Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IOT VLAN Firewall Rules Feedback

    Scheduled Pinned Locked Moved
    Firewalling
    2
    5
    491
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rstewart
      last edited by

      I'm new to router setup and learning as much as possible. Looking for some input on my IOT VLAN firewall rules. I have a honeywell smart thermostat, and I was not able to change the temperature, it would connect but the request would not go through. I checked the firewall logs and it was blocking a request from my thermostat IP to the IOT VLAN DNS PORT 53, using the "Easy Rule" addition from the logs I added a new rule which you can see here labeled pass IOT to local dns added for thermostat and now it works as I expect it to.

      Two questions. First is this a safe setup for my an IOT specific VLAN? Is this new rule I've added done anything to compromise this VLAN?

      Second question is why is this specific rule required to update the thermostat? Shouldn't the DNS redirect Rule cover what was being blocked?

      Appreciate any feedback.

      firewallrules.PNG

      1 Reply Last reply Reply Quote 0
      • H
        hieroglyph
        last edited by

        The DNS redirect Rule has shows 0/0B under states. Does not look like anything is matching that rule at all.

        On the NAT-Port Forward page what does your DNS redirect rule look like?

        R 1 Reply Last reply Reply Quote 0
        • R
          rstewart @hieroglyph
          last edited by

          Thanks @hieroglyph, the dns redirect now shows some activity
          new_firewallrules.PNG

          here is the detailed information on the nat port forward page
          nat_dnsredirect.PNG

          mostly was looking for validation that my newly added rule didn't introduce any vulnerabilities.

          1 Reply Last reply Reply Quote 0
          • H
            hieroglyph
            last edited by hieroglyph

            Your rules do not seem to compromise anything. Devices in the IOT_DEVICES alias can reach the internet and not anything local.

            The way it is setup now, only devices who are originally not sending DNS and NTP requests to the router will be redirected back to the router. For instance if a device in the IOT_DEVICES alias is sending a DNS request to 192.168.50.1 the DNS NAT redirect will not match it. Because the redirect is looking for DNS requests not sent to 192.168.50.1.

            You need a regular firewall rule above or below "NAT VL50_IOT:DNS redirect" that allows DNS requests from the VL50_IOT net, destined to 192.168.50.1 (or This_Firewall) to pass. Do the same for the "NAT VL50_IOT: NTP redirect" rule.

            Example:
            Screenshot_2021-01-23 Firewall Rules VLAN_VPN_NETWKS - AlphaTrion tld(2).png

            R 1 Reply Last reply Reply Quote 1
            • R
              rstewart @hieroglyph
              last edited by

              Thanks again @hieroglyph . I've added rules for both NTP and DNS for This_Firewall destination. Appreciate the feedback.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.