What's new

VLAN Setup for IoT Devices

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

scrypt

New Around Here
Hello,

Newbie here, I am trying to setup a basic home network separating IoT devices and my personal devices.
I have a Asus RT-AC68U in Router mode running Merlin firmware 386.10 sitting behind my ISP router as the WAN.

I want IoT devices(both wired and wireless) to be on a separate VLAN with no internet access but still be reachable by other(personal) devices on a separate VLAN to setup/maintain IoT devices.

To this end, I setup 2 Guest Networks on the router - 2GHz and 5GHz. This created two VLANs 501 and 502 for me, I added ethernet port 4 to these VLANs so I can use port 4 with a switch for all LAN IoT devices.

Here’s the services-start script for that,

Code:
#!/bin/sh
logger "!!!!!start services start script!!!!!!!!"

robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 501 ports "4 5t"
robocfg vlan 502 ports "4 5t"

logger "!!!!!done service start script!!!!!"
logger "$(robocfg show | grep -v Port| grep -v Switch)"


Everything works fine, vlan setup is correct.
Now I setup the firewall to block all internet traffic going out of subnet 192.168.101.0/24 and 192.168.102.0/24 using firewall-start script,
Note 192.168.101.* and 192.168.102.* subnets are created by Asus for guest networks.

Code:
#!/bin/sh
logger "!!!!!!start firewall-start script!!!!!!!"
iptables -I FORWARD -m iprange --src-range 192.168.101.0-192.168.101.255 -j REJECT
iptables -I FORWARD -m iprange --src-range 192.168.102.0-192.168.102.255 -j REJECT
logger "!!!!!!done firewall-start script!!!!!!!"

logger "$(iptables -L FORWARD)"

This works well, none of the wifi/lan devices on VLAN501/502 can access internet.


Now I need help in accessing these IoT devices from other devices on VLAN1, I am not able to ping them with their IPs.
Enabling allow intranet access on guest network through UI doesn’t work, it removes VLAN501/502 when enabled.

Can anyone please help me with this? Also I am new to networking so your feedback on my setup is welcome, note that I am trying to keep my setup as simple as I can.
Thanks.
 
Hello,

Newbie here, I am trying to setup a basic home network separating IoT devices and my personal devices.
I have a Asus RT-AC68U in Router mode running Merlin firmware 386.10 sitting behind my ISP router as the WAN.

I want IoT devices(both wired and wireless) to be on a separate VLAN with no internet access but still be reachable by other(personal) devices on a separate VLAN to setup/maintain IoT devices.

To this end, I setup 2 Guest Networks on the router - 2GHz and 5GHz. This created two VLANs 501 and 502 for me, I added ethernet port 4 to these VLANs so I can use port 4 with a switch for all LAN IoT devices.

Here’s the services-start script for that,

Code:
#!/bin/sh
logger "!!!!!start services start script!!!!!!!!"

robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 501 ports "4 5t"
robocfg vlan 502 ports "4 5t"

logger "!!!!!done service start script!!!!!"
logger "$(robocfg show | grep -v Port| grep -v Switch)"


Everything works fine, vlan setup is correct.
Now I setup the firewall to block all internet traffic going out of subnet 192.168.101.0/24 and 192.168.102.0/24 using firewall-start script,
Note 192.168.101.* and 192.168.102.* subnets are created by Asus for guest networks.

Code:
#!/bin/sh
logger "!!!!!!start firewall-start script!!!!!!!"
iptables -I FORWARD -m iprange --src-range 192.168.101.0-192.168.101.255 -j REJECT
iptables -I FORWARD -m iprange --src-range 192.168.102.0-192.168.102.255 -j REJECT
logger "!!!!!!done firewall-start script!!!!!!!"

logger "$(iptables -L FORWARD)"

This works well, none of the wifi/lan devices on VLAN501/502 can access internet.


