Geekzone: technology news, blogs, forums
# 215458 28-Jun-2017 14:23

As per question, but still allow me to access the IoT devices from my Home Network. 






  # 1808302 28-Jun-2017 15:16

I've made a guest network for my single IOT device (single purchased one, I have others, but I've built them so I'm happy for them to be on my regular network).

 

It does have internet access, but no access to my network. I have one machine with two NICs that can communicate across the two networks and it does the interaction needed with the device (sending MQTT messages). I think what I'll be doing soon is making the IOT network another subnet and blocking internet + access to my LAN, but allow my LAN to access the IOT subnet - i.e. making it one way traffic.

IOT also has its own SSID. All this is on Ubiquiti USG and APs.





Previously known as psycik

OpenHAB: Gigabyte AMD A8 BrixOpenHAB with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Xiaomi Humidity and Temperature sensors and Bluetooth LE Sensors
Media:Chromecast v2, ATV4, Roku3, HDHomeRun Dual
Windows 10
Host (Plex Server/Crashplan): 2x2TB, 2x3TB, 1x4TB using DriveBender, Samsung 850 evo 512 GB SSD, Hyper-V Server with 1xW10, 1xW2k8, 2xUbuntu 16.04 LTS, Crashplan, NextPVR channel for Plex,NextPVR Metadata Agent and Scanner for Plex



  # 1808398 28-Jun-2017 18:00

What fortuitous timing - I have been thinking about doing something very similar myself.

I have a Wemo power switch that has a RPi plugged into it. The Pi runs my weather station, which has a tendency to lock up every now and then (more so when I am not home than when I am!) so I have been using the Wemo to remotely cycle the power of the Pi when this happens. There is probably a much more graceful and elegant way of doing this, but it works.

I have a USG and APs also, I was thinking of creating a separate SSID for the Wemo only and not giving it access to my LAN - I'd still be able to control the Wemo switch externally when required but it wouldn't have access to any of our other stuff.

Anyone see any distinct flaws with this concept? It was going to be this evening's project, even before I saw this thread.

 
 
 
 



  # 1808415 28-Jun-2017 18:28

Wemo requires the phone be on the same subnet to find it and grab the cloud details off it. Wemos are stupid because they don't have an account, so if you go to someone else's house and are on their wifi and run the Wemo app, and they have Wemos, then there is a good chance that it will remove your ones and populate it with their ones, losing you remote access to yours till you get back home and can run the app when on the LAN again. It will not populate the list over a VPN back home.





Richard rich.ms


  # 1808420 28-Jun-2017 18:36

Hmmm interesting. Being able to connect to same sub-net to do the initial set-up is no drama, but I was unaware of those other limitations - they make sense now I think how you connect to your own device.


  # 1808423 28-Jun-2017 18:39

richms:

Wemo requires the phone be on the same subnet to find it and grab the cloud details off it. Wemos are stupid because they don't have an account, so if you go to someone else's house and are on their wifi and run the Wemo app, and they have Wemos, then there is a good chance that it will remove your ones and populate it with their ones, losing you remote access to yours till you get back home and can run the app when on the LAN again. It will not populate the list over a VPN back home.



I guess that's why putting in a bridge device or software works well, i.e. openHAB, Home Assistant. Let them worry about the device communication and use their app rather than millions of vendor-specific ones for unified control.









  # 1808459 28-Jun-2017 19:32

Thanks for the replies. If I make a separate network with its own VLAN and on its own subnet for my IoT devices on the USG, how can I make it so that my openHAB server (which is on my own personal network) see and interact with my IoT devices? My IoT Wireless Network would be hidden too.

If I want to do something remotely when out, I would most likely VPN into my home network (when I can get it working again...)






  # 1808470 28-Jun-2017 19:43

sonyxperiageek:

Thanks for the replies. If I make a separate network with its own VLAN and on its own subnet for my IoT devices on the USG, how can I make it so that my openHAB server (which is on my own personal network) see and interact with my IoT devices? My IoT Wireless Network would be hidden too.

If I want to do something remotely when out, I would most likely VPN into my home network (when I can get it working again...)



So with USG the way I've been told to do it is use a 2nd corporate network, not guest, and use firewall rules to allow some traffic into your IoT network. The routing between the subnets is supposed to work out of the box. Then you use deny rules to block access to your regular network and/or the internet.

This is the theory I've had explained to me, but I'm yet to do it.






 
 
 
 



  # 1808479 28-Jun-2017 20:02

I have been reading a couple of threads about that - the USG will allow you to create access groups that allow trusted devices to initiate contact with untrusted, but not the other way around, based around VLAN tagging. Both networks are created as corporate.

Disclaimer - I'm reading about this at the same time as posting about it here, I haven't quite started making changes to my network yet.




  # 1808483 28-Jun-2017 20:04

I originally made a corporate network named IoT, but haven't gotten my head around what firewall rules I should be making etc. to allow my personal network access to the IoT network. 






  # 1808488 28-Jun-2017 20:13

As far as I can tell, the USG will allow the connection between the two by default, you create the rules in order to manage it the way you want.


With Pictures!




  # 1809280 29-Jun-2017 23:26

How do I block the IoT network from accessing the internet in the Firewall tab of UniFi? I don't know what Address to put in to create a group.







  # 1810270 1-Jul-2017 21:50

Hi All,

 

Hoping someone would be willing to expand / assist on this. I want to isolate a couple of wired LAN devices on my network. I want them to have internet access but NO local / LAN access.

I tried cascading an old Modem / Router (Netgear DGND3700) and gave it a separate subnet (10.114.68.0/24) but both networks could still communicate; Router # 1 LAN was connected to the WAN port on the Netgear... I purchased a Ubiquiti USG thinking this would magically fix my problem, but no. Everything is still accessible from both networks. I am not familiar with creating the firewall rules or ACLs.

I currently have an ASUS DSL-AC68U (VDSL; I do have an order to get UFB installed, but Chorus won't climb the power-pole due to OSH issues and are taking forever to design the underground solution) which doesn't support port-based VLANs via the GUI and the information is pretty scarce re: CLI commands. I have 2 x D-Link Smart switches (DGS-1210-08's) which allow VLANs and ACLs, but again, I am not sure how to set this up and am not sure if this will block local traffic and still give me Internet access.

I am at a total loss and I don't know what to do now. I could purchase a DrayTek Vigor 2860n which will give me multiple private LAN subnets and isolated VLANs but I don't really want to spend another $650+.

 

Thanks in advance!

 

 

 

Brad

 

 



  # 1810539 2-Jul-2017 18:01

Hi @brad.wright,

If you have got a USG, then you are good to go. Have a look at the link in my post above ^^ "with pictures", it explains how to make it all happen. You will need to set up a Unifi Controller, even if it is only temporary (once the rules are in place, you don't need the controller running any more). It can be set up on a RPi, your main pc, or even by asking @michaelmurfy very nicely, who hosts a cloud controller for GZ users.





  # 2012903 9-May-2018 19:43

Finally found some quality time to look at this and have managed to let my home network see my IoT network, but not the other way around, achieved this using Option 3: https://help.ubnt.com/hc/en-us/articles/115010254227-UniFi-How-to-Disable-InterVLAN-Routing-on-the-UniFi-USG 





defiant

  # 2012916 9-May-2018 19:53

I use a Unifi UAP AC Pro and Cisco SG500, so IOT devices are on their own SSID and VLAN.

I use ACLs on the SG500 to prevent IOT devices access to my LAN and guest VLANs, but allow my LAN VLAN access to IOT devices. I use the SG500 for layer 3 routing, whereas I was using the EdgeRouter 4 with the VLANs present and using firewall rules to achieve the same, but shifted those duties to the SG500.

IOT devices have access to the internet.
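As an added example (not posted by anyone in this thread), here is the one-way rule logic the thread converges on (LAN may initiate to IoT, IoT may only reply, and IoT's internet access is a single switch) written as the EdgeOS-style "set" commands a USG runs underneath. The subnets 192.168.1.0/24 (LAN), 192.168.30.0/24 (guest) and 192.168.20.0/24 (IoT, VLAN 20 on eth1), plus the group and ruleset names, are assumptions.

```vyatta
# Added example, not from any poster in this thread: one-way IoT VLAN rules in
# EdgeOS "set" syntax. Assumed values: LAN 192.168.1.0/24, guest 192.168.30.0/24,
# IoT = VLAN 20 (192.168.20.0/24) as a sub-interface of eth1; names are made up.

# Name the subnets the IoT VLAN must not be allowed to reach
set firewall group network-group TRUSTED_NETS description "LAN and guest subnets"
set firewall group network-group TRUSTED_NETS network 192.168.1.0/24
set firewall group network-group TRUSTED_NETS network 192.168.30.0/24

# Ruleset for packets arriving FROM the IoT VLAN and transiting the USG.
# default-action drop   -> IoT gets neither LAN nor internet (the "block internet" ask)
# default-action accept -> IoT keeps internet but not LAN (defiant's setup); rule 20
#                          then does the blocking, so keep it in both variants.
set firewall name IOT_IN description "IoT VLAN: reply to LAN-initiated flows only"
set firewall name IOT_IN default-action drop

# Rule 10 must sit before any drop rule: it lets the reply half of a connection
# that a LAN host (e.g. the openHAB server) opened to an IoT device come back.
# Without it LAN -> IoT looks permitted but every TCP handshake stalls at SYN.
set firewall name IOT_IN rule 10 description "Allow established/related"
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable

# Rule 20: IoT devices may not START connections to the trusted subnets
set firewall name IOT_IN rule 20 description "Drop IoT-initiated to LAN/guest"
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 destination group network-group TRUSTED_NETS

# Attach the ruleset to the IoT VLAN sub-interface. Nothing is needed on the LAN
# side: inter-VLAN routing is on by default, so LAN -> IoT already works.
set interfaces ethernet eth1 vif 20 firewall in name IOT_IN
commit
save
```

On a controller-managed USG the same rules belong in the controller's Firewall tab (or its config.gateway.json), because the controller re-provisions over anything typed at the CLI. Note that this only carries routed traffic: the same-subnet discovery richms describes (broadcast/multicast) does not cross VLANs, which is why psycik's dual-NIC host, or an mDNS/SSDP reflector, is still needed for devices that rely on it.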

