Device Isolation whitelist exceptions

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-08-20 18:04:20 - last edited 2023-08-20 18:32:53
Model: Archer BE800  
Hardware Version: V1
Firmware Version: 1.0.6 Build 20230706 rel.60826(5553)

I'm using IoT Network for various devices: Rain Machine, Ring, Fridge, Alexa/Google devices, etc.

 

Due to the BE800 not supporting DNS over HTTPS, I'm having to run Pi-hole and Cloudflared dockers on my two Unraid servers to provide DNS to my network (using a Control D resolver):

 

DNS-Over-HTTPS proxies (DNS lookups via Control D) 
192.168.50.2 = cloudflared docker on Unraid Box 1
192.168.50.4 = cloudflared docker on Unraid Box 2

 

DNS Servers
192.168.50.3 = pi-hole docker on Unraid Box 1
192.168.50.5 = pi-hole docker on Unraid Box 2

 

DHCP Server
192.168.50.3 = pi-hole docker on Unraid Box 1

(providing 192.168.50.6 - .254; on my BE800 I have DHCP disabled)

 

The issue is, if I turn on Device Isolation and select my IoT devices, they can no longer communicate with my local DHCP or DNS servers.

If I use the BE800 as the DHCP server, then the IoT devices get an address, but they still cannot reach my local DNS servers.

 

If a feature could be added to the BE800 which allows exceptions to be made to Device Isolation, that'd be great. Essentially, if I could put in IP addresses which should be whitelisted and accessible to all devices that are part of Device Isolation, then my DHCP and DNS servers would work.

i.e., allow me to whitelist 192.168.50.3 and 192.168.50.5.

 

Then, my Ring devices, fridge, etc., could be put into Device Isolation and they would still be able to communicate with each other, but also have access to my two whitelisted IPs.

 

Alternatively, I would be able to get rid of my pi-hole and cloudflared dockers entirely if DNS over HTTPS was a feature in the BE800 interface. Unfortunately, I can only enter IP addresses, and DoT/DoH are not supported. It's a catch-22. Using IP DNS and BE800 DHCP, Device Isolation works fine -- but I don't want to use IP DNS. So at this point, I'm forced to choose between enabling Device Isolation or using DoH, and for now, I'm having to leave Device Isolation off.

#1
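As an added illustration (not code from the post or from TP-Link's firmware) of the exception the post asks for, the following Python model evaluates individual flows against Device Isolation with an allow-list of LAN services. The allow-listed addresses are the pi-hole hosts named above; the isolated device addresses are constructed, and the internet and DHCP cases are included because those are what the rule must not break.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the requested feature: an isolated device may reach its
# isolated peers, the internet, and an explicit list of LAN services (the
# pi-hole DNS/DHCP hosts from the post), and nothing else on the LAN.
LAN = ipaddress.ip_network("192.168.50.0/24")
ISOLATED = {"192.168.50.20", "192.168.50.21"}    # constructed: e.g. Ring, fridge
ALLOW_LIST = {"192.168.50.3", "192.168.50.5"}     # pi-hole hosts from the post
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int


def is_dhcp_discover(f: Flow) -> bool:
    # A client without a lease sends UDP 68->67 from 0.0.0.0 to the broadcast
    # address; dropping this is what leaves isolated devices without an address.
    return f.proto == "udp" and f.dport == 67 and f.dst == BROADCAST


def is_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def allowed(f: Flow) -> tuple[bool, str]:
    """Decide one flow; returns (verdict, reason) so decisions can be logged."""
    if is_dhcp_discover(f):
        return True, "dhcp discover/request to broadcast"
    src_iso, dst_iso = f.src in ISOLATED, f.dst in ISOLATED
    if not (src_iso or dst_iso):
        return True, "neither endpoint is isolated"
    if src_iso and dst_iso:
        return True, "isolated devices may talk to each other"
    if src_iso and not is_lan(f.dst):
        return True, "isolated device to internet"
    if f.src in ALLOW_LIST or f.dst in ALLOW_LIST:
        return True, "allow-listed LAN service (DNS/DHCP)"
    return False, "isolation blocks LAN access"


def dns_reachable(client: str) -> bool:
    # Only the first hop of the post's chain (client -> pi-hole -> cloudflared ->
    # Control D) crosses the isolation boundary, so that is the hop to check.
    return all(allowed(Flow(client, dns, "udp", 53))[0] for dns in sorted(ALLOW_LIST))
```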
Re: Device Isolation whitelist exceptions
2023-08-20 20:10:56 - last edited 2023-08-20 20:11:34

Workaround:

- Enable Control D's Legacy Resolver IPs and set up TP-Link DDNS.

- Update WAN and DHCP to use Legacy Resolver IPs

- Enable Device Isolation

 

Not as good a solution as native DoH supporting hostname entry on the BE800, but it at least works and resolves my issue.

#2