Now I need help in accessing these IoT devices from other devices on VLAN1, I am not able to ping them with their IPs.
Enabling allow intranet access on guest network through UI doesn’t work, it removes VLAN501/502 when enabled.

Can anyone please help me with this? Also I am new to networking so your feedback on my setup is welcome, note that I am trying to keep my setup as simple as I can.
Thanks.

One thing you should fix, you shouldn't have two untagged vlans on the same port (port 4). Going to cause you issues. Just use one or the other for the wired devices, I'm using 502 but it doesn't matter, whatever you prefer.

Why are you wanting to block IOT devices from getting to the internet, isn't that what the "I" is for?

Anyway, Your firewall rules are blocking the response traffic. By default, you actually can access those subnets from VLAN 1, but you've added a rule to block all traffic from those devices, including replies to traffic from VLAN 1. So you'll need rules prior to those to permit traffic to VLAN1.
 
One thing you should fix, you shouldn't have two untagged vlans on the same port (port 4). Going to cause you issues. Just use one or the other for the wired devices, I'm using 502 but it doesn't matter, whatever you prefer.

Why are you wanting to block IOT devices from getting to the internet, isn't that what the "I" is for?

Anyway, Your firewall rules are blocking the response traffic. By default, you actually can access those subnets from VLAN 1, but you've added a rule to block all traffic from those devices, including replies to traffic from VLAN 1. So you'll need rules prior to those to permit traffic to VLAN1.
1. So, I will add port 4 to 502 or 501 only that should fix that. I still need to learn about tagged/untagged vlans.
2. My IoT devices are mostly IP cameras, I don't want them to ping their manufacturer etc. or be reachable by anyone on the internet.
I want them as pure LAN devices reachable on my network. I will setup a VPN server on the router to reach my devices over internet.
3. Could you help me with the firewall rules? Or point me to a post/blog that explains it? Thanks.

Also, another issue both my start scripts are not getting executed on startup(JFFS scripting is enabled in the router), I added sleep after shebang line didn't work either. They are both have execution rights chmod a+rx. Any ideas?
 
1. So, I will add port 4 to 502 or 501 only that should fix that. I still need to learn about tagged/untagged vlans.
Correct, you can leave the other one at default (which will have it tagged on that port and won't hurt anything). If you don't plan to use aimesh, for the one you don't use, just set the ports to "5t" so it isn't on any port, tagged or untagged. Cleaner that way
2. My IoT devices are mostly IP cameras, I don't want them to ping their manufacturer etc. or be reachable by anyone on the internet.
I want them as pure LAN devices reachable on my network. I will setup a VPN server on the router to reach my devices over internet.
Gotcha. As long as your VPN client receives an IP from the VLAN 1 range (or you have a PC on VLAN 1 that you connect to to manage the devices) should work.
3. Could you help me with the firewall rules? Or point me to a post/blog that explains it? Thanks.
I'm not an iptables guru but there is tons of info out there, you can probably specify an accept for vlan1 (since it is an interface) or keep it simple and have similar rules just above the ones you've added, but add a source IP range for VLAN 1 and "accept".
Also, another issue both my start scripts are not getting executed on startup(JFFS scripting is enabled in the router), I added sleep after shebang line didn't work either. They are both have execution rights chmod a+rx. Any ideas?

I use services-start on 68U variant and it works fine. Maybe remove those logger commands, they could be interfering. The scripts are located in /jffs/scripts right?
 
Thanks @drinkingbird

I got the firewall setup to work! Now devices in VLAN1 can ping VLAN501/502 devices and viceversa. And internet access to VLAN501/502 is cut off, perfect!

Code:
#!/bin/sh

sleep 5

#logger "!!!!!!start firewall-start script!!!!!!!"

iptables -I FORWARD -m iprange --src-range 192.168.101.0-192.168.101.255 -j REJECT
iptables -I FORWARD -m iprange --src-range 192.168.102.0-192.168.102.255 -j REJECT
iptables -I FORWARD -m iprange --src-range 192.168.101.0-192.168.101.255 -m iprange --dst-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -I FORWARD -m iprange --src-range 192.168.102.0-192.168.102.255 -m iprange --dst-range 192.168.1.0-192.168.1.255 -j ACCEPT
#logger "!!!!!!done firewall-start script!!!!!!!"

