Isolating all wired IoT devices from each other

Discussion in 'Tomato Firmware' started by fonos, Nov 29, 2017.

  1. fonos

    fonos Serious Server Member

    My current network is using the Steve Gibson "three dumb routers" approach to isolating all IoT objects from my "real" network.

    It works just fine but, as things stand, wired devices within the IoT network are not isolated from each other, so there's at least the potential for nefarious activities between devices within the network. I'd prefer that my TV isn't being hacked by my cameras - or vice versa.

    What I'd like to do now is to partition off each wired device into a separate isolated network with the possibility of only one device per network, similar in principle to AP isolation with WiFi. Each device will see the WAN interface and nothing else. It should also be scalable and not limited by the number of physical ports, as would be the case with VLANs, where I'd be limited to four - or three in the case of this venerable old workhorse. Since I have only three working LAN ports, I'm already up to four devices so am having to use a dumb switch outside of the router.

    The device I'm currently using is a WRT54GL running v1.28.7636 Toastman-IPT-ND ND VLAN-Std.

    So is this doable?
  2. Sean B.

    Sean B. LI Guru Member

    A: Write your own iptables rules for each device.


    B: Purchase significantly upgraded hardware, possibly commercial grade depending on how many iot devices will need ports.
  3. Holy_Hunter

    Holy_Hunter Networkin' Nut Member

    How many Devices are you trying to isolate ?
  4. fonos

    fonos Serious Server Member

    I currently have 4 wired but that number is sure to increase over the next year or so. I could "silo" them into one of 4 VLANs (or 3 with the current hardware) but complete separation is my goal.

    Buying multi-port commercial-grade hardware is overkill and I wouldn't even begin to make use of its advanced functionality.
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

A $50-$60 ER-X router supports VLAN tagging and Netgear makes a sub-$50 switch that supports VLAN tagging, so you could have up to 7 attached devices each on individual VLANs, with the possibility of adding more in the future. You transition the 54GL into a wireless bridge/switch for your normal LAN, use the ER-X as a router and switch for each of the VLANs you want and then expand out past that to the switch for more untagged VLAN ports. An ER-X has 5 ports so you could have LAN, WAN, and 3 additional untagged VLANs for wired devices; if you need more then plug in the 5-port switch for another 4 ports. Sub-$100 and 99% of the stuff you do on the router will be done through a fairly easy to use web-based interface. The hardest part is configuring the damn switch because Netgear dumbed down the interface to the point that it's actually more complicated to use than Cisco switches.
    Last edited: Nov 29, 2017
  6. fonos

    fonos Serious Server Member

  7. Sean B.

    Sean B. LI Guru Member

    My apologies, I autopilot to using different subnets as that's pretty well standard. I don't recall if Tomato comes with the macvlan kernel module or if that's one of many things I compiled in myself, I'd have to check the source. But that would be the only non-subnet non-new hardware way I'd know of ( see attached graphic below ). The concept @Monk E. Boy described would be my suggestion as well if you can scale your hardware to match your port count needs.


    Last edited: Nov 30, 2017
  8. jerrm

    jerrm Network Guru Member

    Correct. Iptables is useless to manage traffic within a subnet. The various VLAN suggestions would require a separate subnet for each device, and then iptables can manage the routing between the umpteen subnets.

I hate the VLAN idea since it's a management nightmare: a separate subnet for each device, the VLANs would have to be configured on both the router and the switch, and iptables rules for each subnet.

    A managed switch with port isolation or MAC ACLs is the proper answer, and it doesn't have to be crazy expensive. TP Link TLSG3210/TLSG3216/TLSG3324 should work - $110 for 8 ports, $160 for 24.
  9. fonos

    fonos Serious Server Member

    Thanks for the feedback guys.

@Sean B. The MAC VLAN looks interesting. I see you mentioned in another post on this forum about enabling it in a Shibby build, but Shibby's now too big for the WRT54GL - and building it seems to be problematic, judging by what others have written. I did come across this post where the author mentions getting kmod-macvlan working with OpenWRT, so maybe I'll take a look there.

@jerrm Thanks for the ideas. So it looks like L2 managed switches are your favoured direction. It's not an area I have any experience with, so I'm going to have to expand my horizons - which is a good thing.
  10. jerrm

    jerrm Network Guru Member

    I'm not sure macvlan will really do what you want. Linux has no control over port to port access in the switch without splitting the switch into four separate interfaces (vlans).

If you split the ports into separate interfaces anyway, you can place all the interfaces into the same "utility" VLAN bridge and achieve the isolation between switch ports without macvlan using ebtables (if your build includes ebtables). Macvlan might be slightly more efficient than using ebtables, but the ebtables option works and is in many Tomato builds by default (but probably not 4MB versions). It would require some robocfg, brctl and ebtables scripting. Not all that difficult, but still limited to the number of physical ports on the router.

    To get past the router port limitation you have no choice but a managed switch. If you have to invest in one anyway, spend the extra $60 or so to get the exact functionality you want in an easy to manage form.
    Last edited: Dec 1, 2017
    fonos likes this.
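The robocfg/brctl/ebtables approach jerrm describes, written out as a Tomato init script. This is an added example and not code from the thread, from Tomato or from any of the posters. It assumes a WRT54GL-style switch map (robocfg ports 0-3 are the LAN jacks, 4 is WAN, 5 is the CPU), that vlan0/vlan1 are the existing LAN/WAN interfaces, and that VLAN IDs 2-5, bridge name br1, subnet 192.168.50.0/24 and the robocfg, vconfig, brctl, ebtables and iptables binaries are all available; the physical jack order on real hardware may be reversed. Without an argument the script only prints the commands it would run, so it can be reviewed before `apply`.

```shell
#!/bin/sh
# Per-port isolation on a Tomato WRT54GL-class router (added example, not from
# the thread): every switch port goes into its own VLAN, all of those VLAN
# interfaces are bridged into br1, and ebtables drops any frame the bridge would
# forward from one port to another. Frames addressed to the router itself pass
# through INPUT rather than FORWARD, so each device still reaches its gateway.
#
# Assumed (not from the thread): ports 0-3 LAN, 4 WAN, 5 CPU; vlan0 = LAN,
# vlan1 = WAN; VLAN IDs 2-5 and 192.168.50.0/24 are unused.

IOT_PORTS="${IOT_PORTS:-0 1 2 3}"   # switch ports to isolate, one device each
WAN_PORT=4
CPU_PORT=5
WAN_IF=vlan1
LAN_BR=br0
IOT_BR=br1
IOT_ADDR=192.168.50.1
IOT_NET=192.168.50.0/24
IOT_MASK=255.255.255.0

# Switch port N gets VLAN ID N+2 so vlan0/vlan1 keep their LAN/WAN roles.
port_vlan() { echo $(( $1 + 2 )); }

# One robocfg invocation rebuilding the whole VLAN table: any LAN port not being
# isolated stays in vlan0, the WAN port stays in vlan1, each IoT port is alone in
# its VLAN, and the CPU port is tagged in all of them. With all four ports
# isolated, vlan0 is left with only the tagged CPU port.
robocfg_cmd() {
    lan_ports=""
    for p in 0 1 2 3; do
        case " $IOT_PORTS " in *" $p "*) ;; *) lan_ports="$lan_ports$p " ;; esac
    done
    cmd="robocfg switch disable vlans enable reset"
    cmd="$cmd vlan 0 ports \"${lan_ports}${CPU_PORT}t\""
    cmd="$cmd vlan 1 ports \"$WAN_PORT ${CPU_PORT}t\""
    for p in $IOT_PORTS; do
        cmd="$cmd vlan $(port_vlan "$p") ports \"$p ${CPU_PORT}t\""
    done
    echo "$cmd switch enable"
}

# Create the tagged interfaces on eth0 and enslave them all to one bridge.
iface_cmds() {
    echo "brctl addbr $IOT_BR"
    for p in $IOT_PORTS; do
        v=$(port_vlan "$p")
        echo "vconfig add eth0 $v"
        echo "ifconfig vlan$v up"
        echo "brctl addif $IOT_BR vlan$v"
    done
    echo "ifconfig $IOT_BR $IOT_ADDR netmask $IOT_MASK up"
}

# Layer 2: drop everything br1 would bridge between ports. Matching is on the
# ingress interface name, not on MAC addresses. One rule per port is kept ahead
# of the catch-all so "ebtables -L FORWARD --Lc" shows which port tried to talk
# sideways (broadcast ARP and unicast alike land here).
ebtables_cmds() {
    for p in $IOT_PORTS; do
        echo "ebtables -A FORWARD --logical-in $IOT_BR -i vlan$(port_vlan "$p") -j DROP"
    done
    echo "ebtables -A FORWARD --logical-in $IOT_BR -j DROP"
}

# Layer 3: IoT devices may reach the WAN only, never the real LAN bridge.
iptables_cmds() {
    echo "iptables -I FORWARD -i $IOT_BR -o $LAN_BR -j DROP"
    echo "iptables -I FORWARD -i $IOT_BR -o $WAN_IF -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $IOT_NET -o $WAN_IF -j MASQUERADE"
}

# Fragment for Tomato's dnsmasq custom configuration so br1 hands out leases
# (assumed address range).
dnsmasq_conf() {
    echo "interface=$IOT_BR"
    echo "dhcp-range=192.168.50.100,192.168.50.199,24h"
}

all_cmds() { robocfg_cmd; iface_cmds; ebtables_cmds; iptables_cmds; }

# Execute each generated line; "sh -c" keeps the quoted robocfg port lists intact.
apply_all() {
    all_cmds | while IFS= read -r line; do sh -c "$line" || exit 1; done
}

case "${1:-}" in
    apply) apply_all ;;
    *)     all_cmds ;;
esac
```

The ebtables rules never look at source or destination MACs; `-i vlanN` is the physical ingress interface and `--logical-in br1` the bridge, which is why identical slave MACs on the bridge members do not affect them. Because Tomato rewrites the switch from NVRAM at boot, the script belongs in the Init script (or is re-run from the Firewall script for the ebtables/iptables part), and the dnsmasq lines go into the dnsmasq custom configuration box.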
  11. Sean B.

    Sean B. LI Guru Member

Perhaps I am mistaken, as I mainly deal with layer 3 policy rather than layer 2. However, if you split each port onto its own interface and enslave those interfaces to a single VLAN bridge, without using macvlan each port's interface will have the same MAC address as the parent interface (therefore all interfaces enslaved to the VLAN bridge will have the same MAC address). How exactly will ebtables enforce any type of isolation between ports when any communication between them will have the same destination MAC?