I don’t want my IoT devices to send data to the internet or be easily accessed from the internet.
My idea is to put all the IoT devices in an isolated VLAN that lets them interoperate, but does not let them connect to the internet, just to the router.
I want to minimize the number of routers or gadgets installed (to reduce the risk of misconfiguration and the power consumption).
I have two routers at home:
- The one connected to the internet and provided by the internet provider. It is my gateway, but it does not provide other services like DHCP. It provides Ethernet connection to a couple of computers and WiFi connection to devices in the back side of the home.
- A FritzBox router with OpenWrt installed that does the hard work. It provides DHCP, an MQTT broker (mosquitto) and DNS for local names, forwarding other DNS queries to the internet. It provides Ethernet access to my NAS (where openHAB is installed in a Docker container) and WiFi connection to devices in the front of the home. Both WiFi points share SSIDs and passwords in order to be able to roam from back to front.
That would be my home network, where computers, tablets, phones… do connect.
It cannot be reached from outside, except using a VPN that my NAS provides.
I would like to have another WiFi SSID for the IoT devices (both routers can create more than one WiFi access point) and a VLAN for it, configured in a way that the IoT devices won’t access the internet and cannot be reached from outside.
That would be the IoT network (most of the devices connected via WiFi on one of the routers).
How should I configure it?
- I suppose IoT devices should be able to interconnect among themselves.
- I think they should have a separate IP network with different addresses provided by the router using DHCP (but I don’t know how to configure DHCP to provide addresses for devices on a specific WiFi SSID).
- Of course IoT devices should be accessible from the router and from the NAS, but I think it would be good to be able to access them from any device in the home in order to be able to interact with them. But I don’t know if this has some security risk.
I have been trying some tests with VLANs and creating another WiFi network but could not implement it correctly.
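An added example, not part of the post above, of what the OpenWrt firewall side of such an isolated IoT zone could look like: a constructed `/etc/config/firewall` fragment where nothing is forwarded from the IoT zone (so no internet and no path into the home LAN) while `lan` may still reach it, plus a small parser that audits exactly those properties. The zone name `iot` and the port list are assumptions; port 1883 stands for the mosquitto broker on the FritzBox.

```python
import re

# Constructed /etc/config/firewall fragment for an isolated IoT zone on OpenWrt.
# Zone name 'iot' and ports are assumptions; 1883 is the router's mosquitto broker.
# Nothing forwards *from* iot, so IoT devices reach neither wan nor lan; the
# lan -> iot forwarding lets the NAS/openHAB and home devices reach them.
IOT_FIREWALL = """
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'iot-to-router-services'
	option src 'iot'
	option dest_port '53 67 1883'
	option proto 'tcp udp'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, options) pairs; 'list' keys become lists."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line.strip())]
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2]
        elif parts and parts[0] == "list":
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections

def audit_zone(text, zone="iot"):
    """Report which directions across the zone boundary are forwarded."""
    secs = parse_uci(text)
    fwds = {(o.get("src"), o.get("dest")) for t, o in secs if t == "forwarding"}
    zone_opts = next((o for t, o in secs if t == "zone" and o.get("name") == zone), {})
    return {
        "reaches_wan": (zone, "wan") in fwds,     # must stay False: no internet
        "reaches_lan": (zone, "lan") in fwds,     # must stay False: can't open to home net
        "lan_reaches_it": ("lan", zone) in fwds,  # True: NAS and phones can talk to IoT
        "forward_default": zone_opts.get("forward", "REJECT"),
    }
```

The zone only takes effect once a matching `config interface 'iot'` exists in `/etc/config/network`, a `config dhcp 'iot'` section hands out addresses on it, and the IoT SSID's `wifi-iface` carries `option network 'iot'`. Running `audit_zone` on the live file after any change catches an accidental `iot -> wan` or `iot -> lan` forwarding before devices get online.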