IoT Home Network Setup

NetworkHound

This spring I finally upgraded my home network router from the ISP router to a higher-end consumer router. I have fiber and I was able to get the router to connect directly to the ONT. I was happy because I finally had a network with a separate guest SSID! Fancy!

Now I'm realizing I should also segregate my IoT devices to their own group, most commonly done using VLAN groups.

My consumer router can't do this. I could shuffle all my IoT devices onto the guest network, but then I either have to put guests on my IoT network or my secure home network.

I was thinking I could get a proper router that can tag VLAN groups on the LAN ports. Could I continue to use my current router in AP mode to act as an access point for one of the VLAN tagged LAN ports or would that not work? I'd also need to get APs for my guest and IoT network...

Am I missing another way to secure my IoT devices?
 
You can use your current router in AP mode to service one of the VLANs. If you are going to purchase other APs, I would look for APs that can support multiple VLANs so you don't have to have so many APs. Ubiquiti APs are one example that is popular around here, but there are others.
 
A few followup questions:

  1. So I could use my current router for one network, then an AP that supports multiple VLANs for an IoT and Guest network?
  2. Is there a simple way to handle IoT security? I have over a dozen IoT devices, mostly smart lighting. I keep seeing that network segregation is the best way to handle IoT, but perhaps I'm missing another solution. Yes, I realize getting rid of my IoT devices is the simplest, but besides that :)
  3. My next question is what routers are recommended for this setup? Something that is good for security, can work with VLANs, and won't break the bank. I can also re-ask this question on the Router forum.
 
I have most all of my IoT on their own router, with its own subnet. Five of the six SSIDs available are used for wireless IoT devices. The sixth SSID is for guests. The wired LAN ports are used for wired IoT devices.

Double NATed behind the first router is my second router which handles all my secure connections that I don't want exposed to possible exploits of my IoT devices. Administrative access from the WAN on both routers is turned off. AIprotection on the Internet facing router also offers some protection.

Two things to take into consideration: the IoT devices must be on the Internet-facing router; running guest networks on an AP connected to your primary router doesn't isolate devices connected to the primary router from devices connected by WiFi to the AP.

VLANs will give you the isolation you are looking for if you have a router that supports VLANs (Tomato with the Teaman feature set does) or you are willing to write the scripts for router firmware that doesn't support VLANs using the GUI.

Each approach has its pros and cons.
 

I've seen a similar approach written before where you have a primary router with two secondary routers behind it double NATed. I do game online though and I've heard double NAT can cause some issues with online gaming.

That is another approach I could consider. Getting another router and putting one behind another in double NAT.

If I'm getting another router anyway shouldn't I just get one that supports VLAN?
 
Two things to take into consideration: the IoT devices must be on the Internet-facing router; running guest networks on an AP connected to your primary router doesn't isolate devices connected to the primary router from devices connected by WiFi to the AP.

This is true in general, except for a few APs. One example would be Ubiquiti APs. Their APs can isolate traffic on a guest SSID from all other traffic without using VLANs.
 
I don't game so I can't tell you if a double NAT would cause a problem. I have run a double NAT setup on and off for years and I don't have any problems with devices behind my second router. A double NAT makes DDNS harder and running a VPN server isn't easy/possible on a double NATed router. No problems with VPN clients. You also could connect your games to the first router.

If you buy a router that supports VLANs, look for the ability to set them up using the GUI unless you want to spend the time with scripting and iptables. I have VLANs set up on my N66, which is flashed with Tomato. Fairly straightforward setup in the GUI. It has 8 SSIDs, 4 DHCP subnets, and all the LAN ports are in different subnets.
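For readers weighing the "scripting and iptables" route mentioned above, here is an added example (not from any post in this thread) of what that script looks like on a Linux-based router firmware: it creates a tagged IoT VLAN and firewalls it so IoT devices can reach the Internet but not the trusted LAN or the router's admin interface. The interface names (eth0, eth1, br0), the VLAN id and the subnet are assumptions to be adapted to your own firmware.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are ASSUMED; check
# yours with "ip link" before use. Dry-run by default, "apply" executes.
WAN_IF="${WAN_IF:-eth1}"        # Internet-facing interface (ppp0 for PPPoE)
LAN_IF="${LAN_IF:-br0}"         # trusted LAN bridge
TRUNK_IF="${TRUNK_IF:-eth0}"    # switch port carrying the tagged VLAN
IOT_VID="${IOT_VID:-20}"        # 802.1Q tag for the IoT segment
IOT_IF="vlan${IOT_VID}"
IOT_NET="${IOT_NET:-192.168.20.0/24}"
IOT_GW="${IOT_GW:-192.168.20.1}"

# Commands that create the tagged sub-interface the IoT APs/ports will use.
vlan_cmds() {
    cat <<EOF
ip link add link $TRUNK_IF name $IOT_IF type vlan id $IOT_VID
ip addr add $IOT_GW/24 dev $IOT_IF
ip link set $IOT_IF up
EOF
}

# Policy: IoT -> Internet allowed; IoT -> trusted LAN dropped; IoT -> router
# only for DHCP/DNS (admin UI unreachable from IoT). The trusted LAN may still
# initiate to IoT, and replies come back via the ESTABLISHED,RELATED rule.
fw_cmds() {
    cat <<EOF
iptables -N IOT_FWD
iptables -I FORWARD -i $IOT_IF -j IOT_FWD
iptables -A IOT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A IOT_FWD -o $LAN_IF -j DROP
iptables -A IOT_FWD -o $WAN_IF -j ACCEPT
iptables -A IOT_FWD -j DROP
iptables -N IOT_IN
iptables -I INPUT -i $IOT_IF -j IOT_IN
iptables -A IOT_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A IOT_IN -p udp --dport 67 -j ACCEPT
iptables -A IOT_IN -p udp --dport 53 -j ACCEPT
iptables -A IOT_IN -p tcp --dport 53 -j ACCEPT
iptables -A IOT_IN -j DROP
iptables -t nat -A POSTROUTING -s $IOT_NET -o $WAN_IF -j MASQUERADE
EOF
}

if [ "${1:-}" = "apply" ]; then
    vlan_cmds | sh -e     # needs root on the router
    fw_cmds | sh -e
else
    vlan_cmds
    fw_cmds
fi
```

The firewall part is what actually enforces the segregation; without the FORWARD rules a VLAN only separates broadcast domains, and the router would happily route between them.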
 
I was looking at the EdgeRouter Lite as an option; I can't tell if you can do all the VLAN tagging via the GUI or not.

I'd rather not be reliant on a command line to do settings. I'm fine with learning it in the future but I'd like to be able to get through the VLAN setup via a GUI.

Any other recommendations on a wired router that can do VLAN tagging easily? I need a router that can do VLAN tagging on the LAN ports and PPPoE login with a VLAN tag on the WAN port to connect to my ONT. I can deal with wireless by just adding access points to the VLAN tagged LAN ports (I think).

UPDATE: I'll also post this specific request for router recommendations in the router forum, since this is primarily about security.
 
Here is a potential layout I'm considering. Would this work? I could also reduce the need for switches by getting a router with more LAN ports.
 

[Attachment: IMG_4532.JPG, the proposed layout diagram]

Yes, that is one way of doing it. You could even use one larger switch instead of two switches. I would definitely not purchase a router based on how many ports it has (as long as it has enough for what you need routed). Personally, I let routers do routing and switches do switching, just like I let routers do routing and APs do wifi. When you start trying to combine roles for equipment you usually have to compromise, and you certainly narrow your choices. If space is of the utmost importance then certainly combine them, but if you have enough space I would separate the roles.

Note: I am talking about home use here. In businesses it sometimes makes sense to combine certain roles, like a level 3 routing switch for example.
 