Help segregating IOT network from main

[AbOrigine]

Hello everyone,

Need help in setting up a segregated network for IOT devices for the following scenario.
I hope I am posting this in the right part of the forum.
I researched a bit and tried various ways, but does not seem to work in my application.
Would appreciate a guide on how to make this work.
So, basically I have an Arris SB8200 cable modem, which plugs to RT-AC86u WAN port (LAN IP 192.168.3.1 + DHCP pool), which provides wireless and wired access for my home networking devices. One of the LAN ports of AC86u goes into a Netgear GS908E managed switch (port one), it is then distributed to other wired home network devices through ports 2-7. Port 8 goes to AC68u's WAN port (LAN 192.168.33.1 + DHCP pool), which is meant to be used by IOT devices (I have over 70 of them, smart home devices, lights, outlets and etc).
What I am trying to do, is to have AC86u separate from AC68u network, I do not want them to talk to each other. I am trying to set this up in a way, that AC68u only has access to internet and not my local/main (3.1) network.
I tried various ways in the managed switch, (tagged, untagged and etc.), but the AC68u still either has access to my network, or no connection to network or internet at all.
Can this be done without scripting and just utilizing managed switch?
I have guest WiFi network setup in AC68u where most of IOT's connect, they do not seem to be able to access my main network -3.1 (I have "set AP isolated" turned on in AC68u), but all wired IOT's which are connected to AC68u, still are able to access my main network.
The way I am managing AC68u switch is: I have a Windows server 2012 with two ethernet ports, one of the ports is connected to 3.1 network and the other to 33.1. So I RDP in the 2012 server and then manage 33.1 (AC68u) network from there.
I am new to all this, apologies if the above explanation is inadequate.

Thanks in advance

 

[ColinTaylor]

Asus routers don't support VLANs (in any useful way), so you can ignore that.

I think you'll find that even though the WiFi guests are isolated from each other and the 68U's wired LAN they still have some access to the 86U's LAN. However, the firewall on the 68U should block access to its LAN from the 86U (unless you make exceptions). Going the other way you can block access to the 86U's LAN using the Network Services Filter on the 68U.

 

[eibgrad]

Can I use 2 Asus routers one as a actual router and the other as a Access Point ? Need both to provide Wi-Fi as well. Is it easy to do mostly?

This would be on AT&T Fiber. How does Asus routers determine which router to connect to over Wifi ? Does it work seamlessly ? The 2 routers I want to use is a new ASUS RT-AX86U AX5700 and a old ASUS RT-AC66U B1 Wireless-AC1750. Any disadvantages of doing this ? Should I just use the ASUS...

www.snbforums.com

 

[AbOrigine]

Asus routers don't support VLANs (in any useful way), so you can ignore that.

I think you'll find that even though the WiFi guests are isolated from each other and the 68U's wired LAN they still have some access to the 86U's LAN. However, the firewall on the 68U should block access to its LAN from the 86U (unless you make exceptions). Going the other way you can block access to the 86U's LAN using the Network Services Filter on the 68U.

Thanks for your reply.
I will try and block access to 86u via Network Services Filter, have not used this feature before, so will check it out.
Netgear GS908E is a managed switch which supports VLANs, would it be possible to segregate network from there (so that AC68u only has internet access and no access to 86u's network)?

 

[ColinTaylor]

Netgear GS908E is a managed switch which supports VLANs, would it be possible to segregate network from there (so that AC68u only has internet access and no access to 86u's network)?

No, because the 86U doesn't support VLANs so any VLAN segregation you setup using the switch will be lost once the traffic hits the 86U.

 

[CaptainSTX]

Since you are already utilizing a double NAT you could try putting your 68U as the Internet facing first router and then having all your IoT devices connect either to LAN ports or WiFi on the AC68. Then connect you AC86's WAN port to a LAN port on the AC68. Devices on the AC86 will be able to see devices on the AC68 but not the other way around. Depending on what your ISP delivered bandwidth is the AC68 should be able pass everything on to your more secure network second router behind the AC86. If the AC68 is a bottle neck put the AC86 first.

