Simple network isolation for smart stuff?

Lysrin

Well-known member
Joined
Mar 10, 2014
Messages
4,963
Location
Nova Scotia
I bought some smart plugs. Time to isolate them from the rest of my network. I have a little networking knowledge, but not my strong suit for sure, and I don't have any fancy set up at home. So wondering what you guys would recommend with the stuff I currently have, at least to start.

Right now I just have:

- Bell Home 3000 acting as my main router and WiFi.
- ASUS RT68U set in access point mode, WiFi turned off, and basically being a switch in my office for a couple wired PCs.

I have a guest network set up on the 3000, unique password, etc. VLANs are often a recommended solution, but unless I'm blind or just not looking in the right category on the admin pages, I don't think the 3000 supports that. From a little Googling the ASUS might be able to do VLANs if I put the Merlin firmware on it. I could go that route if I had to perhaps...

So, anything you'd recommend from below?

1. Is it sufficient for things as simple as the smart plugs to just put them on the existing guest network?

2. Would it be better to run a separate WiFi network from the ASUS, if I can configure that?
If I do that, isolating it is unclear. If I set it back to full wireless router mode, to get the full set of features, it assigns DHCP IPs to the wired PCs; default 1.n rather than 2.n as from the 3000. But if I turn on WiFi there, then the smart stuff would also be 1.n and not separated from the two wired PCs. And because the ASUS set this way now has an external 2.n address from the 3000, I can ping the 2.n devices from the wired devices connected to the ASUS (at least I think that's why). So for separation there I would have to have a separate IP range for the WiFi? Not obvious if I can set that up.

3. Perhaps a third option would be a guest WiFi network on the ASUS, connect only the smart stuff to that, and then allow it to isolate that way from the connected wired devices? Hide the SSIDs of the WiFi network coming from the ASUS perhaps, just to avoid confusion. I know that's not a security benefit.

4. "You're out to lunch! Do this instead..."

I'm happy to do more research, but I'd love input from you guys so I at least head down a good path for that.
 
Last edited:

sswilson

Moderator
Staff member
Joined
Dec 9, 2006
Messages
21,689
Location
Moncton NB
What's your main purpose for "isolation"? Is it security/privacy concerns with the IoT devices?
 

crazyea

Well-known member
Joined
May 15, 2012
Messages
1,497
Location
Surrey, BC
This is what I do.

On my Asus router I set my DHCP IP pool to start above 200.

Then I have my clients set to use static DHCP outside of the reservation pool, using IPs below 200.

For example,

Voip 1-5
Printers 6-10
Stereo Receivers 11-16
TVs 20-29
Apple TVs / Media players 30-39
PCs 50-59
Phones 70-79
Tablets / iPods 80-89
Smart Watches 90-99
Game Consoles 100-120
Google Nest Products 160-upward.

For example Ooma Voip could use 192.168.1.5

Personally, I wouldn't separate anything that I want to be able to easily control or access from anyone's phone or PC. Instead I would use the network services filter and restrict devices from accessing these if needed.
 

sswilson

Moderator
Staff member
Joined
Dec 9, 2006
Messages
21,689
Location
Moncton NB
The one thing I've found is that setting up smart plugs/switches is a pain in the arse unless you've got a dedicated 2.4GHz SSID and connect your phone to it during the setup. (Combo 2.4/5GHz SSIDs have given me issues in the past.)
 

crazyea

Well-known member
Joined
May 15, 2012
Messages
1,497
Location
Surrey, BC
The one thing I've found is that setting up smart plugs/switches is a pain in the arse unless you've got a dedicated 2.4GHz SSID and connect your phone to it during the setup. (Combo 2.4/5GHz SSIDs have given me issues in the past.)
I always have my SSIDs set with a _2g or _5g at the end of the SSID, and I never enable guest. No reason to allow other people in when everyone has multi-gig cell phone plans these days.
 

Lysrin

Well-known member
Joined
Mar 10, 2014
Messages
4,963
Location
Nova Scotia
What's your main purpose for "isolation"? Is it security/privacy concerns with the IoT devices?
Yes, security and privacy is the concern. Reading on IoT devices seems to say they are often unpatched and insecure. So the recommendation is to keep them separate.

@crazyea You've conceptually separated your IP assignment there, but those are all still on the same network right? Unless I am missing what you mean. So a device in any one of those IP grouping categories can still "see" all the other categories, correct? If they are all 192.168.1.n they are all on the same network.

@sswilson I did go through your Bell 3000 thread again too. Good info there but you're way beyond me in gear at this point.
 
Last edited:

crazyea

Well-known member
Joined
May 15, 2012
Messages
1,497
Location
Surrey, BC
Yes, security and privacy is the concern. Reading on IoT devices seems to say they are often unpatched and insecure. So the recommendation is to keep them separate.

@crazyea You've conceptually separated your IP assignment there, but those are all still on the same network right? Unless I am missing what you mean. So a device in any one of those IP grouping categories can still "see" all the other categories, correct? If they are all 192.168.1.n they are all on the same network.

@sswilson I did go through your Bell 3000 thread again too. Good info there but you're way beyond me in gear at this point.

Yes they are. As I said at the bottom of the post, I personally wouldn't separate the devices from my network. I see no point in that. I mean, unless you have people coming around and using your network that you don't trust.
 

Lysrin

Well-known member
Joined
Mar 10, 2014
Messages
4,963
Location
Nova Scotia
Yes they are. As I said at the bottom of the post, I personally wouldn't separate the devices from my network. I see no point in that. I mean, unless you have people coming around and using your network that you don't trust.
Well I don't have people coming around and using it that I don't trust... that I know of! ;) But isn't that the point? Protecting from the attacker I don't know about so that if there is a vulnerability in the smart stuff, and someone gets in somehow, they only get that far; into the smart network but not into my home network.

At least that is what I thought I was trying to protect against... 🤔
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
10,790
Location
Toronto, ON
At a more basic approach, use a DNS that blocks the major threats, like Cloudflare (1.1.1.2 - has to be .2!) or Quad9 (9.9.9.9), and disable UPnP/NAT-PMP. That should make you relatively secure as it will help limit malicious access. And of course unique passwords and MFA where possible on all your "cloud" accounts that manage said IoT devices.

The only way I see for you to do this without buying anything, though, is using Guest mode as you've come to conclude. I would double-check that Guest mode is truly isolated: connect a client to it and try to ping something outside of it.

IMO, if you are going down the "smart home" rabbit hole, I'd stick to ZigBee/Z-Wave and have a hub. A lot more secure this way, as you don't have a bunch of random WiFi-enabled devices all over your house with questionable security. You only really need to worry about the hub itself. SmartThings on the easy end of the spectrum, Hubitat on the more advanced end (but totally local).
 
Last edited:
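The "connect a client and try to reach something outside" check JD suggests, written out as an added example (not code from anyone in this thread). It uses short TCP connection attempts rather than ping, since ping needs raw-socket privileges on many systems; the target hosts and ports are constructed placeholders for the main-LAN router and a wired PC, and the 192.168.2.0/24 range is assumed from the 2.n addresses mentioned above.

```python
"""Guest-network isolation check: run from a laptop joined to the guest SSID.

A properly isolated guest network should reach none of the main-LAN targets.
Replace the constructed placeholder addresses with your own router LAN IP and
a wired PC before running.
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample targets (host, port). Assumes the main LAN is 192.168.2.0/24.
MAIN_LAN_TARGETS: List[Tuple[str, int]] = [
    ("192.168.2.1", 80),     # router admin page over HTTP (placeholder)
    ("192.168.2.1", 443),    # router admin page over HTTPS (placeholder)
    ("192.168.2.10", 445),   # a wired PC, file sharing (placeholder)
    ("192.168.2.10", 3389),  # a wired PC, remote desktop (placeholder)
]


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True only if a TCP connection to host:port completes.

    Refused, timed out and network-unreachable all count as not reachable,
    which is the outcome an isolated guest network should produce.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(targets: List[Tuple[str, int]],
                    timeout: float = 1.0) -> Dict[str, object]:
    """Probe every target; isolation holds only if none of them answered."""
    reachable = [(h, p) for h, p in targets if tcp_reachable(h, p, timeout)]
    return {"isolated": not reachable, "reachable": reachable}


if __name__ == "__main__":
    result = check_isolation(MAIN_LAN_TARGETS)
    if result["isolated"]:
        print("OK: no main-LAN target answered from the guest network")
    else:
        # Some firmwares let guest clients reach the router's own LAN address;
        # that is still worth knowing, since it exposes the admin page to guests.
        for host, port in result["reachable"]:
            print(f"LEAK: {host}:{port} is reachable from the guest network")
```

Run it once from the guest SSID and once from the main network: the second run should report every target as reachable, which confirms the probe itself works before you trust an "OK" from the guest side.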

lowfat

Moderator
Staff member
Joined
Feb 12, 2007
Messages
11,353
Location
Grande Prairie, AB
You can run TP-Link smart switches in local mode only. When you set them up, do not sign in to Kasa. You'll only be able to control them from within your network, though.
 
