Managing Your Internet Of  

This is yet another note to self on setting up my home network to isolate ‘smart’ and other IoT devices into their own networks and subnets, while keeping a functional UX for the family.


End Goal

Here’s an outline of the end goal in ASCII art:

                                                  / WLAN B1 ( - Misc. Devices
ISP -- Gateway/Router-A ---- Gateway/Router-B ---- WLAN B2 ( - IoT Devices
             |                  (DD-WRT)      \
             |                                 \ LAN B3 (
          WLAN A1                                   |          |
          (                                     AppleTV   Chromecast
          |     |     |
          Mobile Phones

Choosing a version of DD-WRT

The firmware version recommended in DD-WRT’s router database is quite dated, and the bleeding-edge betas from the forums aren’t always dependable, so I’ve recently started picking up the builds recommended on flashrouter.

Virtual Interface (WLAN) and VLAN Setup

Router-B runs DD-WRT firmware in Gateway mode. The basic setup is a straightforward adaptation of the Guest Wi-Fi setup on the dd-wrt wiki: under Wireless > Basic Settings, add a new Virtual Interface with AP Isolation enabled, and give it an Unbridged network configuration with NAT, Net Isolation and DNS Redirection enabled. In addition, I have a VLAN set up for LAN B3 on one of the physical LAN ports of the router; the VLAN is configured similarly under Setup > Networking. The IP address/subnet entered here is that of the interface, e.g. 10.x.y.z/24. At the bottom of Setup > Networking, under DHCPD, I set up a separate DHCP server for each of the WLANs and the VLAN.

Virtual Interface Setup

mDNS Setup for Media Devices

These rely on mDNS broadcasts to allow client devices to discover services. By default, however, these broadcasts are local to the subnet of the (AppleTV/Chromecast) device and do not reach the other subnets. A solution for reflecting them across subnets/interfaces is avahi-daemon. Fortunately, DD-WRT supports installing tools such as this via Entware’s opkg command. I have Entware running off a tiny flash drive, set up as described in installing Entware, followed by opkg update && opkg upgrade && opkg install avahi-utils. Here’s my /opt/etc/avahi/avahi-daemon.conf 1:


This snippet in Administration > Commands > Save Startup will auto start avahi-daemon:

# Start avahi/mDNS
echo "nogroup:x:114:nobody" >> /etc/group
/opt/etc/init.d/rc.unslung start

And save the following with ‘Save Firewall’. [The TTL bit was a nice find][1].

# Chromecast/AppleTV discovery: SSDP (UDP 1900) and mDNS (UDP 5353) on vlan6 (AppleTV/Chromecast) and from the WAN side
iptables -I INPUT -p udp --dport 1900 -i `get_wanface` -j ACCEPT
iptables -I INPUT -p udp --dport 1900 -i vlan6 -j ACCEPT
iptables -I FORWARD -p udp --dport 5353 -i `get_wanface` -j ACCEPT
iptables -I FORWARD -p udp --dport 5353 -i vlan6 -j ACCEPT
iptables -I INPUT -p udp --dport 5353 -i `get_wanface` -j ACCEPT
iptables -I INPUT -p udp --dport 5353 -i vlan6 -j ACCEPT

# Increase IP TTL so it can go an extra hop
iptables -t mangle -A PREROUTING -d -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -d -j TTL --ttl-inc 1

I verified that avahi-daemon/mDNS was working by firing up Tildesoft’s Discovery app and looking for my devices, and also by firing up the YouTube app for casting and the phone’s AirPlay to mirror the screen. The devices are now discoverable by phones and other clients.

However, the actual AirPlay mirroring and casting don’t work :-)

Static Route

mDNS discovery responses contain the IP/Port of the service so clients know how to reach these devices.


Starting with a simple traceroute from WLAN A1 in subnet, it was clear that the network did not know how to route the packets destined for. So a friend suggested adding a static route in Gateway/Router-A for packets bound to, with Gateway. After that, traceroute went as far as the gateway and stopped there with 100% packet loss.


The final piece of the puzzle was in figuring out the firewall rules. I started off with a catchall rule that accepted all forwarded traffic to vlan2 (which is the default WAN interface on DD-WRT devices; run get_wanface in an SSH session into your router to check).

Then I added FORWARD rules for ports 8008, 8009 and the high ports, an adaptation from 2, to the ‘Save Firewall’ script. Note that I had also added TCP ports based on a packet type seen in a Wireshark capture of the session that failed to connect with the firewall enabled for UDP packets.

# Punch a hole out of the router into the private 'WAN'
iptables -I FORWARD -i vlan2 -p tcp --dport 7000 -j ACCEPT
iptables -I FORWARD -i vlan2 -p tcp -m multiport --sports 32768:61000 --dports 32768:61000 -j ACCEPT
iptables -I FORWARD -i vlan2 -p tcp -m multiport --dports 8008:8009 -j ACCEPT
# vlan6: Media Center
iptables -I FORWARD -i vlan6 -p tcp --dport 7000 -j ACCEPT
iptables -I FORWARD -i vlan6 -p tcp -m multiport --sports 32768:61000 --dports 32768:61000 -j ACCEPT
iptables -I FORWARD -i vlan6 -p tcp -m multiport --dports 8008:8009 -j ACCEPT
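A tighter version of these FORWARD rules, as an added example rather than the post’s own script: each exception is pinned to a media device’s address and to the phones’ subnet, and connection tracking passes the replies instead of mirrored rules on vlan6. The device addresses (10.0.6.10, 10.0.6.11) and the phone subnet (10.0.1.0/24) are constructed values, not from the post; vlan2, vlan6 and get_wanface follow the post.

```shell
#!/bin/sh
# Added example of a tighter DD-WRT "Save Firewall" script; not the post's rules.
# Constructed values (not from the post): AppleTV 10.0.6.10 and Chromecast
# 10.0.6.11 on vlan6; phones in 10.0.1.0/24 behind Router-A.
# Set IPT="echo iptables" for a dry run that prints rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-$(get_wanface 2>/dev/null || echo vlan2)}"   # vlan2 is the DD-WRT default
MEDIA_IF="${MEDIA_IF:-vlan6}"
PHONES_NET="${PHONES_NET:-10.0.1.0/24}"
MEDIA_HOSTS="${MEDIA_HOSTS:-10.0.6.10 10.0.6.11}"

# Replies to accepted flows pass without opening ports in the other direction,
# so the media side needs no mirrored rules unless a device dials out itself.
allow_established() {
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Open only the casting/AirPlay ports, only from the phone subnet, and only
# to the named media hosts, instead of "any high port to anything" from vlan2.
media_rules() {
    for host in $MEDIA_HOSTS; do
        $IPT -I FORWARD -i "$WAN" -s "$PHONES_NET" -d "$host" -p tcp --dport 7000 -j ACCEPT                    # AirPlay
        $IPT -I FORWARD -i "$WAN" -s "$PHONES_NET" -d "$host" -p tcp -m multiport --dports 8008,8009 -j ACCEPT # Cast
        $IPT -I FORWARD -i "$WAN" -s "$PHONES_NET" -d "$host" -p tcp --dport 32768:61000 -j ACCEPT             # session ports
    done
    # mDNS is answered by avahi on the router itself, hence INPUT rather than FORWARD
    $IPT -I INPUT -i "$WAN" -p udp --dport 5353 -j ACCEPT
    $IPT -I INPUT -i "$MEDIA_IF" -p udp --dport 5353 -j ACCEPT
}

# Number of rules media_rules would install, computed in a dry-run subshell
media_rule_count() {
    ( IPT="echo iptables"; media_rules | grep -c . )
}

# Only touch the live firewall when explicitly asked: `sh firewall.sh apply`
case "${1:-}" in
    apply) allow_established; media_rules ;;
esac
```

Paste it into ‘Save Firewall’ with the `apply` call made unconditional, or run it as a file with `IPT="echo iptables" sh firewall.sh apply` first to review the exact rules.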

### Caveat

We have some early Wemo light switches which did not really play nice with AP and Net Isolation on the Virtual Interfaces, so for the corresponding VAP, these are disabled.


And, that’s all folks. With this, I have devices isolated in their own networks/subnets that are firewalled off, but still usable across subnets for casting/AirPlay mirroring.


Thanks to the DD-WRT contributors and community for the very usable software and readable documentation. Thank you to the authors of and for the very helpful tips. Many thanks to @zyxmon and @ryzhovau of Entware for quickly fixing a bug with avahi-utils on DD-WRT.

And of course, to my family, for bearing with many, many, many network disruptions!