Should IoT devices be on their own network?


Lee MacMillan

Regular Contributor
Below is my device list and the band they are connected to on my Asus AC66U_B1. The items listed in red are in the same room as the router. I've been reading conflicting opinions on whether IoT devices should be on their own network. Since I only have a single router, I guess that would mean a guest network for only IoT devices. I also saw a recent thread here that asked whether all IoT devices should be on the 2.4 band (and an expert opinion was yes). In our typical use, the Roku Ultra is streaming to the Samsung KS8000 pretty much every evening from 8 to 10:30 or 11. Nothing else is being used much during this time except maybe a phone for brief periods.

So my questions are 1) should IoT devices be on a separate network from the computers, phones and tablets, 2) does a guest network on the same router count as a separate network, 3) if the answers to 1 and 2 are yes, are there any downsides to separating the IoT devices from the main network?

Thanks!



[Attachment: router connections.JPG]
 

eibgrad

Very Senior Member
1) Yes

2) Yes

3) Yes, provided you're using Merlin's implementation of guest networks, which defaults to having the private and guest networks using the same IP network. If you disable "Intranet access", then by definition you can't access those IOT devices from the private network (something ppl will probably want from time to time, for example, accessing your Chromecast TV on the IOT network). But if you enable "Intranet access", then you defeat the purpose of having the IOT network, namely, isolation. IOW, having an IOT network is indeed useful, but *total* isolation is often impractical. In many cases, you might be better off to use something like Yazfi, where you have more flexibility when it comes to these types of issues. Or else use a separate router dedicated to IOT and daisy-chained to the primary router.
 

Lee MacMillan

Regular Contributor
Thanks. I am using Merlin and have a guest network set up for visitors, so I noticed that "intranet access" toggle. I'll probably set up another guest network for the IoT devices but leave the Roku on my regular network. When adding a channel it's more convenient to do it with the computer, and I guess that's where they need to be on the same network. Or I suppose I could just toggle intranet access to yes when I need the Roku and the PC on the same network. I looked at the Yazfi thread and that requires a level of expertise that I don't possess!
 

Piggie

Regular Contributor
You may want some devices on your network and not on the guest network. For instance, if you put a network printer on a guest network, you won't be able to access it. It will be isolated from the rest of the network. Same with a media server. It doesn't work very well to have a network media server if you can't access it. Any device which you want to share should be on your regular network. Also, some devices (not all) require devices to be on the same network to cast a screen. So if you are trying to cast your phone screen to a TV and they are on different networks, you may not be able to do it.
 

Lee MacMillan

Regular Contributor
Thanks. You gave me more to think about.
 

L&LD

Part of the Furniture
The answer to the post's title is 'Yes. They should be on someone else's network. Not on our own.'. :p

Until IoT devices catch up to 2021 standards of security, privacy, and transparency, they should be ignored and left on store shelves until the manufacturers get forced to make them so. Right now, there is no incentive for them to do anything at all.
 

redpaw.rider

Occasional Visitor
I'm concerned they do have their own network, and I'm looking into LoRaWAN to see if this suspicion is correct.

From what little I do know, with the transmission being low power and having a range of something in the kilometers, there would be a few things I can think of that are concerning.
 

routerq

Occasional Visitor
My understanding based on my experience.

You should be able to add channels to Roku even if Roku is on the IOT isolated network. Like most devices that have an internet-based web interface, Roku does not talk to its web interface over the local network. When you log into the Roku portal and make changes, they get pushed to your Roku over the internet, so if your Roku has internet access all should be well.

For printer, I have it on my primary network, but I have disabled its internet access...
 

nikr

Occasional Visitor
The whole point of putting IOT devices in a separate network is to isolate untrusted devices like your smart plug or vacuum cleaner into their own network. If a device receives regular updates, like Nest or Chromecast, then while it should ideally be on a separate network, I would not worry too much about it being on the main network.
 

eibgrad

Very Senior Member
Dumb question, if the IOT device is hooked up via Ethernet, how does one isolate it?

Depends if you're talking about ideally, or specifically using Asuswrt/Merlin. Ideally, you'd typically define a new bridge for IOT devices (e.g., br1) configured w/ at least one wired port and one or more wireless APs/VAPs, then use the IP firewall to isolate the new bridge from the existing private network's bridge (br0).

But using AsusWRT/Merlin, since it doesn't support additional bridging or VLANs, your only option is to use a guest network, which by definition is limited to wireless. IOW, AsusWRT/Merlin is NOT a good solution for IOT if you need wired support (not unless you're willing and able to hack it w/ some scripting). It's why I use FT (FreshTomato) on my own primary router, which provides this kind of support natively.
 
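The bridge-plus-firewall approach eibgrad describes, and the "Intranet access" dilemma from his earlier reply, can be expressed as a small iptables rule set. This is an added example, not code from the thread or from any router firmware; the bridge names br0/br1 and the WAN interface eth0 are assumptions, and setting IPT=echo previews the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread or any router firmware): isolate an IoT
# bridge (br1) from the private bridge (br0) with iptables. Hypothetical names:
# br0/br1 bridges, eth0 WAN. Set IPT=echo to preview the rules instead of
# applying them. IPv6 needs matching ip6tables rules, which are not shown.
IPT="${IPT:-iptables}"
PRIV_BR="${PRIV_BR:-br0}"
IOT_BR="${IOT_BR:-br1}"
WAN_IF="${WAN_IF:-eth0}"

# FORWARD policy: private -> IoT may open connections (so a Chromecast or Roku
# on the IoT side stays reachable), IoT -> private only gets replies, IoT -> WAN ok.
iot_isolation_rules() {
    $IPT -N IOT_FWD 2>/dev/null || true   # create once, flush on every run
    $IPT -F IOT_FWD
    $IPT -A IOT_FWD -i "$IOT_BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IOT_FWD -i "$IOT_BR" -o "$WAN_IF" -j ACCEPT
    $IPT -A IOT_FWD -i "$PRIV_BR" -o "$IOT_BR" -j ACCEPT
    # Anything else originating on the IoT bridge is logged (rate-limited) and dropped.
    $IPT -A IOT_FWD -i "$IOT_BR" -m limit --limit 5/min -j LOG --log-prefix "IOT-DROP: "
    $IPT -A IOT_FWD -i "$IOT_BR" -j DROP
    # Hook the chain in ahead of any firmware rule that blanket-ACCEPTs LAN traffic.
    $IPT -D FORWARD -j IOT_FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -j IOT_FWD
}

# INPUT policy: the router itself only answers DHCP and DNS from the IoT side,
# so IoT hosts cannot reach its web UI or SSH.
iot_router_rules() {
    $IPT -N IOT_IN 2>/dev/null || true
    $IPT -F IOT_IN
    $IPT -A IOT_IN -i "$IOT_BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IOT_IN -i "$IOT_BR" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A IOT_IN -i "$IOT_BR" -p tcp --dport 53 -j ACCEPT
    $IPT -A IOT_IN -i "$IOT_BR" -j DROP
    $IPT -D INPUT -j IOT_IN 2>/dev/null || true
    $IPT -I INPUT 1 -j IOT_IN
}

# Run as root with "apply" to install; "IPT=echo sh iot-isolate.sh apply" just prints.
if [ "${1:-}" = "apply" ]; then
    iot_isolation_rules
    iot_router_rules
fi
```

After applying, watch the kernel log for "IOT-DROP:" entries: an IoT device repeatedly trying to reach br0 addresses is exactly the behaviour the separate network exists to contain.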

CaptainSTX

Part of the Furniture
I use Fresh Tomato, and setting up VLANs and virtual APs is simple.

If you want to continue using Merlin on your router, then the simplest solution is probably to buy a smart switch which will allow you to set up port-based VLANs. Currently Amazon has an 8 port TP-Link smart switch on sale for US$24.90. Each port can be its own VLAN to connect your IoT devices.

Smart switches have other useful features which you may or may not need.
 
