Firewall Rule for IOT Vlan Devices on Flint 2

Hi there,

I recently purchased a Flint 2 router but have yet to connect it to my WAN, so right now it is just plugged into my laptop, where I have been learning about VLANs.

Scenario: I had a router that would not let me create VLANs, so all of my devices, even IoT ones, were on the same network; that was the reason I went with the Flint 2. I am fairly new to OpenWrt.

I have successfully set up bridge VLAN filtering with multiple VLANs. I accomplished this by:
1 - Went to Devices > Add device configuration:
1.1: Device Type: Bridge Device
1.2: Device Name: DeviceName
1.3: Bridge Port: Ethernet Switch: "eth0"
I left the rest of the options empty.

2 - I moved to the Bridge VLAN Filtering tab, where I added 3 VLAN IDs.

3 - Clicked on Save, and then on Save and Apply.

4 - I went back to the Bridge Device I just created and added all 3 new VLAN IDs. This is how it looks after doing all of these steps:

After that, I moved on to creating an interface:

1 - I went to Network > Interfaces > Add new interface
1.1: Protocol: Static Address
1.2: Device: VirtLand.20
1.3: IPv4: 192.168.20.1
1.4: IPv4 netmask: 255.255.255.0
2 - Then I moved on to the DHCP Server tab, enabled it and just changed the "Start" value to "1" so IPs are assigned from 192.168.20.1. Screenshots are below.

The topic is already pretty long, but after I did all of that, I went to Network > Wireless and added a new network under "radio0" (2.4 GHz):

  • Mode: Access Point
  • SSID: SSIDName
  • Network: Picked the IOT instance I just created
  • Added a WPA2/PSK Password

After that, I tried connecting to it, but it was failing: it was not assigning an IP. I read online that this might be due to firewall rules within the router, so I did the following:

I went to Network > Firewall:

  • Under "Zones", lan => wan, I clicked on "Edit"
  • Under "Covered Networks" I added the "IOTs" instance I created before

After all that, I did a quick reboot and connected to the wifi, and bingo, it worked.

Finally, to the question I wanted to ask :sweat_smile:
Is this the proper way to do this? Did I do something wrong?
Is what I did in the firewall rule correct? Is it secure?
Sorry, I am still learning about Firewalls.

Thanks in advance.
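As an added example (not from the original post or from the linked repository), here is the same IoT interface written out in UCI syntax, but with its own `iot` firewall zone rather than being added to the lan zone's covered networks. The bridge name `VirtLand`, the tagged port, and the zone and rule names are assumptions; the VLAN ID, interface name and addressing are the ones given above.

```uci
# /etc/config/network (relevant sections only)
config device
	option name 'VirtLand'          # assumed bridge name, from "VirtLand.20" above
	option type 'bridge'
	list ports 'eth0'

config bridge-vlan
	option device 'VirtLand'
	option vlan '20'
	list ports 'eth0:t'             # assumption: VLAN 20 carried tagged on eth0

config interface 'IOTs'
	option proto 'static'
	option device 'VirtLand.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/firewall (added sections; the default lan/wan zones stay as they are)
config zone
	option name 'iot'
	list network 'IOTs'
	option input 'REJECT'           # router services closed by default
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding                   # IoT may reach the internet only
	option src 'iot'
	option dest 'wan'

config rule                         # but still needs DNS from the router
	option name 'Allow-DNS-IoT'
	option src 'iot'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule                         # and a DHCP lease
	option name 'Allow-DHCP-IoT'
	option src 'iot'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
```

With the interface placed in the lan zone instead, the lan zone's forward ACCEPT lets IoT clients reach every other lan-zone network and its input ACCEPT exposes all router services to them; the separate zone above reduces that to WAN access plus DHCP and DNS.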

Just wondering if this is the correct way of doing it. I want to set up VLANs for IoT and work too.

You can also use br-lan; also, if you use a tunnel device such as GRE or VXLAN, then the best option is to add the vx0 device or tr device into br-lan, and then tag it via bridge filtering.

What is supposed to be unsafe is:

Let's say you tag VLAN 50 on br-lan via bridge VLAN filtering, then create another bridge called br-zigbee, and there you mix br-lan.50 and vx0.50. Mixing concurrent VLAN bridge devices might cause problems; from my observations it didn't, but by OpenWrt's standards this mix is supposed to be unintended and may break deeper things with DSA :wink:

Here is an example which I use in my images for the non-OEM OpenWrt:

openwrt-flint2-testing/files/etc/config/network at main · xize/openwrt-flint2-testing · GitHub :+1:


Thank you, I am going to look into it this afternoon.