Creating a new "network interface" for IoT devices on TO running 3.11.x

Hello all,

I’m trying to create a separate network interface (br-iot) with its own DHCP range, wireless network, etc. for IoT devices. The objective is to segregate my main devices (on interface br-lan) and guest devices (br-guest_turris) from IoT devices.

I’ve chosen to model everything under the br-guest_turris network interface for br-iot.

Problem:

I’m getting these sorts of error messages in the system log:

2019-10-07 07:32:35 warning dnsmasq-dhcp[13725]: no address range available for DHCP request via br-iot
2019-10-07 07:32:39 warning dnsmasq-dhcp[13725]: no address range available for DHCP request via br-iot
2019-10-07 07:32:40 warning dnsmasq-dhcp[13725]: no address range available for DHCP request via br-iot
2019-10-07 07:32:46 warning dnsmasq-dhcp[13725]: no address range available for DHCP request via br-iot
2019-10-07 07:32:50 info kernel: [ 4210.658208] br-iot: port 2(wiot-n) entered disabled state
2019-10-07 07:32:50 info kernel: [ 4210.658354] br-iot: port 1(eth2) entered disabled state
2019-10-07 07:32:50 info kernel: [ 4210.665241] br-iot: port 1(eth2) entered disabled state
2019-10-07 07:32:50 info kernel: [ 4210.678128] br-iot: port 2(wiot-n) entered disabled state

It reads like something to do with the IoT DHCP setup is not right. Can anyone please help me to troubleshoot?

These are the parts of the files that I think are relevant, including the guest_turris equivalents that I’ve modeled my iot entries on.

/etc/config/network:

config interface 'guest_turris'
	option enabled '1'
	option type 'bridge'
	option proto 'static'
	option bridge_empty '1'
	option _orig_ifname 'wgst-n'
	option _orig_bridge 'true'
	option ifname 'wgst-n'
	option ipaddr '10.111.222.111'
	option delegate '0'
	option netmask '255.255.0.0'

config interface 'iot'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.0.0'
	option ipaddr '172.20.0.1'
	option enabled '1'
	option _orig_ifname 'eth2 wiot-n'
	option _orig_bridge 'true'
	option ifname 'eth2 wiot-n'
	option delegate '0'
	option bridge_empty '1'

/etc/config/dhcp:

config dhcp 'guest_turris'
	option interface 'guest_turris'
	option leasetime '3600'
	option ignore '0'
	option start '100'
	option limit '150'
	list dhcp_option '6,10.111.222.111'

config dhcp 'iot'
	option start '100'
	option limit '150'
	option interface 'iot'
	option leasetime '3600'
	list dhcp_option '6,172.20.0.1'
	option ignore '0'

/etc/config/wireless:

config wifi-iface 'guest_iface_1'
	option disabled '0'
	option device 'radio1'
	option mode 'ap'
	option network 'guest_turris'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option ifname 'guest_turris_1'
	option isolate '1'
	option ssid 'guestn'
	option key '1234567890'

config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option ssid 'iota'
	option network 'iot'
	option encryption 'psk2+ccmp'
	option key '0987654321'
	option ieee80211w '0'
	option ifname 'wiotn'

/etc/config/firewall:

config zone 'guest_turris'
	option enabled '1'
	option name 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'guest_turris'

config zone 'iot'
	option name 'iot'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'iot'
	option input 'REJECT'

config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option name 'guest to wan forward'
	option src 'guest_turris'
	option dest 'wan'

config forwarding 'iot_forward_wan'
	option dest 'wan'
	option src 'iot'
	option name 'iot to wan forward'
	option enabled '1'

config rule 'guest_turris_dhcp_rule'
	option name 'guest dhcp rule'
	option src 'guest_turris'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'
	option enabled '1'

config rule 'iot_dhcp_rule'
	option name 'iot dhcp rule'
	option src 'iot'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'
	option enabled '1'

config rule 'guest_turris_dns_rule'
	option name 'guest dns rule'
	option src 'guest_turris'
	option proto 'tcpudp'
	option target 'ACCEPT'
	option dest_port '53'
	option enabled '1'

config rule 'iot_dns_rule'
	option name 'iot dns rule'
	option src 'iot'
	option proto 'tcpudp'
	option target 'ACCEPT'
	option dest_port '53'
	option disabled '1'

Lastly, I didn’t make any changes to this file, but I thought I’d attach it here as well:

/etc/config/resolver:

config resolver 'common'
	list interface '0.0.0.0'
	list interface '::0'
	option port '53'
	option keyfile '/etc/root.keys'
	option verbose '0'
	option msg_buffer_size '4096'
	option msg_cache_size '20M'
	option net_ipv6 '1'
	option net_ipv4 '1'
	option forward_upstream '1'
	option prefered_resolver 'kresd'
	option ignore_root_key '0'
	option prefetch 'yes'
	option static_domains '1'
	option forward_custom '99_cloudflare'
	option dynamic_domains '1'

config resolver 'kresd'
	option rundir '/tmp/kresd'
	option include_config '/etc/kresd/custom.conf'
	option log_stderr '1'
	option log_stdout '1'
	option forks '1'
	option keep_cache '1'

config resolver 'unbound'
	option outgoing_range '60'
	option outgoing_num_tcp '1'
	option incoming_num_tcp '1'
	option msg_cache_slabs '1'
	option num_queries_per_thread '30'
	option rrset_cache_size '100K'
	option rrset_cache_slabs '1'
	option infra_cache_slabs '1'
	option infra_cache_numhosts '200'
	list access_control '0.0.0.0/0 allow'
	list access_control '::0/0 allow'
	option pidfile '/var/run/unbound.pid'
	option root_hints '/etc/unbound/named.cache'
	option target_fetch_policy '2 1 0 0 0'
	option harden_short_bufsize 'yes'
	option harden_large_queries 'yes'
	option qname_minimisation 'yes'
	option harden_below_nxdomain 'yes'
	option key_cache_size '100k'
	option key_cache_slabs '1'
	option neg_cache_size '10k'
	option prefetch_key 'yes'

config resolver 'unbound_remote_control'
	option control_enable 'yes'
	option control_use_cert 'no'
	list control_interface '127.0.0.1'

Any help and pointers greatly appreciated! Thank you.
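As an added check that is not part of the original post, the POSIX shell script below reads UCI fragments like the `/etc/config/network` and `/etc/config/dhcp` sections above and works out, per the documented meaning of `start` (offset from the network address) and `limit` (pool size), which address range dnsmasq ends up with for each `config dhcp` section, flagging any pool whose interface has no static `ipaddr`/`netmask` to build a range from. The embedded configs, the extra `orphan` pool and the minimal `uci_get` parser are constructed for the example; `uci_get` is not the `uci` CLI.

```shell
# Constructed sample: the DHCP-relevant parts of the posted network/dhcp configs, plus an
# 'orphan' pool that points at an interface which does not exist.
NETWORK_CFG="config interface 'guest_turris'
	option ipaddr '10.111.222.111'
	option netmask '255.255.0.0'
config interface 'iot'
	option ipaddr '172.20.0.1'
	option netmask '255.255.0.0'"
DHCP_CFG="config dhcp 'guest_turris'
	option interface 'guest_turris'
	option start '100'
	option limit '150'
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
config dhcp 'orphan'
	option interface 'nothere'"
# uci_get CFG SECTION OPTION: value of "option OPTION" inside "config <type> 'SECTION'"
uci_get() {
	printf '%s\n' "$1" | awk -v s="$2" -v o="$3" -v q="'" '
		$1 == "config" { in_s = ($3 == (q s q)) }
		in_s && $1 == "option" && $2 == o { gsub(q, "", $3); print $3; exit }'
}
ip2int() { echo "$1" | awk -F. '{ printf "%.0f\n", (($1*256+$2)*256+$3)*256+$4 }'; }
int2ip() { awk -v n="$1" 'BEGIN { printf "%d.%d.%d.%d\n", int(n/16777216)%256, int(n/65536)%256, int(n/256)%256, n%256 }'; }
# dhcp_pool SECTION: prints "first last" of the pool for that dhcp section. start is an
# offset from the network address (default 100), limit the pool size (default 150).
dhcp_pool() {
	iface=$(uci_get "$DHCP_CFG" "$1" interface)
	ip=$(uci_get "$NETWORK_CFG" "$iface" ipaddr)
	mask=$(uci_get "$NETWORK_CFG" "$iface" netmask)
	if [ -z "$ip" ] || [ -z "$mask" ]; then
		echo "dhcp.$1: interface '$iface' has no ipaddr/netmask, so dnsmasq gets no range" >&2
		return 1
	fi
	start=$(uci_get "$DHCP_CFG" "$1" start); limit=$(uci_get "$DHCP_CFG" "$1" limit)
	net=$(( $(ip2int "$ip") & $(ip2int "$mask") ))
	bcast=$(( net | (4294967295 - $(ip2int "$mask")) ))
	first=$(( net + ${start:-100} )); last=$(( first + ${limit:-150} - 1 ))
	if [ "$last" -ge "$bcast" ]; then
		echo "dhcp.$1: pool runs past the end of the subnet" >&2
		return 1
	fi
	echo "$(int2ip "$first") $(int2ip "$last")"
}
for s in guest_turris iot orphan; do
	pool=$(dhcp_pool "$s") && echo "dhcp.$s pool: $pool"
done
```

Note that with a /16 the pool sits at the bottom of the network (172.20.0.100 to 172.20.0.249), not next to the router address, which matters when reading dnsmasq's range warnings against the subnet.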
