I am trying to set something up that sounds simple, but I keep hitting a dead end, so I thought I'd seek some help.
LAN 1 on the USG goes to a Unifi Switch
LAN 2 on the USG goes to a non-smart switch where my IOT devices reside
Due to the separate networks, my WD TV Live is unable to "see" my Synology (bittenbak, connected to LAN 1). It relies on discovery of the NFS share; I cannot enter the IP address for it, which is a bit of a pita.
My Synology has two network interfaces, so I thought I would dedicate one interface to the IoT network and use the firewall on the Synology to only allow NFS traffic from the WD TV and drop everything else. Pretty safe, right?
All my attempts however fail.
- I am unable to make the LAN 2 network also show up across the LAN 1 interface where the Synology is connected.
- I figured I could solve this with VLANs and port profiles, but as soon as I apply a VLAN to LAN 2 it will no longer show up in the topology view. All clients are blocked off from everything (don't know why that is).
I would love to know why LAN 2 effectively gets 100% isolated (even from the USG itself it seems) when I add a VLAN to the LAN 2 network.
I realized that having the devices on separate networks is the real issue, as this is a broadcast domain and discovery would never work. Firewall rules do not solve this either.
How would you advise setting up a safe IoT network if one or two devices do need to communicate with your private network?
The USG is not a switch. By all means LAN2 should be a dead port without VLANs assigned to it. But they (Ubnt) hacked it to work. Sounds like you need to get off depending on untagged LAN2.
- Make sure you have an IoT network defined in the controller instead of depending on the magical default LAN2 config.
- Connect LAN2 into a spare port on "Meterkast Switch". The USG is not a switch, so it will not create a loop. Make sure that port is set to the "All" profile.
- Assign a VLAN to the IoT network and assign it to LAN2.
- Configure another port on Meterkast Switch as untagged <VLAN of IoT>. This port is now configured to act like the old LAN2 but with VLANs behind it.
- Plug IoT non-smart switch into that port.
If all goes well this should act exactly the same as your current configuration. But LAN2 is now using VLANs. Though you need 2 spare ports on your switch and it is only 99% isolated. The VLANs will securely keep the IoT separate but they will share the same switch.
As I didn't have the space on my switch, I changed the network to go over LAN1, obviously put firewall rules in place to sort out
Would there be any (security) advantage to doing this over a separate Router port? I just thought to use LAN 2 as I am low on switch ports.
The USG already routes between the different network segments where needed, so I don't think I will reduce load with a separate switch and using LAN 2, correct?