Isolating specific IoT wired device

GSpock

Senior Member
Hi all,
I am looking for an easy way to isolate a specific IoT device (a Somfy Tahoma box) that has no wireless capabilities, hence being connected to a LAN port on the router. It has a specific DHCP reservation, it needs to access the internet, and I would like to make sure that this box cannot access any other LAN devices. BTW I could not find a way to connect to this box other than using the Android app provided.

Would this be possible with some iptables commands? (I had a look at iptables -h, and I must say it will take me some time to understand how all this is working).

thanks,
GS
 

eibgrad

Part of the Furniture
Using strictly the Merlin GUI, you can't create a separate, wired-only IP network for IOT. It simply doesn't support it. In my own case, I use FT (FreshTomato) since it does. And it's relatively simple to configure. But w/ Merlin, you'd either have to use one of the AddOn scripts, or perhaps some other third-party solution.


The other option is to use a second physical router (perhaps an old and otherwise retired unit) and daisy-chain it behind your primary router, LAN to WAN respectively. But it's important that that router allows you to add firewall rules to prevent the IOT network from gaining access to any resources (other than the internet) on the upstream, private network.
 

GSpock

Senior Member
Thanks for your answer. I want to stick to Merlin, of course. Thanks for the link, this seems quite complex to/for me. And for the last option, I do not have any additional router available.
Rgds,
GS
 

eibgrad

Part of the Furniture
Thanks for the link, this seems quite complex to/for me.

I understand. But that's the price of NOT having the feature in the GUI. Things now get complex. That's why I usually suggest a second router, at least if one is available. It makes for a much easier and more understandable solution for most users.
 

GSpock

Senior Member
... I was hoping some iptables rules would do the trick, since the device has a DHCP reservation hence always gets the same IP address ... In addition, the device in question is not directly connected to the router, but via a switch. I did not mention this initially because I thought it was a detail.
 

Jack Yaz

Part of the Furniture
I'm considering adding LAN port separation to YazFi. The trouble is I need to build up knowledge of port to interface mappings for each model, e.g. eth1 is LAN 4, eth2 is LAN 3 and so on for 86U.
I'm undecided if I'll make the move to creating bridges rather than interfaces in isolation, to allow sharing of WiFi guest networks and LAN ports.
 

GSpock

Senior Member
I'm considering adding LAN port separation to YazFi. The trouble is I need to build up knowledge of port to interface mappings for each model, e.g. eth1 is LAN 4, eth2 is LAN 3 and so on for 86U.
I'm undecided if I'll make the move to creating bridges rather than interfaces in isolation, to allow sharing of WiFi guest networks and LAN ports.

Thanks, if the device had some wifi for sure I would have used YazFi ... :cool:
 

eibgrad

Part of the Furniture
... I was hoping some iptables rules would do the trick, since the device has a DHCP reservation hence always gets the same IP address ... In addition, the device in question is not directly connected to the router, but via a switch. I did not mention this initially because I thought it was a detail.

iptables is only for the purposes of firewall'ing one IP network from another. But in order for that to be effective, you first have to have the IOT devices on another IP network! And that's the problem w/ Merlin. There is no way to create a second wired IP network using the GUI. You need to do it using scripting. THEN you can use iptables to create the isolation between the IOT and private IP networks. Using a second router (if available) greatly simplifies the creation of that wired IOT network.
 

eibgrad

Part of the Furniture
I'm considering adding LAN port separation to YazFi. The trouble is I need to build up knowledge of port to interface mappings for each model, e.g. eth1 is LAN 4, eth2 is LAN 3 and so on for 86U.
I'm undecided if I'll make the move to creating bridges rather than interfaces in isolation, to allow sharing of WiFi guest networks and LAN ports.

I certainly appreciate the effort. We'll all take what we can get. But let's be honest. This stuff really belongs in the GUI. I can't tell you how many times I've offered scripting solutions to users only to have their virtual eyes roll over when they see the complexity, the sausage being made. It just plain turns them off, even if it works. But I understand Merlin's position; it's NOT his intent to support it. But I just get concerned when there are *so* many third-party scripts that we need an AddOn subforum! IMO, it's just not a good sign when so many important features remain outside the scope of the GUI. I'm frankly amazed there are so few conflicts among all these scripting options, combined w/ the less formal, private scripting of end-users.
 

coco

New Around Here
Hello, just created an account to voice my support of this functionality. I also have a handful of IOT devices that are not wifi capable that reside on my primary LAN instead of the 'guest' IOT network. @Jack Yaz do you think there is a light at the end of the tunnel for this type of LAN ethernet port segmentation within YazFi? If not, I may have to take a stab at the manual method described above when I have enough time to break something. :)
 

Tech9

Part of the Furniture
I also have a handful of IOT devices that are not wifi capable that reside on my primary LAN instead of the 'guest' IOT network.

Move them all to a Wireless Bridge (Media Bridge) and connect it to your Guest Network.
 

CaptainSTX

Part of the Furniture
A better option than a Wireless Bridge is just to spend US$30 and add a smart switch to your network. Smart switches let you set up VLANs through using the GUI.
 

Jack Yaz

Part of the Furniture
Hello, just created an account to voice my support of this functionality. I also have a handful of IOT devices that are not wifi capable that reside on my primary LAN instead of the 'guest' IOT network. @Jack Yaz do you think there is a light at the end of the tunnel for this type of LAN ethernet port segmentation within YazFi? If not, I may have to take a stab at the manual method described above when I have enough time to break something. :)
Re-writing YazFi to use bridges (and thus include LAN ports) is on the to-do. It's not a small bit of work though, so I have no ETA.
 

Markster

Senior Member
Hello, just created an account to voice my support of this functionality. I also have a handful of IOT devices that are not wifi capable that reside on my primary LAN instead of the 'guest' IOT network. @Jack Yaz do you think there is a light at the end of the tunnel for this type of LAN ethernet port segmentation within YazFi? If not, I may have to take a stab at the manual method described above when I have enough time to break something. :)
Check this https://www.snbforums.com/threads/lan-port-isolation.70989/
It is very easy to create LAN port bridge and isolate it from the rest of the network. It works better than VLAN since most of the Asus routers do not support VLAN.

I have my NAS with Plex isolated on a separate LAN segment using this method.
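As an added example, not from the thread or from any of its posters: the iptables half of what eibgrad describes, applied once a second wired network like the LAN port bridge Markster refers to exists. It assumes a hypothetical IoT bridge br1, the private LAN on br0, WAN on eth0, and placement in Merlin's /jffs/scripts/firewall-start; creating br1 itself (moving a LAN port into it, running DHCP on it) is a separate step not shown.

```shell
#!/bin/sh
# Constructed example for Asus-Merlin's /jffs/scripts/firewall-start hook (assumed placement).
# IoT gear sits on a hypothetical second bridge br1; the private LAN is br0; WAN is eth0.
IOT_IF="${IOT_IF:-br1}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-eth0}"
FWD_CHAIN="IOT_FWD"
IN_CHAIN="IOT_IN"

# Print the iptables commands, one per line, so they can be reviewed before being applied.
iot_isolation_rules() {
    # FORWARD: packets routed between interfaces. IoT may reach the internet and may answer
    # connections the private LAN opened, but may not start anything toward br0 (or anywhere
    # else that is not the WAN: VPN tunnels, other bridges).
    echo "iptables -N $FWD_CHAIN 2>/dev/null"
    echo "iptables -F $FWD_CHAIN"
    echo "iptables -A $FWD_CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A $FWD_CHAIN -i $IOT_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -A $FWD_CHAIN -i $IOT_IF -j DROP"
    # INPUT: IoT talking to the router itself. Only DHCP and DNS; no web GUI, no SSH.
    echo "iptables -N $IN_CHAIN 2>/dev/null"
    echo "iptables -F $IN_CHAIN"
    echo "iptables -A $IN_CHAIN -p udp --dport 67 -j ACCEPT"
    echo "iptables -A $IN_CHAIN -p udp --dport 53 -j ACCEPT"
    echo "iptables -A $IN_CHAIN -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A $IN_CHAIN -j DROP"
    # Hook the chains in; delete first so re-running the script does not stack duplicates.
    echo "iptables -D FORWARD -i $IOT_IF -j $FWD_CHAIN 2>/dev/null"
    echo "iptables -I FORWARD -i $IOT_IF -j $FWD_CHAIN"
    echo "iptables -D INPUT -i $IOT_IF -j $IN_CHAIN 2>/dev/null"
    echo "iptables -I INPUT -i $IOT_IF -j $IN_CHAIN"
}

# Self-check on the generated rules: the catch-all drop for br1 must come after the
# ESTABLISHED,RELATED accept, or sessions the private LAN opens toward IoT devices would break.
rules_are_ordered() {
    iot_isolation_rules | awk -v iot="$IOT_IF" '
        /ESTABLISHED,RELATED/           { est = NR }
        $0 ~ ("-i " iot " -j DROP")     { drop = NR }
        END { exit !(est > 0 && drop > est) }'
}

if [ "${1:-}" = "apply" ]; then
    iot_isolation_rules | sh      # run on the router as root
else
    iot_isolation_rules           # dry run: just show what would be applied
fi
```

Devices on the same br0 segment as the Tahoma box (the switch case in the thread) are not covered by these rules at all, since that traffic never passes through the router; the box has to be on its own bridge first.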
 

coco

New Around Here
Wow, thanks everyone for your responses. I have an old Linksys E2500 that is flashed with DD-WRT. I set it to repeater bridge mode this afternoon and after a few tries, I got it to work! For some reason I couldn't get it to cooperate with the 5GHz IOT-guest network, but I reconfigured it for 2.4GHz and it worked with no issues.

A few downsides to this approach:
1) My throughput on the wired IOT devices is definitely lower, quick speedtests show anywhere from 25-50% throughput reduction - although my garage door and light switches likely won't mind. This could be mitigated somewhat by moving the bridge into the same room, but then I would need to convince my wife why we need another black box in the family room. :)

2) Reduced visibility to my IOT network. When I list devices in YazFi over SSH, I only see the MAC address of my router-bridge and I can't see any of the devices connected to it. Someone here smarter than I may be able to find out a way around this.

3) It's another box to leave plugged in. My killawatt estimates it will cost me $3.28 to run all year (the horror :eek:). I would much rather tip Jack Yaz a few years before paying my electric company. ;)

I'll maybe take a look at @Markster's approach next week. I'm definitely interested in streamlining the setup. Thanks again for the help.
 

sarmenator

Occasional Visitor
On my ax86u due to lack of robocfg I went with a 2nd bridge approach.
Mostly borrowed from here. I can provide my scripts if needed.

 

L&LD

Part of the Furniture
Yes, please share.
 

slidermike

Regular Contributor
Please and for searchability it would make sense (to me) to create a dedicated thread to the LAN port isolation process.
 
