As an aside, do any of you use VLANs for IoT etc.? I currently do this with Wi-Fi, but not on Ethernet connections.
I currently use an unmanaged 24 port switch, and an 8 port PoE. By adding an 8 port managed switch for ~£50 I can easily segregate wired devices such as TVs, cameras, alarm system etc.
What are your thoughts, particularly regarding security?
Me, too. In hindsight, I probably asked the wrong question. I have IoT devices on a separate SSID, which happens to use a separate VLAN, and I did this some years ago for practical reasons. Everything else is on the same LAN/VLAN except guest Wi-Fi, which has a separate SSID and VLAN.
So, my question should have been, is it good practice (for security not management) to place these devices in a separate VLAN?
I did a little searching, and it seems that most people do this because they can, not necessarily to mitigate risk. Also, it seemed that potential vulnerabilities were only an issue if the network was already compromised.
Therefore, I’ll probably leave things alone until I need more PoE capacity, when I’ll consider a managed switch.
I believe it makes sense for IoT devices to be segregated if possible, for security as well as performance. A separate SSID makes sense, but that does not help wired devices, and it may or may not result in having a separate VLAN for these devices.
Maybe I’m missing something, but having separate networks seems a bit too complicated to me. If the IoT devices don’t connect to Internet, and you want to control them with a phone, you’d have to connect the phone to one WLAN to see them and to another to see the rest of your devices. And if you want to access all your devices when away, will a single VPN work with both?
Also, regarding performance, I’m not sure two SSIDs are better than one, as it may increase overhead and interference.
They probably aren’t better than one in terms of efficiency & interference but, in my experience, the majority of IoT devices are 2.4 Mbps and frequently refuse to connect to a single SSID (combining 2.4 & 5 Mbps). So, separation is pretty much essential when adding devices, and often the same devices will lose the Wi-Fi connection when SSIDs are combined.
While split SSIDs are not desirable, from a practical viewpoint they are the better option.
Yes, the majority are 2.4, but all my devices seem to work fine with the combined SSID I’m using. I think it depends on the router.
Also, if one SSID is 2.4 MHz and the other 5 or 6, then it should be fine, as they would not interfere. This is what I’m currently using. Initially, I used the 6 MHz only for backhaul, but then moved to wired backhaul, so I kept it and opened it up for devices.
Interestingly, my router (Deco XE75 Pro) has support for a dedicated IoT network, but I haven’t tried it.
I maintain a separate IoT SSID/VLAN with firewall rules that block access from it to the main network.
The deeper question is what constitutes an IoT device. I define them as devices that are not regularly patched — dishwashers, HomeKit devices, etc. — but not stuff like Roon endpoints that run macOS, iOS, tvOS, Linux variants, etc.
So I do have an IoT network, but no part of Roon is on that network.
I also maintain a guest VLAN/SSID and a management VLAN/SSID. The latter is used only by the UniFi management infrastructure so that it is unaffected by something like a packet flood on the other networks.
IMO, there’s absolutely no need to VLAN things out at home, you’re just going to end up in admin/permissions hell, and creating rules and exceptions for stuff defeats the intent anyway. Guest WLAN for, um, guests (so they don’t steal or delete your music collection), otherwise KISS.
Yes but only if you plan to truly block access to something or to each device on the same subnet like turning on device isolation (which would break roon).
I have an “IoT” subnet, but it’s isolated from my “not IoT” subnet because there are things on my “not IoT” subnet I don’t want my IoT devices to see or get access to. A lot of times on these forums I see people stand up two subnets / SSIDs and then turn on things like mDNS and multicast snooping and all kinds of things to let the two subnets talk to each other. I think that defeats any point to two subnets.
This is what I do, albeit for Wi-Fi only. I’d need a new switch to add Ethernet into the mix. However, my current solution is pulling Ethernet from TVs etc., and using Wi-Fi only. That leaves a single device on my default network. I can live with this.
However, I’m more interested in why separation is needed in the home environment than what is possible. AFAICS, exploits have only used IoT devices because perimeter security was already compromised. Is this correct?
This is almost always the case since your inet → lan filters are probably the same. The only exception is if you physically bring an exploit behind your firewall. For example, you obtain a virus or other compromise from public wifi and then bring it home on your laptop. If that exploit then identifies other devices to infect… If your laptop was isolated from the other devices then those things wouldn’t get infected.
Now, if you want to get super fancy… You could limit what your “IoT” devices are allowed to talk to on the Internet. This gets a little more involved but, for example, you could limit your Google devices to just Google, in the US, on the west coast, as an example. Then, someone trying to exploit the device would need to be doing it from a Google platform just in that region. Additionally, if your IoT device was exploited and it tried sending traffic to, say, some country not the US, your firewall would drop that traffic outbound. So, your device might be “infected” but you’ve made the infection worthless because the device can’t “phone home” to be controlled remotely.
Things like this can be done and they can be done via VLAN / subnet which makes the configuration easier.
If you know what you’re doing and have the equipment to support this configuration, then yes, I would recommend it. I have seen IoT devices that are not particularly well secured.
I have a dedicated IoT VLAN and a dedicated IoT WLAN that is bound to it, so wired and wireless IoT devices are isolated from the rest of my network. There is a route from my primary VLAN to the IoT one, so I do not have to change networks in order to access my IoT devices. On the other hand, the IoT VLAN only has a route to the Internet - traffic cannot traverse from the IoT VLAN to my primary VLAN.
As an aside, I have also seen cases where separate SSIDs were implemented (e.g. one for “guest”) such that guest users or devices would not need to have the PSK for the primary SSID, but where there was a route between the guest and primary networks.
If this all sounds a little wonky, that’s because it is. That said, if you are concerned about security, a little research can go a long way.
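The policy the two posts above describe (the primary VLAN may reach the IoT VLAN and replies flow back, the IoT VLAN can only reach the Internet, and each IoT device's egress is limited to an allowlist of destinations), as an added example in Python that is not from any poster in this thread. It is a simplified model of the firewall decision: the VLAN ranges, the device address and the allowlisted prefix are constructed placeholders, not real vendor ranges, and connection tracking here is reduced to address pairs where a real firewall also tracks ports and state.

```python
from ipaddress import ip_address, ip_network

# Constructed VLAN ranges standing in for the primary and IoT networks.
ZONES = {
    "primary": ip_network("192.168.10.0/24"),
    "iot": ip_network("192.168.20.0/24"),
}
# Hypothetical per-device egress allowlist: the destination prefixes one
# IoT device may reach on the Internet (placeholder prefix, not a real one).
EGRESS_ALLOW = {
    ip_address("192.168.20.50"): [ip_network("203.0.113.0/24")],
}
# Flows opened from the primary VLAN; their replies are allowed back in.
# Simplified: real conntrack keys on ports and protocol state as well.
conntrack = set()


def zone_of(ip):
    """Map an address to 'primary', 'iot' or 'internet'."""
    for name, net in ZONES.items():
        if ip_address(ip) in net:
            return name
    return "internet"


def decide(src, dst):
    """Return 'accept' or 'drop' for a packet from src to dst."""
    s, d = zone_of(src), zone_of(dst)
    if (dst, src) in conntrack:
        return "accept"           # reply to a flow the primary VLAN opened
    if s == "primary":
        conntrack.add((src, dst))
        return "accept"           # primary may reach IoT and the Internet
    if s == "iot" and d == "primary":
        return "drop"             # IoT never initiates toward primary
    if s == "iot" and d == "internet":
        allowed = EGRESS_ALLOW.get(ip_address(src), [])
        # Egress only to allowlisted prefixes; anything else is dropped,
        # which is what makes a compromised device unable to phone home.
        return "accept" if any(ip_address(dst) in n for n in allowed) else "drop"
    if s == "iot" and d == "iot":
        return "accept"           # devices within the IoT VLAN may talk
    return "drop"                 # default deny, e.g. unsolicited inbound
```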
“Yes, but” is my answer. Yes, it’s better for security, but your experience may suffer if you do it. For example, Roon can’t find nodes on the network if they’re in a different subnet; so if you set up routing to allow your Wi-Fi VLAN to talk to your wired VLAN it won’t matter, as it won’t be able to find it. An example would be using a Bluesound Node on Wi-Fi and having your ROCK server on the wired VLAN; it just won’t work. I wish there was a way to set up fixed IPs in the server so it just knows where everything is without having to do network discovery, but that’s the way it is unfortunately.