#logger "$(iptables -L FORWARD)"

But no luck with firewall-start and services-start scripts, they are in jffs/scripts and chmod a+rx set but still don't run on start up :(
 
Thanks @drinkingbird

I got the firewall setup to work! Now devices in VLAN1 can ping VLAN501/502 devices and viceversa. And internet access to VLAN501/502 is cut off, perfect!

Code:
#!/bin/sh

sleep 5

#logger "!!!!!!start firewall-start script!!!!!!!"

iptables -I FORWARD -m iprange --src-range 192.168.101.0-192.168.101.255 -j REJECT
iptables -I FORWARD -m iprange --src-range 192.168.102.0-192.168.102.255 -j REJECT
iptables -I FORWARD -m iprange --src-range 192.168.101.0-192.168.101.255 -m iprange --dst-range 192.168.1.0-192.168.1.255 -j ACCEPT
iptables -I FORWARD -m iprange --src-range 192.168.102.0-192.168.102.255 -m iprange --dst-range 192.168.1.0-192.168.1.255 -j ACCEPT
#logger "!!!!!!done firewall-start script!!!!!!!"

#logger "$(iptables -L FORWARD)"

But no luck with firewall-start and services-start scripts, they are in jffs/scripts and chmod a+rx set but still don't run on start up :(

Try doing chmod a+rx /jffs/scripts/* to make sure everything in there is correct.

Also remove any blank lines or put a # on them - don't know if that matters anymore, used to be an issue in unix I think.

If you created it on a computer then transferred it, sometimes that can cause issues. If you are familiar with VI, just create it from scratch via SSH. You can use Nano too, that one is a bit more intuitive.

For VI
delete your current script
vi services-start
press "i"
paste in your script (copied from a raw text editor to make sure no non-standard characters get sent over)
press ESC
type :wq and hit enter

same as above but for firewall-start

then do the chmod a+rx /jffs/scripts/* again

You should not need to sleep the vlan script. Not sure about the firewall but don't think so there either.

You might be able to do them both under the firewall script. Don't think it matters if the VLANs don't exist before the firewall starts but I guess keeping them separate doesn't hurt anything either.

If all else fails, format jffs. Obviously save anything you want off it.
 
Try doing chmod a+rx /jffs/scripts/* to make sure everything in there is correct.

Also remove any blank lines or put a # on them - don't know if that matters anymore, used to be an issue in unix I think.

If you created it on a computer then transferred it, sometimes that can cause issues. If you are familiar with VI, just create it from scratch via SSH. You can use Nano too, that one is a bit more intuitive.

For VI
delete your current script
vi services-start
press "i"
paste in your script (copied from a raw text editor to make sure no non-standard characters get sent over)
press ESC
type :wq and hit enter

same as above but for firewall-start

then do the chmod a+rx /jffs/scripts/* again

You should not need to sleep the vlan script. Not sure about the firewall but don't think so there either.

You might be able to do them both under the firewall script. Don't think it matters if the VLANs don't exist before the firewall starts but I guess keeping them separate doesn't hurt anything either.

If all else fails, format jffs. Obviously save anything you want off it.
Ok I reformatted the jffs partition and wrote the scripts again using vi, I had been using vi anyway so no change there, but now the scripts work! And the logger works too so I can see my log msgs in system log.

I have one more issue to tackle now, the services-start script setups the LAN port 4 to be part of the guest network but the device connected to it doesn't get the new IP until I unplug/replug it again. It behaves like a guest n/w device i.e., doesn't have internet access but just doesn't get the new IP from 192.168.102. subnet, it still has 192.168.1. subnet IP. And the device doesn't show up in router UI.
The IP gets resolved/assigned correctly on unplug/replug. Any thoughts on that?
I added killall eapd and eapd lines to my script thinking that might help but no difference.

