Geekzone: technology news, blogs, forums


MurrayM

2502 posts

Uber Geek
+1 received by user: 742

ID Verified
Trusted
Lifetime subscriber

#261828 17-Dec-2019 09:37

I've been seeing this mentioned more and more lately and am wondering if I should do this at home. At the moment the only IoT devices I have are a Wyze camera, a Google Home Mini and a Google Chrome, but in the future I might add plugs, etc. I've also got a couple of PCs, a couple of games consoles, a Raspberry Pi with Kodi, a couple of phones and a couple tablets; all on WiFi. Two person household so not all of these devices are being used at the same time. It's a smallish house and WiFi reaches everywhere satisfactorily.

 

To set up a segregated network do I need to have two routers or can it be done within the one router? I'm using a Vodafone Ultra Hub and I actually have a second Ultra Hub that I could use because Vodafone sent me a second one when I switched from VDSL to fibre.

 

Any suggestions on how to set this up would be gratefully received.


timbosan
2199 posts

Uber Geek
+1 received by user: 294

Subscriber

  #2376819 17-Dec-2019 10:09

Hope you don't mind me tagging onto your thread; I am actively looking into this now and how best to do it.  I too have a growing collection of devices I want on their own VLAN.

My plan was to move to a complete Unifi setup, adding a PoE switch to the 2 existing AP's I have.  My reason being it's easier with 1 vendor, and Unifi are supposed to make it 'easy'.  BTW this is excellent reading on how NOT to do it:  https://arstechnica.com/information-technology/2018/07/enterprise-wi-fi-at-home-part-two-reflecting-on-almost-three-years-with-pro-gear/5/

However I have a similar situation as you - 2 x Spark Smart Modems, that may allow for the same setup as you.

I am not a router guru, but I would say as long as the two routers are on different subnets, say 192.168.x.x and 172.16.x.x it should have the same effect.  Your problems may come from creating rules to allow communicating between the routers, for example if you have an IoT device on one network and want to control it from the other (say a cellphone).

Maybe try setting up the second router on a different subset and then make sure your IoT devices connect to it, and see how you go.  You can always reset everything if it doesn't work :-)




richms
29104 posts

Uber Geek
+1 received by user: 10219

Trusted
Lifetime subscriber

  #2376823 17-Dec-2019 10:12

Just get the unifi USG - so easy on it. Takes some work to block communication between the vlans. Once the iot tat is talking to its cloud you don't need a device to see it, so just connect to the iot ssid when you want to set something up and then go back to the normal one to use it day to day.

 

The only things I have going between my vlans is for watching my cameras.





Richard rich.ms

timbosan
2199 posts

Uber Geek
+1 received by user: 294

Subscriber

  #2376825 17-Dec-2019 10:15

richms:

 

Just get the unifi USG - so easy on it. Takes some work to block communication between the vlans. Once the iot tat is talking to its cloud you don't need a device to see it, so just connect to the iot ssid when you want to set something up and then go back to the normal one to use it day to day.

 

The only things I have going between my vlans is for watching my cameras.

 



This is something I have never been sure of - I thought you didn't need the Unifi GATEWAY for this, I thought I could do it with just the Switch and APs?  Or is the USG a requirement?




gcorgnet
1096 posts

Uber Geek
+1 received by user: 273

ID Verified

  #2376831 17-Dec-2019 10:25

I have started doing the same thing and I would refer you to this awesome video Series: https://www.youtube.com/watch?v=p3SfeQTaaxw

 

I moved a couple of things but then for most devices, they seem to sort of require both Network and Internet access. Eg my Wyze Camera. Seems like just Internet is OK but I haven't managed to hook it up to the Internet only network. Also, if you use RTSP, then you need LAN anyway...

 

Same with Google Home. Requires internet definitely but also most likely requires LAN for Casting, etc..

 

I have managed to move the odd Chinese plug or LED light onto a LAN only network, though... They show up as "offline" on the official crappy app but still manage to talk to my Home Assistant instance and are therefore still controllable \o/

 

Hope that helps

 

 


richms
29104 posts

Uber Geek
+1 received by user: 10219

Trusted
Lifetime subscriber

  #2376833 17-Dec-2019 10:27

You need a router to get the traffic onto those vlans, if you have 2 cheap ISP routers that will not really do it, since your only options are to cascade them and that would still leave one network fully accessible from the other one. A USG or other proper router will have 2 separate internal networks that both are natted to the WAN, but you can selectively block or allow ports and IP addresses between them with rules. Not gonna get that out of a basic home router without reflashing it with something else and that's a whole massive timesink to go down.





Richard rich.ms

chevrolux
4962 posts

Uber Geek
+1 received by user: 2638
Inactive user


  #2376835 17-Dec-2019 10:31

Just think carefully about what devices you put in an isolated network. Chromecast for instance uses multicast so you then start talking about multicast routing and mDNS... starts to become rather pointless and overly complex in a home environment.

 

In my home network, I have a VLAN for "home automation" but it's more for ease of management rather than security (there are around 40-odd devices, like switches, sensors, relays etc). None of my home automation uses cloud services (mostly just MQTT internally) so there isn't a security issue. Chromecast, the TV's, etc sit on the 'trusted' network to keep things simple for the likes of casting and Spotify.

 

Also, simply using different subnets doesn't automatically mean they won't be able to communicate as the default action of your particular router may be to automatically populate the routing table with these subnets, and therefore allows them to communicate. So you need firewall rules to stop communication.
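
The firewall rules described in the posts above, written as an nftables ruleset for a Linux box routing between a trusted VLAN and an IoT VLAN. This is an added example, not a configuration from any poster in the thread. Interface names, subnets, the camera address and the choice of RTSP on tcp/554 are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed (constructed) layout, not taken from the thread:
#   wan0     uplink to the ISP
#   lan0.10  trusted VLAN, 192.168.10.0/24
#   lan0.20  IoT VLAN,     192.168.20.0/24
#   192.168.20.50  a camera on the IoT VLAN serving RTSP

define WAN     = "wan0"
define TRUSTED = "lan0.10"
define IOT     = "lan0.20"
define CAMERA  = 192.168.20.50

table inet homefw {
    chain forward {
        # With policy drop, two subnets on the same router no longer
        # reach each other just because both are in the routing table.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed to start
        ct state established,related accept
        ct state invalid drop

        # Both networks may reach the internet
        iifname { $TRUSTED, $IOT } oifname $WAN accept

        # Trusted -> IoT: only the camera stream is allowed across
        iifname $TRUSTED oifname $IOT ip daddr $CAMERA tcp dport 554 accept

        # IoT -> trusted: never allowed to initiate; count and log attempts
        iifname $IOT oifname $TRUSTED counter log prefix "iot->trusted " drop
    }
}

table ip homenat {
    chain postrouting {
        # Both internal networks are NATed to the WAN address
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

This filters forwarded traffic only; access from the IoT VLAN to services on the router itself would need an input chain as well. Multicast discovery such as mDNS for casting does not cross this boundary.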


 
 
 
 

ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted
Lifetime subscriber

  #2377395 17-Dec-2019 23:30

timbosan:
richms: Just get the unifi USG - so easy on it. ...
This is something I have never been sure of - I thought you didn't need the Unifi GATEWAY for this, I thought I could do it with just the Switch and APs?  Or is the USG a requirement?

 

Firewall rules? Seems not.

 


 

 

 

Static defined rules, yes you do.

 






Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2377677 18-Dec-2019 12:31

MurrayM:

To set up a segregated network do I need to have two routers or can it be done within the one router? I'm using a Vodafone Ultra Hub and I actually have a second Ultra Hub that I could use because Vodafone sent me a second one when I switched from VDSL to fibre.

 

Any suggestions on how to set this up would be gratefully received.

 

 

Depends on how configurable the router is, if you can set up different ports to have different subnets and block cross-subnet routing you're done, otherwise drop them into different VLANs. That's generic advice, but I don't have a Vodafone router so don't know what they can do.
