Isolating IOT and other untrusted devices

drio · July 8, 2021, 10:00pm

I’d like to get your thoughts on my setup.

I had a fairly straight forward setup:

Internet —— modem ——- slate ——- 192.168.8.x ——- devices

I started to add a few IOT and other untrusted devices (like the tv) and I wanted to separate those to a dedicated network. So I did this:

Internet —— modem ——- slate ——- 192.168.8.x ——- devices —- ….
… —- mango router —— 10.0.0.x —— AP (access point)

Most of the untrusted devices connect via wifi using the AP, but I also have some other wired devices to improve performance.

Currently the devices in the 10.0.0.x network can talk to devices in the 192.168.8.x network. I don’t want that to happen.

I am reading a bit more about iptables so I can add a few rules (or rule) to block all the packets that go to any host in the 192.168.8.x network (other than .1 which is the router).

Anyway, I wanted to know if you have any thoughts or anyone has a similar setup. If so, what rules have you added to openwrt to block traffic?

-drd

alzhao · July 12, 2021, 9:03am

Solution 1:

Slate has guest wifi, which is isolated from the private wifi.

Solution 2:

On Mango router, set up vpn and route all the IoT devices to VPN server.

drio · July 12, 2021, 10:27am

Thank you for the reply.

Solution 1 is not an option since I have wired devices in the not trusted network.

Solution 2: How is that going to prevent the devices to access the trusted 192.x.x.x network?

-drd

groentjuh · July 12, 2021, 11:13am

Just simply make an allow rule for traffic going to 192.168.8.1 followed by a block or drop rule for traffic going to 192.168.8.0/24.

David · July 12, 2021, 11:58am

You can make VLAN and put all devices with another different IP with adding another network interface in Luci…and it will pass in the same LAN cable> make tagged and assign in that network interface.
Search in the net, there is a lot of easy tutorials on YT. How to make vlan openwrt.

alzhao · July 13, 2021, 8:24am

When you have vpn on Mango, all data goes to the vpn and your IoT device cannot access 192.168.x.x network. This is how the routing is set

Duncan · July 14, 2021, 6:27am

It would be really useful to have some ‘how-to’ guides for use-cases like this.

drio · July 16, 2021, 6:24pm

Thank you.

I was trying to do this for testing: dropping all icmp packets coming from the 10.0.0.x network and going to any machine in the 192.168.8.x network other than 192.168.8.1.

From a machine within the IOT network (10.0.0.x) I ping a machine on the 192.168.8.x network. I keep the ping running.

On another console, I ssh into the mango and run:

root@GL-MT300N-V2:~# iptables -I INPUT -p ICMP -j DROP
root@GL-MT300N-V2:~# iptables -I INPUT -d 192.168.8.1 -p ICMP -j ACCEPT
root@GL-MT300N-V2:~# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  anywhere             192.168.8.1
2    DROP       icmp --  anywhere             anywhere

The ping still runs and I get icmp packages.

What am I doing wrong?

drio · July 19, 2021, 8:36pm

I finally found how to to it:

# iptables -I FORWARD 1 -d 192.168.8.1 -j ACCEPT
# iptables -I FORWARD 2 -d 192.168.8.0.24 -j DROP

Here I am telling iptables:

Accept all the packages going to the router (.1). and reject the rest.

I am using the FORWARD chain. I am not sure why I wasn’t able to use the INPUT/OUTPUT chains.

Looking now into how to persists the new rules.

alzhao · July 20, 2021, 8:03am

You can add to /etc/config/firewall. Add one section like the following example.

drio · July 20, 2021, 12:24pm

Thank you. What about running the iptables save on the iptables systemd script?

drio · July 20, 2021, 8:39pm

Just a follow up on this.

I had a couple of port forwarding entries setup to give access to the http openwrt server and also ssh to a machine within the IOT network (10.0.0.0/24). Those two entries will not work if you only add those two iptables rules I sent earlier. We need to add one more rule to fix this. Here are the new commands:

# iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -I FORWARD 2 -d 192.168.8.1 -j ACCEPT
# iptables -I FORWARD 3 -d 192.168.8.0.24 -j DROP

Notice the first entry. That’s what does the trick.

I think the reason why that rule fixes the issue is because we are telling iptables to load the connection tracker. Then, let’s say I open a socket from a machine in the 192.168.8.0/24 network to port 8080 on the little mango. Rule #2 will kick in and let the packet pass. At that point, iptables tracks the connection. Incoming packages on that connection will go through now because rule #1 (since the packages belong to a ESTABLISHED connection), before that, rule #3 was kicking in and dropping all packets on that type of connections.

Let me know if that is accurate.

-drd

drio · July 20, 2021, 9:10pm

This is how I ended up saving the new rules:

# cat >> /etc/firewall.user 
# Only let traffic to the router from the IOT network
# But let established connections from the 192 network to the IOT network
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -d 192.168.8.1 -j ACCEPT
iptables -I FORWARD 3 -d 192.168.8.0/24 -j DROP
<Ctrl-c>

I like /etc/firewall.user better than using /etc/config/firewall because /etc/config/firewall does not use iptables cmds but abstractions of them (check the file and you’ll see what I mean).

-drd

la3y · July 21, 2021, 1:03am

Maybe just switch mask 24 to another on the Mango and using as “router mode”, not AP?