Member
Posts: 182
Registered: ‎01-20-2016
Kudos: 65
Solutions: 1

Re: Why put IoT devices on their own VLAN?

I have all IoT devices in a separate network, Chromecast included (mDNS is a keyword here). But you might think about the firewall policies. From IoT to user LAN is not where the security problem is, it is the other way around.

 

IoT devices are either directly infected via malware, or via a device, like a PC, that is free to roam the internet. There are several attack vectors that could be used to "transfer ownership" of your IoT to a different party this way.

 

Personally I isolate my devices as much as possible (some devices can be isolated fully, for some you wonder why they are in a separate network). E.g. cameras can only record to the cloud service (and the PC accesses the cams via the cloud service). I have a special network port that allows me to enter the IoT network for maintenance.

Member
Posts: 184
Registered: ‎03-10-2015
Kudos: 26
Solutions: 1

Re: Why put IoT devices on their own VLAN?

So if I follow the guide above will streaming to FireStick or Chromecast still work? I assume that those types of devices work by broadcasting to the network to be found, and if there are no "new" connections from IoT to private then that would include broadcasts?

Member
Posts: 273
Registered: ‎04-22-2018
Kudos: 30
Solutions: 2

Re: Why put IoT devices on their own VLAN?


@Shadowed wrote:

How did you go about that setup?


This post details another setup guide

 

https://freetime.mikeconnelly.com/archives/6373


AP AC LITE
UAP nanoHD (x2)
Edgerouter 4
New Member
Posts: 6
Registered: ‎07-13-2018
Kudos: 1

Re: Why put IoT devices on their own VLAN?

I have an IoT VLAN. The wireless is headed by a bitlocker Box. In theory it is an anti-malware device.

 

It can see into my multimedia vlan (which also has an Alexa with the mic turned off).

 

My media server is on its own VLAN.

All wired computers are on one VLAN.

Wireless (non-IoT) are in another VLAN.

 

Wireless, multimedia, and computers can see the media server.

 

Computers can upload to the media server.

The phone on the wireless network can control Play-Fi devices and can see the media server. This allows me to use my phone as a remote control both for Play-Fi and other multimedia devices. But the IoT Box can only see IoT, multimedia, and Alexa devices.

 

It sounds complicated, but it really isn’t.

 

All computers wired & wireless can see each other, including the media server.

 

The multimedia devices and phone can see media server and nothing else.

 

The IoT Box can see the IoT devices, multimedia and Alexa devices.

 

Alexa can only see stuff via HDMI and Amazon servers. It just streams movies.

 

The Box can’t see the phone or any computers, including the media server.

 

I can rip and backup to the media server (really cheap Linux and disks).

 

I can use my phone as a remote control, including Play-Fi.

 

The Box owns the IoT and can see the multimedia, but not any computer, including the media server. It’s also my “guest” network.

 

Everything goes through the security firewall to the internet.

 

Advantages.

Everything, including computers, wireless, IoT are protected via firewall.

Pure IoT have a IoT firewall.

Multimedia is watched by the Box (ID, not IDS).

Alexa can’t do anything but stream movies.

Visitors are treated like a cheap IoT device, but are IDS to real IoT.

 

Paranoid much? Yup. I’ve been working with computers since the late ‘70s. Back then we called hackers Phone Phreaks. People would use sounds to hack into the telephone networks. I’ve learned that groups that claim they can be trusted are the least trustworthy. I’ve designed, bought, and implemented systems that protect $billions. My current networks protect a number of identities, about 0.1% of my prior systems. I’ve greatly reduced my security standards, but I err on the secure side.

 

I don’t trust any simple (IoT) devices.

I don’t trust Amazon. Alexa has sent gigabytes to Amazon. I’ve turned all voice activated everything off. I’m thinking of supergluing the Alexa mic.

Real computers are completely separated from everything else. Any/all communication is encrypted. Shared secrets PKI is only for setting up communication of encrypted traffic. All databases and system have multiple levels of encryption and logging.

 

And I can play lossless music and stream UHD when I want.

 

I am sure someone could hack me, but the ROI isn’t worth it.

New Member
Posts: 1
Registered: ‎09-17-2017

Re: Why put IoT devices on their own VLAN?

Hey, thanks for the link.

Did you by any chance utilise this with a Sonos system?

I am wondering if their technology relies on a broadcast FROM the IoT device (Sonos).

 

Following this guide I am unable to connect to my Sonos system.

Emerging Member
Posts: 44
Registered: ‎02-24-2016
Kudos: 2

Re: Why put IoT devices on their own VLAN?

Quick question, with the firewall rule at the end, should that be put under LAN IN?

 

I'd like to know this as well.

Emerging Member
Posts: 44
Registered: ‎02-24-2016
Kudos: 2

Re: Why put IoT devices on their own VLAN?

To answer my own question: it should be LAN IN.

New Member
Posts: 6
Registered: ‎11-02-2018
Kudos: 2

Re: Why put IoT devices on their own VLAN?


@Hsd1965 wrote:

And I have set it up in a way so devices on my main LAN can control the IoT devices, and the IoT devices can talk back. But the IoT devices cannot initiate a connection to the main LAN.


Any chance you can share some of the rules you set up? I've been having an inconsistent time with device discovery, e.g. Spotify finding my devices, Alexa being able to stream music, etc.

House: 1x USG4, 1x sw-48x500w, 1x sw-8x60w, 3x sw-8, 2x ap-NanoHD, 1x ap-LR, 1x Cloudkey2
Cabin:1x USG3, 1x sw-8x60w, 3x sw-8, 1x ap-NanoHD, 1x Win10-Cloudkey
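The quoted rule set (LAN can reach IoT, IoT can reply, IoT cannot initiate) is a stateful "LAN IN" policy. The following is an added toy model, not code from this thread or from UniFi, showing how such rules evaluate routed packets; the subnets, ports and addresses are constructed placeholders. It also shows why link-local multicast discovery (mDNS) never reaches these rules at all, which is the reason Chromecast/Sonos discovery breaks across VLANs without a reflector.

```python
# Added example: a minimal stateful firewall model of the "LAN IN" policy
# described in the thread. Subnets below are constructed, not anyone's real LAN.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # trusted LAN (constructed)
IOT = ip_network("192.168.20.0/24")  # IoT VLAN (constructed)
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")  # includes mDNS 224.0.0.251


def is_routed(dst: str) -> bool:
    """Link-local multicast (mDNS, SSDP-style discovery) is never forwarded
    between VLANs, so it never even reaches inter-VLAN firewall rules."""
    return ip_address(dst) not in LINK_LOCAL_MCAST


class StatefulFirewall:
    """Evaluates routed packets top-down, like a LAN IN rule list:
       1. accept established/related, 2. drop new IoT->LAN, 3. accept rest."""

    def __init__(self):
        self.conntrack = set()  # 5-tuples of flows already allowed through

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        if not is_routed(dst):
            return "not routed (link-local multicast)"
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        # Rule 1: a reply (or follow-up packet) for a tracked flow is allowed
        # regardless of direction; this is what lets IoT "talk back".
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept (established)"
        # Rule 2: brand-new flows originating in IoT toward the LAN are dropped.
        if ip_address(src) in IOT and ip_address(dst) in LAN:
            return "drop (new IoT->LAN)"
        # Rule 3 (default): anything else starts a new tracked flow.
        self.conntrack.add(fwd)
        return "accept (new)"


if __name__ == "__main__":
    fw = StatefulFirewall()
    # LAN host opens RTSP to a camera, camera replies, camera tries SMB back.
    print(fw.evaluate("192.168.1.10", 40000, "192.168.20.5", 554))
    print(fw.evaluate("192.168.20.5", 554, "192.168.1.10", 40000))
    print(fw.evaluate("192.168.20.5", 51000, "192.168.1.10", 445))
    print(fw.evaluate("192.168.20.5", 5353, "224.0.0.251", 5353, "udp"))
```

The last line is why mDNS-based discovery needs a reflector (or an equivalent proxy) rather than a firewall rule: the packet is not dropped by policy, it is simply never forwarded.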
Emerging Member
Posts: 44
Registered: ‎02-24-2016
Kudos: 2

Re: Why put IoT devices on their own VLAN?

If you follow the guide in one of the previous posts you’ll accomplish just what you’re asking.

New Member
Posts: 36
Registered: ‎11-07-2018
Kudos: 3

Re: Why put IoT devices on their own VLAN?

Somewhat related to this thread.

 

Any reason I shouldn't create a User Group and Network with Firewall Rules for an LG Smart TV and an HP Printer? I know Vizio got in hot water over doing shady things with data they collected on owners without consent, and HP is, well, a printer, so I figure it's probably in the category of devices that is least secure.

 

My concern is that block-and-tackling this makes my network somewhat more complicated to manage but also might interfere with the proper running of it. My goal is simple: prevent these less well understood devices from interfering negatively with my more trusted devices (laptop/desktop etc.) that I have more control over. I'm concerned these devices in particular have less granular control over "who" they talk to outside of my network, though much of it might be purely innocent automatic firmware updates etc.

I have a streaming device too (apple tv) but for some reason I trust that to be in my private network group more.

 

Any thoughts on risks/rewards with micro-segmenting Printers and TV (Smart TV) would be greatly appreciated.

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: Why put IoT devices on their own VLAN?


@Shadowrun1994 wrote:

 

Any thoughts on risks/rewards with micro-segmenting Printers and TV (Smart TV) would be greatly appreciated.


Well, you already touched on it: security is always a trade-off for convenience.

 

Most IoT vendors' security sucks. Hackers are most successful when they can move laterally. Segmenting network traffic can help mitigate that.

 

Is it really something you need to worry about at home? Probably not. But if you can do it and make it work, then extra protection is rarely a bad thing.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
New Member
Posts: 36
Registered: ‎11-07-2018
Kudos: 3

Re: Why put IoT devices on their own VLAN?

Gotcha, That's what I thought.

 

Any thoughts on where devices like Apple TV boxes and NAS should go? I have the former (Apple TV in my secure/private home network) but am not sure where to plunk the NAS. The NAS serves a number of functions, specifically:

 

  • Plex Media Server
  • Encrypted Backups for local computing devices/work devices
  • File Server for Family Photos and Editing.

I'm hoping to eventually host my website from it and possibly migrate to self-hosted email. It's the latter two things that concern me, as I want to both securely/safely access my NAS internally from my hardened network but also expose some bits to the dangers of the wild wild internetz.

 

Maybe I'll just grab another NAS to serve specific functions. I'd like to avoid that expense though.

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: Why put IoT devices on their own VLAN?

IMNSHO if you can't trust the NAS and Apple TV on your primary network that's a bit crazy.

 

I've seen some guys that want each device on their own VLAN. I'm not sure the NSA would go to that level in all but the most extreme of circumstances.
Member
Posts: 443
Registered: ‎09-23-2018
Kudos: 51
Solutions: 19

Re: Why put IoT devices on their own VLAN?

Most people will have UPnP enabled, and that will allow the device to open its own ports on the firewall. That can lead to unknown ports being open and lead to security issues. If you disable it, there shouldn't be any issues.

New Member
Posts: 33
Registered: ‎02-08-2017
Kudos: 7

Re: Why put IoT devices on their own VLAN?


The main issue with putting everything into separate VLANs is something has to route the data between these.

 

As the bandwidth goes up it can overwhelm some of the lower-powered USG devices if they are given the task of inter-VLAN routing and you turn on things like Smart Queues and IPS/IDS.

 

I've only segmented the low bandwidth devices, which by chance are also generally the least trustworthy devices as well.

 

If I was to put the Nvidia Shield or the smart TVs on their own VLAN, away from the media servers, I think the first time I fired up a 4K movie my USG3 would struggle.

 

The USG4 & XG routers will be less taxed, but at some point even they will have issues routing multiple VLANs if you start running the switches near their full switching capabilities.

 

J

Emerging Member
Posts: 75
Registered: ‎04-21-2017
Kudos: 26
Solutions: 1

Re: Why put IoT devices on their own VLAN?

Before I “upgraded” to a usg pro I ran pfsense and ips between all internal subnets. An atom c2758 can manage that comfortably at 1gb line speed.

New Member
Posts: 33
Registered: ‎02-08-2017
Kudos: 7

Re: Why put IoT devices on their own VLAN?

But without a larger link to the router, you're going to be limited to 1G aggregated across all VLANs.

 

This is the main reason for me not using more VLANs as I think the USG3 will handle 1G routing, as I don't have IDS/IPS or Smart Queues switched on, but I can easily create more than 1G of traffic when copying files around between servers.

 

J

New Member
Posts: 36
Registered: ‎11-07-2018
Kudos: 3

Re: Why put IoT devices on their own VLAN?

This is very helpful. Thank you all. 

 

I think I'm going to keep my TV on its own VLAN Network. I don't use any of the "smart" parts of it though; it's literally just a dumb-smart TV (it's hard to find good non-smart TVs these days, if they exist at all anymore). I just want to make sure when firmware does come in it can auto-update as needed. I wish I knew enough on how to test and measure the differences here. Maybe once they roll out the upgraded AirPlay 2 enabled TVs on the market I'll move it back and dump the extra network.


I think I'll keep my Apple TV and NAS on my private locked home network. The Apple TV connects to that "Smart TV" but only through HDMI anyhow. Plus I've already gone through the huge pain of segregating everything and just finished the last bits off. Now on to Firewall Rules Funtimes.

 

I now have another good reason to upgrade to the fancy new USG-XG-8 given that I'd like to do IPS at 1G, so now I have two reasons to upgrade (such overkill for my home network).