Want to run another router/subnet for IOT without double NAT

[Eric Lieb]

Currently my network is FIOS ONT to my AX86U which has an ethernet backhaul to an AC86U acting as a mesh node. I want to move all of my IOT devices (mostly smart bulbs) to their own network/subnet and keep them off my main network (currently have 100+ devices actively on my network). I would like my main network to be able to access this second one but not vice versa (if possible) but atleast want to offload all of the IOT traffic to their own router (I have a spare AC68U sitting around that I want to use). Is it possible to do this without risking double nat?

 

[degrub]

nothing wrong with double NAT, particularly where latency probably doesn't matter ?
Or is the issue a server outside reaching in when the IOTs call home ?
Otherwise, VLANs would solve your issue. May take different hardware or possibly using the Guest Network.

 

[Eric Lieb]

nothing wrong with double NAT, particularly where latency probably doesn't matter ?
Or is the issue a server outside reaching in when the IOTs call home ?
Otherwise, VLANs would solve your issue. May take different hardware or possibly using the Guest Network.

The main issue I am having is where some of the devices don't seem to be randomly connecting (1 out of 3 lightbulbs in a fixture or a random google home). I have tried establishing static IPs thinking that is the issue but it keeps happening.

 

[drinkingbird]

The main issue I am having is where some of the devices don't seem to be randomly connecting (1 out of 3 lightbulbs in a fixture or a random google home). I have tried establishing static IPs thinking that is the issue but it keeps happening.

With the 386 code base, guest wireless 1 does exactly what you're looking for. Isolation to a dedicated VLAN and separate subnet. Compatible with Aimesh too so it is propagated to other nodes.

Your main network won't be able to access the guest since return packets will be blocked but you could probably do some iptables changes to allow that reply traffic. Actually not positive if that is the behavior of guest, maybe it is set up to allow reply traffic initiated from the main LAN, honestly never had a reason to try it.

 

[Eric Lieb]

I tried using Guest 1 but I keep getting issues where devices disconnect or cant connect to the internet. I remember having an issue with Guest 1 in the past which is why I use Guest 2 for my 5ghz guest network.

 

[drinkingbird]

I tried using Guest 1 but I keep getting issues where devices disconnect or cant connect to the internet. I remember having an issue with Guest 1 in the past which is why I use Guest 2 for my 5ghz guest network.

With FIOS there is a known issue with Guest 1 where DHCP requests from the Guest LAN go out the WAN port and take down your internet. Removing the guest VLANs (501, 502, and 503 if it exists) via startup script from the WAN port solves that, but not sure if that is something you want to toy with. I'm also not positive if this impacts the 8x series routers, but my guess is it probably does. Unfortunately VLAN configuration on those routers is a bit more complex, but there are threads here on how to do it.

If you want to use Guest 2 and have a separate subnet, then you're going to get even more into scripting to create a subnet, DHCP pool, vlans, etc. Far more involved especially on the 8x series routers.

If the requirement is to have a separate subnet without doing any scripting or messing in the CLI, there are a couple options, both require you to use the AC router(s) as standalone, not part of a mesh. The easiest is double NAT, the other option is to disable NAT on the AC router(s) and use them strictly as routers. With both you'll need to add a network services filter to block traffic from accessing your main LAN subnet (or some dummy static routes to blackhole the traffic). If you're willing to do some scripting with ebtables/iptables then it is more flexible allowing you to be able to access guests from LAN but not the other way around, but you'll need to get your rulesets just right and test it thoroughly.

I don't think you need to worry about double NAT especially if it only impacts IOT devices that don't require incoming access from the WAN. What little they do with the internet is not going to be hurt by multiple layers of NAT.

In cases like this I've seen people put their dedicated guest router(s) as the first hop off the ISP router, then their trusted router chained off that. That puts the guests outside of your LAN and they can't access your LAN unless you set up inbound port mappings and routing for them. But you may not want to try to run your AX through your AC before hitting the internet, depending what your internet speed is.

You do have a lot of devices but I don't know that you're at the point where you need to have separate subnets. In reality the limitation on these routers is more the AP portion, the number of wireless clients connected, not the number of flows or IPs etc. So having a mesh set up with GW2 or GW3 for your IOT devices may solve your problems since you'll be spreading out the load better (assuming they get balanced amongst 2 or 3 nodes), and a much simpler solution. Basically whatever solution you arrive at you want to try and keep it under 50 wireless devices per AP if possible, the less, the better. Not to say they can't handle more, but it is when you start seeing sporadic issues.

Actually NOT having a mesh, just configuring the AC routers as a couple standalone APs with their own guest SSIDs, gives you ultimate control, you can have 3 different guest networks for the 3 different routers, and tell each IOT device exactly which router to connect to (and even which frequency band), and it can never change.

I'm not positive with AImesh if you can have certain guest SSIDs on certain nodes only, but if so, that would work too, you could have a mesh but still the ability to lock devices to a certain AP.

 

[Ranger802004]

Currently my network is FIOS ONT to my AX86U which has an ethernet backhaul to an AC86U acting as a mesh node. I want to move all of my IOT devices (mostly smart bulbs) to their own network/subnet and keep them off my main network (currently have 100+ devices actively on my network). I would like my main network to be able to access this second one but not vice versa (if possible) but atleast want to offload all of the IOT traffic to their own router (I have a spare AC68U sitting around that I want to use). Is it possible to do this without risking double nat?

Just set up a guest network and make iptables rules for the access you want to allow back and forth. The guest network will also run on your node. It’s essentially another VLAN.