firewall / iptables with an IoT network


fbicknel

Occasional Visitor
I set up a separate router for my IoT devices. It runs on the 192.168.8.0 network and my main network is 192.168.2.0.

I'm trying to firewall it off from my main network, but apparently no luck.

I tried the blacklisting in the firewall section of the main router, but that did nothing. Here's how I tried it:
[screenshot attachment: 2021-01-12 1148 Screenshot.png]


I also enabled the firewall in the General tab.


Since this did nothing, I tried reverting to iptables. I used this:
Code:
iptables -I FORWARD -s 192.168.8.0/24 -d 192.168.2.0/24 -j DROP

This produced this in the table:

Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  192.168.8.0/24       192.168.2.0/24
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
other2wan  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       192.168.8.0/24
logdrop    all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
SECURITY   all  --  0.0.0.0/0            0.0.0.0/0
NSFW       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT
OVPN       all  --  0.0.0.0/0            0.0.0.0/0            state NEW
logdrop    all  --  0.0.0.0/0            0.0.0.0/0

How should I be doing this? Any suggestions as to what I'm doing wrong would be helpful.

Complete output from iptables -L -n is here.


---

I would eventually like to start a guest network on my IDIoT router. The guest can have access to the internet (and presumably my IoT). But with the firewall there, they'll not be able to access my main network. I tried this out starting a guest network on the main network, but that Internet access went through my VPN (configured on the main network) and I want guests to not have to deal with VPN-hating services like Hulu and their ilk. That's why I decided to go with the IDIoT network above. It's not using the VPN, since many of my IoT things are VPN-snobs like Hulu and the likes of them.
 

eibgrad

Very Senior Member
Please always use the -vnL arguments when dumping iptables. As you specified the options (without the verbose (-v) option), we can't tell if those rules are getting hit!

I *assume* you connected this IOT router w/ its WAN to a LAN port on the primary router, correct? It's the IOT router that needs the firewall rules!

When using the Network Services Filter of the GUI, I assume you would have to specify the network too (e.g., /24), and NOT just leave it as 192.168.8.0 or 192.168.2.0. IOW, 192.168.8.0/24 and 192.168.2.0/24.
 

Mutzli

Very Senior Member
Did you look into Skynet and its option of blocking IoT devices?
 

Jeffrey Young

Very Senior Member
Have you given any thought about creating a guest network on your main router and put your IoT devices on the guest? You can also look at YzFi addon to further enhance the guest network (including isolation).
 

fbicknel

Occasional Visitor
Please always use the -vnL arguments when dumping iptables. As you specified the options (without the verbose (-v) option), we can't tell if those rules are getting hit!

I *assume* you connected this IOT router w/ its WAN to a LAN port on the primary router, correct? It's the IOT router that needs the firewall rules!

When using the Network Services Filter of the GUI, I assume you would have to specify the network too (e.g., /24), and NOT just leave it as 192.168.8.0 or 192.168.2.0. IOW, 192.168.8.0/24 and 192.168.2.0/24.
OK, thanks. Yes, the IoT router WAN is plugged into a LAN port on the primary (actually a LAN port on the AiMesh remote, but it works). Where to put the rules might make a difference, eh? I think I tried CIDR notation and it barked back at me, but I'll give it another go. Might have been some other place I tried that.

So... if you put rules on the router you're trying to keep OFF your network, that seemed like the wrong place to put them (what if someone pwned your IoT router?). You're trying to protect the main network, so that's where I thought they belonged. I will most definitely try your suggestion, though. Thanks.
 

fbicknel

Occasional Visitor
Have you given any thought about creating a guest network on your main router and put your IoT devices on the guest? You can also look at YzFi addon to further enhance the guest network (including isolation).
I tried that, but the VPN problem remains: the guest network still uses the VPN and I don't want that since some IoT things are VPN-averse. That's also why I wanted the guest network on the IoT network: sometimes guests like to watch Hulu or what have you and those lot most certainly are VPN haters.

I'll look into YzFi: never heard of it.
 

ColinTaylor

Part of the Furniture
So... if you put rules on the router you're trying to keep OFF your network, that seemed like the wrong place to put them (what if someone pwned your IoT router?) You're trying to protect the main network, so that's where I thought they belonged.
The rules have to go on the IoT router because that's where the firewall is between the two devices. Remember that the IoT router is connected directly to the LAN switch of the upstream router.

I think I tried CIDR notation and it barked back at me, but I'll give it another go. Might have been some other place I tried that.
You should leave the source IP field blank and specify the upstream network as the destination. Depending on the firmware version the syntax is either 192.168.2.0/24 or 192.168.2.*
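Putting eibgrad's and ColinTaylor's advice together (rules on the IoT router, no source filter, the upstream network as the destination, and `-vnL` so the counters show whether a rule is actually matched), here is an added example that is not from this thread or from the router firmware. It assumes Asuswrt-Merlin-style interface names (br0 for the IoT router's LAN bridge, eth0 for its WAN port cabled to the main router's LAN), only prints the iptables commands instead of running them, and reads a constructed `iptables -vnL FORWARD` dump to pull out the DROP rule's packet counter.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: br0 is the IoT router's
# LAN bridge, eth0 its WAN port (cabled to a LAN port of the main router).
UPSTREAM_NET="192.168.2.0/24"   # the main network to keep IoT devices out of
IOT_LAN_IF="br0"
IOT_WAN_IF="eth0"

# Print (not run) the two rules for the IoT router's FORWARD chain. Both are
# inserted at position 1, so the second command ends up on top: replies to
# connections the main network opened toward IoT devices are still allowed,
# and anything else from the IoT LAN toward the main network is dropped
# before the firmware's generic ACCEPT rules see it. No -s filter, so every
# IoT (or guest) client on br0 is covered.
iot_forward_rules() {
    cat <<EOF
iptables -I FORWARD 1 -i $IOT_LAN_IF -o $IOT_WAN_IF -d $UPSTREAM_NET -j DROP
iptables -I FORWARD 1 -i $IOT_LAN_IF -o $IOT_WAN_IF -d $UPSTREAM_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read an `iptables -vnL FORWARD` dump on stdin and print the packet counter
# of the first DROP rule whose destination is the upstream network ("none"
# if there is no such rule). With -v the columns are:
#   pkts bytes target prot opt in out source destination [extra]
# A counter that stays at 0 while an IoT device keeps trying to reach the
# main LAN means the packets never traverse this chain, which is what
# happened with the rule placed on the main router earlier in the thread.
drop_rule_hits() {
    awk -v net="$UPSTREAM_NET" '
        $3 == "DROP" && $9 == net { print $1; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Constructed sample dump, in the layout iptables -vnL prints.
SAMPLE_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  312 28416 ACCEPT     all  --  br0    eth0    0.0.0.0/0            192.168.2.0/24       state RELATED,ESTABLISHED
   47  2820 DROP       all  --  br0    eth0    0.0.0.0/0            192.168.2.0/24
 9821 1204K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID'

echo "# rules to run on the IoT router:"
iot_forward_rules
echo "# packets dropped so far by the IoT -> main-LAN rule:"
printf '%s\n' "$SAMPLE_DUMP" | drop_rule_hits
```

Pipe the real dump in with `iptables -vnL FORWARD | drop_rule_hits` on the IoT router after generating some traffic from an IoT client toward the main LAN; a rising count confirms the rule sits on the path the packets actually take. On Asuswrt-Merlin the persistent place for commands like these is the /jffs/scripts/firewall-start user script, since rules added by hand are lost when the firewall restarts.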
 

CaptainSTX

Part of the Furniture
In the spirit of keeping it simple I use a two router double NATed setup.

The Internet facing router is the router where I connect my IoT devices and guest networks. All IoT devices connect to either a 5 GHz or 2.4 GHz guest network and the GUI restriction is set preventing access to the Intranet so the wired devices are isolated from each other. Hardwired IoT devices connected to this router are also unable to access my more secure second router. I use policy based routing so some IoT devices are routed using the VPN tunnel, others the WAN.

A LAN port on the first router is connected to the WAN port on the second double NATed router. Again using the GUI, access from the WAN port to the router's admin functions is blocked. From the second router I can access the first router and administer devices on it. Each router is in its own subnet. I run another VPN client on the second router.

Simple setup with no scripts or iptables required and the isolation is effective. Both the first and second routers have gig ports so no measurable reduction in speeds or increase in latency running in a double NAT setup. A double NAT will make running a server on the second router more difficult but not impossible.
 

eibgrad

Very Senior Member
So... if you put rules on the router you're trying to keep OFF your network, that seemed like the wrong place to put them (what if someone pwned your IoT router?) You're trying to protect the main network, so that's where I thought they belonged.

I understand your thinking. But that's *always* a possibility once your router is managing different types of users and you want/need to segregate them. Do you do so logically or physically? You can make a case for either one depending on what you trust.

In most instances, third-party firmware allows you to minimally create a guest network that shares the same physical router. So in that sense, this risk always exists. In the case of my own FreshTomato router (like Merlin, a tomato variant), I have the option to create all kinds of additional networks (including IOT) and isolate them via the firewall. And for my purposes, I'm willing to trust the use of the firewall to keep them isolated even though they share the same physical devices. But there is something to be said for keeping users isolated *physically* on separate routers, esp. when the router is doing a lot more than just routing (VPNs, proxies, etc.). IOW, the fact the router is also an applications platform *does* create a bit more risk should any of those processes be compromised.

For those that have such concerns, then yes, keep different types of users on different physical routers. But then you also have to change the way you physically arrange those routers! For example, perhaps place the IOT router *ahead* of the private network's router so the latter's firewall on the WAN never allows access to that router. Of course, it would then be prudent to run a VPN between the private network and internet to prevent IOT devices from snooping the private traffic as it traverses the IOT network. Or perhaps use *three* routers, so that the private and IOT routers can share a common router connected to the internet.

IOW, you have a valid point, but how far are you willing to take it? The above will *definitely* be a more secure solution because it adds *physical* separation, NOT just logical separation. But most ppl would consider it overkill, or at least something they'd rather avoid. But if you really want the most secure setup, using something like three routers is a valid consideration.
 

fbicknel

Occasional Visitor
...

IOW, you have a valid point, but how far are you willing to take it? The above will *definitely* be a more secure solution because it adds *physical* separation, NOT just logical separation. ...
Well, I have three routers: AC1900P, RT-AC68U, and RT-N66U. I will try your & @CaptainSTX's suggestions.

I did make a discovery in my foibles.

The N66U, configured on a different network, can be plugged into either the primary router or the AiMesh remote. In both cases, I have access to the Internet when there are no firewall rules set up. But the aforementioned rules applied? I get no access to anything when plugged into the primary router. But I still have full access to the Internet (and, alas, the primary network) from the AiMesh router. That was confusing me.

But I will try the suggestions made here. Something I'm sure will work.
 

fbicknel

Occasional Visitor
I read more about YazFi and it looked to be just what I needed to add functionality to the guest networks. Simplified the entire operation. I was even able to continue to use the AiMesh to extend the network upstairs AND the switch ports on the remote router are on the primary network, just like I had hoped, so Kodi could plug in there.

I hardwired the two routers together and the bandwidth is great.

I set up a guest network for the occasional guest that needs NOVPN access, one hidden one for IoT (also NOVPN), and one more 5GHz VPN network with the legacy SSID just so some existing connections wouldn't fail.

Only two routers needed.... seems like the perfect solution.

Thanks to all for the suggestions and help. I learned a lot these past couple of days.
 
