Highlighted
Emerging Member
Posts: 84
Registered: ‎12-19-2017
Kudos: 2
Solutions: 1

Why put IoT devices on their own VLAN?

I've noticed quite a few posts on here where users have isolated their IoT devices on their own VLAN. I can't figure out what the reasons are for that. I'm guessing they are mostly security related rather than performance related. On my home network I've segregated the primary VLAN from the guest VLAN but my IoT devices are on my primary VLAN.

Senior Member
Posts: 3,031
Registered: ‎04-26-2016
Kudos: 1159
Solutions: 312

Re: Why put IoT devices on their own VLAN?

For me it is primarily security. A lot of cheap IoT devices are notoriously weak in security. 

If someone succeeds in hacking into one of my IoT devices there is still a second barrier to get into my home network.

Emerging Member
Posts: 84
Registered: ‎12-19-2017
Kudos: 2
Solutions: 1

Re: Why put IoT devices on their own VLAN?

Thanks for the info. A couple of questions to determine if I want to do this. 1. How did you determine what was an IoT device? I can see various devices I have could be IoT: Nest, irrigation controller, weather station and remote control hubs (Harmony). Did you determine IoT device by what it does or by the fact that it only needs to contact the internet and you don't need to connect to it locally? I'm not sure but I think the Nest is controlled through the internet. The irrigation controller can be controlled remotely or locally; the rest I'm not sure about.

Member
Posts: 184
Registered: ‎03-10-2015
Kudos: 26
Solutions: 1

Re: Why put IoT devices on their own VLAN?

If you use the Harmony's physical remote you could isolate it. If you use the app then I suggest leaving it on the main network. The app can connect locally or through the web but through the web is some kinda special slow.

Just giving a heads up on that. Gonna have to look into the idea of separation.

Emerging Member
Posts: 84
Registered: ‎12-19-2017
Kudos: 2
Solutions: 1

Re: Why put IoT devices on their own VLAN?

I thought the physical remote connected over the local network to send the commands to the hub.

Senior Member
Posts: 3,031
Registered: ‎04-26-2016
Kudos: 1159
Solutions: 312

Re: Why put IoT devices on their own VLAN?

All the devices you mentioned I have on IoT.

And I have set it up in a way so devices on my main LAN can control the IoT devices, and the IoT devices can talk back. But the IoT devices cannot initiate a connection to the main LAN.

So, for example, my Harmony Hub is on IoT but works perfectly with the app using devices on the Main LAN.

Regular Member
Posts: 465
Registered: ‎07-22-2016
Kudos: 198
Solutions: 28

Re: Why put IoT devices on their own VLAN?


wrote:

All the devices you mentioned I have on IoT.

And I have set it up in a way so devices on my main LAN can control the IoT devices, and the IoT devices can talk back. But the IoT devices cannot initiate a connection to the main LAN.

So, for example, my Harmony Hub is on IoT but works perfectly with the app using devices on the Main LAN.


This is exactly how I have my network setup and it works without issue.

Member
Posts: 184
Registered: ‎03-10-2015
Kudos: 26
Solutions: 1

Re: Why put IoT devices on their own VLAN?

How did you go about that setup?

Member
Posts: 184
Registered: ‎03-10-2015
Kudos: 26
Solutions: 1

Re: Why put IoT devices on their own VLAN?

The remote is most likely Bluetooth.

Regular Member
Posts: 465
Registered: ‎07-22-2016
Kudos: 198
Solutions: 28

Re: Why put IoT devices on their own VLAN?


wrote:
The remote is most likely Bluetooth.

The base station is WiFi.

New Member
Posts: 3
Registered: ‎02-14-2018
Kudos: 1

Re: Why put IoT devices on their own VLAN?


@Hsd1965 wrote:

All the devices you mentioned I have on IoT.

And I have set it up in a way so devices on my main LAN can control the IoT devices, and the IoT devices can talk back. But the IoT devices cannot initiate a connection to the main LAN.

So, for example, my Harmony Hub is on IoT but works perfectly with the app using devices on the Main LAN.


@Hsd1965 Would really appreciate it if you would be able to outline the steps to achieve what you have described above. I am new to Ubiquiti and have just recently bought the UniFi equipment and want to better secure my home network due to the rising number of IoT devices I have.

Thanks.

New Member
Posts: 28
Registered: ‎01-09-2018
Kudos: 3

Re: Why put IoT devices on their own VLAN?


@rleong wrote:

@Hsd1965 wrote:

All the devices you mentioned I have on IoT.

And I have set it up in a way so devices on my main LAN can control the IoT devices, and the IoT devices can talk back. But the IoT devices cannot initiate a connection to the main LAN.

So, for example, my Harmony Hub is on IoT but works perfectly with the app using devices on the Main LAN.


@Hsd1965 Would really appreciate it if you would be able to outline the steps to achieve what you have described above. I am new to Ubiquiti and have just recently bought the UniFi equipment and want to better secure my home network due to the rising number of IoT devices I have.

Thanks.


Yes, it would be very useful.

Home equipment: USG-3P | 2x UAP-AC-Lite | 1x UAP-AC-LR | Cloud Key
Emerging Member
Posts: 66
Registered: ‎05-11-2017
Kudos: 25
Solutions: 5

Re: Why put IoT devices on their own VLAN?

While this post isn't the guide or how-to, it can give a really quick overview of what you would need to do'ish.

LAN to IoT: allow

IoT to LAN: disallow

That's it in a nutshell. I don't have a controller in front of me to give you the exact terminology that is used. If you did that directly it would render them useless from LAN. There is a way to set the IoT to LAN but only in one direction; I just can't recall what it's labeled as in UniFi.

Mostly wanted to chime in on defining IoT devices.

1. You don't control the OS. "No root."

2. It has no local interface but requires a 3rd party web server to function. If they go belly up, the device is useless.

If you have no control over the device it's generally going to fall into the IoT field. You'll have to add routers in the gray area as you generally don't have root on them. This is an area where Ubiquiti has won me over as we have 100% control over the devices that we deploy. Cisco, FortiNet, Palo Alto, Linksys, D-Link etc. are gray as you don't have total control.

Nest devices, network attached home theaters, Xbox, PS4, things that you don't control can be considered as problem devices. It really comes down to TRUST in the vendor, which many of us don't have anymore.

New Member
Posts: 3
Registered: ‎02-14-2018
Kudos: 1

Re: Why put IoT devices on their own VLAN?

Thanks @PublicName for giving the overview. You have further confirmed the path I am seeking is the right one, which I kinda got after reading many blogs, forum posts as well as YouTube videos. I am currently using an ASUS wireless router and have just jumped into the UniFi realm. Having some kind of a guide will really help me set it up faster instead of me doing trial and error as I am trying to set up my new UniFi network ASAP. I am currently having close to 50 connected devices (both wired and wireless) and increasing.

Hoping that @Hsd1965 could shed some light here.

Senior Member
Posts: 3,031
Registered: ‎04-26-2016
Kudos: 1159
Solutions: 312

Re: Why put IoT devices on their own VLAN?

It really is not that complicated.

Assuming you have your non-IoT devices on the main corporate network and your IoT devices on a separate VLAN, you only have to create two firewall rules in the LAN IN section of the firewall before the predefined rules.

1. Only accept Established and Related connections from source IoT IPv4 subnet to corporate LAN IPv4 subnet.

2. Drop all traffic from IoT IPv4 subnet to corporate LAN IPv4 subnet and any other VLAN you might have.

So if a connection is initiated from the corporate LAN, the device on the IoT network is allowed to talk back. But an IoT device cannot initiate a connection to the corporate LAN.

Also enable the mDNS service so broadcasts from the corporate network are also sent to the IoT VLAN.
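To make the "allow / disallow" overview above and the two LAN IN rules concrete, here is a small Python model of how a stateful firewall evaluates them (an added illustration, not UniFi code and not from any poster). The subnets and the packets are constructed assumptions; the model also shows the caveat that, with rule 1 written only for the corporate LAN, replies from IoT to a third VLAN are caught by rule 2.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example subnets (assumptions, not taken from the thread).
LAN = ip_network("192.168.1.0/24")             # main ("corporate") LAN
IOT = ip_network("192.168.20.0/24")            # IoT VLAN
OTHER_VLANS = [ip_network("192.168.30.0/24")]  # e.g. a guest VLAN


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class LanInFirewall:
    """Models the two user rules placed before the predefined LAN IN rules.

    Rule 1: IoT -> corporate LAN, accept only established/related traffic.
    Rule 2: IoT -> corporate LAN or any other VLAN, drop.
    Anything unmatched (LAN -> IoT, IoT -> Internet) falls through to accept.
    """

    def __init__(self):
        self.conntrack = set()  # 5-tuples of flows seen in their initiating direction

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _is_established(self, p):
        # Established: the flow, in either direction, is already tracked.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return self._key(p) in self.conntrack or reverse in self.conntrack

    def process(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in IOT and dst in LAN and self._is_established(p):
            return "accept"                      # rule 1: reply to a LAN-initiated flow
        if src in IOT and (dst in LAN or any(dst in v for v in OTHER_VLANS)):
            return "drop"                        # rule 2: IoT may not initiate inward
        # Default: LAN-initiated or Internet-bound flows pass and are recorded
        # so the IoT side is allowed to answer them.
        self.conntrack.add(self._key(p))
        return "accept"
```

Note that the last assertion below documents the caveat: a guest-VLAN device can reach IoT, but the IoT reply is dropped because rule 1 only names the corporate LAN.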

New Member
Posts: 1
Registered: ‎07-08-2013
Kudos: 5

Re: Why put IoT devices on their own VLAN?

I had many of the same questions and read much on these forums on this topic. This link and step by step instructions is what I've done.

https://robpickering.com/ubiquiti-configure-micro-segmentation-for-iot-devices/

Hope this helps.

New Member
Posts: 3
Registered: ‎02-14-2018
Kudos: 1

Re: Why put IoT devices on their own VLAN?

Thank you @Hsd1965 and @Joperfi for giving the instructions on how to keep our network safer from all the IoT devices. Once I have planned out my new network and how to transition from my current existing setup, I will definitely try out the steps you guys have provided. Appreciate the sharing. Cheers

SuperUser
Posts: 9,483
Registered: ‎01-10-2012
Kudos: 5988
Solutions: 386

Re: Why put IoT devices on their own VLAN?


@Joperfi wrote:

I had many of the same questions and read much on these forums on this topic. This link and step by step instructions is what I've done.

https://robpickering.com/ubiquiti-configure-micro-segmentation-for-iot-devices/

Hope this helps.


That's an excellent write-up and nice find!

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudos to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Member
Posts: 138
Registered: ‎09-29-2016
Kudos: 10
Solutions: 3

Re: Why put IoT devices on their own VLAN?

Quick question, with the firewall rule at the end, should that be put under LAN IN?

New Member
Posts: 17
Registered: ‎01-22-2018

Re: Why put IoT devices on their own VLAN?

Is setting up the IoT VLAN as a corporate network and putting in the allow established connections/deny everything else the typical way people set up their IoT network? I set mine up using the Guest network and had to spend a good few days looking up ports and sniffing traffic via Wireshark to get most of my devices working, and even then, I still don't have my Chromecast and Samsung Soundbar working 100% yet because of these garbage multicast discovery protocols.

I'm just wondering if it's worth continuing the hassle of keeping my IoT as a guest network with the device level isolation but having to fight firewall rules every time I add a device, or if you guys felt the quality of life made it worthwhile just dealing with the 2 firewall rules, but not having the network quite as secure as it could be.