Isolated VLAN for Android 6.0 device
Hi folks,

I've had a new air conditioning controller installed, an Airtouch 4. Turns out it's just a little tablet running Android 6.0 - truly an example of the old phrase, "the S in IoT stands for Security" :D It connects to wifi and offers remote control (both on the local network and over the internet).

So I'm thinking what I want to do is isolate it on its own VLAN that has no outgoing access to the rest of my network, but still has external internet access and inbound access from the LAN so the phone apps still work to control it.

I've got a Mikrotik 951G-2HnD running RouterOS 6.49.2, with LAN (NBN HFC) hanging off port 1, a single Unifi wireless AP hanging off port 2 (the 951G's wireless is turned off), and other stuff off ports 3, 4, & 5 (other switches, a NAS, etc). It's all on a single network; the 951G runs DHCP for 10.1.1.0/24 on the bridge interface, there's a basic firewall configured, and IPv6 is enabled and running.

So I assume what I need to do is some kind of VLAN config to separate traffic, and some routing and firewall config, but I really am not sure how to achieve it. Maybe something like:

- Create 2 new VLANs, one for the unrestricted devices and one that I'll use for isolated devices
- Add both VLANs to all ports? The Unifi AP can do VLAN tagging by the looks, so I could create a separate wireless network for the restricted VLAN as well. (Or maybe the easier way would be to turn the 951G's wireless back on purely for this restricted access, and take the Unifi AP out of the picture)
- Create a new DHCP range for the restricted VLAN (can I decide which DHCP range will respond based on the VLAN tag?)
- Create a new firewall config to prevent the restricted VLAN from communicating with the unrestricted VLAN?
- Routing config of some kind?

I'm not much of a networker, so any help would be much appreciated.

- Ben
Hi,

> Create 2 new vlans

Or just one new VLAN for the restricted device.

> - Add both vlans to all ports?

Do you have your ports in a bridge? If so, just add the new VLAN to the bridge interface.

Then add the following to the VLAN interface:
- IP address
- DHCP server (use the wizard)

Then create a firewall rule:
- Drop anything in VLAN and out bridge

Then use Unifi to create a new wireless network with the VLAN ID you created in the first step.

Then join the tablet to the new wireless.

Then drink beer and bathe in your networking glory.

Andrew

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Ben Williams
Sent: Monday, 11 April 2022 3:19 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Isolated VLAN for Android 6.0 device
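The steps Andrew lists, written out as a RouterOS 6.49 configuration. This is an added example, not part of Andrew's reply or any MikroTik documentation. It assumes the existing LAN bridge is named `bridge`, the Unifi AP hangs off `ether2`, the NBN connection is `ether1`, the new VLAN uses ID 20 with 10.1.20.0/24, and the router already answers DNS for the LAN (`/ip dns set allow-remote-requests=yes`); adjust names and IDs to match the real config. The point to get right is the firewall: the drop rule matches only `connection-state=new`, so sessions the phone app opens from the LAN into the tablet get their replies back, while anything the tablet itself tries to open towards the LAN is refused.

```routeros
# Added example for RouterOS 6.49 (not from the thread). Assumed names:
# bridge = existing LAN bridge, ether1 = NBN/WAN, ether2 = Unifi AP,
# VLAN 20 / 10.1.20.0/24 = isolated IoT network.

# 1. Tagged VLAN sub-interface on the bridge. In the Unifi controller, give
#    the new SSID VLAN ID 20; the AP then tags that SSID's frames and the
#    bridge delivers them to this interface.
/interface vlan
add name=vlan20-iot vlan-id=20 interface=bridge comment="isolated IoT VLAN"

# 2. Router address on the VLAN; this becomes the tablet's gateway.
/ip address
add address=10.1.20.1/24 interface=vlan20-iot

# 3. DHCP bound to the VLAN interface. RouterOS picks the DHCP server by the
#    interface a DISCOVER arrives on, so the VLAN tag decides which range
#    answers (this is the answer to Ben's DHCP question).
/ip pool
add name=pool-iot ranges=10.1.20.100-10.1.20.199
/ip dhcp-server
add name=dhcp-iot interface=vlan20-iot address-pool=pool-iot lease-time=1h disabled=no
/ip dhcp-server network
add address=10.1.20.0/24 gateway=10.1.20.1 dns-server=10.1.20.1 comment="IoT VLAN"

# 4. Forward chain: drop NEW sessions from the IoT VLAN into the LAN bridge.
#    Replies to LAN-initiated sessions (the phone app) are established/related,
#    not new, so they still pass. Traffic towards ether1 (internet) is not
#    matched, so the vendor's cloud control keeps working. place-before=0 puts
#    the rule ahead of any broad accept rule already in the chain.
/ip firewall filter
add chain=forward in-interface=vlan20-iot out-interface=bridge \
    connection-state=new action=drop \
    comment="IoT: no new sessions into LAN" place-before=0

# 5. Input chain: the tablet may only talk DHCP and DNS to the router itself,
#    no WinBox/SSH/web from the IoT VLAN. Accept first, then drop the rest.
add chain=input in-interface=vlan20-iot protocol=udp dst-port=53,67 \
    action=accept comment="IoT: DHCP/DNS to router" place-before=0
add chain=input in-interface=vlan20-iot protocol=tcp dst-port=53 \
    action=accept comment="IoT: DNS over TCP to router" place-before=1
add chain=input in-interface=vlan20-iot action=drop \
    comment="IoT: nothing else to router" place-before=2

# 6. IPv6 has its own firewall. Nothing advertises a v6 prefix on vlan20-iot
#    until an /ipv6 address is assigned to it; if you do that, mirror the
#    drop here or the tablet gets an IPv6 path into the LAN.
/ipv6 firewall filter
add chain=forward in-interface=vlan20-iot out-interface=bridge \
    connection-state=new action=drop \
    comment="IoT: no new v6 sessions into LAN" place-before=0
```

Two caveats before trusting it. First, check `/ip firewall filter print` afterwards: `place-before` inserts by position, so if the existing "basic firewall" already has an accept-all early in `forward` or `input`, confirm the new rules ended up above it. Second, with the bridge's `vlan-filtering` left at the default `no`, tagged frames pass through every bridge port, so any wired LAN host could tag its own frames with VLAN 20 and join the IoT subnet; that is not a path from the tablet into the LAN, so it does not weaken this isolation, but enabling bridge VLAN filtering and allowing tag 20 only on `ether2` closes it if you want it closed (do that from a console session with a safe-mode fallback, since a mistake there can lock you out of the router).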
participants (2)
-
Andrew Oakeley
-
Ben Williams