Hi folks,
I've had a new air conditioning controller installed, an Airtouch 4. Turns
out it's just a little tablet running Android 6.0 - truly an example of the
old phrase, "the S in IOT stands for Security" :D It connects to wifi and
offers remote control (both on the local network and over the internet). So
I'm thinking what I want to do is isolate it on its own vlan that has no
outgoing access to the rest of my network, but still has external internet
access and inbound access from the LAN so the phone apps still work to
control it.
I've got a Mikrotik 951G-2HnD running RouterOS 6.49.2, with LAN (NBN HFC)
hanging off port 1, a single Unifi wireless AP hanging off port 2 (the
951G's wireless is turned off), and other stuff off ports 3, 4, & 5 (other
switches, a NAS, etc). It's all on a single network; the 951G runs DHCP for
10.1.1.0/24 on the bridge interface, there's a basic firewall configured,
and IPv6 is enabled and running.
So I assume what I need to do is some kind of vlan config to separate
traffic, and some routing and firewall config, but I really am not sure how
to achieve it. Maybe something like:
- Create 2 new vlans, one for the unrestricted devices and one that I'll
use for isolated devices
- Add both vlans to all ports? The Unifi AP can do vlan tagging by the
looks, so I could create a separate wireless network for the restricted
vlan as well. (Or maybe the easier way would be to turn the 951G's wireless
back on purely for this restricted access, take the Unifi AP out of the
picture)
- Create a new DHCP range for the restricted vlan (can I decide which dhcp
range will respond based on the vlan tag?)
- Create a new firewall config to prevent the restricted vlan from
communicating to the unrestricted vlan?
- Routing config of some kind?
I'm not much of a networker, so any help would be much appreciated.
- Ben
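One way to build the plan above in RouterOS 6 (an added example, not from the original post or any reply): a single restricted VLAN carried tagged to the AP port, its own DHCP server, and forward/input rules that let the LAN and the internet reach the restricted subnet while it cannot initiate anything toward the LAN. Assumed names and values: the bridge is called "bridge", ether1 is the WAN, ether2 is the Unifi AP, the existing untagged LAN stays 10.1.1.0/24, and VLAN 20 with 10.1.20.0/24 is chosen for the restricted network.

```routeros
# Added example (not from the original post). Assumptions: the bridge is named
# "bridge", the WAN is ether1, the Unifi AP is on ether2, the existing untagged
# LAN stays as 10.1.1.0/24, and VLAN id 20 / 10.1.20.0/24 are chosen here for
# the restricted network. Apply from a terminal in Safe Mode (Ctrl-X) so a
# mistake in the bridge VLAN step does not lock you out.

# 1. Restricted VLAN, carried tagged between the router CPU and the AP port.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface vlan
add name=vlan-iot interface=bridge vlan-id=20
/interface bridge
set bridge vlan-filtering=yes

# 2. Router address and a DHCP server bound to the VLAN interface. DHCP in
#    RouterOS answers per interface, so the VLAN tag decides which pool replies.
/ip address
add address=10.1.20.1/24 interface=vlan-iot
/ip pool
add name=pool-iot ranges=10.1.20.100-10.1.20.199
/ip dhcp-server
add name=dhcp-iot interface=vlan-iot address-pool=pool-iot disabled=no
/ip dhcp-server network
add address=10.1.20.0/24 gateway=10.1.20.1 dns-server=10.1.20.1

# 3. Firewall. Order matters: these rules must sit above any general "accept"
#    in the forward/input chains (check with /ip firewall filter print and
#    reorder with "move" if needed).
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies, including answers to LAN-initiated control sessions"
add chain=forward in-interface=vlan-iot out-interface=bridge action=drop comment="IoT may not initiate anything toward the LAN"
add chain=input in-interface=vlan-iot protocol=udp dst-port=53,67 action=accept comment="IoT may use the router for DNS and DHCP"
add chain=input in-interface=vlan-iot action=drop comment="IoT gets nothing else from the router itself"
# Internet access works through the existing masquerade rule as long as it
# matches out-interface=ether1 without a src-address=10.1.1.0/24 restriction.

# 4. IPv6 is enabled, so block the same direction there too (v6 has no NAT
#    hiding the restricted subnet).
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept comment="IPv6 replies to LAN-initiated sessions"
add chain=forward in-interface=vlan-iot out-interface=bridge action=drop comment="IoT may not initiate toward the LAN over IPv6"
```

On the Unifi side, create a second SSID on the controller with VLAN 20 set on it; the AP then tags that SSID's traffic and ether2 delivers it into the restricted VLAN while the existing SSID stays untagged on the LAN.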