Geekzone: technology news, blogs, forums
sonyxperiageek
#215458 28-Jun-2017 14:23

As per question, but still allow me to access the IoT devices from my Home Network. 





Sony


davidcole
#1808302 28-Jun-2017 15:16

I've made a guest network for my single IOT device (single purchased one, I have others, but I've built them so I'm happy for them to be on my regular network).

It does have internet access, but no access to my network. I have one machine with two NICs that can communicate across the two networks and it does the interaction needed with the device (sending MQTT messages). I think what I'll be doing soon is making the IOT network as another subnet and blocking internet + to my LAN access, but allow my LAN to access the IOT subnet - ie making it one-way traffic.

IOT also has its own SSID. All this is on Ubiquiti USG and APs.





Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 




Ge0rge
#1808398 28-Jun-2017 18:00

What fortuitous timing - I have been thinking about doing something very similar myself.

I have a Wemo power switch that has a RPi plugged into it. The Pi runs my weather station, which has a tendency to lock up every now and then (more so when I am not home than when I am!) so I have been using the Wemo to remotely cycle the power of the Pi when this happens. There is probably a much more graceful and elegant way of doing this, but it works.

I have a USG and APs also. I was thinking of creating a separate SSID for the Wemo only and not giving it access to my LAN - I'd still be able to control the Wemo switch externally when required but it wouldn't have access to any of our other stuff.

Anyone see any distinct flaws with this concept? It was going to be this evening's project, even before I saw this thread.

richms
#1808415 28-Jun-2017 18:28

Wemo requires the phone be on the same subnet to find it and grab the cloud details off it. Wemos are stupid because they don't have an account, so if you go to someone else's house and are on their wifi and run the Wemo app, and they have Wemos, then there is a good chance that it will remove your ones and populate it with their ones, losing you remote access to yours till you get back home and can run the app when on the LAN again. It will not populate the list over a VPN back home.





Richard rich.ms



Ge0rge
#1808420 28-Jun-2017 18:36

Hmmm interesting. Being able to connect to same sub-net to do the initial set-up is no drama, but I was unaware of those other limitations - they make sense now I think how you connect to your own device.

davidcole
#1808423 28-Jun-2017 18:39

richms:

Wemo requires the phone be on the same subnet to find it and grab the cloud details off it. Wemos are stupid because they don't have an account, so if you go to someone else's house and are on their wifi and run the Wemo app, and they have Wemos, then there is a good chance that it will remove your ones and populate it with their ones, losing you remote access to yours till you get back home and can run the app when on the LAN again. It will not populate the list over a VPN back home.

I guess that's why putting in a bridge device or software works well, ie openHAB, Home Assistant. Let them worry about the device communication and use their app rather than millions of vendor-specific ones for unified control.






sonyxperiageek
#1808459 28-Jun-2017 19:32

Thanks for the replies. If I make a separate network with its own VLAN and on its own subnet for my IoT devices on the USG, how can I make it so that my openHAB server (which is on my own personal network) see and interact with my IoT devices? My IoT Wireless Network would be hidden too.

If I want to do something remotely when out, I would most likely VPN into my home network (when I can get it working again...)







davidcole
#1808470 28-Jun-2017 19:43

sonyxperiageek:

Thanks for the replies. If I make a separate network with its own VLAN and on its own subnet for my IoT devices on the USG, how can I make it so that my openHAB server (which is on my own personal network) see and interact with my IoT devices? My IoT Wireless Network would be hidden too.

If I want to do something remotely when out, I would most likely VPN into my home network (when I can get it working again...)



So with USG the way I've been told to do it is use a 2nd corporate network, not guest, and use firewall rules to allow some traffic into your IoT network. The routing between the subnets is supposed to work out of the box. Then you use deny rules to block access to your regular network and/or the internet.

This is the theory I've had explained to me, but I'm yet to do it.






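The one-way policy davidcole describes above (and the ACL approach dfnt mentions later in the thread) comes down to rule ordering plus connection tracking. The following is an added illustration, not anyone's actual USG configuration; the subnets and host addresses are assumed values: established/related traffic is accepted first, new IoT-to-LAN connections are dropped, IoT-to-internet is optionally dropped, and inter-VLAN routing otherwise stays on so LAN-to-IoT works.

```python
import ipaddress

# Assumed subnets for the two "corporate" networks (constructed, not a poster's real network).
LAN = ipaddress.ip_network("192.168.1.0/24")   # trusted: openHAB server, PCs
IOT = ipaddress.ip_network("192.168.20.0/24")  # untrusted: Wemo and friends
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class StatefulFirewall:
    """Toy model of a USG-style LAN_IN rule set with connection tracking.
    Rules are first-match; replies are accepted only for connections that
    were accepted when opened, so LAN -> IoT works while IoT -> LAN stays shut."""

    def __init__(self, block_iot_internet=False):
        self.block_iot_internet = block_iot_internet
        self.conntrack = set()  # (src, dst) of accepted connections (IP-only toy)

    def _new_connection(self, src, dst):
        # Rule 1: IoT may not open connections into the trusted LAN
        if src in IOT and dst in LAN:
            return "drop"
        # Rule 2 (optional): IoT gets no internet, i.e. nothing outside RFC 1918 space
        if self.block_iot_internet and src in IOT and not any(dst in n for n in PRIVATE):
            return "drop"
        # Default: inter-VLAN routing is on, so LAN -> IoT and LAN -> internet pass
        return "accept"

    def packet(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Rule 0: established/related goes first so a reply never hits a deny rule
        if (dst, src) in self.conntrack:
            return "accept"
        verdict = self._new_connection(src, dst)
        if verdict == "accept":
            self.conntrack.add((src, dst))
        return verdict

def demo():
    """Run the situations raised in the thread through the rule set."""
    fw = StatefulFirewall(block_iot_internet=True)
    return {
        "openhab->wemo": fw.packet("192.168.1.10", "192.168.20.5"),         # accept
        "wemo->openhab reply": fw.packet("192.168.20.5", "192.168.1.10"),   # accept
        "wemo->nas unsolicited": fw.packet("192.168.20.5", "192.168.1.20"), # drop
        "wemo->internet": fw.packet("192.168.20.5", "203.0.113.7"),         # drop
        "lan->internet": fw.packet("192.168.1.10", "203.0.113.7"),          # accept
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The order matters: if the IoT-to-LAN deny came before the established/related accept, the Wemo's replies to openHAB would be dropped too.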
 
 
 

Ge0rge
#1808479 28-Jun-2017 20:02

I have been reading a couple of threads about that - the USG will allow you to create access groups that allow trusted devices to initiate contact with untrusted, but not the other way around, based around VLAN tagging. Both networks are created as corporate.

Disclaimer - I'm reading about this at the same time as posting about it here, I haven't quite started making changes to my network yet.

sonyxperiageek
#1808483 28-Jun-2017 20:04

I originally made a corporate network named IoT, but haven't gotten my head around what firewall rules I should be making etc. to allow my personal network access to the IoT network. 







Ge0rge
#1808488 28-Jun-2017 20:13

As far as I can tell, the USG will allow the connection between the two by default, you create the rules in order to manage it the way you want.


With Pictures!

sonyxperiageek
#1809280 29-Jun-2017 23:26

How do I block the IoT network from accessing the internet in the Firewall tab of UniFi? I don't know what Address to put in to create a group.







brad.wright
#1810270 1-Jul-2017 21:50

Hi All,

Hoping someone would be willing to expand / assist on this. I want to isolate a couple of wired LAN devices on my network. I want them to have internet access but NO local / LAN access.

I tried cascading an old Modem / Router (Netgear DGND3700) and gave it a separate subnet (10.114.68.0/24) but both networks could still communicate; Router #1 LAN was connected to the WAN port on the Netgear... I purchased a Ubiquiti USG thinking this would magically fix my problem, but no. Everything is still accessible from both networks. I am not familiar with creating the firewall rules or ACLs.

I currently have an ASUS DSL-AC68U (VDSL; I do have an order to get UFB installed, but Chorus won't climb the power pole due to OSH issues and are taking forever to design the underground solution) which doesn't support port-based VLANs via the GUI, and the information is pretty scarce re: CLI commands. I have 2 x D-Link smart switches (DGS-1210-08s) which allow VLANs and ACLs, but again, I am not sure how to set them up and am not sure if this will block local traffic and still give me internet access.

I am at a total loss and I don't know what to do now. I could purchase a DrayTek Vigor 2860n which will give me multiple private LAN subnets and isolated VLANs, but I don't really want to spend another $650+.

Thanks in advance!

Brad


Ge0rge
#1810539 2-Jul-2017 18:01

Hi @brad.wright,

If you have got a USG, then you are good to go. Have a look at the link in my post above ^^ "with pictures", it explains how to make it all happen. You will need to set up a Unifi Controller, even if it is only temporary (once the rules are in place, you don't need the controller running any more). It can be set up on a RPi, your main pc, or even by asking @michaelmurfy very nicely, who hosts a cloud controller for GZ users.


sonyxperiageek
#2012903 9-May-2018 19:43

Finally found some quality time to look at this and have managed to let my home network see my IoT network, but not the other way around, achieved this using Option 3: https://help.ubnt.com/hc/en-us/articles/115010254227-UniFi-How-to-Disable-InterVLAN-Routing-on-the-UniFi-USG 







dfnt
#2012916 9-May-2018 19:53

I use a Unifi UAP AC Pro and Cisco SG500, so IOT devices are on their own SSID and VLAN.

I use ACLs on the SG500 to prevent IOT devices access to my LAN and guest VLANs, but allow my LAN VLAN access to IOT devices. I use the SG500 for layer 3 routing, whereas I was using the EdgeRouter 4 with the VLANs present and using firewall rules to achieve the same, but shifted those duties to the SG500.

IOT devices have access to the internet.

