Vlan separation based on MAC (specific device)

I would like to separate a work computer on my internal network provided by my employer. This computer can connect to the network via Wifi, or LAN. Providing a separate Wifi SSID with isolation is relatively easy. However, the LAN connection is a bit more challenging and I cannot find the answer in the documentation or on the Internet.

Is it possible to tag a device to be a member of a VLAN via LAN? All I can see is having any devices connected to the specified LAN interface as being members of that VLAN. However, I have another computer (my own) which I am often connecting to the LAN interface in that room, which I do not want to isolate. Is it possible to isolate a specific device only (maybe by its MAC) to be a member of a VLAN?

Many thanks in advance!

This sounds like a task for 802.1x.

Can you please tell me about this a bit more? I came across 802.1x only in relation to eduroam (academic wireless network across Europe), where the institutions agreed on a distributed authentication network, which then provides access to the particular organizational wireless. This is obviously not what I want to create at home, so please feel free to point me in the right direction, any suggestion is more than welcome.

This could be theoretically achievable by using macvlan in source mode. A simple Google search shows that there is macvlan support in OpenWRT, but I’m not sure whether source mode is also allowed.

Maybe it would be easier to use a hardware solution instead: a small manageable desktop switch separating the one cable into two based on VLAN tag.

Regarding 802.1x, I doubt that OpenWRT supports the dot1x access point role on wired ports, so this would probably not fly.

Thanks, this macvlan looks like exactly what I need, but it seems nobody has applied it yet on Turris. There is a luci-app-macvlan, I will try to play with it in the upcoming days to see whether it works or not…

Hm, I had another idea but I wonder whether my thinking is correct.

The router and my LAN are running on the 192.168.x.x subnet, but I can create a separate firewall zone, with only access to WAN not LAN, with a dedicated interface and IP, e.g. 10.8.x.x. If I then use a static IP for the MAC address, then the device will always get the 10.8.x.1 IP address.

Will this be enough, or do I still need to separate it with the firewall zone? As described earlier, I want isolation from LAN not only through Wifi but also through cable (similar to a VLAN, but only 1 device from work).