Isolate devices without a separate subnet?


Charles Wilkinson

Occasional Visitor
I have some devices that I don't entirely trust (some cheap AliExpress cameras). I can use iptables to prevent them from reaching the internet, but I would also like to prevent them from opening connections to other devices on my network.
My Google-fu tells me that I would need to create a separate subnet, but I'm wondering if there is any alternative.

The problem with using a different subnet is that these are wired devices and I don't have enough cable runs to route them to a specific network port on the back of my router. They are connected to a switch on the first floor which then has a single ethernet cable down to the router.

Is there any way to enable some kind of 'internal firewalling' or to assign a device to a subnet based on its MAC address?
I suspect the answer is no to both, but ideas welcomed.

Router is Merlin RT-AC86U with Skynet installed.

Many thanks

EDIT: Looks like one way to solve this would be to replace the unmanaged PoE switch on the first floor with a 'cheap' managed switch like this: TP Link T1500G-8T. It looks like this would let me tag the devices with a VLAN based on their MAC address or which port they are plugged into on the switch.
 

eibgrad

Very Senior Member
Perhaps one of the easiest ways to deal w/ a situation like this (guest network, iot network, etc.) is just to use an old router w/ third-party firmware. So many ppl have such things lying around these days collecting dust. Or perhaps find one at a thrift store. Doesn't have to be fancy. You just daisy-chain that router to the primary router (WAN to LAN respectively) and use firewall rules on that same router to prevent access to any upstream private network(s). IOW, using another router *is* creating a new VLAN. It's just not conveniently co-located on the primary router. But if configured properly, it serves the identical purpose.
 

Charles Wilkinson

Occasional Visitor
That is actually pretty cunning. I might just get the managed switch though - I think it will be a neater solution. Just annoyed that I bought an unmanaged one only a few days ago. Threw the packaging away :(

It's a shame it doesn't seem to be possible to do MAC address-based VLAN tagging on these Asus devices. They are consumer gear though, so I'm not surprised.
 

eibgrad

Very Senior Member
In my experience, most consumer grade routers use port-based VLANs. The OEM never intended to expose or otherwise make them directly available to the user. Third-party firmware *sometimes* makes that possible (Merlin doesn't, except maybe via third-party scripting, but FT (FreshTomato) and dd-wrt do). But it's still port-based, and comes w/ all the limitations that implies. It's always been my contention that for ppl that really want the best VLAN support, they need a *true* managed switch, not the crappy VLANs you typically find on these routers. They work marginally well on the router for a very narrow set of purposes. So don't expect too much even when available.
 

CaptainSTX

Part of the Furniture
With a pair of smart switches such as TP-LINK SG108Es you could set up some 802.1Q VLANs and run multiple VLANs over a single Ethernet cable. You can have devices in any VLAN connected at either switch. It works well and accomplishes what you want and segregates/isolates the devices into groups even though the VLANs do not have individual subnets.
 

gattaca

Senior Member
I like both recommendations above from @CaptainSTX and @eibgrad. YMMV with complexity and how far you want to dive into 802.1Q and "managed switches" (BTW, you can pick up pretty good Dell ones on eBay usually).

I've isolated my "untrusted" IOT devices behind a separate router just as @eibgrad referenced for years. I took the KISS approach. There is the warning about double-NATing and that can be an issue depending on the devices. YMMV.

For the average non-networking techie who doesn't want (or know how) to dive into "managed switches and VLANs" the KISS approach with the "router onion" can solve the isolation issue. Just make sure you use different IP ranges than the main segment so you do not get confused and the router does not either. I've referred to this as the "router onion or router ring" approach b/c it mimics the code execution protection layers in most pCPUs. Would a hard core networking engineer agree - nope b/c of the double-NAT... but for me KISS wins until it does not work.

I'm elated to see more people starting to think about isolating these risky IOT devices with firmware from deity knows where which can be open doors to all sorts of mischief. ;) Stay safe, stay alive!
 

CaptainSTX

Part of the Furniture
Just remember, if you go the double NAT route, it works fine, doesn't reduce throughput, and for most people the only issue is if you want to run a server of some type on the second, double-NATed router.

Just remember if you go the double NAT route you need to have your less secure IoT devices connect on the first internet facing router. If you do it the other way, even though the IoT devices on your second router are in a different subnet they can see and potentially interact with devices on the first router.
 

eibgrad

Very Senior Member
> Just remember if you go the double NAT route you need to have your less secure IoT devices connect on the first internet facing router. If you do it the other way, even though the IoT devices on your second router are in a different subnet they can see and potentially interact with devices on the first router.

That's why I suggested the latter, so he could firewall it. But that assumes third-party firmware. And while making the IOT router the primary is another option, you still face the possibility of ARP poisoning by the IOT network. Might not be a bad idea to use a VPN for all your private network traffic as it traverses the IOT network too.

Of course, there's also the three (3) router solution, where the private and IOT networks share a common primary router and never have access to each other's networks AT ALL. But of course, that's a rather messy setup and won't go over well w/ most users.

Ideally VLANs are the answer, but for a quick-n-dirty (if imperfect) solution, the use of two routers will work. Just understand both the pluses and minuses of placing the IOT network behind vs. in front of the private network. Neither is ideal.
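
The firewall rules that eibgrad's two-router setup relies on (first reply, and "so he could firewall it" above) are the part that does the isolating, so here is an added example of what they look like on the second, IoT-side router. This is not code from the thread, from any poster, or from Asuswrt-Merlin; it is a script you could call from a third-party firmware's firewall hook (on Asuswrt-Merlin, the /jffs/scripts/firewall-start user script). The WAN interface name eth0, the upstream gateway 192.168.1.1 and the chain name IOT_ISOLATE are assumptions to replace with your own values:

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: FORWARD-chain rules
# for the second ("IoT") router in the daisy-chain setup, so IoT clients can reach the
# internet but not the primary router's LAN. Interface name, upstream gateway address
# and the chain name are assumptions; adjust them for the real router.

WAN_IF="${WAN_IF:-eth0}"                    # IoT router's WAN port (assumed eth0), cabled to the primary LAN
UPSTREAM_GW="${UPSTREAM_GW:-192.168.1.1}"   # primary router's LAN address (assumed)
IPT="${IPT:-iptables}"                      # IPT=echo prints the rules instead of applying them

# Every RFC 1918 range reachable through the WAN port belongs to the upstream private network(s).
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

iot_rules() {
    # Dedicated chain so re-running the script replaces rather than duplicates the rules.
    $IPT -N IOT_ISOLATE 2>/dev/null
    $IPT -F IOT_ISOLATE

    # Only exception: DNS to the upstream router, in case IoT clients are handed it as resolver.
    # Drop these two lines if the IoT router's own dnsmasq answers the clients instead.
    $IPT -A IOT_ISOLATE -d "$UPSTREAM_GW" -p udp --dport 53 -j ACCEPT
    $IPT -A IOT_ISOLATE -d "$UPSTREAM_GW" -p tcp --dport 53 -j ACCEPT

    # Log (rate-limited) and drop anything aimed at a private range; public destinations
    # fall through to RETURN and continue to the router's normal NAT/forwarding rules.
    for net in $PRIVATE_NETS; do
        $IPT -A IOT_ISOLATE -d "$net" -m limit --limit 6/min -j LOG --log-prefix "IOT-ISOLATE drop: "
        $IPT -A IOT_ISOLATE -d "$net" -j DROP
    done
    $IPT -A IOT_ISOLATE -j RETURN

    # Hook the chain in front of everything else forwarded out of the WAN port.
    $IPT -D FORWARD -o "$WAN_IF" -j IOT_ISOLATE 2>/dev/null
    $IPT -I FORWARD 1 -o "$WAN_IF" -j IOT_ISOLATE
}

# "sh iot-isolate.sh apply" installs the rules (as root); anything else just previews them.
case "${1:-preview}" in
    apply) iot_rules ;;
    *)     IPT=echo; iot_rules ;;
esac
```

The rules sit in the FORWARD chain, so they only govern traffic the IoT router passes from its LAN out of its WAN port; the router's own DNS lookups (OUTPUT chain) and replies coming back in are untouched, which is why IoT clients still get to the internet. The LOG line gives you a syslog entry every time a camera tries to reach the private side, which is the cheapest way to notice a device probing where it shouldn't. As eibgrad says, this does nothing for the reverse placement (IoT devices on the primary router) or for layer-2 tricks on the shared segment; it is the "IoT behind the private network" variant only.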
 