Then by can connect your switch it either to your AC68 or AC86 where ever you need additional Ethernet ports, In addition if you set up a port based VLANs on the smart switch you can further isolate devices connecting to the switch.

 

[coxhaus]

If there are differences in firewalls then I would put the best firewall first at the front door. Older routers may not have all the updates as the newer ones. You would need to check. Maybe check firmware dates.

 

[AbOrigine]

No, because the 86U doesn't support VLANs so any VLAN segregation you setup using the switch will be lost once the traffic hits the 86U.

So, I tried Network Services Filter, but does not seem to have any effect. I am probably doing it wrong.

Since you are already utilizing a double NAT you could try putting your 68U as the Internet facing first router and then having all your IoT devices connect either to LAN ports or WiFi on the AC68. Then connect you AC86's WAN port to a LAN port on the AC68. Devices on the AC86 will be able to see devices on the AC68 but not the other way around. Depending on what your ISP delivered bandwidth is the AC68 should be able pass everything on to your more secure network second router behind the AC86. If the AC68 is a bottle neck put the AC86 first.

Then by can connect your switch it either to your AC68 or AC86 where ever you need additional Ethernet ports, In addition if you set up a port based VLANs on the smart switch you can further isolate devices connecting to the switch.

That would be tough, as 86u serves the whole of my internal network and I have a 1.2Gigabit connection. And as "Coxhaus" mentioned, I think 86u is better CPU/overall router. Plus I have an OpenVPN server setup on AC86 which connects to another AC86u and it is quite a bit faster than 68u.

Thanks for all your help, any other suggestions?

 

[CaptainSTX]

anks for all your help, any other suggestions

Put the AC86 as your Internet facing router. Convert your AC68 to an AP and then connect your smart switch to a LAN port on the AC86 and finally plug your AC68 into a port on the switch which has VLAN active. It will give you some protection.

 

[ColinTaylor]

So, I tried Network Services Filter, but does not seem to have any effect. I am probably doing it wrong.

Like this:

Note that this blocks TCP and UDP, but not ICMP (pings). If you also want to block pings (to all destinations) you'll need to set the Filtered ICMP packet types option.

 

[AbOrigine]

Like this:
View attachment 37585
Note that this blocks TCP and UDP, but not ICMP (pings). If you also want to block pings (to all destinations) you'll need to set the Filtered ICMP packet types option.

Did this on AC68u and it worked like a charm! (could not find "Filtered ICMP packet types" option though)
Thanks!

I guess this should be good enough for the IOT's not to be able to access my main (3.1) network right?

Put the AC86 as your Internet facing router. Convert your AC68 to an AP and then connect your smart switch to a LAN port on the AC86 and finally plug your AC68 into a port on the switch which has VLAN active. It will give you some protection.

I will stick with the above solution for now, looks like it is working.
Thanks for your help.

 

[ColinTaylor]

I guess this should be good enough for the IOT's not to be able to access my main (3.1) network right?

Correct.

 

[CaptainSTX]

I will stick with the above solution for now, looks like it is working.
Thanks for your help.

Just be sure to use a very secure log on credentials on the smart switch as any device connected either directly to the switch or to your AC68 AP by either WiFi or Ethernet cable will have the ability to attempt to login to your switch and change any settings including disabling the VLANs. It makes no difference to the switch if the connected device is on a VLAN or not. Also forcing a factory reset either by pushing a button on the switch or through the switches OS kills the VLANs.

 

[AbOrigine]

Just be sure to use a very secure log on credentials on the smart switch as any device connected either directly to the switch or to your AC68 AP by either WiFi or Ethernet cable will have the ability to attempt to login to your switch and change any settings including disabling the VLANs. It makes no difference to the switch if the connected device is on a VLAN or not. Also forcing a factory reset either by pushing a button on the switch or through the switches OS kills the VLANs.

Thanks!

 

[distilled]

This is a fortuitous thread, I was about to ask something very similar, but probably easier. Rather than start a new thread, I'll play off the good advice already given here.

