Creating a custom Subnet/network for my IOT-devices with RUTX50

Hello

I have been trying to get an IOT-specific network up for my cloud-connected IOT devices that rely on Wi-Fi. Since those might have known and unknown vulnerabilities in them, I would like to segment them away from my primary home network.

I was following this guide:
https://wiki.teltonika-networks.com/view/How_to_set_up_a_guest_WiFi_network
but I only managed to reach the “New LAN interface” step. After I did the shown steps, I got the following error on the new LAN interface:


I guess I need to set up some sort of bridging.

I got it working with picking the br-lan.
I guess the guide needs to be updated on that little thing?

Here is my firmware version

For backup context
I have done some Fortinet stuff and also the Cisco CCNA ITN. You can get pretty technical; worst case I will be looking up words, which is fine.

Thank you for your time!

Update
I encountered the issue

For some reason the IOT-lan still draws from the main lan IPv4 pool for addresses? Anyone aware of the configuration issue that I might have made?

Hello Parsnip,

For some reason the IOT-lan still draws from the main lan IPv4 pool for addresses? Anyone aware of the configuration issue that I might have made?

The issue is that you chose the interface br-lan, which is why it gets IPv4 from your main LAN. br-lan is made up of the wired LAN (eth0), the 2.4 GHz default AP (wlan0) and the 5 GHz default AP (wlan1).
What I am trying to say is that our network interface is wireless, so in this case we do not need to bridge anything, unless you would want devices that connect via a LAN port to be assigned to the same Guest network, but for that you would need a VLAN configuration. For more information about VLAN you can read here: VLAN Set Up - Teltonika Networks Wiki

For our Guest Wi-Fi we need to keep the interface blank without any chosen interface.

but I managed to only reach step New LAN interface. After I did the shown steps, I got the following error on the new LAN interface:

As for this issue, I tried replicating it from my side and the only time I got this error was when I had my Guest Wi-Fi disabled. Once I enabled my Guest Wi-Fi, the Status went up, so try checking whether you have enabled your guest Wi-Fi.

As for the setup, I can provide you the steps for the RUTX50:

  1. In your WebUI go to Network → Wireless → SSIDs → Add new SSID configuration with your chosen SSID/Password and other settings. For Network choose “Add a new” and write the name for your new interface (“guest”), click “Save & Apply” and you will be taken to your newly created interface.

  2. There, for the IPv4 address write 10.10.10.1 (or whichever you are using) and click “Enable DHCPv4”, so that our guests can be assigned an IPv4 address. After that, “Save & Apply”.

  3. Make sure that the Router’s Wireless Access Point is running by checking it in Network → Wireless → SSIDs. Once we have made sure, move on to the firewall settings.
    Go to Network → Firewall → General Settings → in the Zones section add a new zone → name “Guest_Zone”:

  Input: "Drop"
  Output: "Accept"
  Forward: "Reject"
  Covered networks: The name of the newly created interface ("Guest")
  Allow forward to destination zones: wan

  4. Then move on to the “Traffic Rules” section and create a new traffic rule via “Add new forward rule” from our newly created zone (“Guest_Zone”) to Destination zone “Device (input)”. Configure the settings accordingly:

  Enable: On
  Source zone: Guest_Zone
  Protocol: TCP, UDP
  Destination zone: Device (input)
  Destination port: 53 (DNS)
  Action: Accept

And another rule if we need DNS for IoT devices (if devices are connecting to a server via domain name, not IP):

  Enable: On
  Source zone: Guest_Zone
  Protocol: UDP
  Destination zone: Device (input)
  Destination port: 67, 68
  Action: Accept

  5. If your guest interface is not assigned to Guest_Zone automatically, you can move it manually. For that we need to assign our firewall zone to Guest_Zone. Move on to Network → LAN → Guest interface edit → Firewall Settings section → Create / Assign firewall-zone: Guest_Zone

After this configuration, you should not be able to reach your router’s local network, only the assigned guest network.

Let me know if you have any further questions,
DziugasS

1 Like

A huge thanks for your time @DziugasS!

I think I managed to find a second reason for this issue. The laptop I was using had a reserved IPv4 address in the Home LAN subnet, which probably is the reason that it showed that reserved address even on a different subnet.

I am going to give making that WLAN-only IOT subnet another try with your guide!
A huge thanks for your time and knowledge!

Alright, I just ran through the guide above. In short, to me it looks like the DHCP is still having some issues, since my phone claims that it cannot receive a proper IP address while connecting to that SSID/WLAN network.

Here is the DNS & DHCP configuration I am running in the Network > Firewall > Traffic Rules page.
Here is the DHCP:

Here is the DNS:

And here is the internet access, since devices connected to this subnet / WLAN-SSID are cloud connected IOT, that operate using the OEM cloud…


I know it is a potential risk to have them open to the internet without limitations, but I have not found enough time to check which ports these devices actually employ to work properly.

I also configured the DHCP on that Subnet as below
And here is the Subnet-interface:


I just checked the authentication issue I got from my phone. Here is the TLDR:

Authentication failure

Connection failed
There was an issue encountered between the authentication of the phone and the access point.

The funny thing is that the authentication works when connecting to the other two WLAN networks that are connected to the Home LAN, but not to the new IOT-LAN.

Any ideas or things to look into?

Thanks again for your time and effort!

More updates

I got a Windows 10 client to properly connect to the network, but for some reason it is using only the IPv6 address, even though there is also a DHCP IPv4 server on that network as well, running its own subnet. And with the current firewall settings, there is no working DNS nor internet connection, so I must have something major misconfigured.

Looks like with the Internet, there is no default gateway configured. Good job me…

Hello Parsnip,

And here is the internet access, since devices connected to this subnet / WLAN-SSID are cloud connected IOT, that operate using the OEM cloud…

I know it is a potential risk have them open to the internet without limitations, but I have not found enough time to check which ports these devices actually employ to work properly.

We do not need this traffic rule, as by default it should be able to access WAN.

Here is the DNS&DHCP configuration I am running in the Network > Firewall Traffic Rules -page

Could you remove the Destination address from these traffic rules, as this might be conflicting, which is why you are not getting any IP from DHCP.

Also could you clarify, did you create a firewall zone accordingly to this setup:

  Input: "Drop"
  Output: "Accept"
  Forward: "Reject"
  Covered networks: The name of a newly created interface("Guest")
  Allow forward to destination zones: wan

If the issue persists after removing the destination address, try moving around the traffic rule priorities, as the firewall evaluates the rule on top first, followed by the rules below it.

If this does not work out, I have contacted you via HubSpot to be able to carry this matter onwards, as I will need private information. Check your email and there you will find instructions for further steps.

Let me know how it goes,
DziugasS
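The zone policy and the two traffic rules from the steps above, together with the “Destination address” caveat in this reply, modelled as an added Python example (not code from the thread or from Teltonika). It assumes RutOS zones evaluate like OpenWrt’s (matching traffic rules first, then the zone’s input policy for traffic to the router, or the allowed forward destinations for traffic to other zones); the zone, rules and sample packets are constructed for illustration.

```python
# Added example, not from the thread or from Teltonika: a small model of how an
# OpenWrt-style zone firewall (RutOS on the RUTX50 is OpenWrt-based) decides on
# packets from the guest network. Zone, rules and packets are constructed.
from dataclasses import dataclass, field
from typing import Optional, Set

DEVICE = "Device (input)"    # WebUI name for traffic addressed to the router itself
DEFAULT_FORWARD = "REJECT"   # default when no forwarding to the destination zone is allowed

@dataclass
class Rule:
    src_zone: str
    dest_zone: str
    protos: Set[str]
    dest_ports: Set[int]
    dest_ip: Optional[str] = None   # the optional "Destination address" field
    target: str = "ACCEPT"

@dataclass
class Zone:
    name: str
    input: str                       # policy for traffic to the router itself
    forward_to: Set[str] = field(default_factory=set)  # "Allow forward to destination zones"

GUEST = Zone("Guest_Zone", input="DROP", forward_to={"wan"})
RULES = [
    Rule("Guest_Zone", DEVICE, {"tcp", "udp"}, {53}),   # port 53 to the router
    Rule("Guest_Zone", DEVICE, {"udp"}, {67, 68}),      # DHCP ports to the router
]

def verdict(zone, rules, proto, dst_ip, dst_port, dest_zone):
    """Decision for one packet arriving from `zone`: traffic rules first, then zone policy."""
    for r in rules:
        if (r.src_zone == zone.name and r.dest_zone == dest_zone
                and proto in r.protos and dst_port in r.dest_ports
                and (r.dest_ip is None or r.dest_ip == dst_ip)):
            return r.target
    if dest_zone == DEVICE:
        return zone.input
    return "ACCEPT" if dest_zone in zone.forward_to else DEFAULT_FORWARD

def dhcp_discover_verdict(rules):
    """A client with no address yet broadcasts DHCPDISCOVER to 255.255.255.255:67."""
    return verdict(GUEST, rules, "udp", "255.255.255.255", 67, DEVICE)

# Restricting the DHCP rule to the router's own 10.10.10.1 breaks DHCP: the DISCOVER
# is sent to the broadcast address, so the rule no longer matches and the zone's
# DROP input policy applies. With RULES the same packet is accepted.
RESTRICTED = [Rule("Guest_Zone", DEVICE, {"udp"}, {67, 68}, dest_ip="10.10.10.1")]
```

With `RULES`, a guest client can reach the router only on ports 53, 67 and 68 (its WebUI on port 80 is dropped), is forwarded to `wan`, and is rejected towards the home `lan` zone; with `RESTRICTED`, the DHCP broadcast is dropped.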