Emerging Member
Posts: 51
Registered: ‎03-29-2016
Kudos: 7
Solutions: 4

IoT segregation


Hi all,

 

First, I'm an amateur with UniFi. I do have a home system running - USG-4, USG 48 POE Switch and 3 AC-PRO access points.

 

On one of the APs, I have my daughter's SSID, the main SSID and a separate IoT SSID. On another AP, I have a lower level SSID and a guest SSID. The guest is set up with guest authentication and a separate guest network and I think VLAN.

 

Now, what I want to do is separate the IoT SSID so those devices don't have access to the rest of my network, just internet access. Things like thermostats, video doorbells, Ooma phone sys etc (although Ooma is hardwired come to think of it).

 

Can someone give a cheat sheet method? I'm sure the equipment can handle it. I think it is just above my pay grade.

 

Thanks,

 

Andrew

Emerging Member
Posts: 79
Registered: ‎05-30-2015
Kudos: 8
Solutions: 3

Re: IoT segregation

The easiest idea may be to set the IoT wifi as another guest wifi and let the built-in access control do its job.

 

Another idea would be to limit inter-VLAN routing using rule sets in the Firewall section of the controller (depending on what version of the controller you're using).

 

-Colt

Colter \'kohl-ter '\ vb : to be Ubiquiti noob.
Colter \'kohl-ter '\ n : The notorious "hold my beer, I got this" guy.
Emerging Member
Posts: 51
Registered: ‎03-29-2016
Kudos: 7
Solutions: 4

Re: IoT segregation

If I set the IoT to a separate guest network, will the devices first be sent to the login page? I don't think that will work.

 

Thanks

Emerging Member
Posts: 79
Registered: ‎05-30-2015
Kudos: 8
Solutions: 3

Re: IoT segregation


If you have your guest network set up as a 'Hotspot' then yes.

 

Looks like inter-VLAN rules are the way to go then.

 

This post is a good reference guide through the CLI on the EdgeRouter line. Same sort of pathway for the USG's CLI, but can also be applicable if you have a newer controller with GUI options.

 

https://community.ubnt.com/t5/EdgeMAX/Turn-off-inter-VLAN-routing/m-p/1447496#M93132

Colter \'kohl-ter '\ vb : to be Ubiquiti noob.
Colter \'kohl-ter '\ n : The notorious "hold my beer, I got this" guy.
Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

Wondered if you ever did get this set up in the way you described?

Regular Member
Posts: 445
Registered: ‎12-09-2015
Kudos: 152
Solutions: 3

Re: IoT segregation

I run a separate guest network, VLAN and SSID for IoT and HA.

Works great for my Nest, Nest Protects, SmartThings and GeoSpring water heater. Oh yeah, my cameras too. My main net (corporate) can still see this subnet but the isolated network can't see corp.

Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

@melbo Thanks for the reply. Very interested in how you set this up, specifically on which UBNT equipment. Could you detail how you did this? Can be in a private message if you would prefer. Thanks so much for your help with this. One other question I do have: we know that for the most part VLAN or true segregation usually means just that, 1 network isolated from the other, so how have you gotten around issues like smart app (iOS etc) control of the smart devices if for example your phone is connecting to your main 5G network while your IoT is segregated on a 2.4 isolated VLAN?


Thanks again for any help with this

New Member
Posts: 24
Registered: ‎12-18-2016
Kudos: 17
Solutions: 1

Re: IoT segregation

You can do it with firewall rules. So traffic from your non-IoT VLANs can be allowed to initiate connections with devices in your IoT VLAN and they in turn are allowed to respond. However, you would block IoT devices from being able to initiate connections with your non-IoT VLANs. So they can answer and respond but can't initiate.

Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

@secureme Thanks. To clarify, with the VLAN configurations that are being discussed here, are we talking a separate VLAN tied to (for example) a specific physical eth port on an EdgeRouter, so for example AP 1 is hardwired to Eth1 (regular traffic) and AP2 is hardwired to Eth 2 (IoT VLAN), or are most setting up VLAN groups using 1 AP and 1 Eth connection and segregating underneath? Just curious if most are separating VLAN and network physically for IoT or just using VLAN under the same network as regular traffic. Thanks again for helping with this all!

New Member
Posts: 24
Registered: ‎12-18-2016
Kudos: 17
Solutions: 1

Re: IoT segregation

For the APs you can specify a VLAN per SSID, so it'll already tag them no need to tag at the port. Most ethernet devices aren't tagged so you'll want to tag them at the port if you want VLANs. I went a little crazy with my VLAN segregation, not so sure I'd recommend it to others but I do keep ethernet and wifi all on separate VLANs and split them into corp, restricted (internet+printer+corp can talk to them), cameras (locked down tight+corp can talk to DVR), and guest using the built in guest policies.

Emerging Member
Posts: 69
Registered: ‎10-12-2016
Kudos: 8

Re: IoT segregation

Has anyone who has done this done any inspection of the traffic?

 

Once I have done some extra cabling I am planning on putting a proxy server in front of all the IoT devices and making sure they can't talk to anything they shouldn't.

Regular Member
Posts: 445
Registered: ‎12-09-2015
Kudos: 152
Solutions: 3

Re: IoT segregation


Wildcat_1 wrote:

@melbo Thanks for the reply. Very interested in how you set this up, specifically on which UBNT equipment. Could you detail how you did this? Can be in a private message if you would prefer. Thanks so much for your help with this. One other question I do have: we know that for the most part VLAN or true segregation usually means just that, 1 network isolated from the other, so how have you gotten around issues like smart app (iOS etc) control of the smart devices if for example your phone is connecting to your main 5G network while your IoT is segregated on a 2.4 isolated VLAN?


Thanks again for any help with this


Defining a network with a purpose of 'guest' automatically creates firewall rules. A corporate network can see (reach) the guest subnets but the guest subnets cannot see (reach) the corporate network. It was simple.

 

USG 3P

USW 8 150W

USW 8 60W

3 AP PROs

 

I created 3 networks:

Name > Purpose > Subnet > VLAN

family > Corporate > 192.168.1.1/24 > (no VLAN)

guest > Guest > 192.168.2.1/24 > VLAN 20

home_automation > Guest > 192.168.3.1/24 > VLAN 30

 

Then created 3 SSIDs and defined the VLANs for 'guest' and 'home_automation'.

 

My iOS apps (SmartThings, Nest, IFTTT, etc) all hit a cloud server before hitting the local device so it doesn't matter what network I'm on when using them. I can be on LTE and still turn my water heater on or off. Since the corp network can still see guest subnets, I'm sure you could access locally when on your main network, although I haven't found any devices that needed this level of control. I don't SSH into my SmartThings hub, etc. My SmartThings hub is wired only so I added the VLAN to the port config on the USW 8 150.

 

With the security concerns of anything that is exposed to www, I at least wanted these devices on their own network to minimize damage in the event of a breach. Let me know if you need screenshots or more info @Wildcat_1

Regular Member
Posts: 445
Registered: ‎12-09-2015
Kudos: 152
Solutions: 3

Re: IoT segregation


irweazel wrote:

Has anyone who has done this done any inspection of the traffic?

 

Once I have done some extra cabling I am planning on putting a proxy server in front of all the IoT devices and making sure they can't talk to anything they shouldn't.


I've used port mirroring on the USW 8 150W and hooked up a PC running Wireshark a couple times to see if anything looked out of the ordinary. Most of these devices used next to nothing in the way of traffic. I also use OpenDNS which gives me a rough snapshot of which domains are being hit by my network so I'd be able to see if my water heater was trying to take over the world. The UniFi stats are also pretty good at showing who's sending or receiving an excessive amount of traffic.

Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

@secureme @melbo Thanks for the replies. I am interested in the WLAN VLAN tagging that was mentioned but have not done that before. Generally have set up port based VLANs in the past so hope you don't mind giving me some more pointers. Background is Cisco infrastructure so also getting used to the UBNT EdgeOS methods as well.

 

Wanted to give a little more background on the current setup and how I uplink the AC-AP-PRO into the existing mix.

 

 

AC-AP-PRO (hosting 2 x 2.4G SSIDs & 1 x 5G currently) ---> CISCO SG200-8 ---> Wall Port ---> Patch Panel ---> Cisco SG200-26 ---> Eth1 ERLITE-3 ---> Eth0 ERLITE-3 ---> Internet

 

The AC-AP-PRO and ERLITE are the new additions and replace former Asus AC88u & AC3100 routers in their relevant positions. I am also thinking about picking up another AC-AP-PRO to introduce into the mix and may band separate by AP at that point.

 

So my question is: based on what I did in the past, I would run tagging through the entire infrastructure, using the Ciscos to tag at one level and port tag on the 26 uplink, creating VLANs and even using QoS (VOIP & Media). What I was thinking is to separate maybe into Media, IoT & 'regular traffic' VLANs and wanted to know, based on the comments above, how best to do this with the AC-AP-Pro now in the mix and the VLAN tagging by SSID. Any further details on setting this up in the infrastructure design I have above (any other place I would need to tag/isolate etc) would be great. I noticed that there is a 'network' tab in the AP controller but hadn't explored that yet either.

 

On a separate note, I did notice that according to the controller log the AP already disconnected 5 times since midnight, not sure what would be causing that.

 

Thanks so much for your continued help.

 

Regular Member
Posts: 445
Registered: ‎12-09-2015
Kudos: 152
Solutions: 3

Re: IoT segregation

@Wildcat_1 I'm not sure the process on the ERL.

 

In UniFi, it's as simple as ticking a box in the controller software settings and the change gets pushed to the rest of the devices as a provisioning step. My controller runs on a UniFi Cloud Key.

 

Same thing for my SSIDs. They are set once in the controller and pushed to each AP during an automatic provisioning step on 'save'.

 

I started with an ERL but quickly moved to full UniFi and never explored VLANs on the ERL or ERX.

Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

@melbo Thanks. I see the 'use VLAN with VLAN ID' options in the Controller. My question is, if we're ignoring the ERL (as I'm not doing port based VLANs), where do I then set up the different network addresses for the VLANs that the SSIDs are assigned to?

 

Thanks again

New Member
Posts: 24
Registered: ‎12-18-2016
Kudos: 17
Solutions: 1

Re: IoT segregation


It's been a bit since I've had an ER-L, but let's say you want to set up a wifi SSID for VLAN 10. You'd create a VLAN from the ERL UI; I believe it's from the main page, your options are to create a PPPoE or VLAN. Create a VLAN w/ 10 on the LAN eth port (likely eth1); you'll then see an interface eth1.10. Then go configure DHCP/DNS for that interface via the ER-L UI. Then via the UniFi controller UI you'd create a wireless network and give it the same VLAN #10. That'll tag the SSID traffic to 10, and the router will allocate DHCP/DNS/etc. based on what you set in the ER-L.
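The same thing done from the EdgeOS CLI instead of the UI, as an added example that is not from any post in this thread: it combines the VLAN sub-interface plus DHCP/DNS steps just described with the "LAN may initiate to IoT, IoT may only answer" firewall behaviour secureme described earlier. It assumes eth1 is the LAN port (the post above says "likely eth1"), VLAN 30 with 192.168.3.0/24 as the IoT network (melbo's home_automation values) and 192.168.1.0/24 as the main LAN; the names IOT, IOT_IN and LAN_NETS are arbitrary.

```edgeos
# Added example, not from this thread. Assumptions: eth1 = LAN port,
# VLAN 30 / 192.168.3.0/24 = IoT network, 192.168.1.0/24 = main LAN.
configure

# 1. VLAN sub-interface that receives the traffic the AP tags with VLAN 30
set interfaces ethernet eth1 vif 30 description 'IoT VLAN'
set interfaces ethernet eth1 vif 30 address 192.168.3.1/24

# 2. DHCP and DNS forwarding for that interface (the router is the resolver)
set service dhcp-server shared-network-name IOT subnet 192.168.3.0/24 start 192.168.3.100 stop 192.168.3.199
set service dhcp-server shared-network-name IOT subnet 192.168.3.0/24 default-router 192.168.3.1
set service dhcp-server shared-network-name IOT subnet 192.168.3.0/24 dns-server 192.168.3.1
set service dns forwarding listen-on eth1.30

# 3. The non-IoT subnets IoT devices must never start a connection to
set firewall group network-group LAN_NETS description 'non-IoT subnets'
set firewall group network-group LAN_NETS network 192.168.1.0/24

# 4. Ruleset for traffic coming FROM the IoT VLAN:
#    rule 10 lets replies to sessions the main LAN opened through,
#    rule 20 drops (and logs) anything new aimed at the main LAN,
#    the default lets the rest (Internet) through.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN description 'IoT VLAN to other networks'
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description 'answers to LAN-initiated sessions'
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description 'IoT may not start connections to the LAN'
set firewall name IOT_IN rule 20 destination group network-group LAN_NETS
set firewall name IOT_IN rule 20 log enable

# 5. Attach it to the IoT interface. The 'in' hook only sees transit
#    traffic, so DHCP/DNS to the router itself (the 'local' hook) still works.
set interfaces ethernet eth1 vif 30 firewall in name IOT_IN

commit
save
exit
```

To check it, join the IoT SSID and confirm that a ping or HTTP request to a 192.168.1.x host fails while Internet access works; `show firewall name IOT_IN statistics` should then show hits on rule 20, and the dropped attempts appear in the router log.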

Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

@melbo I am going to try the multiple network approach, as VLAN traffic currently was not staying tagged through the Cisco. Going to look into this further as well.

 

So, with that said, if you can send screenshots that would help. Currently have 2 options:

 

1) AC-AP-PRO (through Cisco) running standard plus guest networks on 1 unit OR

2) AC-AP-PRO running 'standard' network ultimately routing through Cisco infrastructure back to Eth 1 of ERL and an ASUS router running 'guest' network routing through Eth 2 of ERL

 

Not sure which option is better currently, although I do like the extra segregation of the 2nd AP (in this case ASUS until I pick up another AC-AP-PRO).

 

So I won't have the USG or UBNT switches like your config at this time but hoping/thinking I can get there with the other infrastructure. Again certainly appreciate your further help with this.

 

Thanks

Regular Member
Posts: 445
Registered: ‎12-09-2015
Kudos: 152
Solutions: 3

Re: IoT segregation

Unfortunately you'll probably need someone else to help with your setup. I'm fairly new to VLANs but my full UniFi system made it pretty easy to implement with a couple steps. For background, I was on consumer grade 'all in one routers' and unmanaged switches 12 months ago... @Wildcat_1
Emerging Member
Posts: 42
Registered: ‎01-09-2017
Kudos: 2

Re: IoT segregation

@melbo, I'm a little lost at where the 'networks' option in UniFi Controller is used vs the network you already create back on the ERL or in your case the USG. Were you using any specific firewall rules for your setup? The reason I ask is, like you I have a number of smart devices controlled by the cloud, but I have a few that are locally controlled via Bonjour (HomeKit) and cannot get those to route between LANs. Thanks again