I've been reading a lot of these forums with similar posts (such as https://www.snbforums.com/threads/vlans-on-merlin-mini-howto.20529/) and I *think* what I'd need here is to create a separate VLAN for my guest devices, but I'm a bit confused how to adapt the scripts that I've read to my specific configuration. VLANs still confuse me somewhat. Ideally I'd like for my secure devices to be able to initiate connections locally with my IoT devices (i.e. phone connecting to Hubitat), but block connections initiated from my IoT devices from communicating with my machines.
If someone could give me pointers on how to go about this or at least how to start, that'd be awesome.
Many thanks!
I was also looking at https://www.snbforums.com/threads/y...-guest-wifi-inc-ssid-vpn-client.45924/page-47 where a similar discussion is happening, but I'm a bit confused over why people are talking about separate switches? Shouldn't this be possible just with the one router?
I'd use the guest network to achieve something similar and maybe some firewall rules, but it doesn't seem to apply to LAN devices.
Code:
admin@RT-AC1900P-9A78:/tmp/home/root# robocfg show vlan
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:17:10:93:c1:b0
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 1c:1b:0d:9a:30:48
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 38:f7:3d:4c:b0:9b
Port 3: 100FD enabled stp: none vlan: 1 jumbo: off mac: b8:27:eb:90:a3:1a
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 34:d2:70:d4:00:bb
Port 7: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4 5t
2: vlan2: 0 5
Code:
ifconfig
br0 Link encap:Ethernet HWaddr 71:8B:CD:C9:9A:78
inet addr:192.168.11.1 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:1657492 errors:0 dropped:0 overruns:0 frame:0
TX packets:427152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:264783801 (252.5 MiB) TX bytes:161444833 (153.9 MiB)
eth0 Link encap:Ethernet HWaddr 71:8B:CD:C9:9A:78
inet addr:192.0.119.145 Bcast:192.0.119.159 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33613905 errors:0 dropped:0 overruns:0 frame:0
TX packets:18161626 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2366742154 (2.2 GiB) TX bytes:3578845172 (3.3 GiB)
Interrupt:179 Base address:0x4000
eth1 Link encap:Ethernet HWaddr 71:8B:CD:C9:9A:78
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:920740 errors:0 dropped:0 overruns:0 frame:888710
TX packets:1374256 errors:13 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:111455646 (106.2 MiB) TX bytes:1069254380 (1019.7 MiB)
Interrupt:163
eth2 Link encap:Ethernet HWaddr 71:8B:CD:C9:9A:7C
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:2622680 errors:0 dropped:0 overruns:0 frame:161208
TX packets:3354640 errors:12225 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:193835983 (184.8 MiB) TX bytes:1456125483 (1.3 GiB)
Interrupt:169
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:766681 errors:0 dropped:0 overruns:0 frame:0
TX packets:766681 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:199091060 (189.8 MiB) TX bytes:199091060 (189.8 MiB)
lo:0 Link encap:Local Loopback
inet addr:127.0.1.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
vlan1 Link encap:Ethernet HWaddr 71:8B:CD:C9:9A:78
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:9875014 errors:0 dropped:0 overruns:0 frame:0
TX packets:3059304 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1478693587 (1.3 GiB) TX bytes:337008032 (321.3 MiB)
wds0.3 Link encap:Ethernet HWaddr 71:8B:CD:C9:9A:78
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8526 errors:0 dropped:0 overruns:0 frame:888710
TX packets:167301 errors:15883 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1751148 (1.6 MiB) TX bytes:27217417 (25.9 MiB)
wds1.2 Link encap:Ethernet HWaddr 70:8B:CD:C9:9A:7C
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17095 errors:0 dropped:0 overruns:0 frame:161208
TX packets:191338 errors:22 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3524414 (3.3 MiB) TX bytes:27813714 (26.5 MiB)
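The one-way policy asked for above (trusted machines may open connections to IoT devices, IoT devices may only answer them) is a stateful FORWARD rule set, independent of how the VLAN itself is created. The script below is an added example, not code from the thread or the linked howto; it assumes the IoT devices have already been moved onto a second bridge named br1 (the trusted LAN stays on br0, 192.168.11.0/24 as in the ifconfig output) and only emits the iptables commands so the resulting chain order can be checked before anything is applied.

```shell
#!/bin/sh
# Constructed example: one-way isolation between the trusted bridge and an
# IoT bridge on an Asus Merlin router. br0/br1 are assumed names; adjust them
# to whatever bridge the IoT VLAN ends up on.
LAN_IF=${LAN_IF:-br0}
IOT_IF=${IOT_IF:-br1}

iot_forward_rules() {
    # Each "iptables -I FORWARD" pushes its rule to the TOP of the chain, so
    # the rules are emitted bottom-up: the last one printed is matched first.
    # 3rd in chain: anything else from IoT towards the trusted LAN is dropped.
    echo "iptables -I FORWARD -i $IOT_IF -o $LAN_IF -j DROP"
    # 2nd in chain: replies to connections the trusted side opened are allowed
    # (this is what lets a phone talk to Hubitat and get answers back).
    echo "iptables -I FORWARD -i $IOT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 1st in chain: trusted LAN may initiate anything towards IoT.
    echo "iptables -I FORWARD -i $LAN_IF -o $IOT_IF -j ACCEPT"
}

iot_input_rules() {
    # Same idea for traffic aimed at the router itself: IoT devices still need
    # DHCP and DNS from it, but nothing else (e.g. the admin UI or SSH).
    echo "iptables -I INPUT -i $IOT_IF -j DROP"
    echo "iptables -I INPUT -i $IOT_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $IOT_IF -p tcp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i $IOT_IF -p udp --dport 67 -j ACCEPT"
}

effective_forward_order() {
    # Simulate the effect of repeated -I: reverse the emitted list so it reads
    # top-to-bottom exactly as "iptables -L FORWARD" would show it.
    iot_forward_rules | sed -n '1!G;h;$p'
}

# Usage on the router (as root): review, then pipe into sh to apply,
# typically from /jffs/scripts/firewall-start.
#   iot_forward_rules; iot_input_rules   # review
#   { iot_forward_rules; iot_input_rules; } | sh   # apply
```

Run the two rule functions in a firewall-start script so they are re-applied whenever Merlin rebuilds the firewall.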