Do i need an IoT VLAN

[ddaenen1]

The deal is as follows, i have configured 2 VLAN's in my network. The main LAN (VLAN 1) and a Public LAN (VLAN 10), both with their own DHCP server and subnet. The Public is mainly for guests that want wifi access in the house and is completely isolated from my main LAN. Until now, i really didn't bother much with the gaming consoles and the thermostat being on the main LAN but now i got a wifi speaker (from the illusterous brand Xiaomi) as a christmas gift from my work which i have connected once the main LAN to test it and it works really well. The thing though is that unfortunately, i have little trust in Chinese brands and certainly wouldn't want them having access to my main LAN network which has my Nextcloud server and fileserver which contain my personal and company files so after the trial, i disconnected the speaker and boxed it again.

This got me thinking that maybe it is time to have a separate IoT VLAN to connect things that i do not want to have any access to any other LAN resources other than the internet, similar to the Public Wifi. The thing though is that i do not know if you would need to be on the same LAN in orde to play music from the mobile to the speaker or if that all goes through the internet. In the end, the main question is, do i really need yet another VLAN for IoT or should i just use the Public for both purposes. Reconfiguring the existing stuff such as the game consoles and the thermostat to connect to the Public LAN is obviously a very simple operation. Is there anything i am missing here?

 

[CaptainSTX]

The deal is as follows, i have configured 2 VLAN's in my network. The main LAN (VLAN 1) and a Public LAN (VLAN 10), both with their own DHCP server and subnet. The Public is mainly for guests that want wifi access in the house and is completely isolated from my main LAN. Until now, i really didn't bother much with the gaming consoles and the thermostat being on the main LAN but now i got a wifi speaker (from the illusterous brand Xiaomi) as a christmas gift from my work which i have connected once the main LAN to test it and it works really well. The thing though is that unfortunately, i have little trust in Chinese brands and certainly wouldn't want them having access to my main LAN network which has my Nextcloud server and fileserver which contain my personal and company files so after the trial, i disconnected the speaker and boxed it again.

This got me thinking that maybe it is time to have a separate IoT VLAN to connect things that i do not want to have any access to any other LAN resources other than the internet, similar to the Public Wifi. The thing though is that i do not know if you would need to be on the same LAN in orde to play music from the mobile to the speaker or if that all goes through the internet. In the end, the main question is, do i really need yet another VLAN for IoT or should i just use the Public for both purposes. Reconfiguring the existing stuff such as the game consoles and the thermostat to connect to the Public LAN is obviously a very simple operation. Is there anything i am missing here?

I think your reasoning is sound. I do everything possible to keep my IoT devices off my primary LAN. I also run another VLAN for my entertainment/ streaming devices. I have found that most devices can be administered with an app on a mobile device so there isn't any need that they can be reached on my primary LAN. I also run as many of these devices as possible through a VPN so they don't even share a public IP with my more secure devices.

 

[coxhaus]

I have been thinking about the same thing. My guest VLAN has kind of turned into my Apple VLAN.

I have 2 ideas that I have been throwing around is creating another VLAN and running SNORT on Pfsense on the LAN side to track out going connections including LAN to LAN. Pfsense licensing and Christmas slowed me down, so I have not moved forward. Plus, I don't have but one Pictureframe device I would like to track.
I am not sure I want a third SSID. I am trying to decide whether I can live without wireless on the main LAN. It would kind of become a management VLAN. I would only allow access to network devices from my management VLAN. I am also deciding how hard I want to work.

My DHCP is run from my L3 switch for all networks. I don't use separate DHCP servers just multiple DHCP server scopes. Each VLAN has its own scope with its own network.

 

[Christos]

The Public is mainly for guests that want wifi access in the house and is completely isolated

Do you need a guest VLAN?
I have a "not trusted" VLAN with devices that don't get software updates and also guests.

 

[coxhaus]

Do you need a guest VLAN?
I have a "not trusted" VLAN with devices that don't get software updates and also guests.

Yea, my guest VLAN evolved from off-site devices, iPhones and laptops, long before guest VLAN was a thing. There were no real IOT devices back then like now.

 

[Riko]

I use a IOT vlan for all my smarthome stuff.
They can not go to the Internet. If something needs to update i give it temporary access to internet for updating only.

I am on my LAN or WLAN vlan i can connect to the smarthome devices.
But not the way around smarthome devices can not reach anything.

 

[coxhaus]

I use a IOT vlan for all my smarthome stuff.
They can not go to the Internet. If something needs to update i give it temporary access to internet for updating only.

How do you know when they are going to update the software? We do not get any emails.

