Novice question about adding VLAN | IOT

Apologies - I've been out of action. I use a VPN when working from home that connects the work machine(s) to VPN endpoint. The question that I asked, then, was more about VPN usage for the various personal devices that talk to the internet.

@aps I'm going to answer a small part of your query "Why might I use a VPN?".

Many (most?) users are utilizing it for either getting around geo-fenced applications (e.g., watching Netflix from another country) or so that they appear to access the internet from an address not their own. Some for P2P downloads, others ... who knows. There are certainly numerous other use cases, but if you get right down to it I would bet dollars-to-donuts that the majority fall into one or both of those camps.

Now, to accomplish that, I don't have to run the VPN on the router, but it's easier: say I run Netflix on a Roku, PlayStation or smart TV; those endpoints may not be easily configured for a VPN (if at all), so doing it at the router level makes a lot more sense.

Re geo-fenced applications, e.g., Netflix: I'm not interested in this application as most services that I'm interested in are available locally. Note: I have, in the meanwhile, set up a VPN on the router, which has turned out to be problematic, as while Netflix works, Amazon Prime won't work, citing the use of a VPN (even though the VPN is using an Australian IP address and Amazon Prime is an Australian account).

Re accessing from a different IP address: This use case is of interest given privacy concerns.

A paid-for VPN is a false sense of security. Period.

I'm a target, no doubt, for the "VPN = safe" marketing message. It'd be good to understand the thought behind the above statement. Note, except for work, I don't have a use case that involves accessing content on the home LAN externally; i.e., I don't, for example, access music or photos stored on the NAS when out of the home. So, this being the case, I guess that all a VPN is providing is a different IP address, so it's privacy, not security?
 
A paid-for VPN is neither for privacy nor security.

Unless you control both ends of the VPN tunnel, and you don't move outside of that tunnel, there is no security or privacy.

On your computer or router, that is one end of the tunnel and let's assume that you consider yourself safe from yourself.

If you connect to your summer cottage location over a VPN and access any files, data, or other information there (i.e. video footage from surveillance cameras), then you are safe and secure.

If, however, you connect over VPN to that same summer cottage location but then go to any public server, website, etc., you're neither safe nor secure anymore, because you've unhidden yourself from behind the VPN's encrypted tunnel.

Connecting from your home/client device to a paid-for VPN to surf the web is just throwing your money away, if you think you're safer or more private doing so.
 

I get the part that one has to control both ends of the VPN tunnel (and do this when working from home). Is there not, though, some measure of privacy from getting an alternative IP address via using a VPN (client) on the router, smartphone, etc.?
 

It depends on who owns the endpoint of the VPN where your traffic is exiting, what they log and, if they log, who they make those logs available to.

Also, much depends on how much tracking the site you go to does, and what you do from an application (i.e., browser) setting to prevent that. It's multi-layered.
 
There is a small measure of (so-called) 'privacy', maybe, from an alternative IP address (which is the same after a few clicks, right...) from the 12-year-old in his mom's basement with an i7 under his fingertips and time to burn. :)
 
Since the earlier posts I have, using Yaz-Fi, set up the guest networks on my ASUS RT-AC86U with Guest Wi-Fi 1 for actual visitors and Guest Wi-Fi 2 for all IoT devices (including a Wi-Fi printer). The Guest Wi-Fi 2 network is set up so that devices on this network cannot connect to the main network. I am now starting to consider the next steps in the quest, with these appearing to be:

  1. Add a managed switch (layer 3) after the RT-AC86U that allows VLANs to be set up to segment the various components connected via Ethernet cable. The diagram below shows this option, with the benefits being to isolate the NAS/media and work computer from other (presumably trusted) devices on the network.
  2. Replace the RT-AC86U with a dedicated firewall (e.g., pfSense) and use the RT-AC86U as an Access Point (retaining the current arrangement of Main and Guest Wi-Fi networks). The benefits link to better control of security and performance at the expense of complexity.

It’s not clear to me whether either of these paths has merit or whether the current state – which is working fine – is good enough. Or, put differently, in what situations does it make sense to move to either of these models?

Network Design.jpg


P.S. Additional question re option 1. A requirement is that a device on the Main Wi-Fi network (e.g., iPhone) can connect to the A/V components running off the managed switch (e.g., Apple TV). Is it correct that this will just work because the router is transparent to the VLAN setup?
 
For Apple devices, the network is required to be flat, i.e., both devices in the same 192.168.xxx.yyy where the xxx has to be the same.
 

So, basically, the only way to meet my requirement is for the Wi-Fi to come off the managed switch as per option (2). The complexity seems to be increasing (at least to me), so I guess that I need to be clear on the benefits.
 
The picture below shows my understanding of the network design. Is this correct?

  1. I understand that devices on the Guest network won't have access to devices on the Main Wi-Fi. How, though, do I allow devices on the Main Wi-Fi to access these Wi-Fi IoT devices; e.g., use a smartphone to control the Wi-Fi IoT device?
  2. How, in this design, do I ensure that the devices on the Main WiFi (e.g., laptop, smartphone) and trusted Ethernet devices on VLAN 1 can communicate; e.g., able to access the NAS via the laptop or have a smartphone act as a client for A/V component connected via Ethernet?

[Attachment 28402: network design picture]
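The two posts above (the managed-switch / pfSense options, and the questions about Main Wi-Fi reaching IoT devices and the trusted Ethernet VLAN) both come down to one policy: which zone may open connections to which. The script below is an added example, not code from this thread and not from Asuswrt, YazFi or pfSense. It is a small stateful inter-VLAN policy checker: zone names, the one-/24-per-VLAN addressing, the rule list and every address in the demo are constructed assumptions, chosen to mirror the design in the pictures (Main Wi-Fi, trusted wired VLAN with NAS/work PC/Apple TV, IoT on Guest Wi-Fi 2, visitors on Guest Wi-Fi 1). It lets you dry-run "can my phone reach the IoT plug, and can the plug reply, without the plug being able to reach my phone on its own" before committing rules to a layer-3 switch or firewall.

```python
"""Added example (not from the thread or any vendor): a stateful inter-VLAN
policy checker.  Zones, addresses and rules are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: one /24 per VLAN (assumption, not the poster's layout).
ZONES = {
    "main":    ip_network("192.168.10.0/24"),  # Main Wi-Fi: laptops, smartphones
    "trusted": ip_network("192.168.20.0/24"),  # wired VLAN: NAS, work PC, Apple TV
    "iot":     ip_network("192.168.30.0/24"),  # Guest Wi-Fi 2: IoT devices, printer
    "guest":   ip_network("192.168.40.0/24"),  # Guest Wi-Fi 1: visitors
}
MDNS_GROUP = ip_address("224.0.0.251")  # Bonjour/mDNS link-local multicast group


def zone_of(addr: str) -> str:
    """Map an IPv4 address to its zone; anything outside the LAN is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str    # zone name, or "*" for any zone
    dst: str
    allow: bool


# First match wins.  Only NEW connections are checked against this list;
# replies belonging to an accepted connection pass via the state table.
POLICY = [
    Rule("main", "trusted", True),   # laptop -> NAS, iPhone -> Apple TV
    Rule("main", "iot", True),       # smartphone controls IoT devices
    Rule("trusted", "main", True),   # trusted wired hosts may reach Main Wi-Fi
    Rule("*", "internet", True),     # every zone may reach the internet
    Rule("*", "*", False),           # default deny: iot->main, guest->anything inside
]


def initiation_allowed(src_ip: str, dst_ip: str) -> bool:
    """May a host in zone_of(src_ip) open a new connection to zone_of(dst_ip)?"""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src in (s, "*") and rule.dst in (d, "*"):
            return rule.allow
    return False


class StatefulFirewall:
    """Minimal connection tracking: a reply is allowed only if the forward
    direction of the same 5-tuple was accepted earlier."""

    def __init__(self) -> None:
        self.conns = set()

    def packet(self, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
        if ip_address(dst).is_multicast:
            # Link-local multicast such as mDNS is not routed between VLANs,
            # which is why Apple discovery wants a flat network; an mDNS
            # repeater/reflector on the router is the usual remedy.
            return "not forwarded (link-local multicast)"
        forward = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if forward in self.conns or reverse in self.conns:
            return "allow (established)"
        if initiation_allowed(src, dst):
            self.conns.add(forward)
            return "allow (new)"
        return "deny"


def run_demo() -> list:
    """Constructed flows exercising the questions raised in the thread."""
    fw = StatefulFirewall()
    flows = [
        ("192.168.10.5", 51000, "192.168.30.7", 80),     # phone -> IoT plug
        ("192.168.30.7", 80, "192.168.10.5", 51000),     # IoT plug replies
        ("192.168.30.9", 40000, "192.168.10.5", 445),    # IoT device probing the phone
        ("192.168.10.5", 51001, "192.168.20.10", 7000),  # iPhone -> Apple TV (AirPlay)
        ("192.168.40.2", 40000, "192.168.20.10", 445),   # visitor -> NAS
        ("192.168.40.2", 40001, "203.0.113.8", 443),     # visitor -> internet
    ]
    results = [fw.packet(*f) for f in flows]
    results.append(fw.packet("192.168.10.5", 5353, str(MDNS_GROUP), 5353, "udp"))
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The demo shows the two halves of the answer: the phone can open a connection to the IoT device and the device's reply is let back through as established traffic, while a connection the IoT device starts towards the Main Wi-Fi is dropped. It also shows why the Apple case is different: AirPlay's unicast traffic passes once the rule allows it, but the Bonjour discovery that precedes it is link-local multicast and is simply never forwarded across VLAN boundaries, so a router-side mDNS reflector (Avahi's reflector mode is the common one) is needed rather than a firewall rule.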
Hi @aps, did you find an answer for your concerns in point 1? I can set up a guest network and have my IoT devices connect to it, but can I control them from my smartphone that is connected to the main network?
 