Input on ways to implement IOT network


technotic

New Around Here
Hi all,

I'm relatively new to the forum, but from everything I've picked up about this place over the last year or more of running into it, this is the place to be if you have questions with ASUS routers. What I'm looking for is a few different ideas of how you would implement the below mentioned hardware to achieve the target goal. There's a handful of ways to do this, and I know I am not thinking of all possible solutions myself, so I'd like to hear how some of you might approach this.


Hardware:
Spectrum cable modem - 200/10 Mbps
ASUS RT-AX3000 (AX58U) - ASUSMerlin v386.2
2x ASUS RT-AC68U - ASUSMerlin v386.2
An ass load of devices (roughly 30-40 wifi, 10 wired)
5 Amazon echo devices, 2 google home hubs, home assistant server on wired LAN (also hosts zigbee controller for my zigbee devices, no longer using my echo plus for zigbee).

Current configuration:
ASUS AX-3000 router sits on the modem's WAN port. Several hardware devices are connected throughout my condo via ethernet, mostly in my loft, running through an 8-port TP-Link dumb gigabit switch. Attached to that switch is one of the RT-AC68Us, with the other in the living room downstairs.
The AC68Us are configured as a mesh network in access point mode, with LAN backhaul over my internal LAN, each attached on different LAN ports of the AX3000. The AX3000 is utilizing both 2.4 GHz and 5 GHz wifi networks, configured with ax/MU-MIMO, and is used by household personal devices such as laptops, tablets, phones, gaming devices (Oculus), printers, Google hub, and Amazon Echo devices. It currently handles 5-10 wifi devices (mix of 5 GHz and 2.4 GHz) as well as the wireless devices from the AiMesh network and all my wired devices. Approximately 35-45 devices communicate through this router at any given time, whether internally or to the internet.
The AiMesh network (unique SSIDs) also provides a 2.4 GHz and 5 GHz wifi network, targeting my smart home devices, such as my smart bulbs, Ring doorbell, smart outlets, the dozen or so ESP8266 devices I've created myself (most running ESPHome), indoor garden, motion sensors, etc. It currently handles about 15-20 device connections, almost all of them on 2.4 GHz.


The goal:
I would like to isolate my IOT network. I understand that merlin and ASUS firmware in general will not handle VLANs properly. I considered DD-WRT on the AC68U's for VLAN tagging, but that would mean losing AIMesh, and the lack of support for VLAN on the AX3000, making things much more complex than necessary. The IOT network does need access to the internet as some of my smart devices are cloud connected (until I can get local-tuya working reliably). I would likely also move my echo and google home hub devices onto the IOT network, where they will need internet access. Home Assistant will likely need an interface on both networks (can simply put a wireless interface on the IOT network, leave wired on the internal LAN, and put them in a bridge.. which, off the top of my head, should be safe if hairpinning is not enabled). My home media devices, computers, laptops, tablets, phones, etc will remain on the internal mixed network handled directly by the AX3000 LAN and Wifi ports.


Solutions considered:
The first solution I've considered is flipping one of the AC68Us to router mode, and then adding the other to it via mesh. It's questionable how much I'd be compromising security by continuing to use the AX3000 LAN as a backhaul. The only other viable solution would then be wireless backhaul. I would create a route on the AX3000 to point to the IOT segment IPs via the AC68U's WAN interface. Of course, unsolicited inbound traffic would be blocked. I could disable the firewall though, and use only NAT, which would allow me in to any device. The main requirement I guess would be writing an iptables rule on the AX3000 that drops any traffic originating from the AC68U WAN IP destined for my internal LAN subnet. But that has caveats to it. My smart devices should still be able to report their status to my phones or other LAN devices by first routing through their cloud home. I am assuming there won't be any issues controlling my Echo devices from my LAN to the IOT network. In the long run, I'm also considering how much security I'm actually gaining by configuring my network this way. A compromised device could still gain access to my LAN if the LAN device initiates the connection, for example. Unless I leave the firewall on, and force any communication from the LAN devices to the IOT devices to be done either by controlling through Home Assistant, or over the WAN port via either their own clouds or the Echo/Google Hub clouds. Note that the Google hubs are used maybe once a month by voice... 99% of my voice control happens on the Echo devices (though I just set up my first Mycroft device and am working on running my own back end, so that I can voice control my entire home without internet).

If anything here doesn't make sense or I overlooked something, feel free to point it out or ask. I'd really like to hear a mix of opinions of how you guys would go about doing such an implementation, but just as importantly, I'd love to hear why you would go with your choice. I've worked in infosec/IT/netsec long enough to know that everyone has their own preference, and it's almost guaranteed that whoever your coworkers are, you will not be fortunate enough to have any that would do it the same way you would, because that would be too easy. Thanks in advance guys, I appreciate and welcome any input.


tech
 
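One caveat on the "drop rule on the AX3000" idea above: with the AC68U's WAN port cabled into the AX3000's LAN, it sits on the same bridge (br0) as the LAN hosts, so IoT-to-LAN packets are switched at layer 2 and never traverse the AX3000's FORWARD chain; the same policy is enforced more reliably on the AC68U itself, which does forward every IoT packet. The block below is an added example (not from the thread) of that egress policy as rules for Merlin's /jffs/scripts/firewall-start hook, printed in dry-run form. Assumed and adjustable: 192.168.1.0/24 as the main LAN, 192.168.50.0/24 as the IoT subnet, br0 and eth0 as the AC68U's LAN bridge and WAN port.

```shell
#!/bin/sh
# Added example (not from the thread): egress filter for the AC68U running as
# the IoT router, intended for Merlin's /jffs/scripts/firewall-start hook.
# Every value below is an assumption for this example; adjust to real addressing.
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # main LAN behind the AX3000 (assumed)
IOT_NET="${IOT_NET:-192.168.50.0/24}"   # subnet served by the AC68U (assumed)
LAN_IF="${LAN_IF:-br0}"                 # AC68U LAN bridge (assumed)
WAN_IF="${WAN_IF:-eth0}"                # AC68U WAN port, cabled to the AX3000 LAN (assumed)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands instead of running them

ipt() {
  if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

iot_egress_rules() {
  # Own chain, flushed first, so re-running the script replaces rules
  # instead of stacking duplicates.
  ipt -N IOT_EGRESS 2>/dev/null
  ipt -F IOT_EGRESS
  # 1. Replies to flows the main LAN opened (phone -> bulb) keep working:
  #    conntrack marks them ESTABLISHED even though they cross the boundary.
  ipt -A IOT_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 2. Nothing IoT-originated may open a NEW flow toward the main LAN...
  ipt -A IOT_EGRESS -s "$IOT_NET" -d "$LAN_NET" -m state --state NEW -j DROP
  # 3. ...but cloud-connected devices still reach the internet via the AX3000.
  ipt -A IOT_EGRESS -s "$IOT_NET" -o "$WAN_IF" -j ACCEPT
  ipt -A IOT_EGRESS -j RETURN
  # Evaluate the chain for every packet leaving the IoT bridge toward the WAN
  # port; delete any earlier jump first so the hook stays idempotent.
  ipt -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -j IOT_EGRESS 2>/dev/null
  ipt -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -j IOT_EGRESS
}

iot_egress_rules
```

The one flow this does not cover is an IoT device answering a LAN-initiated connection by opening its own new connection back (some cloud-style callbacks do this); those still land in rule 2 and are dropped, which is the intended behaviour.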

bbunge

Very Senior Member
Why make it complicated? You have what you need for AiMesh. Use Guest WIFI 1 and sync to the nodes. Connect the IoT to the guest and relax.
 

brummygit

Very Senior Member
Why make it complicated? You have what you need for AiMesh. Use Guest WIFI 1 and sync to the nodes. Connect the IoT to the guest and relax.
If Guest Network 1 worked for everyone that would be great, but I'm one of those that has issues when I try to enable it. The other challenge is that some of my IOT devices are ethernet connected - the Philips Hue Bridge for example has no WiFi capability, therefore there needs to be a solution for this too.

I'm currently testing the use of an RT-AC68U to provide an isolated subnet inside my network, and then distributing the traffic across my normal backhaul connections using 802.1Q trunks for the VLANs created on Netgear switches. This isn't really allowing me to gain extra security, however it controls some high levels of broadcast traffic I am suffering from on my main LAN which is causing congestion on my 2.4 GHz devices. In my case my main Asus router is double-NATed behind my ISP router, so I could also connect the additional RT-AC68U directly to the ISP router and gain the security, but then I would lose the benefits I'm getting from QoS on my main Asus router.
 

nikr

Occasional Visitor
For devices which need an ethernet connection and need to be on the guest network, you can set up a router in media bridge mode and make it connect to the guest network; alternatively you can use a Raspberry Pi and bridge its WLAN and LAN to provide an ethernet connection to the Hue bridge. Have not tried it myself so don't know how easy or difficult it's going to be. This solution might not help you, but might help others.
 