Code:
#!/bin/sh
sleep 5
logger "!!!!!start services start script!!!!!!!!"
robocfg vlan 1 ports "1 2 3 5t"
#robocfg vlan 501 ports "4 5t"
robocfg vlan 502 ports "4 5t"
killall eapd
eapd
logger "!!!!!done service start script!!!!!"
logger "$(robocfg show | grep -v Port| grep -v Switch)"
 
Hello,

Newbie here, I am trying to setup a basic home network separating IoT devices and my personal devices.
I have a Asus RT-AC68U in Router mode running Merlin firmware 386.10 sitting behind my ISP router as the WAN.
Rather than messing around trying to write your own scripting, have you considered using the YazFi add-on script?

https://github.com/jackyaz/YazFi
https://www.snbforums.com/threads/yazfi-v4-x-continued.83846/

One downside to YazFi is it currently doesn't work on AiMesh nodes.
 
Rather than messing around trying to write your own scripting, have you considered using the YazFi add-on script?

https://github.com/jackyaz/YazFi
https://www.snbforums.com/threads/yazfi-v4-x-continued.83846/

One downside to YazFi is it currently doesn't work on AiMesh nodes.
Thanks @bennor.
Had I known about YazFi before I would have probably gone down this path, seems to fit my need well and has a GUI so much better! However, I would still have to deploy my firewall script to allow/deny access accordingly.

Now everything is setup for me correctly, except for 1 issue I highlighted above,
"I have one more issue to tackle now, the services-start script setups the LAN port 4 to be part of the guest network but the device connected to it doesn't get the new IP until I unplug/replug it again. It behaves like a guest n/w device i.e., doesn't have internet access but just doesn't get the new IP from 192.168.102. subnet, it still has 192.168.1. subnet IP. And the device doesn't show up in router UI.
The IP gets resolved/assigned correctly on unplug/replug. Any thoughts on that?
I added killall eapd and eapd lines to my script thinking that might help but no difference."
 
Ok I reformatted the jffs partition and wrote the scripts again using vi, I had been using vi anyway so no change there, but now the scripts work! And the logger works too so I can see my log msgs in system log.

I have one more issue to tackle now, the services-start script setups the LAN port 4 to be part of the guest network but the device connected to it doesn't get the new IP until I unplug/replug it again. It behaves like a guest n/w device i.e., doesn't have internet access but just doesn't get the new IP from 192.168.102. subnet, it still has 192.168.1. subnet IP. And the device doesn't show up in router UI.
The IP gets resolved/assigned correctly on unplug/replug. Any thoughts on that?
I added killall eapd and eapd lines to my script thinking that might help but no difference.

Code:
#!/bin/sh
sleep 5
logger "!!!!!start services start script!!!!!!!!"
robocfg vlan 1 ports "1 2 3 5t"
#robocfg vlan 501 ports "4 5t"
robocfg vlan 502 ports "4 5t"
killall eapd
eapd
logger "!!!!!done service start script!!!!!"
logger "$(robocfg show | grep -v Port| grep -v Switch)"

My guess is that the device is getting its DHCP before your script runs, and after that there is nothing to tell it to renew (port bounce, etc). Try removing the sleep statement. If that doesn't do it you may have to try to do it via a script that runs earlier, or see if you can bounce the ports somehow to tell the device to renew again.

I only have wireless devices that are regularly connected and they get the correct IP via services-start with no sleep statement. But I haven't tried rebooting with a wired device connected.

Issuing a DHCP renew on the wired device(s) should do it too.
 
My guess is that the device is getting its DHCP before your script runs, and after that there is nothing to tell it to renew (port bounce, etc). Try removing the sleep statement. If that doesn't do it you may have to try to do it via a script that runs earlier, or see if you can bounce the ports somehow to tell the device to renew again.

