Separated network for smarthome/IoT devices - Is a little modified Guest network enough?

Discussion in 'Asuswrt-Merlin' started by MightyDuck, Oct 22, 2019.

  1. MightyDuck

    MightyDuck New Around Here

    Joined:
    Oct 22, 2019
    Messages:
    2
    Hi there! :)

    I have an Asus RT-AC68U which has Asuswrt-Merlin on it, and have some IoT devices (LED strip controller, air conditioner, etc., Amazon Echo, Harmony Hub, all connected via 2.4GHz Wi-Fi) and computers/NAS/smartphones (connected via Ethernet and 5GHz Wi-Fi), and now I will install an access point (Netgear WAC124) instead of my non-smart switch.
    What would be the easiest way to make my network a little more secure?

    The smarthome devices need to see the internet and each other, but they mustn’t see the main devices.

    The computers need to access the internet, each other AND should see the smarthome devices (to keep their apps working on local network).

    I have a developer background, I love my IT, but iptables is just outside my knowledge. :/
    I’ve looked around here and there and found two ideas.
    • Try it with the guest network (which is basically a pre-set-up VLAN to my understanding), but I’m not sure if they can see each other AND the main devices can see them too. Maybe it would need just an additional iptables rule
    • Manually set up 2 VLANs (and leave the guest channel to the real guests)
    (Half of the Ethernet-connected devices are connected directly to the router, the others to the switch/AP, so double NAT wouldn’t be viable since the NAS only connects to the router, and rewiring is not an option.)
    Since I’m not familiar with iptables, the second idea would fit my knowledge better, but I would need some help with that too. If only the first point would fit the requirements, then I would need a little more help. :(

    Thanks for any advice!
     
    Last edited: Oct 22, 2019
  2. EventPhotoMan

    EventPhotoMan Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    452
    I’ve done something similar.

    I have many APs, and guest accounts for each type of smart devices.

    but later on I changed the SSID of the guest account on each access point to...

    forWeno13
    forWemo14, etc

    so the smart devices stayed connected to one AP

    but the main SSID is the same on all APs to allow for roaming.

    Hope this helps.

    There is no security advantage; it just allows us to separate a smart device.
     
  3. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    614
    Location:
    Great White North
    Some things are not very clear for me:

    - How will a computer see IoT devices but the IoT devices won't see the computer? If they need to communicate, use some locally running apps, etc., the communication should go both ways, no? Dedicate one computer for IoT only and connect it to the same Guest Network with no access to your main devices. Let them do their IoT thing isolated from your main network.

    - You are concerned about security, but forgetting about your privacy. Someone who is not your relative in China (for example) knows and (possibly) keeps logs of when you use your lights, A/C, smart plugs, etc.; in other words, when you are home and what you are approximately doing. You even voluntarily installed an Amazon microphone inside your home, listening 24/7 to your conversations.
     
  4. EventPhotoMan

    EventPhotoMan Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    452
    Really? OMG, have you ever watched the packets out of the device? Nothing goes out unless you say...
     
  5. Val D.

    Val D. Very Senior Member

    Joined:
    Jun 16, 2019
    Messages:
    614
    Location:
    Great White North
    L&LD, ^Tripper^ and HuskyHerder like this.
  6. MightyDuck

    MightyDuck New Around Here

    Joined:
    Oct 22, 2019
    Messages:
    2
    In firewalls (ip-ep/tables) you can set up which side can start new connections. So I can control them, but they can’t start new connections.
    And since almost all IoT devices can be controlled from a smartphone, a single IoT-dedicated computer won’t do any good, since if my smartphone is on the IoT network, I can’t see my own devices.
     
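The one-way rule MightyDuck describes in post #6 (the main LAN may open connections to the IoT segment, IoT devices may only answer and reach the internet) is what iptables connection tracking is for. The script below is an added example, not code from the thread or from the Asuswrt-Merlin project. It assumes the IoT devices already sit on their own bridge and subnet (the names br1 and 192.168.2.0/24 are assumptions, e.g. a separate VLAN as in the second option from the first post, or a guest network that has been given its own subnet), that the main LAN is br0, and that the file is installed as /jffs/scripts/firewall-start on Asuswrt-Merlin.

```shell
#!/bin/sh
# Added example for this thread; not from Asuswrt-Merlin or any poster.
# Meant for /jffs/scripts/firewall-start, the hook Asuswrt-Merlin runs after
# it has built its own firewall rules.
#
# Assumed (hypothetical) layout, adjust to the real interfaces:
#   MAIN_IF  br0   192.168.1.0/24   computers, NAS, phones
#   IOT_IF   br1   192.168.2.0/24   IoT devices on their own bridge/VLAN
MAIN_IF="${MAIN_IF:-br0}"
IOT_IF="${IOT_IF:-br1}"
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of applying them
CHAIN="IOT_FWD"

# Print the rules of the dedicated chain, one per line, in evaluation order.
# Order is the whole point:
#   1. drop packets conntrack cannot classify
#   2. accept anything that belongs to a flow that already exists, whichever
#      side opened it (this is what lets IoT devices *answer* the main LAN)
#   3. drop everything else from IoT to main, i.e. new connections
#   4. let the main LAN open new connections to IoT
#   5. return anything else (IoT to internet, main to internet) to the
#      firmware's own FORWARD rules
iot_rules() {
    cat <<EOF
-A $CHAIN -m state --state INVALID -j DROP
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -i $IOT_IF -o $MAIN_IF -j DROP
-A $CHAIN -i $MAIN_IF -o $IOT_IF -m state --state NEW -j ACCEPT
-A $CHAIN -j RETURN
EOF
}

# Create the chain if needed, refill it, and hook it at the top of FORWARD
# exactly once. firewall-start can run more than once per boot, so every
# step is written to be idempotent.
apply_iot_rules() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    iot_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        $IPT $rule
    done
    $IPT -C FORWARD -j "$CHAIN" 2>/dev/null || $IPT -I FORWARD 1 -j "$CHAIN"
}

# Small dispatcher so the file can be inspected before it is installed:
#   sh iot-rules.sh show    # print the chain
#   sh iot-rules.sh apply   # apply it
# When used as firewall-start, replace the dispatcher with a bare
# "apply_iot_rules" call, because the firmware passes its own argument to the hook.
case "${1:-}" in
    show)  iot_rules ;;
    apply) apply_iot_rules ;;
esac
```

Check the result with `iptables -L IOT_FWD -v -n` and watch the packet counters: a phone app on the main LAN talking to a device should increment the NEW and ESTABLISHED rules, while a device probing the main LAN only increments the DROP rule. One caveat the thread does not mention: apps that find devices with mDNS or SSDP rely on link-local multicast, which never crosses the two subnets, so such apps need the device address entered by hand or a reflector for those protocols; the firewall rules alone will not make discovery work.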
  7. EventPhotoMan

    EventPhotoMan Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    452
    CaptainSTX and Greg72 like this.