XG (SFOS 17.5.9 MR-9) on ProtectLi FW2B
Networks:
- WAN on PORT1, 192.168.1/24, direct to DSL modem
- LAN on PORT2 untagged VLAN1, 10.10.0/24, XG-owned DHCP, static 10.10.0.1 . . 10.10.0.64
- WLAN on PORT2 untagged VLAN1, bridged to LAN
- GuestWLAN on untagged VLAN1, Separate Zone, 10.255.0.1/24, XG-owned DHCP, no static
- IoTLAN on PORT2.666 tagged VLAN666, 10.10.1.0/128, XG-owned DHCP, static 10.10.1.65 . . 10.10.1.126
- IoTWLAN on untagged VLAN1, Separate Zone, 10.10.1.129/128, XG-owned DHCP, static 10.10.1.194 . . 10.255.1.254
XG firewall policies reject traffic between WLAN/LAN and IoT networks with single LAN-to-IoTLAN/WLAN management rule.
DHCP options "Accept client request via relay" and "Conflict detection" are disabled
Scenario:
I established separate XG- and switch- managed networks to reduce the threat of IoT devices to the service LAN / WLAN. I assign a static IP in the WLAN to my Android phone support a firewall rule allowing all traffic from the phone to the IoT networks (still working out the traffic profile of some of the apps) for device management.
Because some IoT management apps use broadcast traffic (not configurable) to discover devices on the network, I have to move the phone to the IoTWLAN to find them. While the phone is in the IoTWLAN, it needs freer WAN access than the devices get so that it can acquire updates for the devices, requiring a separate IP-specific phone rule. IoTWLAN and IoTLAN rules are device- or device-type- specific, and generally WAN-restricted to NTP and HTTP/S to specific destinations only.
I assigned a static IP to the phone in the WLAN so that only it has access to the IoT nets for management using apps that support directed traffic. If I try to assign a static IP in the IoTWLAN, XG complains about duplicate MACs.There is no scenario where this device can simultaneously exist in multiple WLANs.
This thread was automatically locked due to age.
