This is a long form post. It includes lots of images. If you're viewing on a microblogging platform such as Mastodon, you may wish to click through to read it properly. That said, here goes.
Like many people, I have a bunch of smart home stuff, or so-called "Internet of Things" devices. Some of them use proper smart home protocols such as Zigbee or Thread, via a hub. Others connect directly via WiFi or Ethernet.
These things can variously be security risks (the recent story about toothbrushes making a botnet was fake, but illustrates the threat vector), or massive privacy invasions if they can just randomly probe stuff on your network (hi Alexa).
So I wanted a VLAN to segregate my stuff off. Of course, this also requires a bridge with a firewall between your LAN and IoT VLAN, which many people use their router for. I wanted a separate bridge though, for the learning exercise, for compartmentalising things, and also to reduce the traffic load on my router.
I was considering writing a long post about how to create VLANs and what they are, but this tutorial assumes you already know that, and how to do it. For my purposes, I created a VLAN tagged 10, a new WiFi network (2.4GHz only but no reason you couldn't enable 5GHz if you wanted) tagged with that VLAN, and forbade it from accessing my router.
In fact, the only places VLAN 10 can go are the backbone between the switches and access points, and the one port we are going to put our bridge on. That one allows both untagged and VLAN 10 traffic.
So now I need to create the bridge. The VLAN as set up has no DHCP server and no route to the Internet. If you join the VLAN's SSID, you will not even get an IP address at this point.
This is where the bridge comes in, and I wanted to build one using a spare Raspberry Pi 4 and OpenWRT. The nice thing about OpenWRT on a Pi 4 is that it's really lightweight. You can get away without a fan. I just stick heatsinks on the chips.
Anyway, the first thing to do is flash OpenWRT. There are instructions for getting an RPi 4 build here. Note that you don't need the USB Ethernet driver; we're going to build this using only the builtin ethernet port in a "router on a stick" configuration.
If you ask me nicely, I might give you a binary of my custom build, which has a bunch of nice stuff added to it.
Anyway, flash the Pi, and DO NOT CONNECT IT TO YOUR NETWORK. This is because, by default, the OpenWRT build is running a DHCP server. I assume you probably already have one of these on your LAN. You don't want another one.
Instead, get your laptop, or whatever, anything with an ethernet port, disconnect it from your local network, and plug it directly into the VLAN bridge, AND ONLY THE VLAN BRIDGE.
If, at this point, you can see your home network or the Internet, you are doing it wrong.
Power up the Pi, and wait a bit. Then navigate to:
http://192.168.1.1/
In your web browser. You will be asked for a login. The default username and password is root/root. Change it (System - Administration).
Now navigate to System - System and change the name of your device. I called mine "VLANBridge". Hit Save & Apply:
Now we need to stop that DHCP server I just talked about. Go to "Network - Interfaces" and you'll get a list of network interfaces. There may be a "Wan" here. If so, delete it. Then click the button to edit the settings for Lan:
You'll be presented with a bunch of option tabs. Under General settings, you want to change "Protocol" to "DHCP Client":
Under "Firewall Settings", make sure it's in Firewall zone, "lan":
And under DHCP Server, click "Ignore interface", and then under IPv6 Settings, just disable everything:
OK, you're good. Save everything, then on your laptop, pull up a shell and do:
ssh root@192.168.1.1
Enter the password you just set, then once logged in:
shutdown
Wait until everything stops. Power down the Pi, unplug it from your laptop, then you can connect your laptop back to your own network.
OK, now take the Pi which is now configured as a DHCP client and plug it in to the router port you intend to use. Configure that port to allow both VLAN 10 and the default LAN.
Power up the Pi. Now go to your own DHCP server and assign it a static IP address on your LAN.
Now the next bit is going to either be very easy, or very difficult, depending on the capabilities of your router. You will need to set up a new static route to the IoT VLAN so that stuff on your main network (like your phone) can still talk to it.
Now I'm going to assume that our IoT VLAN is 192.168.10.0/24. This means that the router needs to advertise the static IP address you just assigned as the destination for that route.
If your router can't do that ... well, you're gonna need to go away and solve that problem. It's beyond the scope of this article. If it's an ISP supplied piece of crap, put it into "modem mode" and get a more capable router.
I actually use OpenWRT for this as well, and it makes it really easy. It's just this:
Assuming you've done all that, let's go and log in to your VLAN Bridge. Presumably it isn't using the static IP address you've assigned it yet. Find where it is, or browse to either:
http://VLANBridge.lan/
or
http://VLANBridge.local/
(one of them will probably work), and reboot it. It should now come back up with the IP address you assigned.
Log back on. It's time to create the VLAN interface.
Navigate to "Network - Interfaces" and select the "Devices" tab. Add a device configuration.
The device type is "VLAN (802.1q)"
The base device is "eth0"
The VLAN ID is "10"
And the name is "eth0.10"
Probably go ahead and disable IPv6 as well for shits and giggles. Probably doesn't matter much. Don't touch anything under "Advanced device options", because there are dragons in there and they will break something if you bugger about with them.
That's created the VLAN Ethernet device, sharing the main ethernet port. Now we need to create an interface. Navigate to the "Interface" tab and select "Add new interface" at the bottom.
Under Name, we want "VLAN". Protocol is "Static address", and Device is "Software VLAN eth0.10". We then get to configure it. We'll get a page like this:
A couple of things to note: the IPv4 address and net mask are standard. The IPv4 Gateway is your Internet gateway on your main LAN. Mine is 192.168.1.1. Yours may be something else. Enter the right value, or nothing on your VLAN will be able to find the Internet.
Under "Advanced Settings", just make sure that "Use default gateway" is checked.
Under "Firewall Settings", assign it to the new firewall zone, "VLAN"
DHCP settings are nice and standard. The lease time may be a bit short. I set mine to "24h". These are the DHCP settings for your IoT VLAN, not your main network.
As before, go disable all the IPv6 stuff. Probably doesn't matter.
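For anyone who prefers to check (or script) the result rather than click through LuCI, here is what the steps above produce in UCI form on the bridge. This is an added illustration, not a dump from the author's device: the bridge's own VLAN address (192.168.10.1) and the DHCP pool bounds are assumptions; the gateway, VLAN ID, device name and lease time are the values given in the post.

```uci
# /etc/config/network  (only the sections this post changes or adds; the rest stays as shipped)
config interface 'lan'               # existing section: only the protocol changes (DHCP client)
	option proto 'dhcp'

config device
	option name 'eth0.10'
	option type '8021q'
	option ifname 'eth0'             # shares the Pi's built-in port ("router on a stick")
	option vid '10'
	option ipv6 '0'                  # the "disable IPv6" tick box on the device

config interface 'VLAN'
	option proto 'static'
	option device 'eth0.10'
	option ipaddr '192.168.10.1'     # bridge's own address on the IoT VLAN (assumed)
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'     # the main-LAN Internet gateway used in the post
	option defaultroute '1'          # LuCI's "Use default gateway"

# /etc/config/dhcp  (no DHCP on the main LAN, a 24h-lease pool on the IoT VLAN)
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'                # "Ignore interface": your router keeps serving the main LAN

config dhcp 'VLAN'
	option interface 'VLAN'
	option start '100'               # pool bounds are LuCI's defaults (assumed)
	option limit '150'
	option leasetime '24h'
```

After "Save & Apply", `cat /etc/config/network /etc/config/dhcp` over ssh should show these sections; if the VLAN interface is missing its `gateway` line, nothing on the IoT side will reach the Internet.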
Save and apply. Now go to "Network - Firewall" and replicate this setup.
What's important is that you have two Zone forwarding rules: one from lan -> VLAN with "accept, accept, accept" and VLAN -> lan with "accept, accept, reject".
The last bit is what protects your main network from IoT things being naughty.
We're getting there. Now we need a few custom firewall traffic rules. Click through to the "Traffic Rules" tab and clear out any rules which are already there.
There are two rules you absolutely want. The first is to allow DNS queries to your local DNS server, which will likely be your router. I have two DNS servers locally: one on 192.168.1.1 and one on 192.168.1.3. I want to add them both. Here's what that looks like:
The next rule we need is a catch-all rule for denying access to any local subnet, other than stuff we explicitly allow.
Note that the order they are in matters. You can drag them up and down with the little hamburger icon next to "Edit".
OK. Save everything and we should now have a working network. There is one more thing we need to do, but I'm going to come to that in a minute. First let's test what we have got.
Take one of your devices and connect to the new VLAN SSID you have created.
Do you have Internet access? You should.
Can you ping devices on your main network? You shouldn't be able to.
Can you ping the device on your VLAN from your main network? You should be able to.
If it's not working, check your managed switch settings. You may be blocking packets at the hardware level.
If it's working, then well done!
There is something else we want to do. It's optional, but you will likely want it. A lot of smart home stuff is found by systems like Alexa, Google Home, and Apple HomeKit, via multicast DNS (mDNS). Now that stuff is going to be on a different VLAN, this won't work.
Fear not! We can fix it. There's a package for multicast DNS forwarding in OpenWRT based on Avahi.
I followed blog.christophersmart.com/2020… for getting Avahi to work as a multicast DNS proxy, but there's a snag.
The tutorial is written for an older version of OpenWRT, and the way Avahi is packaged has changed.
If you go to "System - Software" and then hit "Update Lists", click on "installed" and then type "avahi" into the filter.
You want to see this, AND ONLY THIS. If these packages aren't installed, install them. If there are any others installed, remove them. These instructions are current as of OpenWRT 23.05.0.
You will also want to ensure the "dbus" package is installed. Once you've done that, follow the tutorial but ignore the bit that says to type:
opkg update
opkg install avahi-daemon
You will need to add a firewall traffic rule, to allow multicast DNS to propagate, as per the tutorial. Here's my rule, which allows propagation in both directions.
And here's the order I have my rules in:
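Since the firewall screenshots above (the zones and forwardings, the DNS allow rule, the catch-all deny, and the mDNS rule) carry the whole security policy of this setup, here is the same policy written out as UCI in /etc/config/firewall, in the order fw4 evaluates it. This is an added illustration rather than the author's own config: the RFC 1918 ranges used to express "any local subnet" and the choice to write the mDNS rule as a single input rule from any zone to 224.0.0.251 are my interpretation; the resolver addresses, zone names and zone defaults are the ones given in the post.

```uci
# /etc/config/firewall  (IoT zone, the two forwardings, then traffic rules in evaluation order)
config zone
	option name 'VLAN'
	list network 'VLAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'           # the "accept, accept, reject" zone from the post

config forwarding
	option src 'lan'
	option dest 'VLAN'                # main LAN may reach the IoT VLAN

config forwarding
	option src 'VLAN'
	option dest 'lan'                 # needed for Internet via the main-LAN gateway; pruned by the rules below

config rule
	option name 'Allow-VLAN-DNS'      # rule 1: DNS to the two local resolvers only
	option src 'VLAN'
	option dest 'lan'
	option proto 'tcp udp'
	list dest_ip '192.168.1.1'
	list dest_ip '192.168.1.3'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-mDNS'          # rule 2: mDNS to the bridge itself, from either side, for the Avahi reflector
	option src '*'
	option proto 'udp'
	option dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Deny-VLAN-to-local'  # rule 3: catch-all; anything local not matched above is refused
	option src 'VLAN'
	option dest 'lan'
	option proto 'all'                # 'all' so that ICMP (ping) is caught too, not just TCP/UDP
	list dest_ip '10.0.0.0/8'         # RFC 1918 ranges as the assumed meaning of "local subnets"
	list dest_ip '172.16.0.0/12'
	list dest_ip '192.168.0.0/16'
	option target 'REJECT'
```

Note that `input 'ACCEPT'` on the VLAN zone leaves the bridge's own ssh and LuCI reachable from the IoT side, which is convenient while setting up but worth narrowing with a further rule once things work.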
And that's it. I think I have remembered everything I did. If you try this and it doesn't work for you, ping me and we'll see if I can work out what I've forgotten. Now your network is set up, you should be able to start moving your IoT stuff over.
Happy networking!