What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Do i need an IoT VLAN

My pfSense system has 4x 2.5gbps ports.
1 for WAN and 2 ports for the 2 nic LAG to the switch.
1 have only one unused port left.

I like to learn networking best practices and to prevent, mitigate vulnerabilities that comes with the territory.

"Not flying is always safer then flying."

www.linkedin.com

How do you secure VLANs against attacks such as VLAN hopping and spoofing?

Learn how to prevent VLAN hopping and spoofing attacks and follow best practices for VLAN configuration and management.
www.linkedin.com www.linkedin.com
 
Last edited:
follower said:
VLAN for security is useless. Have you heard about Hopping? Physical Network Separation is needed.
Click to expand...
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
 
ddaenen1 said:
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
Click to expand...
Yes. Unless your IoT devices don't effect anything on your network. Sometimes IoT devices broadcast horrible packets to everywhere. It occurs network issues.
 
Last edited:
ddaenen1 said:
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
Click to expand...
It can be as simple as you using a second network non-VLAN by using a second LAN port in Pfsense if you have an extra port in your NIC in your Pfsense router.

But the other thing is if you use a VLAN with its own network it can be just as safe as a separate network. You just need to add a blocking ACL, maybe a couple, on a Cisco switch. This may not be true on other L3 switches as I have not used them, so I don't know. I am not sure a L2 switch will be as safe. I can think of ways a L2 switch would not be as safe.
 
Last edited:
Is it safe to allow IoT devices to access the internet?
I've always wondered about that. I tend to block internet to all my IoT devices as I think it's more secure.

Is there a real security risk to allow Iot devices to have access to the internet even if they are on a separate network and isolated?
 
macster2075 said:
Is it safe to allow IoT devices to access the internet?
I've always wondered about that. I tend to block internet to all my IoT devices as I think it's more secure.

Is there a real security risk to allow Iot devices to have access to the internet even if they are on a separate network and isolated?
Click to expand...

Well, AFAIK IoT devices need the internet to connect to their respective servers to be able to be controlled by an app. The point is to ensure they cannot access anything else on your LAN. Therefore, putting on a separate VLAN to isolate them is what you would want to achieve.
 
ddaenen1 said:
AFAIK IoT devices need the internet to connect to their respective servers to be able to be controlled by an app
Click to expand...
I have seen that some iot devices are able to be controlled by an app when internet is blocked, but they need to be connected to the main network. If they are on a vlan, for example, they do not work when blocking internet access. Why would that be?

why can internet be blocked when connected to main network and they continue to work fine, but if they are on a vlan, internet access is a must?
 
macster2075 said:
Why would that be?
Click to expand...

You have to provide LAN or WAN access to the control device - app, hub, whatever it is. If you cut WAN and move the IoT devices to isolated VLAN obviously they will stop doing whatever they are doing. No access to Internet, no local access to the controller - like they are not connected at all. You have two possible options - 1) allow WAN access and the devices will communicate with the controller over Internet; 2) move the controller on the same VLAN so the IoT devices can see it.
 
Sorry, I am still a little confused...how come those iot devices work fine with the internet blocked when they are connected to the main wifi network?

But, when they are connected to a wifi network that is on a different subnet (using vlan), they do not work if internet access is disabled.
I would think if they need internet access to work, they would not work when internet is disabled regardless of what network they are connected to...this is why I am confused.
 
macster2075 said:
how come those iot devices work fine with the internet blocked when they are connected to the main wifi network?
Click to expand...

Because your controller is perhaps on the same main network and they have access to it.

macster2075 said:
But, when they are connected to a wifi network that is on a different subnet (using vlan), they do not work if internet access is disabled.
Click to expand...

Because they don't see the controller over Internet (blocked) and can't see it over LAN (isolated VLAN). They may be connected to this VLAN, but can't do anything. It depends on what IoT devices as well. Some may continue doing whatever they are doing, some need access to the controller to work.
 
Most are dumb and rely on some software running somewhere else to tell them what to do. All common light bulbs, switches, power plugs, etc. wait for remote commands. They call them "smart", but the actual "brain" is somewhere else and it needs access to the devices, WAN or LAN.
 
Riko said:
I use a IOT vlan for all my smarthome stuff.
They can not go to the Internet. If something needs to update i give it temporary access to internet for updating only.

I am on my LAN or WLAN vlan i can connect to the smarthome devices.
But not the way around smarthome devices can not reach anything.
Click to expand...
How does this work with things like Roborock vacuums were they need access via the internet - the app doesn’t locally connect.,,
 
Riko said:
I don't use mesh. My wifi devices roam between my accesspoints that are mounted on different places in my house.

The IOT Wifi SSID i use sometimes for specific Tuya smart switches with regular wpa2-psk works very well.
It ends in my IOT vlan just like the other IOT devices.

I don't see the need for a separate radio for that.
You can already do that with for example Ubiquiti Unifi accesspoints.

As you can see on the image below my normal users ssid is on 5ghz only channel 42 and 155 with wpa2-eap.
The IOT SSID is on 2.4ghz only channel 1 and 11 with wpa2-psk.
I have no problem connecting any 2.4ghz smart device to my IOT wifi.

View attachment 55412
Click to expand...
Why would a Tuya smart switch need an IoT lan - it’s a switch… or am I missing something…
 
You must log in or register to reply here.

Similar threads

S
Accessing router SMB server from Guest network?
Replies
2
Views
224
Stiletto364
S
D
Guest Network Pro issues on AX86U Pro
Replies
4
Views
323
bennor
B
C
Router for setting separate VLAN for IoT devices
Replies
0
Views
707
cysio528
C
1
Understanding guest network pro
Replies
4
Views
689
visortgw
visortgw
David Cavalli
IoT Network basics
Replies
4
Views
1K
bennor
B
Similar threads
Thread starter Title Forum Replies Date
W I need some help with a new router and network card Routers 12
Z Router recommendation need. Routers 26
S Pro-sumer WiFi 6/6E routers with support for VLAN, VPN, SSH, and some custom firmware Routers 55

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 571 (members: 9, guests: 562)
Back
Top