I only have wireless devices that are regularly connected and they get the correct IP via services-start with no sleep statement. But I haven't tried rebooting with a wired device connected.

Issuing a DHCP renew on the wired device(s) should do it too.
I don't have the sleep statements in my script anymore.

Anyway, the IP issue seems manageable, issuing dhcpclient -r on the device side or rebooting the device does the trick. I can schedule a cron job on my linux device to do this if needed. Not sure how I am going to manage with the IP cameras and/or other not so powerful devices on the VLAN though.
Another thing I noticed was once the IP is assigned to the port/device say 192.168.102.* after doing the above step ONCE, restarting the router doesn't seem affect the IP which is good! This is due to same issue exactly(a new IP is assigned on router restart 192.168.1.* - but LAN port/device doesn't pick it up, and this IP gets changed again on startup script execution), but works to my benefit

One thing I would have liked for asuswrt-merlin to support is to bind the IP to a device, it does work for the main subnet IP's 192.168.1.* but not for other subnets, 192.168.102.* for example. The GUI throws an error - Invalid IP. I'm not sure if I can achieve this through scripting.
Binding IP to devices would help with working around the IP issue.

So far, everything looks good. My setup works fine. I will add IP cameras later today, hopefully the IP issue won't come in the way.
Thanks for you help.

EDIT: I also tried with "service restart_dnsmasq" at the end of my services-start script, didn't help with new IP reassignment.
The issue seems more likely on the devices side than on the router.
 
Last edited:
I don't have the sleep statements in my script anymore.

Anyway, the IP issue seems manageable, issuing dhcpclient -r on the device side or rebooting the device does the trick. I can schedule a cron job on my linux device to do this if needed. Not sure how I am going to manage with the IP cameras and/or other not so powerful devices on the VLAN though.
Another thing I noticed was once the IP is assigned to the port/device say 192.168.102.* after doing the above step ONCE, restarting the router doesn't seem affect the IP which is good! This is due to same issue exactly(a new IP is assigned on router restart 192.168.1.* - but LAN port/device doesn't pick it up, and this IP gets changed again on startup script execution), but works to my benefit

One thing I would have liked for asuswrt-merlin to support is to bind the IP to a device, it does work for the main subnet IP's 192.168.1.* but not for other subnets, 192.168.102.* for example. The GUI throws an error - Invalid IP. I'm not sure if I can achieve this through scripting.
Binding IP to devices would help with working around the IP issue.

So far, everything looks good. My setup works fine. I will add IP cameras later today, hopefully the IP issue won't come in the way.
Thanks for you help.

EDIT: I also tried with "service restart_dnsmasq" at the end of my services-start script, didn't help with new IP reassignment.
The issue seems more likely on the devices side than on the router.

When a device requests a "renew" it specifies the IP it has and as long as there is no conflict, the DHCP server will let it keep it. If you "release" the IP, reboot the router, then renew the IP, you'll get a new one.

I made my DHCP leases persistent by moving the file to JFFS so it survives reboots and everyone keeps the same IP no matter what (unless they move to a different subnet obviously, then the old IP is released from the router and they get the new one, next time they move to the other subnet they probably won't get the same one).

You can't do static leases for the guest wireless 1 networks via the GUI. They may add it at some point, but those subnets for Guest Wireless 1 are fairly new. You can add those reservations using dnsmasq.conf.add script easily though. Format is dhcp-host=00:00:00:00:00:00,set:00:00:00:00:00:00,<Hostname>,192.168.101.100 (Same MAC twice). Might be a good feature request for @RMerlin. However I don't think this will solve your problem as the request will come from the wrong VLAN and not have access to that DHCP range. But it is worth a try. Still a useful feature even if you have to solve the problem another way, you can still have your IOT devices get permanent IPs.

