OpenWrt Network Segmentation Part 1: How to Isolate IoT Devices with VLANs and Firewall Zones

If you are running a smart home, you have probably got a dozen devices (lightbulbs, cameras, smart plugs) that shouldn’t be chatting with your main PC or your NAS. In a standard home network, everything is “flat”: if one cheap, insecure IoT device gets compromised, it has a direct line to your private files and banking data.

The fix? Network Segmentation. By using VLANs and firewall zones in OpenWrt, you can create a “walled garden” for your untrusted devices. Here is how to lock down your network without breaking your internet access.

The Two Methods of VLAN Setup in OpenWrt

When you are looking to isolate devices in OpenWrt, you generally run into two approaches. It is important to understand the difference before you start clicking buttons.

  1. Physical Port Isolation (The Bridge Method): This is the “low-level” approach. You literally take a physical Ethernet port on the back of your router, detach it from the main LAN bridge, and create a completely new, separate bridge for it. It’s simple, robust, and doesn’t require managing complex 802.1Q tags.

  2. 802.1Q VLAN Tagging (The Virtual Method): This is the professional standard. Instead of using separate physical ports, you “tag” traffic with a VLAN ID. This allows you to have multiple isolated networks running over the same physical wire or Wi-Fi radio. This is what you need if you want to support multiple isolated SSIDs on the same access point.

For this guide, which I have just set up and tested myself, we will focus on the Physical Bridge method as our foundation; it’s the cleanest way to learn how OpenWrt handles routing and firewalling.

High-Level Roadmap

We aren’t just ticking a checkbox; we are building a security system. We’ll follow this logical order to ensure the network never leaks traffic during the setup. The router used in this case is a GL.iNet Flint 2.

  1. Hardware Layer: Detach a physical port and create a new bridge device.

  2. Network Layer: Define a new Interface and DHCP server for that bridge.

  3. Security Layer: Create a dedicated Firewall Zone to gatekeep the traffic.

  4. Wireless Layer: Create your IoT SSID and bind it to the secure bridge.

  5. Finalize: Commit changes and perform an audit test (Part 2).


Step-by-Step Implementation

Step 1: Physical Hardware Separation

  1. Navigate to Network > Devices.

  2. Find br-lan and click Edit.

  3. Under Bridge ports, uncheck the physical port you want to isolate (e.g., eth3). Click Save.

  4. Click Add device configuration. Set the Type to Bridge and Name it br-iot.

  5. Under Bridge ports, select the port you just freed (eth3). Click Save.

Step 2: Interface and DHCP Setup

  1. Go to Network > Interfaces and click Add new interface.

  2. Name it IOT, set the protocol to Static address, and choose br-iot as the device.

  3. In General Setup, assign a unique subnet (e.g., 192.168.10.1 with a netmask of 255.255.255.0).

  4. Switch to the Firewall Settings tab. Type iotzone in the box and click Add (or press Enter) to bind it to a new zone.

  5. Click the DHCP Server tab and click Setup DHCP Server. Save your changes.

Step 3: Firewall Policy (The Gatekeeper)

  1. Go to Network > Firewall.

  2. Find iotzone and click Edit.

  3. Set Input to REJECT, Output to ACCEPT, and Forward to REJECT. Check the box for Masquerading.

  4. Under Inter-Zone Forwarding, select ONLY wan for “Allow forward to destination zones.” Keep “Allow forward from source zones” BLANK.

  5. Click Save.

Step 4: Finalize and Apply

  1. Review your pending changes. When you are ready, click Save & Apply at the top. Your network will briefly restart.

Step 5: Configure the IoT SSID

  1. Go to Network > Wireless.

  2. Click Add on your 2.4GHz or 5GHz radio.

  3. Enter your ESSID (e.g., My-IoT-Network).

  4. Under the Network tab, uncheck lan and check IOT. This is the crucial step that links your wireless traffic to the secure bridge we created in Step 1.

  5. Set your encryption/password, save, and apply.
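The same configuration expressed as the UCI fragments LuCI writes to /etc/config/* when you click through Steps 1, 2, 3 and 5. This is an added example, not taken from the post: the remaining br-lan port names, the radio name radio0 and the passphrase are placeholders to replace with your own. It also adds two traffic rules the steps above do not mention: with Input set to REJECT, the router rejects the DHCP and DNS requests of IoT clients as well, so UDP 67 and port 53 have to be opened towards the router explicitly, and nothing else.

```uci
# /etc/config/network   (Steps 1 and 2)
config device
        option name 'br-lan'
        option type 'bridge'
        list ports '<your remaining LAN ports>'   # eth3 removed here (Step 1.3)

config device
        option name 'br-iot'          # new bridge (Step 1.4)
        option type 'bridge'
        list ports 'eth3'             # the port freed from br-lan (Step 1.5)

config interface 'IOT'
        option device 'br-iot'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp   (Step 2.5, LuCI "Setup DHCP Server" defaults)
config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall   (Step 3)
config zone
        option name 'iotzone'
        list network 'IOT'
        option input 'REJECT'         # IoT clients may not talk to the router itself
        option output 'ACCEPT'
        option forward 'REJECT'       # no forwarding between IoT clients on different networks
        option masq '1'               # as in Step 3.3; the wan zone already masquerades, so this is not needed for internet access

config forwarding                     # Step 3.4: the ONLY allowed destination is wan
        option src 'iotzone'
        option dest 'wan'

# Added here, not in the post: without these, Input REJECT blocks DHCP leases and DNS lookups
config rule
        option name 'Allow-DHCP-IoT'
        option src 'iotzone'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-IoT'
        option src 'iotzone'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# /etc/config/wireless   (Step 5)
config wifi-iface 'iot_wifi'
        option device 'radio0'        # assumed radio name; check /etc/config/wireless
        option mode 'ap'
        option network 'IOT'          # binds the SSID to br-iot (Step 5.4)
        option ssid 'My-IoT-Network'
        option encryption 'psk2'
        option key '<strong passphrase>'
        # option isolate '1'          # optional: stop IoT clients from talking to each other over Wi-Fi
```

After editing the files by hand instead of via LuCI, run `uci commit`, then `service network restart`, `service firewall restart` and `wifi reload`. `uci show firewall` confirms the zone policy and the single forwarding entry; on OpenWrt 22.03 and later, `fw4 print` shows the resulting nftables ruleset, where the IoT zone's input and forward chains should end in reject and only the two added rules should accept traffic into the router.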

Conclusion

You’ve now built a professional grade, isolated network. By separating your IoT hardware at the bridge level and enforcing strict “Reject” policies in the firewall, you’ve significantly reduced your home network’s “blast radius.”

Pro Tip: Once you’re done, verify your isolation by connecting a laptop to the new IOT Wi-Fi and trying to ping your main router gateway (192.168.1.1). It should fail. If it does, your walled garden is officially open for business. Check out Part 2, the security audit, for additional audits and pro tips.

Disclaimer: The steps outlined in this guide are based on my personal configuration and testing environment. Network environments vary significantly based on hardware, OpenWrt firmware versions, and existing configurations. This guide is for educational and proposed purposes only. Implementing these changes involves modifying core network settings, which carries the risk of losing connectivity to your router. Please proceed with caution and ensure you have a physical recovery path (such as a device connected to your main LAN) before applying any changes. You are responsible for your own network; proceed at your own risk.