 

[Riko]

I regularly check the websites of the Smarthome devices i have for updates.
For example Philips hue: https://www.philips-hue.com/en-us/support/release-notes

 

[Riko]

Besides the firewall rules i mentioned earlier i set al the switch ports i use for IOT devices to isolated.

Restricting Traffic with Isolated Switch Ports

Port isolation allows a network administrator to prevent traffic from being sent between specific ports. This can be configured in addition to an existing VLAN configuration, so even client traffic …

documentation.meraki.com

https://help.ui.com/hc/en-us/articles/360039311974-EdgeSwitch-EdgeSwitch-X-Port-Isolation

 

[coxhaus]

Besides the firewall rules i mentioned earlier i set al the switch ports i use for IOT devices to isolated.

Restricting Traffic with Isolated Switch Ports

Port isolation allows a network administrator to prevent traffic from being sent between specific ports. This can be configured in addition to an existing VLAN configuration, so even client traffic …

documentation.meraki.com

View attachment 55407

I not sure what that setting is but how do control stuff with iPhones if the port is isolated?

 

[Riko]

I have 4 vlans for wifi devices.
I have wpa2-enterprise with dynamic vlans.
4 vlans with different firewall security configurations.

In the radius database i have 4 user groups with 4 different vlans set.
I can add or remove users from a specific group / vlan.

All groups can logon on a single ssid but they will end up in the group/vlan i added the user in in the database.

I don't have phones in the IOT vlans since the IOT devices are not allowed to go out to the internet and not allowed to initiate connection to local networks.

If you want your phones in the IOT vlan then you have to give them access to the networks you need them to connect to.
Isolating a network port on a switch prevents clients to connect to each other in the same network.

If you don't want your Philips HUE connect to your phone but to do want your phone connect to your HUE then you can do that with port isolation.

 

[sfx2000]

One of my current thoughts is that while we see devices with 3 radios - for example a 2.4GHz, a couple of 5GHz and/or a 6GHz radio for "normal" WLAN stuff...

What we've been missing is a dedicated 2.4GHz radio just for IoT - which is becoming more important over time...

Curious here to what the interest would be for a Router/AP would be for this application -- @TheLostSwede - we could discuss something here perhaps...

 

[Riko]

Why a separate radio?
You can configure a separate IOT WPA2-PSK SSID that is transmitted by all your accesspoints alongside with your normal users SSID.

 

[sfx2000]

Why a separate radio?
You can configure a separate IOT WPA2-PSK SSID that is transmitted by all your accesspoints alongside with your normal users SSID.

Mostly because what works well for many IoT devices does not work well for regular WLAN clients...

Between WiFi4 tweaks specific to the IoT chipset, and policy matters around services - it's best to handle that outside of the general WLAN - VLAN's aside, and Mesh just complicates things more...

It doesn't cost much to drop in a dedicate 1*1:1 802.11n radio just for IoT...

 

[Riko]

I don't use mesh. My wifi devices roam between my accesspoints that are mounted on different places in my house.

The IOT Wifi SSID i use sometimes for specific Tuya smart switches with regular wpa2-psk works very well.
It ends in my IOT vlan just like the other IOT devices.

I don't see the need for a separate radio for that.
You can already do that with for example Ubiquiti Unifi accesspoints.

As you can see on the image below my normal users ssid is on 5ghz only channel 42 and 155 with wpa2-eap.
The IOT SSID is on 2.4ghz only channel 1 and 11 with wpa2-psk.
I have no problem connecting any 2.4ghz smart device to my IOT wifi.

 

[coxhaus]

I have 4 vlans for wifi devices.
I have wpa2-enterprise with dynamic vlans.
4 vlans with different firewall security configurations.

In the radius database i have 4 user groups with 4 different vlans set.
I can add or remove users from a specific group / vlan.

All groups can logon on a single ssid but they will end up in the group/vlan i added the user in in the database.

I don't have phones in the IOT vlans since the IOT devices are not allowed to go out to the internet and not allowed to initiate connection to local networks.

If you want your phones in the IOT vlan then you have to give them access to the networks you need them to connect to.
Isolating a network port on a switch prevents clients to connect to each other in the same network.

If you don't want your Philips HUE connect to your phone but to do want your phone connect to your HUE then you can do that with port isolation.

So, is port isolation kind of like a one-sided ACL? Is it controlled by layer 3 or layer 2? Dynamic vlans should be layer 3. What switch are you using for your dynamic VLANs and port isolation? I have not seen the term port isolation except in layer 2. I guess it has to be by MAC as I don't think IoT devices can logon.

