Why would you want to keep your devices from talking to each other on a local network?
I repair other people’s computers – other people who may not be too careful about what websites they visit. If I need to connect one of these computers to my home network, I want to make sure that they can’t reach any of my own devices to potentially infect them.
I also repair old vintage computers. These can be usefully networked for transferring files and stuff like that, but I don’t want them to have any access to the internet – I’ll want to have some firewall rules to cover that scenario too.
The following covers the steps taken to get everything set up to cover the above.
Creating a Separate Network
First, we need to create a new network for these questionable devices to connect to. By default there is a LAN network, so I’ll call this second network BADLAN. Navigate to:
Network -> Interfaces
…from the dropdowns at the top of the page.
A list of the existing networks/interfaces will be displayed – click on the Add New Interface button at the end of the list.
Enter the name for the new interface and set Protocol to Static address.
Click Create Interface.
Next, fill in the IP address for the OpenWrt router on the new network. My existing network uses the 10.123.123.0/24 subnet, so I’ll make this new network use the 10.123.124.0/24 subnet and give the router the 10.123.124.1 address. Make sure you also set an IPv4 netmask of 255.255.255.0.
Next, go to the Firewall Settings tab, click in the Assign firewall zone dropdown, type a custom name for the new firewall zone (in this case, ‘badlan’), and hit enter. A new firewall zone with that name will be created for the new network, so we can control how its traffic is forwarded later.
Click over to the DHCP Server tab and click Setup DHCP Server. The defaults will be fine, so go ahead and click Save to finish.
Scroll to the bottom of the page and hit Save and Apply to finish this step.
Segregated WiFi Network
Many devices can host more than one wireless network on each WiFi interface. So I’m just going to add a second WiFi network to my OpenWrt Router and set it to not allow connected devices to talk to each other. This second WiFi network can then be assigned to the BADLAN interface created in the previous step.
First, navigate to:
Network -> Wireless
…from the navigation dropdowns.
You can see the existing ‘OpenWRT’ network on the radio0 interface, which provides a regular wireless network.
Click on the Add button next to the radio0 interface to add a second WiFi network to it.
Fill out the ESSID (WiFi network name), click on the Network dropdown, and select the previously created BADLAN network. This will keep things separate from the LAN network. I’ve called my WiFi network ‘BadWiFi.’
Next, click on the Wireless Security tab and select WPA2-PSK from the dropdown, then enter a key (password) to be used when connecting to the network.
Finally, navigate to the Advanced Settings tab and check Isolate Clients – this will prevent WiFi clients from seeing each other.
Click on the green Save button, then click Save and Apply at the bottom of the page to confirm the changes.
We’re done! WiFi clients connected to the new network will be on a separate network and will not communicate with each other.
Not all devices will be stable when hosting multiple networks – your results may vary.
If your device doesn’t let you run more than one wireless network at once, you could add an additional WiFi interface using a USB WiFi dongle and host your segregated network from that.
If your device is struggling to host more than 2 WiFi networks, and you are using one of the WiFi interfaces as a wireless bridge, consider going wired to get internet to your OpenWRT box instead. Alternatively, you may have to live with a single, segregated WiFi network and simply turn your normal network on or off as needed.
Segregated Wired Network
This step is optional and only required if you plan to segregate devices connected to a wired network port.
This only works on the ports built into your OpenWrt device – it won’t work on a connected network switch (unless that switch is also a managed one on which you can configure VLAN tagging).
I’m setting this all up on a BT HomeHub 5, which has multiple network ports, so it’s perfect for this situation.
In the previous step, we added a network called BADLAN, which is separate from the existing LAN network. If we want to segregate wired clients, we simply need to assign the physical Ethernet port the client will be plugged into to the BADLAN network.
To do so, navigate to:
Network -> Switch
Click the Add VLAN button.
Make sure the CPU interface is set to tagged for the new VLAN so that it can be added to an interface later.
Set the ports you want on your segregated network to untagged for the new VLAN, and make sure those same ports are set to off for every other VLAN:
In this case, I’ve set ports 3 and 4 on my router to be part of the segregated network by setting them to untagged.
It’s a bit confusing here – off obviously means the port is not part of the given VLAN – but tagged and untagged both mean that it is assigned to that VLAN. untagged is the one we want: it tells the switch to treat the port as a plain access port carrying normal Ethernet frames, rather than expecting 802.1Q VLAN-tagged frames from another managed switch.
Click Save and Apply.
Network -> Interfaces
Click the edit button next to the BADLAN network and go to the Physical Settings tab.
Check Bridge Interfaces so that multiple interfaces can be selected.
Click on the Interfaces dropdown and check Switch VLAN: “eth0.3” to add the VLAN to the segregated network.
Click Save and then click Save and Apply at the bottom of the page to confirm changes.
Unlike wireless clients, devices on physical ports will be separated from the main LAN network but not from each other.
Enabling the Internet for Segregated Network
Your segregated network allows clients to connect but currently has no internet connection! Let’s get that working next.
Head over to:
Network -> Firewall
Scroll down to the Zones section – you’ll see a diagram and some dropdowns showing how traffic is to be forwarded between your different firewall zones. lan is your local network, wan is the internet, and badlan is the new segregated network, which is currently set to reject all traffic.
To allow traffic from badlan to wan, click on the blue Edit button to the right, and select wan from the Allow forward to destination zones: dropdown.
Your firewall table should now look something like this:
If things still aren’t working, try rebooting your router as the first troubleshooting step.
Hit the blue Save and apply button to finish up.
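The Isolate Clients setting from the WiFi section and the zone forwarding set up here end up in /etc/config/wireless and /etc/config/firewall on the router. The following script is an added example, not code from the original post: it parses UCI-format text and checks that the BadWiFi access point is client-isolated and uses WPA2-PSK, and that the badlan zone can forward only to wan. The embedded config samples are constructed to match the steps above; the zone input/output/forward policies are my assumption about what LuCI writes (the post does not show them), and the WiFi key is a placeholder.

```python
import shlex

# Constructed sample of /etc/config/wireless after the "Segregated WiFi Network"
# step (added example, not from the post). UCI keys are real; the key is a placeholder.
SAMPLE_WIRELESS = """
config wifi-iface 'badwifi'
    option device 'radio0'
    option mode 'ap'
    option network 'badlan'
    option ssid 'BadWiFi'
    option encryption 'psk2'
    option key 'REPLACE_WITH_A_STRONG_PASSPHRASE'
    option isolate '1'
"""

# Constructed sample of /etc/config/firewall after the forwarding step.
# Zone policies are an assumption about what LuCI writes, not taken from the post.
SAMPLE_FIREWALL = """
config defaults
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'badlan'
    list network 'badlan'
    option input 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'badlan'
    option dest 'wan'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value or [values]}), ...].

    'config TYPE [name]' opens a section, 'option K V' sets a scalar and
    'list K V' appends to a list. UCI quoting follows shell rules, so shlex fits.
    """
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] == "option" and len(parts) == 3 and sections:
            sections[-1][1][parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) == 3 and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections


def audit_wifi(wireless_text, network="badlan"):
    """Findings for every AP bound to the quarantined network; [] means OK."""
    findings = []
    for kind, s in parse_uci(wireless_text):
        if kind != "wifi-iface" or s.get("network") != network:
            continue
        ssid = s.get("ssid", "?")
        if s.get("isolate") != "1":
            findings.append(f"{ssid}: Isolate Clients is off, stations can reach each other")
        enc = s.get("encryption", "none")
        if not enc.startswith("psk2"):
            findings.append(f"{ssid}: encryption is {enc}, expected psk2 (WPA2-PSK)")
    return findings


def audit_firewall(firewall_text, zone="badlan", allowed_dest=("wan",)):
    """Findings when the quarantined zone can reach anything but allowed_dest.

    An unset policy is treated as REJECT here (an assumption about fw3 defaults).
    """
    sections = parse_uci(firewall_text)
    zones = {s["name"]: s for kind, s in sections if kind == "zone" and "name" in s}
    if zone not in zones:
        return [f"zone '{zone}' is not defined"]
    findings = []
    if zones[zone].get("forward", "REJECT") == "ACCEPT":
        findings.append(f"zone {zone}: forward ACCEPT lets networks inside the zone talk to each other")
    for kind, s in sections:
        if kind == "defaults" and s.get("forward", "REJECT") == "ACCEPT":
            findings.append("defaults: forward ACCEPT admits traffic that no zone forwarding matches")
        if kind == "forwarding" and s.get("src") == zone and s.get("dest") not in allowed_dest:
            findings.append(f"forwarding {zone} -> {s.get('dest')} is outside {list(allowed_dest)}")
    return findings
```

To check a real router, copy the two files off it (or `cat /etc/config/firewall` over SSH) and pass their contents to `audit_firewall` and `audit_wifi`; an empty list means the config matches the intent of this post. The check on the `defaults` section is there because fw3 applies that forward policy to any forwarded traffic no zone forwarding matches, so an ACCEPT there would quietly undo the separation even with the zone table looking right.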
Local Connections Only
If you want a network where clients can talk to each other only and not the internet, repeat the steps above to create a new network with a different name, do not check Isolate Clients when creating the WiFi network, and simply skip the final internet-enabling step.