Newb Alert: Want to segment my IoT. Asus AC68U

[Semantical]

Hi all. Needing some advice/help.

Currently I have an Asus AC68U running pretty much stock just fine, but I have a feeling that sticking all my IoT things (hubs etc) on the same network as my file stores, PCs etc is a bad idea.

Having done a bit of reading it sounds like I need to create a segment / VLAN for them. I was thinking that connecting an old Tenda W311R router (via Devolo ethernet over power plugs as I cannot run new ethernet) would give me the ability to just throw everything IoT on this Tenda box. BUT I suspect that will still allow them access to the rest of the LAN.

I can create a "guest network" WSSID on the AC68U, and I found a discussion on how to hard link a physical network port to that guest network allowing Internet access only. However I think what I need is:

IoT > Tenda > (via Devolo) > AC68U > Internet

In this situation is it possible to create a script (?) that will limit the MAC address of the Tenda WAN port onto the AC68U guest network? That way anything on the Tenda will ONLY have Internet access.

Does this make sense, and can anyone suggest if it is even possible / advisable?

 

[FatherLandDescendant]

Not that I have a lot of IOT's, an Alexa, a couple of plugs and a light bulb, plus my phone. But I have pretty much everything hard wired on my network through a switch, including an older Asus router (66u I think). The Asus is hard wired to the switch but has a static IP set at 192.168.2.1 that runs all of my wireless traffic including a neighbors computer since he helps pay for the ISP bill. Everything else is on a network on a 192.168.xxx.1 IP.

Probably not the best of setups but there it is.

 

[degrub]

wrong forum folks.

 

[Semantical]

Hey DeGrub any chance of at least pointing to right forum?

 

[degrub]

Try here
https://www.snbforums.com/forums/general-network-security.16/

Also look at the Howto on vlan setup.
You want to look at the firewall rules and maybe even run a different firmware such as Merlin.