IOT devices on separate VLAN

Soldato
Joined
17 May 2013
Posts
2,885
Location
West Sussex, UK
I'm thinking of moving all my IOT and automation bits to a separate VLAN - mainly for security reasons.

My main question; would I still be able to use the mobile apps (connected to the main VLAN) to control these devices? And if I open a connection to allow access, surely this would render the exercise of moving VLANs useless?
 
Soldato
Joined
18 Jan 2004
Posts
9,306
Location
Sunny Scotland
Depends on how you do it and what equipment you're setting up VLANs on, as you can lock down the ports and communication between VLANs to specific ports and protocols. You using Unifi?

https://youtu.be/6ElI8QeYbZQ

I used that to set mine up. It goes into further detail on how to secure it with establishing connections etc to lock it down. I imagine most of it can apply to a few diff manufacturers.
 
Soldato
Joined
24 Sep 2015
Posts
3,674
My main question; would I still be able to use the mobile apps (connected to the main VLAN) to control these devices? And if I open a connection to allow access, surely this would render the exercise of moving VLANs useless?

It depends on the IoT device. Some will communicate directly between your phone and the IoT device and others will go via their cloud service. If communication goes direct then you'd need to look at punching holes in the firewall but if they go via a cloud service then as long as the IoT VLAN has internet access you should be fine.

In my case all my IoT devices seem to go via a cloud service so I can still control everything that's in the IoT VLAN from my normal VLAN. The only firewall rule I have to allow traffic from IoT to the normal VLAN is to let the IoT devices use my Pi-Hole instances. Everything else is blocked.
 
Soldato
OP
Joined
17 May 2013
Posts
2,885
Location
West Sussex, UK
Depends on how you do it and what equipment you're setting up VLANs on, as you can lock down the ports and communication between VLANs to specific ports and protocols. You using Unifi?

https://youtu.be/6ElI8QeYbZQ

I used that to set mine up. It goes into further detail on how to secure it with establishing connections etc to lock it down. I imagine most of it can apply to a few diff manufacturers.

I'll check that video out.

Equipment wise will be Netgear R8000P wireless router.

IOT devices will include Harmony Hub, Smartthings hub, LIFX bulbs, and Kasa smart plugs.

It depends on the IoT device. Some will communicate directly between your phone and the IoT device and others will go via their cloud service. If communication goes direct then you'd need to look at punching holes in the firewall but if they go via a cloud service then as long as the IoT VLAN has internet access you should be fine.

In my case all my IoT devices seem to go via a cloud service so I can still control everything that's in the IoT VLAN from my normal VLAN. The only firewall rule I have to allow traffic from IoT to the normal VLAN is to let the IoT devices use my Pi-Hole instances. Everything else is blocked.

I'm also using Pi-Hole. I assumed both VLANs should use Pi-Hole as their default DNS server as that's configured in the router.
 
Soldato
OP
Joined
17 May 2013
Posts
2,885
Location
West Sussex, UK
I've watched that video and learnt a couple of things;

1. Rather than just separating my smart devices from the main network, I need to separate my server/tablets/mobiles/laptops from everything else. I didn't even think about all the Amazon devices, consoles, and TVs

2. I need to invest in better equipment. I've setup some Ubiquiti stuff at work, I now need it at home!
 
Soldato
Joined
24 Sep 2015
Posts
3,674
I'm also using Pi-Hole. I assumed both VLANs should use Pi-Hole as their default DNS server as that's configured in the router.

In my setup I'm using 192.168.8.0/24 as my main LAN (VLAN1) and 192.168.80.0/24 as my IoT VLAN (VLAN3). My Pi-Hole instances only have an interface in VLAN1; their IP addresses are 192.168.8.2 & 192.168.8.3. My firewall is set to block anything from VLAN3 going to VLAN1 - if there's open access then what's the point of having VLAN3? The Pi-Hole instances only have an interface in VLAN1, so the VLAN3 devices will be trying to do DNS queries on 192.168.8.2 & 192.168.8.3, but there's a firewall rule in place that blocks all traffic going from VLAN3 to VLAN1.

So I've added a rule that's applied before the block that allows 192.168.80.0/24 to reach 192.168.8.2 & 192.168.8.3 only for the purposes of DNS queries, so all other ports are blocked.

What I'm saying is if you have a firewall rule in place to block traffic then just because your DHCP server is telling clients in VLAN3 to use the Pi-Hole instances in VLAN1, that isn't enough to get that traffic flowing. You specifically need a firewall rule to allow that traffic.
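A first-match model of the rule set described in this post, added here as an illustration rather than the poster's own configuration: an allow rule for DNS from the IoT VLAN to the two Pi-Hole addresses placed ahead of a block rule for everything else from VLAN3 to VLAN1. The addresses are the ones given in the post; the default-allow for anything no rule matches (IoT to internet, VLAN1 to VLAN3) and the omission of stateful return-traffic handling are simplifying assumptions of the model, not a description of any particular router.

```python
"""First-match model of an inter-VLAN firewall: IoT VLAN may reach Pi-Hole on
DNS only, and is otherwise blocked from the main VLAN. Rule order matters."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Networks and hosts taken from the post.
MAIN_LAN = ipaddress.ip_network("192.168.8.0/24")    # VLAN1
IOT_LAN = ipaddress.ip_network("192.168.80.0/24")    # VLAN3
PIHOLES = (ipaddress.ip_address("192.168.8.2"),
           ipaddress.ip_address("192.168.8.3"))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    src_net: ipaddress.IPv4Network
    dst_net: Optional[ipaddress.IPv4Network] = None
    dst_hosts: Tuple[ipaddress.IPv4Address, ...] = ()
    protos: Tuple[str, ...] = ()                  # empty = any protocol
    dports: Tuple[int, ...] = ()                  # empty = any port

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src not in self.src_net:
            return False
        if self.dst_net is not None and dst not in self.dst_net:
            return False
        if self.dst_hosts and dst not in self.dst_hosts:
            return False
        if self.protos and pkt.proto not in self.protos:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


# Order is the whole point: the narrow allow must come before the broad block.
RULES = [
    Rule("iot-to-pihole-dns", "allow", IOT_LAN, dst_hosts=PIHOLES,
         protos=("udp", "tcp"), dports=(53,)),
    Rule("block-iot-to-main", "block", IOT_LAN, dst_net=MAIN_LAN),
]


def evaluate(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule.

    Assumption: traffic no rule matches (IoT to the internet, main LAN to IoT)
    is forwarded. Reply packets are not modelled; a real router would admit
    them via connection tracking rather than via a separate allow rule.
    """
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "allow", "default"


def dns_survives_reorder() -> bool:
    """True only if IoT DNS to Pi-Hole still works with the rules reversed.
    It does not: once the block rule is first, the allow rule is never reached."""
    pkt = Packet("192.168.80.20", "192.168.8.2", "udp", 53)
    return evaluate(pkt, list(reversed(RULES)))[0] == "allow"


if __name__ == "__main__":
    for pkt in [Packet("192.168.80.20", "192.168.8.2", "udp", 53),
                Packet("192.168.80.20", "192.168.8.2", "tcp", 22),
                Packet("192.168.80.20", "192.168.8.50", "udp", 53),
                Packet("192.168.80.20", "8.8.8.8", "udp", 53),
                Packet("192.168.8.10", "192.168.80.20", "tcp", 80)]:
        print(pkt, "->", evaluate(pkt))
    print("DNS still allowed with rules reversed:", dns_survives_reorder())
```

Running it shows that the same DNS query to a non-Pi-Hole host in VLAN1 is blocked, that non-DNS traffic to the Pi-Hole addresses is blocked, and that simply reversing the two rules silently breaks name resolution for the IoT VLAN, which is what the post means by the allow rule being "applied before the block".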
 
Soldato
Joined
24 Sep 2015
Posts
3,674
1. Rather than just separating my smart devices from the main network, I need to separate my server/tablets/mobiles/laptops from everything else. I didn't even think about all the Amazon devices, consoles, and TVs

Is that really necessary? You may end up needing to punch so many holes in the firewall that you're actually gaining nothing other than an overly complex setup. In my setup I have IoT devices (that's Amazon Echos, Sonos speakers, smart lamps, TP-Link Kasa stuff and things like that) in my IoT VLAN but everything else is in the main VLAN.

I want my iPad to be able to access my printer and my server. I want my iPad to be able to reach my Sky box and TV. So for me there didn't seem any point in splitting things up to that degree.

Also, if you're going to be pushing much traffic between the VLANs then you'll struggle with throughput fairly early on. In my setup there's only DNS traffic, which is minimal to say the least, but if you have a server in a different VLAN from a client and you're pushing SMB/CIFS around it'll be horrid.
 