I have a different problem with my IoT, pictureframe. It needs cloud access so my daughter can add pictures of her and my granddaughters to the cloud so we can see them, but it does not need access to my main LAN as we can add pictures to the cloud also. It does not need to have local access just internet access.

I definitely want to know which switch you are using and how are you controlling dynamic VLAN access by MAC or by Logon? I guess it has to be by MAC as I don't think IoT devices can logon. I am thinking captive portal logon.

I don't do anything in my network by MAC, only by IP. It is one of my rules.

 

[Riko]

I added several links about port isolation.
Port isolation is a common thing in switches and even in wifi networks your can set client isolation.

I have a Ubiquiti EdgeSwitch 24 POE 250 watts.
And 2x Unfi Flex switches.

My dynamic vlans doesn't work based on mac address but username/password (EAP-PEAP).
I could use MAC addresses but i want to use username/password per user. This way i can give individual users access and wen needed remove them from the radius database (Freeradius / MariaDB).
A mac address could be spoofed.

I could also use personal certificates (EAP-TLS) i have this working so i could switch to certificates if i would want to but i dont want to. I like EAP-PEAP more.
Because EAP-TLS has no concept of inner / outer tunnel so i can't hide usernames. With EAP-PEAP i can use a anonymous username on the outer tunnel and the real usernames on the inner tunnel. This way you can not sniff the usernames. the username a listener would see is anonymous.

All traffic to the radius server is over TLS.

My IOT wifi is not wpa2-enterprise but WPA2-PSK (pre shared key) see te picture i added earlier.

I don't use a captive portal on the IOT wifi.
You probably saw the option checked in one of my pictures.
But that setting does more then only captive portal it isolates clients. The captive portal needs another extra setting to switch that on. if you don't configure the captive portal this setting only functions as isolation between wpa2-psk clients. Hard to explain. English is not my native language.

If you need some cloud access for IOT devices then you have to allow it to the internet of course.
I would personally go to great lengths to prevent cloud connections.

I have a OpenVPN server on my network this way i don't need cloud services to connect to my IOT devices.
btw this OpenVPN server uses also my freeradius database for user authentification.

In the picture below you see a part of the dynamic vlans configuration in MariaDB for the freeradius server.
You see 3 vlan/groups:

private - vlan id 88
friends - vlan id 99
guests - vlan id 110

Then I use a fourth vlan 44 for a open wifi network with a separate ssid were clients can not go to the internet or connect to internal networks but were they can reach a single local (captive portal) website were i explain things about my network.

In Windows ...

 

[coxhaus]

You confused me with your statement on dynamic VLANs and IoT devices. But now it makes sense as you are not using it with IoT devices.

Yes, I agree using MAC addresses is not a good idea as they can be spoofed. I do not use MAC addresses in my network as stated above.

Port isolation is not a thing I use nor seen except in wireless. I use ACLs in my Cisco layer 3 switch.

 

[follower]

The deal is as follows, i have configured 2 VLAN's in my network. The main LAN (VLAN 1) and a Public LAN (VLAN 10), both with their own DHCP server and subnet. The Public is mainly for guests that want wifi access in the house and is completely isolated from my main LAN. Until now, i really didn't bother much with the gaming consoles and the thermostat being on the main LAN but now i got a wifi speaker (from the illusterous brand Xiaomi) as a christmas gift from my work which i have connected once the main LAN to test it and it works really well. The thing though is that unfortunately, i have little trust in Chinese brands and certainly wouldn't want them having access to my main LAN network which has my Nextcloud server and fileserver which contain my personal and company files so after the trial, i disconnected the speaker and boxed it again.

This got me thinking that maybe it is time to have a separate IoT VLAN to connect things that i do not want to have any access to any other LAN resources other than the internet, similar to the Public Wifi. The thing though is that i do not know if you would need to be on the same LAN in orde to play music from the mobile to the speaker or if that all goes through the internet. In the end, the main question is, do i really need yet another VLAN for IoT or should i just use the Public for both purposes. Reconfiguring the existing stuff such as the game consoles and the thermostat to connect to the Public LAN is obviously a very simple operation. Is there anything i am missing here?

VLAN for security is useless. Have you heard about Hopping? Physical Network Separation is needed.

 

[Riko]

@coxhaus

I don't use layer 3 on my switch.

I would like to play with it but i need a separate L3 switch for that.
I don't want to have my network down for to long.

I have a lot of firewall rules set.
If i would have to convert all that in ACL's i don't know if i could get the same result.

Plan is to buy a cheap L3 switch just to practice with L3 on the switch and get some hands on experience with ACL.