Should IoT devices be on their own network?

Lee MacMillan

Senior Member
Below is my device list and the band they are connected to on my Asus AC66U_B1. The items listed in red are in the same room as the router. I've been reading conflicting opinions on whether IoT devices should be on their own network. Since I only have a single router, I guess that would mean a guest network for only IoT devices. I also saw a recent thread here that asked whether all IoT devices should be on the 2.4 band (and an expert opinion was yes). In our typical use, the Roku Ultra is streaming to the Samsung KS8000 pretty much every evening from 8 to 10:30 or 11. Nothing else is being used much during this time except maybe a phone for brief periods.

So my questions are 1) should IoT devices be on a separate network from the computers, phones and tablets, 2) does a guest network on the same router count as a separate network, 3) if the answers to 1 and 2 are yes, are there any downsides to separating the IoT devices from the main network?

Thanks!

Attachment: router connections.JPG
 
1) Yes

2) Yes

3) Yes, provided you're using Merlin's implementation of guest networks, which defaults to having the private and guest networks using the same IP network. If you disable "Intranet access", then by definition you can't access those IOT devices from the private network (something people will probably want from time to time, for example, accessing your Chromecast TV on the IOT network). But if you enable "Intranet access", then you defeat the purpose of having the IOT network, namely, isolation. IOW, having an IOT network is indeed useful, but *total* isolation is often impractical. In many cases, you might be better off using something like Yazfi, where you have more flexibility when it comes to these types of issues. Or else use a separate router dedicated to IOT and daisy-chained to the primary router.
 
Thanks. I am using Merlin and have a guest network set up for visitors, so I noticed that "intranet access" toggle. I'll probably set up another guest network for the IoT devices but leave the Roku on my regular network. When adding a channel it's more convenient to do it with the computer, and I guess that's where they need to be on the same network. Or I suppose I could just toggle intranet access to yes when I need the Roku and the PC on the same network. I looked at the Yazfi thread and that requires a level of expertise that I don't possess!
 
You may want some devices on your network and not on the guest network. For instance, if you put a network printer on a guest network, you won't be able to access it. It will be isolated from the rest of the network. Same with a media server. It doesn't work very well to have a network media server if you can't access it. Any device which you want to share should be on your regular network. Also, some devices (not all) require devices to be on the same network to cast a screen. So if you are trying to cast your phone screen to a TV and they are on different networks, you may not be able to do it.
 
Thanks. You gave me more to think about.
 
The answer to the post's title is 'Yes. They should be on someone else's network. Not on our own.'. :p

Until IoT devices catch up to 2021 standards of security, privacy, and transparency, they should be ignored and left on store shelves until the manufacturers get forced to make them so. Right now, there is no incentive for them to do anything at all.
 
I'm concerned they do have their own network and am looking into LoRaWAN to see if this suspicion is correct.

From what little I do know, with the transmission being low power and reaching something in the kilometers in distance, there would be a few things I can think of that are concerning.
 
My understanding based on my experience.

You should be able to add channels to Roku even if Roku is on the IOT isolated network. Like most devices that have an internet-based web interface, Roku does not talk to its web interface over the local network. When you log into the Roku portal and make changes, they get pushed to your Roku over the internet, so if your Roku has internet access all should be well.

For printer, I have it on my primary network, but I have disabled its internet access...
 
The whole point of putting IOT devices in a separate network is to isolate untrusted devices like your smart plug or vacuum cleaner into their own network. If a device receives regular updates, like Nest or Chromecast, then while it should ideally be on a separate network, I would not worry too much about it being on the main network.
 
Dumb question, if the IOT device is hooked up via Ethernet, how does one isolate it?

Depends if you're talking about ideally, or specifically using Asuswrt/Merlin. Ideally, you'd typically define a new bridge for IOT devices (e.g., br1) configured w/ at least one wired port and one or more wireless APs/VAPs, then use the IP firewall to isolate the new bridge from the existing private network's bridge (br0).

But using AsusWRT/Merlin, since it doesn't support additional bridging or VLANs, your only option is to use a guest network, which by definition is limited to wireless. IOW, AsusWRT/Merlin is NOT a good solution for IOT if you need wired support (not unless you're willing and able to hack it w/ some scripting). It's why I use FT (FreshTomato) on my own primary router, which provides this kind of support natively.
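An added example (not code from the thread, Asuswrt-Merlin or FreshTomato) of the bridge-plus-firewall approach the reply above describes, for a Linux router running iptables: br0 and br1 follow the post, while the chain names, the services the router still offers to IoT devices, and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: isolate an IoT bridge (br1) from the private LAN bridge (br0).
# Assumes the two bridges are separate routed subnets on one Linux router.
# Run as root, or set IPT="echo iptables" to preview the rules without applying.
IPT="${IPT:-iptables}"
LAN_BR="${LAN_BR:-br0}"
IOT_BR="${IOT_BR:-br1}"

# Create a chain, or flush it if it exists, so the script can be re-applied.
fresh_chain() {
    $IPT -N "$1" 2>/dev/null || $IPT -F "$1"
}

# Jump from a built-in chain into ours for packets arriving on the IoT bridge
# (the -C check keeps re-runs from inserting duplicate jump rules).
hook_chain() {
    $IPT -C "$1" -i "$IOT_BR" -j "$2" 2>/dev/null || $IPT -I "$1" -i "$IOT_BR" -j "$2"
}

# IoT -> LAN forwarding: LAN hosts may open connections to IoT devices (casting,
# printing), but IoT devices may only answer, never initiate, toward the LAN.
iot_isolation_rules() {
    fresh_chain IOT_FWD
    hook_chain FORWARD IOT_FWD
    $IPT -A IOT_FWD -o "$LAN_BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IOT_FWD -o "$LAN_BR" -m limit --limit 6/min -j LOG --log-prefix "IOT->LAN drop: "
    $IPT -A IOT_FWD -o "$LAN_BR" -j DROP
    $IPT -A IOT_FWD -j RETURN   # IoT -> WAN falls through to the router's normal policy
}

# IoT -> the router itself: only DHCP, DNS and NTP, so the admin UI and SSH
# are not reachable from an untrusted device. Drops are logged for detection.
iot_router_access_rules() {
    fresh_chain IOT_IN
    hook_chain INPUT IOT_IN
    $IPT -A IOT_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A IOT_IN -p udp --dport 67 -j ACCEPT    # DHCP
    $IPT -A IOT_IN -p udp --dport 53 -j ACCEPT    # DNS
    $IPT -A IOT_IN -p tcp --dport 53 -j ACCEPT
    $IPT -A IOT_IN -p udp --dport 123 -j ACCEPT   # NTP
    $IPT -A IOT_IN -m limit --limit 6/min -j LOG --log-prefix "IOT->router drop: "
    $IPT -A IOT_IN -j DROP
}

apply_iot_firewall() {
    iot_isolation_rules
    iot_router_access_rules
}
```

The LOG lines are what you would watch in syslog to spot an IoT device probing the LAN or the router's management ports.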
 
I use Fresh Tomato and setting up VLANs and virtual APs is simple.

If you want to continue using Merlin on your router then the simplest solution probably is to buy a smart switch which will allow you to set up port-based VLANs. Currently Amazon has an 8 port TP-Link smart switch on sale for US$24.90. Each port can be its own VLAN to connect your IoT devices.

Smart switches have other useful features which you may or may not need.
 