Can I Isolate IOT devices on a guest network but...?

morgan boyle

Is there a way to isolate my IoT devices (i.e. Google Home, Chromecast, Nest cams, etc.) to a guest network but still be able to cast/access to them from my main network?

What's the best solution?

Put everything on a guest network??? I don't want to have to be switching networks to access hard-wired devices like SONOS or printers etc.

Current Network:
Router - Asus RT-AC88U
AI-Mesh Node - Blue Cave
AI-Mesh Node - RT-AC68U
 
Not the ones you need to communicate with like Chromecast.

Another issue with Asus guest networks is that they only broadcast securely from the router, which may not reach all perimeter IoT devices, and don't broadcast at all from AiMesh nodes... yet.

Others here may propose some solutions. I'm still avoiding IoTs I can't trust.

OE
 
Not broadcasting from the other nodes is a big issue...

I've been reading about setting static IPs for them and restricting WAN access. Not sure if that really restricts anything from taking over my network though!
 
What will happen is IoTs won't work without Internet access. It's a hopeless security issue, imo. As I see it, you avoid them or trust them or fully isolate them on a separate network. I prefer to avoid them.

Word is that Asus is working on supporting guest networks on nodes. But even then, isolating things will impede using and managing them.

OE
 
My approach is conceptually simple.

If device needs LAN access, then connect via Ethernet or to non-guest SSID on 5 GHz (with AP isolation disabled).

If device does not need LAN access, then connect to guest SSID (with LAN access disabled) on 2.4 GHz (with AP isolation enabled).
 
Is it possible to assign static IPs for devices on the guest network? It seems it is not possible from DHCP as I have them under a different subnet - 192.168.2.... Am I missing something?
I am trying to assign some IPs to my IoT devices so I can block them in Skynet. I already blocked them with their current IP but I am assuming that this can change when I reboot the router.
Is this the right way to do it?
PS. I'm already using YazFi.

Thank you.
 
Follow up to Emerald:
Saw your post here to the question on how to best isolate IoT devices, where you said if they don’t need access to the LAN, then have them sign into a 2.4 GHz guest network with AP Isolation turned on. That is exactly what I want to do - so they cannot see/talk to each other - and in that way, if one happens to get infected somehow then the others are safe (not to mention my LAN since they are only on a guest network).
I did this - turned on AP Isolation, but when I logged into that same network and used a utility to see what other devices I could see (expecting nothing), I still saw all the same devices as before I turned on AP isolation.
Note - I did this on the 5.1 GHz band as that is where most of my current IoTs (ex. Roku, Alexa, etc.) are - but that shouldn’t make a difference, right?
Only thing I can think of is maybe I need to reboot the router (rather than just Apply) so it starts fresh with the new setting?
On Merlin 17 and an RT-AC5300. Thx!
 
I'm looking to isolate my IoT devices as well. YazFi looks great but will I get a reasonable isolation just putting them on Merlin's Guest network? Will they still route through VPN by IP? I have all my IoT devices on a discrete VPN slot.
 
Yes you can isolate wireless devices (IoT) by using the guest networks.

Policy based routing will let you route both IoT and normal devices to either your WAN or VPN tunnel(s).
 
