Separating IOT devices

wormvortex

Member
Looking at getting into the whole smart lights/sensors etc... but I'm well aware of the risks of some of them when on your local network with other devices, so I was looking at purchasing a switch which will allow me to set up different VLANs to keep the IoT devices separate from my proper devices like MacBook/server etc...

Would something like this do what I want:

Amazon product



My second question is, obviously these devices are going to be wireless so I'll need a separate wifi AP for this. My plan was to buy a wifi AP (or re-use my old spare home hub) and connect it to VLAN 1 (which would be my IoT LAN) and then connect my computers to VLAN 2. However, at the moment my wifi comes from a BT Smart Hub and I've got the black wifi discs, and I don't see how it would be possible to have these connected to VLAN 1, so would I therefore need another wifi AP to provide wifi for VLAN 1?

So in essence would I need:
a router (BT hub and switch the wifi off)
a switch to create 2 vlans
2 additional wifi APs (or old BT hubs with DHCP etc... disabled) with different SSIDs

Hope this all makes sense haha.
 

jaspermycat

Active Member
You will need a switch that supports VLANs. The routers provided by VM, BT etc. will not support this functionality.

On the switch side, you have 1 trunk port which will allow all VLAN traffic; this port you would uplink to your broadband router.

On the same switch create another VLAN for your IoT devices and assign one of the ports on the switch to this VLAN. The WiFi AP that is dedicated to your IoT devices, you connect to this VLAN port.

BTW VLAN 1 on most switches is the default VLAN, so in your case use another VLAN ID for your IoT devices (I use 66 and have a network of 192.168.66.0/24).

Hope that makes sense
 

wormvortex

Member

Makes sense, yes. Would I still need to have a separate WiFi AP for all my laptops etc., as if I use the home hub's WiFi it will be outside of the VLANs, or would it not matter?
 

mickevh

Distinguished Member
It depends on the APs and what functionality they have:

Enterprise and some "prosumer" type equipment (Ubiquiti, for example) avail multiple SSIDs and each SSID can be bound to a separate VLAN. The ethernet port on such APs then functions as a "trunk" port carrying the VLAN-tagged traffic of multiple VLANs up to a trunk port on the network switch (or possibly router in the SOHO use case) they connect to, which keeps everything nicely separated. (It's what I do in big "enterprise" networks.)

SOHO APs, being much simpler, often do not avail such functionality. Cheap stuff is cheap for a reason.

So, you face a choice: either use some additional physical APs to avail multiple SSIDs and ascribe the ports on your VLAN-capable switch to effectively determine which SSID lands in which VLAN. Or, if you are going to be spending money on new APs anyway, acquire some APs that are multiple-SSID and VLAN capable and use them as I've described above. Though check the spec carefully to be sure they can do both parts: multiple SSIDs and trunk ports carrying tagged VLAN traffic.

There's no real "right" and "wrong" way to do this; both approaches will "work." However, one obviously requires more APs than the other. There's an argument that using multi-SSID/VLAN-capable APs needs you to deploy less kit, and managing the radio channel plan will be a bit easier. (Multi-SSID APs will generally use the same radio channel per AP, so it's fewer APs to consider when devising the RF channel plan.)

I would also echo what @jaspermycat says: you're going to need a router that can route multiple subnets, either with separate physical ports for each VLAN or supporting trunk ports. Again, cheap SOHO kit often does not do this, especially the freebies your ISP supplied. Which VLAN your ISP router's Wi-Fi SSID will appear in will depend on which VLAN the interlink between the ISP router and your switch is connected to (you can still use it), as your ISP router will almost certainly have no VLAN capability.

Given the amount of kit you are going to be buying here, maybe you want to have a look at something like a Ubiquiti combined "system" (of router, switch(es) and APs) that can do all this and gives you an integrated platform to manage it all from a single UI. I haven't ever used Ubiquiti and am not a cheerleader for them, but others here at AVF have and speak well of it. Doubtless there are similar prosumer offerings from other suppliers. Or there's nothing to stop you achieving it all using different vendors' kit (again, we do it all the time "in business"), each with its own management.
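To make the trunk/access distinction above concrete, here is an added example (my own illustration, not code from anyone in this thread or from any switch vendor) of how a VLAN-capable switch classifies a frame on ingress and tags it on egress. It shows why a simple AP cabled to an access port lands in exactly one VLAN, why a multi-SSID AP needs a trunk port that accepts tagged frames, and why an untagged frame arriving on a trunk drops into the native VLAN, which is VLAN 1 unless you change it. The port table, MAC addresses and frames are constructed for the example, and the rule that an access port discards tagged frames is an assumption (some switches are more lenient).

```python
"""802.1Q ingress classification and egress tagging, as a VLAN-capable switch does it.

Added example for this thread, not vendor code. The port table and frames are
constructed; access-port behaviour on tagged frames is an assumption.
"""
from dataclasses import dataclass
import struct

ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q tag after the MAC addresses


def build_frame(dst: bytes, src: bytes, payload: bytes, vlan=None, etype=0x0800, pcp=0) -> bytes:
    """Ethernet II frame, optionally with an 802.1Q tag (TPID + TCI) inserted after the MACs."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", etype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, etype, frame[14:]


@dataclass(frozen=True)
class Port:
    mode: str                          # "access" (one VLAN, untagged) or "trunk" (many VLANs, tagged)
    pvid: int = 1                      # access VLAN, or the native (untagged) VLAN on a trunk
    allowed: frozenset = frozenset()   # tagged VLAN IDs accepted on a trunk


def classify_ingress(port: Port, frame: bytes):
    """VLAN the frame is assigned to on arrival, or None if the port discards it."""
    vid = parse_frame(frame)[2]
    if port.mode == "access":
        # Assumption: an access port takes only untagged frames; a tagged frame is dropped.
        return port.pvid if vid is None else None
    if vid is None:
        return port.pvid               # untagged on a trunk falls into the native VLAN (1 by default)
    return vid if vid in port.allowed else None


def egress_frame(port: Port, vlan: int, frame: bytes):
    """Frame as it leaves the port: untagged on access/native, tagged otherwise, None if not carried."""
    dst, src, _, etype, payload = parse_frame(frame)
    if port.mode == "access":
        return build_frame(dst, src, payload, None, etype) if vlan == port.pvid else None
    if vlan == port.pvid:
        return build_frame(dst, src, payload, None, etype)
    return build_frame(dst, src, payload, vlan, etype) if vlan in port.allowed else None


# Constructed sample MACs: the AP and the switch.
AP_MAC = b"\x00\x11\x22\x33\x44\x55"
SW_MAC = b"\x66\x77\x88\x99\xaa\xbb"


def demo():
    """Walk one frame through a trunk (multi-SSID AP) and an access port (single IoT AP)."""
    trunk = Port("trunk", pvid=1, allowed=frozenset({10, 66}))   # uplink to a multi-SSID AP
    iot_access = Port("access", pvid=66)                          # port for a plain IoT-only AP
    tagged_iot = build_frame(SW_MAC, AP_MAC, b"iot data", vlan=66)
    untagged = build_frame(SW_MAC, AP_MAC, b"who knows")
    return {
        "trunk_tagged_66": classify_ingress(trunk, tagged_iot),     # 66
        "trunk_untagged": classify_ingress(trunk, untagged),        # 1: the native VLAN trap
        "access_untagged": classify_ingress(iot_access, untagged),  # 66
        "access_tagged": classify_ingress(iot_access, tagged_iot),  # None: dropped
        "out_to_iot_ap_has_tag": parse_frame(egress_frame(iot_access, 66, tagged_iot))[2],  # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical check this models: an AP advertised as "VLAN capable" must both send frames tagged with the VLAN of the SSID they came from and accept tagged frames back; if it only ever emits untagged frames, everything it carries ends up in the native VLAN of the switch port, regardless of SSID.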
 

oneman

Well-known Member
As mentioned above the problem is you will need to swap your router as well.

I know VM Superhub supports guest networks (similar concept to DMZ) which don't have internal access, don't know if the BT hub supports this.
 
Sorry, late to the conversation... it's a royal pain trying to do the sort of network segmentation that you are describing in a home environment with IoT devices. I tried and gave up, because there are just too many occasions when device A (a PC, for example) needs to communicate with device B on another network segment, and home routers lack the management / advanced firewall functionality to do this in a meaningful way. You need something that can do more than just allow / deny certain network service ports.

Unless you have an (expensive) enterprise class Firewall from the likes of CheckPoint it's just going to be too difficult to achieve security and still allow the sort of accessibility that you'd be happy to live with. Remember that you're introducing these devices to make life easier, not harder.

Switches that support VLANs don't really help, because whilst they provide network segregation, they don't provide any means of controlling network to network communication in a managed (secured) way - and that's ultimately what you're trying to do.

It's certainly a market that's under represented by workable solutions...

We need a range of Pro-consumer IoT firewalls for the home - but I suspect not many people would be prepared to pay the costs, and companies would recoil at the amount of support calls they would have to endure...

CheckPoint have some edge devices designed for use in a small office, but they are still too expensive for the home.

Regards,
James.
 

jaspermycat

Active Member
A pfSense firewall, which is free, supports VLANs; adding a VLAN-capable switch, you can create rules on pfSense to allow traffic between the various VLANs.
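The point both of the last two posts circle around is that the switch only separates broadcast domains; the router/firewall sitting between the VLANs is what decides which traffic crosses. Below is an added example (my own model, not pfSense code or anything posted in this thread) of an inter-VLAN policy evaluated the way pfSense does it: rules are checked on the interface where the packet arrives, the first match wins, and replies to established flows are allowed by connection state rather than by a rule. It also shows the classic mistake of a bare "pass any" rule on the IoT interface, which lets IoT devices reach the LAN. Interface names (lan, iot), the subnets 192.168.10.0/24 and 192.168.66.0/24, the MQTT broker address and the rule table are assumptions chosen for the illustration.

```python
"""Inter-VLAN policy evaluated pfSense-style: per ingress interface, first match
wins, replies pass by state, implicit default deny.

Added example for this thread, not pfSense code. Interface names, subnets and
the rule table are assumptions for illustration.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    iface: str        # ingress interface, i.e. the VLAN the packet arrives from
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                   # "pass" or "block"
    src: Optional[str] = None     # CIDR, or None for any
    dst: Optional[str] = None     # CIDR, "rfc1918", "internet" (= not RFC1918), or None for any
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst == "rfc1918" and not is_private(pkt.dst):
            return False
        if self.dst == "internet" and is_private(pkt.dst):
            return False
        if self.dst not in (None, "rfc1918", "internet") and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # established flows as (src, sport, dst, dport, proto)

    def filter(self, pkt: Packet) -> str:
        # Stateful shortcut: a packet travelling back along an established flow passes.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "pass"
        for rule in self.rules:          # first match wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action
        return "block"                   # implicit default deny


def segmented_policy() -> Firewall:
    """LAN reaches anything; IoT reaches the Internet plus one MQTT broker on the LAN and nothing
    else local; one IoT device is kept off the Internet entirely. Order matters: the specific pass
    and the RFC1918 block must sit above the catch-all pass."""
    return Firewall([
        Rule("lan", "pass"),
        Rule("iot", "pass", dst="192.168.10.5/32", proto="tcp", dport=1883),   # broker on the LAN
        Rule("iot", "block", src="192.168.66.30/32", dst="internet"),          # LAN-only device
        Rule("iot", "block", dst="rfc1918"),                                   # no IoT -> any private net
        Rule("iot", "pass"),                                                   # IoT -> Internet
    ])


def naive_policy() -> Firewall:
    """The common mistake: 'pass any' on the IoT interface also passes IoT -> LAN."""
    return Firewall([Rule("lan", "pass"), Rule("iot", "pass")])


if __name__ == "__main__":
    fw = segmented_policy()
    print(fw.filter(Packet("iot", "192.168.66.20", 40000, "8.8.8.8", 443)))        # pass
    print(fw.filter(Packet("iot", "192.168.66.20", 40001, "192.168.10.5", 445)))   # block
    print(naive_policy().filter(Packet("iot", "192.168.66.20", 40001, "192.168.10.5", 445)))  # pass
```

Two practical notes from the model: pfSense evaluates rules on the interface the packet enters, so the IoT restrictions belong on the IoT interface's rule set, not on LAN; and "block RFC1918" should be an alias covering all three private ranges, since an IoT device that can reach 10.x or 172.16.x when only 192.168.x is blocked is still on your management network if you ever renumber.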
 

Seb Briggs

Distinguished Member
Ubiquiti UDM Pro plus Ubiquiti APs and switch for me.

I know not cheap but just works and does all I want with vlans, multiple ssids etc
 
A pfsense firewall which is free, supports VLAN's, adding a VLAN capable switch you can create rules on the pfsense to allow traffic between the various VLAN's

How are you securing your wireless devices via pfSense - Are they all on the same VLAN?

I looked at pfSense and OPNsense and their capabilities seemed limited with regard to wireless connectivity.

Are you running pfSense on a dedicated device or on a PC?

Are you using a separate (dedicated) WAPs for each security zone?

It would be really great if you could describe what your environment looks like (Visio diagram would be even better!) ?

I really struggled to find good documentation. All of the ‘how to’ docs I’ve looked at have all the wireless devices on the same internal network (same security zone) which defeats what I’m trying to achieve.


Minimum Required Segmentation (Security Zones):

1. IoT devices (Amazon Echos, TVs, Smart 'phone, iPads etc).
2. Computers (Laptops, Desktops & Servers)
3. CCTV PVR and Cameras

Security Zones 1 and 2 both contain wired and wireless devices. Zone 3 is wired.

I currently have 6 NetGear GS108Ev3 switches and 1 NetGear GS116Ev2. These all support VLANs.

Regards,
James.
 

mickevh

Distinguished Member
When it comes to IP routing etc. in pfSense (or anything else), it doesn't matter whether the relevant traffic originally came from a wired ethernet device or a Wi-Fi device; by the time the traffic is decomposed to extract the IP datagrams it's all identical, it's all "IP."

Wi-Fi APs convert the packet format between Wi-Fi format and ethernet format as they forward it on to the rest of the (wired) network, and from that point it's then indistinguishable from any other traffic as it's all "ethernet," so again there's no way to detect (without a really deep dive into the content of the data) that the original source was a Wi-Fi device.

However, as has been observed, the "challenge" is that we have multiple IP subnets and need the tools and expertise to be able to create the relevant VLANs, routes, NAT traversals, ACLs, firewall rules, etc. etc. between multiple IP subnets, i.e. the "main" subnet, the "IoT" subnet and the Internet. (Also, if I were going to all that trouble, I would set up a "guest" subnet whilst I was at it, and possibly one for VoIP handsets if I had any.)

As observed, basic SOHO kit just doesn't have such functionality or granularity of control. Even for kit that does, it's going to require some "setting up"; I think it's unlikely to be a case of power up box X and "tada" it's all done for us.

I'm not sure we quite need the expense and complexity of something like a Checkpoint, but for sure we need something that can route multiple IP subnets and avail the level of separation and protection we require. I tend to think the biggest (mental) challenge for newbies and lay people used to a single flat subnet is going to be the broadcast traffic, which is going to need special handling to get it across layer 3 boundaries (i.e. routers), as that's a bit of an uptick in the expertise required to understand how it's all working.
 
Purely by coincidence, Steve Gibson on his weekly "Security Now" Podcast [Episode 855 (25 Jan 2022) available through Twit.TV] talked about how he uses pfSense on his network(s) and the appliances he runs it on.

Steve uses a Netgate 1000 (no longer for sale - replaced with an improved 1100 model). This has 3 x Gigabit network interfaces and is available for $189.

At his other location he runs pfSense on a Protectli.com device (various different appliances are available).

Netgate is the project sponsor for pfSense. The Protectli.com appliances are platform agnostic and can be used for different purposes - they are not specifically designed with pfSense in mind.

The Netgate 2100 (Base) is available for $349 which has 1 x WAN, plus 4 x Gigabit Ethernet ports. The price includes 4 GB RAM and 8 GB Storage which is sufficient for running pfSense. For $392 you can get the Netgate 2100 (Max) which is the same appliance with 32 GB Storage.


Regards,
James.
 

Seb Briggs

Distinguished Member
The Ubiquiti UDM Pro is $379 including an 8 port switch.

 

jaspermycat

Active Member
How are you securing your wireless devices via pfSense - Are they all on the same VLAN?

2 VLANs: primary VLAN 10 and VLAN 66 for other devices.

I looked at pfSense and OPNsense and their capabilities seemed limited with regard to wireless connectivity.

pfSense does support wireless if a wifi adapter is installed, but it's not recommended and from what I have read it has issues. Why run a firewall/router as an access point as well? Have a dedicated wireless access point.

Are you running pfSense on a dedicated device or on a PC? Yes, an i3 CPU, 80 GB HDD and 4 GB RAM.

Are you using separate (dedicated) WAPs for each security zone? I have 2 WAPs, each one assigned to one of the 2 VLANs.

It would be really great if you could describe what your environment looks like (Visio diagram would be even better!)? See attached - not the best, but I knocked it up in MS Paint.

On my Cisco 2960X port 1 is a trunk port, and that connects to the pfSense box on the LAN port. The WAN port on pfSense goes to my Virgin Media SH, which is in modem-only mode. Not included in the diagram, but I also have a secondary WAN on pfSense where I have a 4G router plugged in; this is my secondary internet and pfSense is configured to fail over to this if the VM goes down.

I have various ports configured on the 2960X for a dedicated VLAN.

(attached diagram: 1643208684949.png)
 
There seem to be a fair few people recommending Intel x86-64 processors over ARM Cortex processors when it comes to hardware devices that can run pfSense...

Also, I see that Sophos will provide a Free home licence for their full firewall product - you just have to provide the hardware to run it (it only runs on Intel x86-64 not ARM).

Regards,
James.
 

mickevh

Distinguished Member
I find generally the biggest factor that informs what processor/RAM is required in a routing device is the volume of traffic you need it to handle. The "processing" one expects to do on this traffic is also a factor: for example, for like-for-like traffic levels, if one was "just" routing, we'd need less CPU horsepower and RAM than if we were also running the same traffic pattern and volume through NAT and firewall, a bunch of ACLs and stuff like web content filtering. And other "smart" applications higher up the protocol stack can really cane it.

One place I worked we ran a software-based router/NAT/firewall/content-filter with a bunch of other toys. It was basically a customised "turnkey" Linux distro, but being a software product it was handy that we could run it on an available PC rather than dedicated specialist hardware. (Great when the applicable PC died: we just grabbed another one, slapped in enough NICs, installed the product, restored the ruleset from backup and we were up and running again in a couple of hours.) Over time, as the size of our user base grew and our Internet bandwidth went up and up and therefore our traffic level grew, we had to transition to ever more powerful PCs. Last time I worked there, it was running on an enterprise-class server platform with multiple multi-core processors and a ton of RAM, though it didn't need much HDD.

I concede this comment is anecdotal, but I hate Sophos with a passion; I've been bitten by it too many times. One place I worked we had a major problem with Sophos: basically it just wasn't working on about a third of our PCs and facilitated a major virus outbreak. As bad as that was, two of us, one managerial, one technical, were working the phones trying to get some help and Sophos would not return our calls. We took it out, put in something else and, IIRC, asked for our money back. I'm not much of a product/platform hater/fanboy, but Sophos is one of the few things I would personally avoid.
 
A few weeks ago I took the plunge and decided to segment my home network properly utilising a Firewall Appliance and VLANs.

I've attached details of the hardware appliance I purchased and my design documents in case they are useful for others contemplating a similar project.

The 4 port firewall appliance is an HSIPC J4125, which is great value at £215. It includes a 256 GB SSD and 8 GB of RAM. The CPU is an Intel Celeron J4125 (quad core x86-64) with AES-NI (Advanced Encryption Standard New Instructions) capabilities. I decided to get this over any of the ARM offerings, as you have more choices about which operating system / firewall to run. It has both HDMI and VGA output. HDMI works perfectly.

The Zyxel NWA50AX Wireless Access Points are really great as they support VLANs, so you can have two isolated wireless networks on the same WAP and maintain network segregation. I'm using these WAPs in standalone mode. I have no desire to use the Zyxel Nebula cloud management portal. You can configure everything via a web browser; they support smartphone setup, but I didn't use it (seems a rather pointless feature).

I already had one NetGear GS116Ev2 and six GS108Ev3 Managed Plus switches that support 802.1Q VLANs. These switches don't provide all the manageability that you would find in a business / enterprise product (there's no command line interface or SNMP support for example), but the VLAN implementation works well and is fully featured allowing you to tag VLANs across multiple trunks.

It's all working great.

Regards,
James.
 

Attachments

  • HSIPC J4125 Quad Core Micro Appliance.pdf (121.8 KB)
  • Home Firewall (public).pdf (451.5 KB)
  • Home Network (public).pdf (336.2 KB)

wormvortex

Member
In the end I went with a far simpler option. Anything smart wifi I had I flashed with Tasmota and just blocked internet access to it from my router, and anything I bought since I went with Zigbee over wifi, all connected to a Sonoff Zigbee bridge which again I flashed with Tasmota and blocked from the internet on my router.

End result is none of my smart equipment is accessible from outside my home network, and as I already run a VPN server on a Raspberry Pi I can simply VPN into it from outside and connect to my entire home network.
 

mickevh

Distinguished Member
I've attached details of the hardware appliance I purchased and my design documents in case they are useful for others contemplating a similar project.

Nice diagrams.

You've created them much the same way I would in my "professional" hat, in that there's one diagram that describes the topology at a "logical" (or "IP subnet/LAN/VLAN") level showing which LAN/VLAN is which and where they interconnect (I might perhaps add the IP subnet addressing and VLAN tag numbers for completeness), plus another one that shows where all the kit is and how it physically interconnects. I often like to colour code such diagrams as you have. Sometimes I've even used coloured patch cords/labels that reflect the diagram in the physical world.

Also, albeit that there appears to be nothing in it, you've also implemented DMZ in the way I prefer. That's to say there's an "outer" and "inner" router/NAT/firewall with the DMZ being the LAN/VLAN/subnet between the two.
 

Thanks for your comments :)

I decided to implement my home network segmentation as I would for a mini-enterprise. There were going to be too many compromises otherwise, and it wouldn’t have been worth the effort.

I do this sort of thing for a living (although less technical/physical involvement recently since moving jobs).

The private versions of my diagrams have all the IP subnet details on them. I removed this detail from the public versions.

My patch cable colours match the diagrams - bit of a struggle to find an orange cable for the DMZ inter-link!

I have a spreadsheet which documents the VLAN configuration on each switch and describes exactly what’s connected to each physical port, but as that’s unique to my environment I didn’t feel there was any value in sharing it.

I contemplated putting the CCTV PVR in the DMZ, but it made more sense to have it in its own dedicated network.

Regards,
James.
 

ChuckMountain

Distinguished Member
I've attached details of the hardware appliance I purchased and my design documents in case they are useful for others contemplating a similar project.

Yes, it is always useful to share real-world examples and I have got a similar setup.

A couple of follow up questions:

1) Have you had any issues with devices needing to talk across different VLANs? So thinking particularly about devices that talk to the local network as opposed to a cloud push/pull. If your WiFi mobile clients are on a different VLAN then discovery can be an issue.
2) Power Consumption - with ever-increasing electricity prices having all those switches and servers on 24/7 will add up. I am looking at reducing my consumption and while energy-efficient devices are one way, not having stuff on for say 8 hours overnight will reduce consumption by one third. Any thoughts on it?
3) Have you tried HomeAssistant at all, currently configuring to see power usage etc and automation to try and improve efficiency.

My patch cable colours match the diagrams - bit of a struggle to find an orange cable for the DMZ inter-link!

If you didn't already find one. Try here available in a variety of lengths :)

 


The VLANs are completely isolated from each other as you would expect, but as the Firewall is a router with a physical leg in each network, connectivity is possible between the separate networks if you create a corresponding Firewall rule to permit it.

Because the Firewall has a leg in each network, no specific routes are required to permit traffic to flow between each subnet. I just have to tell the Firewall that the ISP router leads to the Internet. Likewise, the ISP router has the Firewall configured as the DMZ device and just forwards incoming traffic.

I haven’t experienced any connectivity issues that I couldn’t solve by using the Firewalls logs. There’s a lack of good quality technical documentation for home IoT devices and it’s hard to find exactly what service ports are required and for what purpose. The IoT manufacturers just assume a flat network with a single layer 2 broadcast domain.

My firewall rule base allows limited connectivity between certain devices in the Computer LAN and devices in the IoT LAN. I lock things down as much as I can, but some connectivity is required for management etc. I’m not running a huge amount of home automation.

I’ve not really considered my home IT energy usage that much. My two physical servers run 24/7. Other desktops and laptops are configured to sleep when not active. Network switches and IoT devices take very little power, so I’m not concerned about those.

I work in the power generation sector, but I’ll reserve posting my opinions on the energy crisis for another day!


Regards,
James.
 

ChuckMountain

Distinguished Member
The IoT manufacturers just assume a flat network with a single layer 2 broadcast domain.

Yes, it was more for this, and when devices are broadcasting to find IoT and similar devices, e.g. a Sky Q box; I don't really want those on the same network as my home machines/servers. Sky and Amazon devices are great for flooding the network with "crap" :D You can't necessarily just do that with firewall rules and may have to have some mDNS relays, for example.

I’ve not really considered my home IT energy usage that much. My two physical servers run 247. Other desktops and laptops are configured to sleep when not active. Network switches and IoT devices take very little power, so I’m not concerned about those.

Fair enough, but I am paying quite a bit for my electricity bills before they go up, and my rack and switches are supping 400W or so at idle (that's after a consolidation, but they are managed and 10Gb and it's mainly the server); that's roughly £450 a year before bills go up.
 

I class my TVs and set top boxes as IoT devices so they are all in the same layer 2 network. The broadcast traffic flows quite happily around my switches on the appropriate VLAN. I’m not attempting to do any broadcast rate limiting or filtering on the switches.

I see lots of broadcast traffic which the firewall doesn’t pass to the other networks, because it's not routable traffic. It doesn’t cause me any issues. It would if I tried to do further segregation. I guess I’d have to try and implement some sort of broadcast relaying, but that sounds very problematic and something I don’t have the time or inclination to explore!

My computers are all on the same VLAN as each other for the same reason (but it’s a different VLAN to the IoT devices).

Regards,
James.
 

ChuckMountain

Distinguished Member

Yes, get that, but for example, if you have, say, a Sky Q box on VLAN 52, which will work happily away on its own along with any Mini boxes, you now want to use Sky Go and watch a recording from the Sky Q box on a phone on VLAN 50. Normally the phone would do a discovery broadcast looking for the Sky Q box. However, since they are on separate broadcast domains, it would fail.
 
Right. My smartphones and tablets are also on my IoT LAN, so it wouldn’t be a problem in my environment. But I can see how this would be an issue if they were segregated on different subnets.

Other than some sort of broadcast relay or convoluted proxy ARP configuration I don’t know how you can contend with this type of broadcast-based resource discovery, if the devices simply aren’t designed to find each other in different broadcast domains.

I don’t hold out much hope raising a support ticket with Sky 🤣 .

Regards,
James.
 
