Hi!
I have a small suggestion for the new IoT mode you’re working on in firmware 4.9.
Many users (including me) run IoT devices in an isolated network for security, which is great. But sometimes two specific IoT devices need to talk to each other, even when client isolation is enabled.
A simple example is Amazon Alexa:
Two Echo devices may need local communication for features like multi‑room audio, but all the other IoT devices should stay isolated.
It would be very helpful if IoT mode allowed something like:
“Allow these two devices to communicate”
A small option where the user can pick:
Device A
Device B
…and the router automatically creates an exception so only those two can talk to each other.
Everything else in the IoT network would remain isolated as usual.
This would make IoT mode much more flexible while still keeping strong security.
Thanks for considering it — I think many users would appreciate this kind of control.
For me it’s Google Hub Displays that need to be able to communicate directly so they can figure out which one is going to respond to voice commands. For now I’ll turn client isolation off on the 5 GHz IoT and leave it on on the 2.4 GHz - but having the ability to do device groups that can communicate would be great to tighten security even more.
Google (not sure if Alexa is the same) needs mDNS and other multicast services to run between Hub Displays (and also, for example, Nest Doorbells) for certain things to work (synchronized audio streams and automatically displaying doorbell video are two that I know of) - I don’t think the ACL controls would work for that (but I am happy to be proven wrong)…
That may require some kind of proxy, like avahi-daemon, and then firewall rules that forward traffic from 224.0.0.251 on port 5353; then each masqueraded gateway where your router’s UI is hosted forms the mirror on the other networks, advertising the mDNS broadcasts.
Avahi needs a bit of configuration though, because by default it also listens on WAN.
deny-interfaces= in /etc/avahi/avahi-daemon.conf is what you want; there is also an allow-interfaces, but it has been broken for an extremely long time. This issue also exists on avahi’s GitHub repo.
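As an added illustration of the avahi approach described in the post above (example code, not from anyone in this thread): a small script that emits an avahi-daemon.conf that keeps mDNS off the WAN side via deny-interfaces and turns on the reflector between the LAN and IoT bridges, plus the matching nftables input rules for UDP 5353 to 224.0.0.251. The interface names eth0, br-lan and br-iot are assumptions; adjust them to your router.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions:
# eth0 = WAN uplink, br-lan = trusted LAN bridge, br-iot = isolated IoT bridge.

# Emit an avahi-daemon.conf for an mDNS reflector. deny-interfaces is used
# instead of allow-interfaces because the post above reports the latter as
# unreliable; by default avahi binds on every interface, including WAN.
avahi_reflector_conf() {
  wan_if="${1:-eth0}"
  cat <<EOF
[server]
use-ipv4=yes
use-ipv6=no
# Never answer or repeat mDNS on the WAN side.
deny-interfaces=${wan_if}

[reflector]
# Repeat announcements seen on one interface onto the others (br-lan <-> br-iot),
# which is what lets otherwise isolated devices discover each other.
enable-reflector=yes

[publish]
# Do not advertise the router's own services into the IoT network.
disable-publishing=yes
EOF
}

# Emit nftables input rules that admit mDNS only on the named bridges.
# Everything else on the IoT side stays subject to client isolation.
mdns_nft_rules() {
  for ifc in "$@"; do
    printf 'iif "%s" ip daddr 224.0.0.251 udp dport 5353 accept\n' "$ifc"
  done
}

# Sanity check: the generated config must deny the given WAN interface.
conf_denies_wan() {
  avahi_reflector_conf "$1" | grep -q "^deny-interfaces=$1\$"
}

# Usage: sh mdns_reflector.sh show  (prints the config and the rules)
if [ "${1:-}" = "show" ]; then
  avahi_reflector_conf eth0
  mdns_nft_rules br-lan br-iot
fi
```

Write the config to /etc/avahi/avahi-daemon.conf and add the rules to your firewall's input chain for the two bridges; WAN gets no rule, so the deny-interfaces line and the firewall reinforce each other.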