As far as your clients getting main LAN before guest, you may have to toy with it. Maybe @RMerlin or @ColinTaylor or someone knows a way to bounce the switch ports via SSH which should force the clients to renew their IPs and get one of the guest subnet IPs. In my case, I'm assuming the wireless comes up later in the boot process so it isn't an issue, so it is probably only wired that are able to get an IP before your script runs. Or maybe there is a command where you could have the router force the client to renew, but I don't believe there is any easy mechanism in DHCP to do that, it is all based on client requests and nothing is initiated by the DHCP server. Try just init-start first and if that doesn't work, do it in both.

Restarting dnsmasq won't do it as that does not tell the client to renew its IP.

My only thought is to run your robocfg commands in an init-start script (the earliest script you can run). If that gets overwritten, run them again in services-start. Maybe having it done in both will be enough for your clients to be in that VLAN when their DHCP request is sent. Don't know if it will work, worth a try. You can play with various different scripts (see https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts for the different ones) and see if you can get the behavior you want.
 
When a device requests a "renew" it specifies the IP it has and as long as there is no conflict, the DHCP server will let it keep it. If you "release" the IP, reboot the router, then renew the IP, you'll get a new one.

I made my DHCP leases persistent by moving the file to JFFS so it survives reboots and everyone keeps the same IP no matter what (unless they move to a different subnet obviously, then the old IP is released from the router and they get the new one, next time they move to the other subnet they probably won't get the same one).

You can't do static leases for the guest wireless 1 networks via the GUI. They may add it at some point, but those subnets for Guest Wireless 1 are fairly new. You can add those reservations using dnsmasq.conf.add script easily though. Format is dhcp-host=00:00:00:00:00:00,set:00:00:00:00:00:00,<Hostname>,192.168.101.100 (Same MAC twice). Might be a good feature request for @RMerlin. However I don't think this will solve your problem as the request will come from the wrong VLAN and not have access to that DHCP range. But it is worth a try. Still a useful feature even if you have to solve the problem another way, you can still have your IOT devices get permanent IPs.

As far as your clients getting main LAN before guest, you may have to toy with it. Maybe @RMerlin or @ColinTaylor or someone knows a way to bounce the switch ports via SSH which should force the clients to renew their IPs and get one of the guest subnet IPs. In my case, I'm assuming the wireless comes up later in the boot process so it isn't an issue, so it is probably only wired that are able to get an IP before your script runs. Or maybe there is a command where you could have the router force the client to renew, but I don't believe there is any easy mechanism in DHCP to do that, it is all based on client requests and nothing is initiated by the DHCP server. Try just init-start first and if that doesn't work, do it in both.

Restarting dnsmasq won't do it as that does not tell the client to renew its IP.

My only thought is to run your robocfg commands in an init-start script (the earliest script you can run). If that gets overwritten, run them again in services-start. Maybe having it done in both will be enough for your clients to be in that VLAN when their DHCP request is sent. Don't know if it will work, worth a try. You can play with various different scripts (see https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts for the different ones) and see if you can get the behavior you want.
I had been busy for the past couple of days so didn't make any changes to my setup, except rebooted my router and devices a few times to check on the IP statuses. Good news is like you mentioned when the device renews it gets the same IP as before!
But I like the idea of having a file in JFFS to allocate the IPs, can you share what you did there?

Having robocfg in init-start and services-start scripts is a good idea, I will not do that unless I start seeing issues with IP assignments.
But maybe having the rule file in JFFS solves this problem already?
Thanks.
 
I had been busy for the past couple of days so didn't make any changes to my setup, except rebooted my router and devices a few times to check on the IP statuses. Good news is like you mentioned when the device renews it gets the same IP as before!
But I like the idea of having a file in JFFS to allocate the IPs, can you share what you did there?

Having robocfg in init-start and services-start scripts is a good idea, I will not do that unless I start seeing issues with IP assignments.
But maybe having the rule file in JFFS solves this problem already?
Thanks.

