Isolating IOT and other untrusted devices

I’d like to get your thoughts on my setup.

I had a fairly straight forward setup:

Internet —— modem ——- slate ——- 192.168.8.x ——- devices

I started to add a few IOT and other untrusted devices (like the tv) and I wanted to separate those to a dedicated network. So I did this:

Internet —— modem ——- slate ——- 192.168.8.x ——- devices —- ….
… —- mango router —— 10.0.0.x —— AP (access point)

Most of the untrusted devices connect via wifi using the AP, but I also have some other wired devices to improve performance.

Currently the devices in the 10.0.0.x network can talk to devices in the 192.168.8.x network. I don’t want that to happen.

I am reading a bit more about iptables so I can add a few rules (or rule) to block all the packets that go to any host in the 192.168.8.x network (other than .1 which is the router).

Anyway, I wanted to know if you have any thoughts or anyone has a similar setup. If so, what rules have you added to openwrt to block traffic?

-drd

Solution 1:

Slate has guest wifi, which is isolated from the private wifi.

Solution 2:

On Mango router, set up vpn and route all the IoT devices to VPN server.

Thank you for the reply.

Solution 1 is not an option since I have wired devices in the not trusted network.

Solution 2: How is that going to prevent the devices to access the trusted 192.x.x.x network?

-drd

Just simply make an allow rule for traffic going to 192.168.8.1 followed by a block or drop rule for traffic going to 192.168.8.0/24.

You can make VLAN and put all devices with another different IP with adding another network interface in Luci…and it will pass in the same LAN cable> make tagged and assign in that network interface.
Search in the net, there is a lot of easy tutorials on YT. How to make vlan openwrt.

When you have vpn on Mango, all data goes to the vpn and your IoT device cannot access 192.168.x.x network. This is how the routing is set

It would be really useful to have some ‘how-to’ guides for use-cases like this.

2 Likes

Thank you.

I was trying to do this for testing: dropping all icmp packets coming from the 10.0.0.x network and going to any machine in the 192.168.8.x network other than 192.168.8.1.

From a machine within the IOT network (10.0.0.x) I ping a machine on the 192.168.8.x network. I keep the ping running.

On another console, I ssh into the mango and run:

root@GL-MT300N-V2:~# iptables -I INPUT -p ICMP -j DROP
root@GL-MT300N-V2:~# iptables -I INPUT -d 192.168.8.1 -p ICMP -j ACCEPT
root@GL-MT300N-V2:~# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  anywhere             192.168.8.1
2    DROP       icmp --  anywhere             anywhere

The ping still runs and I get icmp packages.

What am I doing wrong?

I finally found how to to it:

# iptables -I FORWARD 1 -d 192.168.8.1 -j ACCEPT
# iptables -I FORWARD 2 -d 192.168.8.0.24 -j DROP

Here I am telling iptables:

Accept all the packages going to the router (.1). and reject the rest.

I am using the FORWARD chain. I am not sure why I wasn’t able to use the INPUT/OUTPUT chains.

Looking now into how to persists the new rules.

1 Like

You can add to /etc/config/firewall. Add one section like the following example.

image

Thank you. What about running the iptables save on the iptables systemd script?

Just a follow up on this.

I had a couple of port forwarding entries setup to give access to the http openwrt server and also ssh to a machine within the IOT network (10.0.0.0/24). Those two entries will not work if you only add those two iptables rules I sent earlier. We need to add one more rule to fix this. Here are the new commands:

# iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -I FORWARD 2 -d 192.168.8.1 -j ACCEPT
# iptables -I FORWARD 3 -d 192.168.8.0.24 -j DROP

Notice the first entry. That’s what does the trick.

I think the reason why that rule fixes the issue is because we are telling iptables to load the connection tracker. Then, let’s say I open a socket from a machine in the 192.168.8.0/24 network to port 8080 on the little mango. Rule #2 will kick in and let the packet pass. At that point, iptables tracks the connection. Incoming packages on that connection will go through now because rule #1 (since the packages belong to a ESTABLISHED connection), before that, rule #3 was kicking in and dropping all packets on that type of connections.

Let me know if that is accurate.

-drd

This is how I ended up saving the new rules:

# cat >> /etc/firewall.user 
# Only let traffic to the router from the IOT network
# But let established connections from the 192 network to the IOT network
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -d 192.168.8.1 -j ACCEPT
iptables -I FORWARD 3 -d 192.168.8.0/24 -j DROP
<Ctrl-c>

I like /etc/firewall.user better than using /etc/config/firewall because /etc/config/firewall does not use iptables cmds but abstractions of them (check the file and you’ll see what I mean).

-drd

2 Likes

Maybe just switch mask 24 to another on the Mango and using as “router mode”, not AP?