Separate IOT Network?

Droidling

New Around Here
I'm a bit uncertain about all this, so forgive me if I get the terms wrong. I've been watching YouTube, and I'm afraid it has expanded my vocabulary without leaving me with much understanding.

I've read that for better security I should have a separate network for my IOT devices (security cameras, lights, outlets, etc.). I haven't found anything on how I should do that. I currently have a modem with a firewall and router from Comcast with one network mask. Then an Asus RT-AX58U connected through its WAN port. It has the main network where everything is connected. The main network is on a different network mask. I've also got an RT-AC56U that has been connecting the switch in my home office through wifi to the main network. There was Cat5e to the office switch from the RT-AX58U, but it doesn't seem to be working any more. I have been too lazy to replace it. Can I move all the smart devices to the wifi on the cable company switch and call it good, or is there a much better way to separate the devices from my laptops and work computers?

I am not averse to buying new equipment if that is the best way to go.

It's just the 2 of us, so not a huge load. Aside from a growing collection of smart devices, I will have an HTPC, a Denon AV receiver, 3-4 laptops, 2 desktops, 2 smart TVs, 3 Roku players, 2 Blu-ray players, 2 phones, 2 tablets, and probably a few other things I'm forgetting.
 
If the devices you'll be placing on the IOT network are wireless devices, then you can create a Wifi guest network. This keeps the devices from being able to communicate with other devices on your LAN (blocks intranet access), and essentially gives them access only to WAN.

If you have a combination of wireless and wired devices, you can use a 2nd router to accomplish this too.

Generally I'm hesitant to use equipment provided by an ISP for my network, other than providing internet access. This is my preference, not gospel. One of the reasons this has become my preference is that this equipment sometimes becomes quite dated. Lack of updates becomes a concern for me.
 
I've set up a guest network before. I was looking for advice on the preferred method. Will that allow a computer on the main network to connect with devices on the guest network?
 
Sorry, RL has kept me away.

I consider the security of pretty much all IoT devices to be suspect so I personally do not connect ANY to my LAN and simply avoid using some. I don't even connect my streaming boxes to my LAN.
These are personal decisions, of course. I understand that many people want IoT devices such as light bulbs, cameras, remotely-switchable power outlets, etc. I would always advocate to anyone asking me that they keep them off their LAN.

I believe that the preferred method is one that's safe and as simple as possible to implement. I also believe that there's more than one way to accomplish this effectively and safely.

Guest Wifi networks commonly included as features on consumer-level routers are simple to set up and do a good job of keeping devices off your LAN. They are set up without the added complication of explicitly setting up a VLAN, even though that's effectively what they do. Working with VLANs is tricky for many end users, so using the capability built into your router to create a guest Wifi network is a good choice. This can be done on your existing router and thus needs no additional hardware.

A limitation of this method is that it is typically used for wireless devices only and simply not implemented for ethernet-connected devices. Further, you will not be able to connect to devices on the guest Wifi network from a device that's connected to your main network.

If you want to have access to devices on your IoT network the way you describe in your question or you want to include wired devices in this topology, you either will be learning about VLANs or you might consider using two routers. [1]

[1] If you set this up using two routers, it will be possible to keep the IoT devices from accessing your LAN while allowing a computer (for example) on your LAN to access devices on the IoT network. The routers must be connected in a certain way in order to accomplish this and - notably - devices on your LAN will then be in a double-NAT environment. This can cause some issues with gaming/port forwarding. I operated this way for many years and the port forwarding worked properly once I set up the cascading forwards* accurately.
If your gateway device (interface to the internet) includes a router with ethernet ports and Wifi, you can set this up with just your router and the gateway (although personally I avoided this, as I mentioned in my first response).
Note that this method may (depending upon what you want) operate two Wifi networks (one on each router), causing more wireless traffic and - potentially - interference/congestion/channel crowding, especially if the two routers are close to one another and/or you're already in a crowded Wifi environment.

* not sure what else to call that, but port forwarding from one router to another, then forwarding to the connected computer can work. Many people consider it to be difficult but it's really just about keeping track of the IPs and port(s) to forward at each router.
 
I've set up a guest network before. I was looking for advice on the preferred method. Will that allow a computer on the main network to connect with devices on the guest network?

If you use Guest Wireless 1 on the Asus running in router mode, yes, devices on the main network can reach devices on the guest network (but not the other way around). Guest Wireless 2 and 3 are totally isolated in both directions.

Another option is to have the IOT devices connect to the Comcast router's wifi, which will prevent them from hitting your other devices (if they all connect to the Asus), but your other devices can hit them.

In reality I'd just buy a modem and ditch the Comcast box.
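The two replies above (the two-router, double-NAT layout with cascading port forwards, and the note that Guest Wireless 1 is one-way while 2 and 3 are isolated in both directions) both come down to the same rule: a stateful firewall on the inner router's WAN port lets connections go outward and blocks new ones coming inward unless a port forward exists. The following Python is an added example written for this thread, not code from any poster or from the Asus firmware. It models the Comcast gateway carrying the IoT Wi-Fi in front of the Asus carrying the main LAN and traces where a new connection attempt ends up. All addresses, ports and the camera/laptop roles are constructed, and the cascading forward it tests (ISP WAN 8443 to Asus WAN 8443 to a LAN host on 443) is an assumed configuration, not one from the thread.

```python
# Added example (not from the thread): a model of the two-router, double-NAT
# layout the replies describe, used to check which directions can open
# connections. Addresses, ports and device roles are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 space; a gateway has no route for these beyond its own LAN, so a
# packet to a private address behind some other NAT never arrives.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    return any(ip_address(ip) in n for n in RFC1918)


@dataclass
class Router:
    name: str
    lan: object                 # ip_network of the LAN behind this router
    wan_ip: str                 # address of its WAN port on the parent segment
    parent: "Router | None"     # router whose LAN the WAN port sits on (None = internet)
    # WAN-side port forwards: external port -> (inside host, inside port)
    forwards: dict = field(default_factory=dict)
    # Stateful table of connections opened from inside; only their replies are
    # accepted at the WAN port, any other inbound packet is dropped.
    conntrack: set = field(default_factory=set)

    def inside(self, ip: str) -> bool:
        return ip_address(ip) in self.lan


def build_topology():
    """Constructed layout: ISP gateway (IoT Wi-Fi, 192.168.0.0/24) in front of
    the Asus (main LAN, 192.168.1.0/24) whose WAN port is 192.168.0.2."""
    isp = Router("isp-gateway", ip_network("192.168.0.0/24"), "203.0.113.10", None)
    asus = Router("asus", ip_network("192.168.1.0/24"), "192.168.0.2", isp)
    return [isp, asus]


def segment_of(routers, ip):
    """Router whose LAN the host sits on; None means the public internet."""
    return next((r for r in routers if r.inside(ip)), None)


def connect(routers, src, dst, dport):
    """Trace a NEW connection attempt; returns (delivered, trace lines)."""
    trace = []
    segment = segment_of(routers, src)
    # Outbound leg: leave each LAN until the destination is on the current segment.
    while segment is not None and not segment.inside(dst):
        if segment.parent is None and is_rfc1918(dst):
            trace.append(f"{segment.name}: no route to {dst} beyond the gateway, dropped")
            return False, trace
        segment.conntrack.add((src, dst, dport))
        trace.append(f"{segment.name}: SNAT {src} -> {segment.wan_ip}, connection recorded")
        src = segment.wan_ip
        segment = segment.parent
    # Inbound leg: a packet aimed at a router's WAN port only passes if a forward exists.
    while True:
        nat = next((r for r in routers if r.parent is segment and r.wan_ip == dst), None)
        if nat is None:
            where = f"{segment.name} LAN" if segment else "internet"
            trace.append(f"delivered to {dst}:{dport} on {where}")
            return True, trace
        fwd = nat.forwards.get(dport)
        if fwd is None:
            trace.append(f"{nat.name}: WAN default-deny, no forward for port {dport}, dropped")
            return False, trace
        trace.append(f"{nat.name}: DNAT {dst}:{dport} -> {fwd[0]}:{fwd[1]}")
        dst, dport = fwd
        segment = nat


if __name__ == "__main__":
    routers = build_topology()
    isp, asus = routers
    # Assumed cascading forward: ISP WAN 8443 -> Asus WAN 8443 -> laptop 443
    isp.forwards[8443] = ("192.168.0.2", 8443)
    asus.forwards[8443] = ("192.168.1.20", 443)
    cases = [
        ("laptop -> IoT camera", "192.168.1.20", "192.168.0.50", 554),
        ("IoT camera -> laptop", "192.168.0.50", "192.168.1.20", 445),
        ("internet -> forwarded port", "198.51.100.7", "203.0.113.10", 8443),
        ("IoT camera -> Asus forwarded port", "192.168.0.50", "192.168.0.2", 8443),
    ]
    for label, s, d, p in cases:
        ok, trace = connect(routers, s, d, p)
        print(f"{label}: {'ALLOWED' if ok else 'BLOCKED'}")
        for line in trace:
            print("   ", line)
```

The first two cases are the one-way behaviour the replies describe: the laptop reaches the camera (the Asus records the connection and lets the replies back in), while the camera cannot open anything toward the laptop. The last case is the caveat to keep in mind with cascading forwards: the forward lives on the Asus WAN port, and that port faces the IoT segment, so any IoT device can reach the forwarded LAN service just as the internet can. Keep such forwards to the minimum and, where the router allows it, restrict them by source address. The model covers only the two-router case; the single-router Guest Wireless 1 behaviour in the reply is the same one-way rule applied between the guest and main networks inside one device.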
 
I just went down this rabbit hole and did a small writeup, hopefully it's helpful for you: https://cjcone.github.io/IotNetwork

Note I've only done rudimentary testing with this setup to confirm communication is one-way. I don't know what issues may arise after extensive use.

As mentioned in the above replies the most secure would be to have an isolated guest network for the IoT devices. This is fine for devices that you control via the internet. However if you have devices that are controlled locally (maybe Home Assistant), then doing two routers seems like the most accessible solution to me. You can still put the internet-only devices on their own isolated guest network.
 