Security setup advice for IoT

Hello, I typically try to buy Zigbee IoT devices and control them through the Samsung SmartThings Hub, but I also have a number of IoT devices such as:
  • TP-Link Kasa plugs,
  • Winix humidifiers,
  • smart speakers
  • garage door opener
  • WiFi cameras
  • Smart thermostat
that currently are on my main WiFi network. I understand that this is bad practice and I'd like to improve the security of my network, but I'm not sure how to proceed with the older equipment that I have. I have an Asus RT-AC68 (running Merlin FW) that I use as my main router. It's connected to my main PC and a couple of Netgear switches. I have a Linksys E3000 router (running Tomato) on the other side of the house connected to one of the switches, where it's used only for WiFi (different SSIDs than the AC68 since I wasn't sure how to get my devices to switch properly when their RSSI was low). I also have a spare Asus RT-N10P that I'm currently not using.

I run an OpenVPN server on the AC68, as sometimes I want to be able to check on the house (cameras) or access the files on my DIY NAS.

What's the best way to isolate the IoT stuff with the equipment that I have? I was thinking of creating a guest network on the AC68, but AFAIK there's no independent firewall for the guest network. The other option I was thinking of is putting all the IoT stuff on a separate WiFi network that I could use the N10P for. I know that there are now VLANs, but I don't have equipment that supports that option. I also know that I can create some kind of subnets, but I'm not sure what that would buy me. Please be gentle, as I'm a networking newbie.
A guest network will allow you to isolate the IoT devices from your main LAN; the firewall blocks all communication between the two networks.

If you run 386.7_2 on the AC68 and enable Guest Wireless 1, you will have two VLANs created for the guest networks (one for 2.4GHz and one for 5GHz). You can then use a fairly simple script to put physical ports into those VLANs, if you wanted to extend the guest network to another AP. But if all the devices are in range of the 68, then just enable Guest Wireless 1, move your IoT devices to that, and you should be fine.

As to how it will interact with your VPN, I'm not positive; someone with more experience will have to weigh in. Isolating them may block them from the VPN, but I'm sure there is some way around that. Guest Wireless 1 does allow access FROM the main LAN (just not TO the main LAN), so that may work fine with VPN.
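The "access FROM the main LAN but not TO it" behaviour described above comes from a stateful forwarding policy: new connections from the main LAN into the guest/IoT network are allowed and their replies ride back on the connection-tracking entry, while new connections started from the IoT side toward the main LAN are dropped. The model below, written for this thread as an illustration and not taken from Asuswrt-Merlin's firewall code, evaluates such a policy over a few constructed packets. The interface names (br0 for the main LAN, br1 for the guest/IoT bridge, eth0 for WAN), the two iptables rules quoted in the comments, and the sample addresses are assumptions for the example only.

```python
# Added illustration of one-way guest/IoT isolation with connection tracking.
# Not Asuswrt-Merlin's own code. Interface names and the two rules below are
# assumptions about the usual pattern, not copied from the firmware:
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i br1 -o br0 -j DROP
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MAIN_LAN = "br0"   # assumed main LAN bridge
IOT_LAN = "br1"    # assumed guest/IoT bridge
WAN = "eth0"       # assumed WAN interface

FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self) -> FlowKey:
        # The key a reply to this packet would be matched against.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulForwardChain:
    """Evaluates the FORWARD policy above against a conntrack table."""

    def __init__(self) -> None:
        self.conntrack: Set[FlowKey] = set()
        self.log: List[str] = []

    def forward(self, pkt: Packet) -> str:
        # Rule 1: traffic belonging to a tracked flow is accepted in either
        # direction. This is why a main-LAN PC can watch an IoT camera even
        # though the camera itself can never open a flow into the main LAN.
        if pkt.flow() in self.conntrack or pkt.reverse_flow() in self.conntrack:
            return "ACCEPT"
        # Rule 2: a new flow from the IoT bridge toward the main LAN is dropped
        # and logged; no conntrack entry is created, so no reply is allowed.
        if pkt.in_if == IOT_LAN and pkt.out_if == MAIN_LAN:
            self.log.append(
                f"DROP IoT->LAN {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
            )
            return "DROP"
        # Everything else (LAN->IoT, LAN->WAN, IoT->WAN) starts a permitted
        # flow; track it so its replies match rule 1.
        self.conntrack.add(pkt.flow())
        return "ACCEPT"


def run_scenarios() -> Dict[str, str]:
    """Constructed sample traffic; all addresses are placeholders."""
    fw = StatefulForwardChain()
    pc, nas = "192.168.1.10", "192.168.1.5"         # main LAN hosts
    camera, plug = "192.168.2.20", "192.168.2.30"   # IoT network hosts
    cases = {
        # A main-LAN PC opens an RTSP session to an IoT camera.
        "lan_to_camera_rtsp": Packet(MAIN_LAN, IOT_LAN, "tcp", pc, 51000, camera, 554),
        # The camera's reply is accepted because the session is tracked.
        "camera_reply": Packet(IOT_LAN, MAIN_LAN, "tcp", camera, 554, pc, 51000),
        # A smart plug tries to reach the NAS over SMB: dropped.
        "plug_to_nas_smb": Packet(IOT_LAN, MAIN_LAN, "tcp", plug, 40000, nas, 445),
        # The same plug talking to its cloud service on the WAN is fine.
        "plug_to_wan_https": Packet(IOT_LAN, WAN, "tcp", plug, 40001, "203.0.113.9", 443),
        # A reply-shaped packet to the NAS is still dropped when no main-LAN
        # host initiated that flow.
        "unsolicited_reply_to_nas": Packet(IOT_LAN, MAIN_LAN, "tcp", plug, 445, nas, 52000),
    }
    return {name: fw.forward(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

The asymmetry is the whole point: a client on the main LAN can reach cameras and plugs on the guest side, but a device parked on the guest network can only answer, never initiate, toward the main LAN. A device that must open connections into the main LAN itself (to a media server there, say) will hit the DROP rule, which is the functionality trade-off of moving it to the guest network; the firewall log entries the model collects are also what to look for when a device unexpectedly stops working after the move.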
Thanks for the reply and suggestion. I think the issue for me is that I want my Amazon Echos to interact with both items on my main network and the IoT network. That is, I need it to talk to smart switches as well as the TV, which I sometimes use to play photos and videos off a DLNA server. I suppose I could put the Echos on the guest network and give up on a little functionality for the sake of security.
There are several threads dealing with VLANs and IoT devices. One of the better ones really helped me with my plan. For me now, anything from cell phones to iPads to TVs/AVRs to Alexa-fied devices to wall switches etc. is lumped into the IoT VLAN. I keep this separate from all PCs and printers etc. I also keep a guest network for just that. Same work setting up 4 VLANs as 3.

My two cents.