
Setting up IoT networks using 3006 firmware?

XIII

Very Senior Member
If I understand the new 3006 IoT networks correctly:
  • when using the same VLAN as the main network, devices on the main network (PCs, phones, tablets) can see IoT devices (and vice versa)
  • when using a different VLAN than the main network, devices on the main network cannot see IoT devices (and vice versa)
Is there also an easy way to let devices on the main network see IoT devices, but let IoT devices not see devices on the main network?

Or even a layered setup:
  1. Main network (PCs, phones, tablets); can see devices in layers 1, 2, and 3
  2. IoT "orchestrators" (HomeKit hub, Homey, etc.); can see devices in layers 2 and 3
  3. IoT sensors/actuators (smart bulbs, smart plugs, temperature sensors, etc.); can see devices in layer 3 (or not even devices in layer 3)
How to do this using the 3006 firmware?
 
How to do this using the 3006 firmware?

Good question... I set up a custom 2.4 GHz IoT VLAN (3 Wyze cams, 2 on a MoCA 2.5 wired node) and stopped to wait for the next VLAN release.

My non-default custom 2.4 GHz IoT VLAN settings:
WPA2/WPA3-Personal
Access Intranet disabled
DHCP Server enabled (192.168.53.*)
VID 53
AP Isolated enabled
on all nodes

I eventually want to include some node LAN ports but not sure if the VLAN will work across my MoCA uplink(?)

Ping from Windows desktop on LAN to a cam IP address times out, no response.

Wyze app on mobile on main WLAN can access cams on IoT VLAN, but I believe this is by way of the Internet/Wyze cloud.

OE
 
Is there also an easy way to let devices on the main network see IoT devices, but let IoT devices not see devices on the main network?
There are several past discussions on trying to emulate YazFi's one-way-to-guest feature under the 3006 firmware (likely requiring the use of iptables entries), with mixed success:
https://www.snbforums.com/threads/yazfi-lite-with-router-in-ap-mode.75121/page-3#post-948055
Edit to add: Another discussion referencing a firewall-start script file.
Edit to add 2:
Probably something like the following in a firewall-start script file, with the GN/VLAN IP subnet examples 52, 53, 54:
Code:
#!/bin/sh
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.52.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.53.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.54.0/24 -j ACCEPT
Not running the Asus-Merlin 3006 alpha on my RT-AX86U Pro so cannot test. Waiting for the Asus-Merlin beta firmware.
 
Probably something like the following in a firewall-start script file with the GN/VLAN IP subnet examples 52, 53, 54
Thanks.

Might experiment with that some day, but I first want to see whether the current setup (IoT on same VLAN as main network) is finally stable.
 
Have also asked in several posts.

My GT-AC2900 is having issues and I want to replace it, maybe with an AX-88U Pro, if I can get the same “1-way to guest” working, ideally without much script-tinkering.

Otherwise, I may have to jump ship to UniFi or Synology.
 
Hey all, long time lurker, and user of Asus routers for more than a decade.

Rather than open yet another thread, I'll leave my plight here, maybe someone has ideas to try... I've committed some time this weekend to switch from 3004 to 3006 on my GT-AX6000, as I was interested in the VLAN segregation/improved guest functionality, and being more up to date and secure. Well it took me a whole weekend of troubleshooting, let me tell you that...

On 3004, I had everything running smoothly, with the caveat that all of my devices/IoT were on the 2.4 GHz Wi-Fi, and I had to mix/match devices that were internet-blocked/privacy-filtered, devices that were security related, and my own or my family's devices across multiple visible SSIDs.

On 3006, I started with 2.4/5 GHz SmartConnect with WPA2/3 on a single visible SSID to improve the experience, separating Guest on VLAN "2" ("customized network") and setting an IoT network on the "main subnet". I started migrating devices. Guest seems to work well now, with isolated devices that get curated, ad-blocked internet access (kids, work laptops, TVs, etc.). But I am having a lot of trouble with my IoT devices, which no longer appear to be responsive on Matter or with HomeKit, nor do they work in Home Assistant (Matter says network unreachable).

I've tried about a dozen troubleshooting tips, but stopped shy of creating iptables rules, as I've not done this since a CCNA back in '08, haha. Perhaps someone could set up some documentation on best practices for segregating IoT, implementing the necessary changes or scripts to get people's IoT networks working?

Perhaps someone can make a guide or share their success story on how to set up an IoT network that a device on a main Ethernet port can access.

I am at a point where I'm finding it a bit difficult to understand what's not working, but I'll try for a bit, though like the poster above, maybe a UniFi is less of a headache at this point.
 
Perhaps someone can make a guide or share their success story on how to set up an IoT network, that a device from a main ethernet port can access.
There are a number of running discussions on trying to allow access to/from a Guest Network Pro client to/from a main LAN client all with varying degrees of success. In addition to the previously provided links in my post above there are a few more here:

Basically it boils down to this. Guest Network Pro doesn't support the one-way access to Guest Network Pro from the main LAN that one could accomplish using YazFi under the 3004 firmware. YazFi is not supported on 3006 firmware. Further, the Access Intranet option under Guest Network Pro appears to be broken and doesn't work as expected.

When one initially sets up the Guest Network Pro profile, if they set Use same subnet as main network to enable, one may find that their Guest Network Pro Profile clients have full access to the main LAN (Intranet Access).

Otherwise one may have to resort to using a firewall-start script to configure iptables entries to allow communications between main LAN and Guest Network Pro clients. How to do so is discussed in a number of other posts and discussion topics. For example, see my post here for basic steps. However, some (depending on router model) have discovered that, for whatever reason, configuring iptables scripting with Guest Network Pro doesn't work as expected on their router. Some have found that home automation and other programs may require additional configuration; see the mDNS / Bonjour / Multicast discussion link provided previously in this post.

More than a few are finding that Guest Network Pro is essentially beta at this point. It sometimes either doesn't work correctly, or doesn't work as one would expect. Like it or not some things like iptables scripting using a firewall-start file are likely going to require some trial and error to get working and may require some extra knowledge and skill to do so.
 
There are a number of running discussions
I just have to pause here and say this forum is incredibly lucky to have someone of bennor’s calm, measured and always clear and informative approach in their responses, even to often repeated questions (through no fault of the questioner).

Thank you @bennor, you have selflessly helped me and many, many others; very much appreciated.
 
Yeah, I appreciate the common knowledge that was gathered around and we can discuss, speculate and entertain tinkering, so kudos to people sharing!

Moving on with my IoT plight, I'll document in this post my findings.

Notes:
- 192.168.1.1 GT-AX6000 as gateway. One RP-AX58 for AiMesh coverage for a garage camera/sensor.
- I will control devices' internet access with Parental Controls > Time Scheduling, so I don't need to do anything else to restrict them from the internet, this is granular enough for me for when I want to update something, or allow something when configuring.
- I think I also need mDNS/IPv6 traffic to work between VLANs, but first let's try to get the Printer/HomePods/HomeAssistant to talk to each other.

I've now remade the IoT network with the following Guest Network Pro settings:
- 192.168.52.0/24 - IoT VLAN "52" for sensors, security/cameras, lights, power relays and other IoT devices that don't need an internet connection
Code:
2.4 GHz, WPA2/3, 25 Mbit DL/UP limit, no intranet access, hidden SSID, isolated AP, over AiMesh.
- 192.168.53.0/24 - Guest VLAN "53", for TVs, work laptop, kids' devices, guests, basically devices that need an internet connection
Code:
5 GHz, WPA2/3, 100/100 Mbit DL/UP limit, no intranet access, Cloudflare Family DNS, isolated AP, over AiMesh.

I have these use cases:
- Home Assistant/PC on 192.168.1.x has to have access to VLAN 52 to orchestrate/control IoT.
- Printer on 192.168.1.x has to have access to VLAN 53 to print work/guest/kids' files.
- Two HomePods on 192.168.1.x have to have access to VLAN 52 to supplement HomeAssistant for notifications/control when not at home.
- DNS & NTP have to work from VLAN 52 to br0.

Let's get them talking first (https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts).
Let's start with nano /jffs/scripts/firewall-start
Bash:
#!/bin/sh
# 192.168.1.2 PC
# 192.168.1.3 HomeAssistant
# 192.168.1.4 HomePod1
# 192.168.1.5 HomePod2
# 192.168.1.7 Printer
#
# br0 main; br52 IoT; br53 guest
#
iptables -I FORWARD -i br52 -o br0 -p udp --dport 53 -j ACCEPT    # DNS
iptables -I FORWARD -i br52 -o br0 -p udp --dport 123 -j ACCEPT   # NTP
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # Return traffic
#
# Allow br53 to access br0 printer
iptables -I FORWARD -i br53 -o br0 -d 192.168.1.7 -j ACCEPT
# Allow response from br0 printer to br53
# (replies are already passed by the RELATED,ESTABLISHED rule above; this rule additionally lets the printer initiate towards br53)
iptables -I FORWARD -i br0 -o br53 -s 192.168.1.7 -j ACCEPT
#
# Allow specific br0 devices access to br52 devices
iptables -I FORWARD -i br0 -o br52 -s 192.168.1.2 -d 192.168.52.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o br52 -s 192.168.1.3 -d 192.168.52.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o br52 -s 192.168.1.4 -d 192.168.52.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o br52 -s 192.168.1.5 -d 192.168.52.0/24 -j ACCEPT
# Allow return traffic from br52 devices to br0
# (again already covered by RELATED,ESTABLISHED; as written, these rules also let br52 devices open new connections to these four br0 hosts)
iptables -I FORWARD -i br52 -o br0 -s 192.168.52.0/24 -d 192.168.1.2 -j ACCEPT
iptables -I FORWARD -i br52 -o br0 -s 192.168.52.0/24 -d 192.168.1.3 -j ACCEPT
iptables -I FORWARD -i br52 -o br0 -s 192.168.52.0/24 -d 192.168.1.4 -j ACCEPT
iptables -I FORWARD -i br52 -o br0 -s 192.168.52.0/24 -d 192.168.1.5 -j ACCEPT
#
# Allow mDNS traffic between br0 and br52
# (224.0.0.251 is link-local multicast and is not routed between bridges by itself;
#  the avahi reflector configured below is what actually relays mDNS across br0/br52)
iptables -I INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
iptables -I FORWARD -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
iptables -I OUTPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#

Make sure the script is executable: chmod a+rx /jffs/scripts/*
Make sure the firewall is restarted: service restart_firewall
Check that the rules have been added correctly with iptables -S (they appear at the top of the -A FORWARD lines)

I've also created an avahi-daemon.postconf with the following to help mDNS (you also have to chmod a+rx /jffs/scripts/* for this one and run service restart_mdns):
Bash:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "use-ipv6=no" "use-ipv6=yes" "$CONFIG"
pc_append " " "$CONFIG"
pc_append "[reflector]" "$CONFIG"
pc_append "enable-reflector=yes" "$CONFIG"
pc_insert "deny-interfaces=eth0" "allow-interfaces=br0,br52" "$CONFIG"

Solution after restart:
- I was able to add the main printer, by IP, from a Guest device and successfully print.
- I was able to access IoT devices from PC (ping or http://ip, but not DNS set at GNP level) and by HomeAssistant (http://ip or MQTT access worked, with DNS or IP).

Questions & Problems:
- I was able to partially configure IoT devices on br52 to use DNS from br0 when addressing the router on it (router.lan) at least.
- Do I need iptables rules for PING/ICMP, as well as NTP/DNS between VLANs? Is there a better way to allow this "administrative" traffic?
- A device on the IoT VLAN 52 doesn't seem to be able to use 192.168.1.x:123 on br0, or router.lan via its DNS, for NTP; it seems to always time out... Is there anything I can use, like 192.168.52.1 or something else, for VLAN-specific NTP?
- Matter on HomeAssistant still doesn't work (Failed to advertise records: src/inet/UDPEndPointImplSockets.cpp:421: OS Error 0x02000065: Network is unreachable)...
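The firewall-start approaches above (bennor's subnet ACCEPT rules and the per-host script in this post) both insert plain ACCEPT rules; the following is an added example, not code from either poster or from the Asuswrt-Merlin project, that shows how to express the same one-way policy without the mirror rules that let the lower network initiate connections. Bridge names and subnets are assumed from this thread (br0 main LAN with the printer at 192.168.1.7, br52 IoT, br53 guest); calling one_way once per layer pair generalizes to the three-layer scheme asked about at the top of the thread.

```shell
#!/bin/sh
# Added example, not the forum author's script: a one-way inter-VLAN policy for
# an Asuswrt-Merlin /jffs/scripts/firewall-start. Bridge names and subnets are
# assumed from the thread: br0 main LAN (printer 192.168.1.7), br52 IoT, br53 guest.
IPT="${IPT:-iptables}"
CHAIN="IOT_ONEWAY"

# one_way SRC_IF DST_IF [DST_IP]: let SRC_IF open new connections towards DST_IF
# (optionally to one host only). Replies return via the ESTABLISHED rule, so no
# mirror rule is needed; a mirror rule would let the lower layer initiate too.
one_way() {
    echo "$IPT -A $CHAIN -i $1 -o $2 -m conntrack --ctstate NEW${3:+ -d $3} -j ACCEPT"
}

# emit_rules prints the commands in evaluation order instead of running them,
# so the policy can be reviewed or tested without root or a router.
emit_rules() {
    # A dedicated chain makes ordering explicit: -A appends inside it in the
    # order written here, and one -I puts the whole chain at the top of FORWARD.
    echo "$IPT -N $CHAIN 2>/dev/null"
    echo "$IPT -F $CHAIN"
    echo "$IPT -A $CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    one_way br0 br52              # main LAN manages IoT
    one_way br0 br53              # main LAN can reach guest devices
    one_way br53 br0 192.168.1.7  # guest may print, nothing else on main LAN
    # Everything else crossing between these bridges is dropped: IoT and guest
    # cannot initiate towards the main LAN or towards each other.
    for a in br0 br52 br53; do
        for b in br0 br52 br53; do
            if [ "$a" != "$b" ]; then echo "$IPT -A $CHAIN -i $a -o $b -j DROP"; fi
        done
    done
    # Hook the chain into FORWARD once; -C makes re-runs idempotent.
    echo "$IPT -C FORWARD -j $CHAIN 2>/dev/null || $IPT -I FORWARD -j $CHAIN"
}

# count_rules TARGET: number of emitted rules ending in the given target.
count_rules() { emit_rules | grep -c -- "-j $1\$"; }

# Apply only when installed as firewall-start; sourcing the file elsewhere just
# defines the functions. Packets addressed to the router itself (its DNS/NTP on
# the br52 gateway address) are decided by INPUT, not by this FORWARD chain.
case "$0" in
    firewall-start|*/firewall-start) emit_rules | sh ;;
esac
```

Running `emit_rules` on a workstation prints the exact rule set for review before it is copied to the router.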
 