For the persistent leases (and also extending lease time beyond 7 days if you want) - https://www.snbforums.com/threads/m...-dhcp-lease-time-beyond-default-limits.83060/

This won't help (or hurt) your issue though - if the client (wired mostly) requests a DHCP renew when the switch comes up, but before you've moved it to another VLAN, even if it asks for 192.168.101, dnsmasq isn't going to give it that, it is going to give it 192.168.1.x because that's the interface it came in over. I guess it is possible it might work since DNSmasq knows a scope for all 3 and the "renew" is a TCP request rather than a UDP broadcast, but if it does work, it would be a glitch (DNSmasq not honoring the interfaces the DHCP scopes are bound to). In your case, that might be a good glitch though. Broadcast requests (initial IP request) definitely would get a 1.x though during the time before your script runs.

Are your wired clients now keeping their 192.168.101 and 102 IPs after a reboot of the router?
 
For the persistent leases (and also extending lease time beyond 7 days if you want) - https://www.snbforums.com/threads/m...-dhcp-lease-time-beyond-default-limits.83060/

This won't help (or hurt) your issue though - if the client (wired mostly) requests a DHCP renew when the switch comes up, but before you've moved it to another VLAN, even if it asks for 192.168.101, dnsmasq isn't going to give it that, it is going to give it 192.168.1.x because that's the interface it came in over. I guess it is possible it might work since DNSmasq knows a scope for all 3 and the "renew" is a TCP request rather than a UDP broadcast, but if it does work, it would be a glitch (DNSmasq not honoring the interfaces the DHCP scopes are bound to). In your case, that might be a good glitch though. Broadcast requests (initial IP request) definitely would get a 1.x though during the time before your script runs.

Are your wired clients now keeping their 192.168.101 and 102 IPs after a reboot of the router?
Thanks for the link, nice trick on the lease extension!
It may or may not work for me like you said, I am going to bookmark it for the future.
Currently all my wired devices are retaining their 192.168.102 IPs, which is great! They all go through a network switch connected on port 4 now(which is part of the guest network), wonder if the switch is somehow helping with the retention?
Wireless devices are fine, they always get 101/102 IPs after the reboot, I don't touch them on reboot etc.
 
Thanks for the link, nice trick on the lease extension!
It may or may not work for me like you said, I am going to bookmark it for the future.
Currently all my wired devices are retaining their 192.168.102 IPs, which is great! They all go through a network switch connected on port 4 now(which is part of the guest network), wonder if the switch is somehow helping with the retention?
Wireless devices are fine, they always get 101/102 IPs after the reboot, I don't touch them on reboot etc.

Yes, the intermediate switch is solving your problem, since it does not bounce the ports when your router reboots (thus the client has no reason to renew its lease). If you reboot both, you'll probably have the issue, but that shouldn't happen often (never if you have a UPS).

Yes my wireless devices work fine with this setup too, I believe because the wireless radios come up later in the boot process, after the script has run. The physical switch ports are much sooner.
 
Yes, the intermediate switch is solving your problem, since it does not bounce the ports when your router reboots (thus the client has no reason to renew its lease). If you reboot both, you'll probably have the issue, but that shouldn't happen often (never if you have a UPS).

Yes my wireless devices work fine with this setup too, I believe because the wireless radios come up later in the boot process, after the script has run. The physical switch ports are much sooner.
Ya I am actually trying to cover for the corner case of a power trip, rare but happens. I don't have UPS backup, so when I am away from home this could be an issue.
If I manage to host a VPN server on the router and open the port to host PC on the main subnet I can reconfigure the IP Camera and other IoT devices etc. So, that's the next step, get the VPN server going on the router.
 
Ya I am actually trying to cover for the corner case of a power trip, rare but happens. I don't have UPS backup, so when I am away from home this could be an issue.
If I manage to host a VPN server on the router and open the port to host PC on the main subnet I can reconfigure the IP Camera and other IoT devices etc. So, that's the next step, get the VPN server going on the router.

Invest in a cheap UPS - power blips can fry these routers (or often the wall wart power supply) very easily.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top