I simply want to restrict a single hard-wired PC to internet only, I do not want this PC to have access to any part of my LAN. The user of the PC will have admin access to the PC, so this must be done between the PC and the router. I do have a smart switch capable of creating a VLAN, and also an old 66U that could be used to create a separate LAN for this PC. I do not have access to the PC to experiment with, and while I am capable of *planing* how to do this, I am not going to be able to test it, so I am hoping wiser minds might provide objective experience. I strongly dislike flying blind, but I trust the experience of the good folks here.

Should I just hang the spare 66U router, with WiFi disabled, off an open port on my internet-facing 86U and give it a separate subnet? The 66u supports Fresh Tomato, which, if memory serves, supports VLANs, would that be a way to go? Any advice is gratefully appreciated.

 

[eibgrad]

This is a fortuitous thread, I was about to ask something very similar, but probably easier. Rather than start a new thread, I'll play off the good advice already given here.

I simply want to restrict a single hard-wired PC to internet only, I do not want this PC to have access to any part of my LAN. The user of the PC will have admin access to the PC, so this must be done between the PC and the router. I do have a smart switch capable of creating a VLAN, and also an old 66U that could be used to create a separate LAN for this PC. I do not have access to the PC to experiment with, and while I am capable of *planing* how to do this, I am not going to be able to test it, so I am hoping wiser minds might provide objective experience. I strongly dislike flying blind, but I trust the experience of the good folks here.

Should I just hang the spare 66U router, with WiFi disabled, off an open port on my internet-facing 86U and give it a separate subnet? The 66u supports Fresh Tomato, which, if memory serves, supports VLANs, would that be a way to go? Any advice is gratefully appreciated.

If you're only considering the one VLAN, then it actually doesn't matter if the secondary router (66U in this case) supports VLANs, since the secondary router is, by definition, an additional VLAN! It just happens to be patched behind the primary router (WAN to LAN respectively), and therefore must be routed through the primary router's network to reach the WAN. The value of having FT (FreshTomato) installed on the 66U at that point is NOT the fact it supports VLANs, but that you can configure its firewall to prevent access to the primary router's private network over its WAN, thereby limiting any device connected to the 66U to the internet. Of course, if you decide you want even more VLANs, then yes, having VLAN support w/ FT will be useful.

 

[distilled]

I am almost following, but I am not quite there yet. I only need one VLAN, just a single machine that needs to be isolated. If I connect the WAN port of the old 66U (using default Asus firmware) to a LAN port on my internet facing 86U, anything I connect to the LAN ports of the 66U can still see my LAN, regardless of the IP scope. I want to give the isolated machine access to only the internet, and no access at all to the other machines on the LAN.

This is surely something painfully simple that I am overlooking, but for the life of me, I cannot make the LAN invisible to the isolated PC behind the 66U.

 

[eibgrad]

I am almost following, but I am not quite there yet. I only need one VLAN, just a single machine that needs to be isolated. If I connect the WAN port of the old 66U (using default Asus firmware) to a LAN port on my internet facing 86U, anything I connect to the LAN ports of the 66U can still see my LAN, regardless of the IP scope. I want to give the isolated machine access to only the internet, and no access at all to the other machines on the LAN.

This is surely something painfully simple that I am overlooking, but for the life of me, I cannot make the LAN invisible to the isolated PC behind the 66U.

Assuming the 66U is using FT, add the following to the firewall script.

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
WAN_NET="$(nvram get wan_ipaddr)/$(nvram get wan_netmask)"

# optionally: deny access to *any* private IP networks over the WAN
iptables -I FORWARD -i br0 -o $WAN_IF -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD -i br0 -o $WAN_IF -d  172.16.0.0/12 -j REJECT
iptables -I FORWARD -i br0 -o $WAN_IF -d    10.0.0.0/8  -j REJECT

# minimally: deny access to immediate upstream network over the WAN
iptables -I FORWARD -i br0 -o $WAN_IF -d $WAN_NET -j REJECT

 

[distilled]

Thank you very kindly, that was exactly what the proverbial doctor ordered. I was making it more complicated than it needed to be. Thanks again.