Would like to split smart home devices on a separate network


MatrixGeeker

Regular Contributor
Hey everyone. So basically what I would like to do is separate my smart devices from my regular internet wifi. I notice that I could use guest networks but kind of confused by it, I didn't think that if I put all my devices on the guest network and tried to control them using my phone app on the main wifi network that it wouldn't work among a few other concerns. I also looked into using YazFi as well. The smart devices include TV, Shield Android TV boxes, Google mini, Nest doorbell and Yale lock, wifi plugs and light bulbs. I would like them all to see and communicate with each other but not access the intranet. I will be using IFTTT and Google Home on my devices on the main network. I have an old second Asus router as well I can use. What is the best way to set this up?

Any help is appreciated
 

bbunge

Very Senior Member
Guest network is the way to go. I have Dish boxes, Garage door opener, Ecobee et al. on Guest 2 2.4 GHz and can control from phone or tablet on the main LAN. About the only thing is to not put devices you want to stream to on the guest WiFi.
 

dosborne

Very Senior Member
Each device is different. Some "call home", or take directives from the internet. Some need direct communication between controller (app) and device (same network).

These days, most devices will work if segregated to a guest network. Just be prepared for the ones that don't.
 

MatrixGeeker

Regular Contributor
Guest network is the way to go. I have Dish boxes, Garage door opener, Ecobee et al. on Guest 2 2.4 GHz and can control from phone or tablet on the main LAN. About the only thing is to not put devices you want to stream to on the guest WiFi.

I just thought about something. What about wired devices, can those be forced to the separate subnet?
 

MatrixGeeker

Regular Contributor
Each device is different. Some "call home", or take directives from the internet. Some need direct communication between controller (app) and device (same network).

These days, most devices will work if segregated to a guest network. Just be prepared for the ones that don't.
^^
 

cooloutac

Very Senior Member
I just thought about something. What about wired devices, can those be forced to the separate subnet?

Not on the regular Asus routers, no, only wifi.

I have my Echo, Blink, and Ring devices on an isolated guest network. Smart lights and smart plugs on another. They all communicate through the internet so it's no problem accessing them through my phone. But my smart TVs and printers I have on my main network where I have my mobiles and desktop PCs because I like to use Chromecast with them and be able to print through network. I have Samsung camera devices on another guest network where I temporarily allow intranet access which is necessary to change settings through my phone, but then I put intranet back to disabled which is good enough to see live video and get motion alerts from them. I also have a thermostat alone on a separate guest network to keep it isolated from the rest. So it all depends on your devices, you will have to test them to see if they work or if they need access to main network or not.

Guest 1 seems to be more isolated than the rest so if you have issues might want to try guest 2 and 3 which is what I did with my Fire Stick and Echo home theatre setup or might have to put a setup like that on the main network.


IMO, there is no point in setting up a guest network with permanent intranet access. You might as well just use the main network. Only other reason I can see is if you want to group a lot of devices together to easily limit bandwidth maybe or have it on a specific schedule and time limit.

But I gotta say it all seems pointless for security purposes because all it takes is one compromised device. Once I start putting smart TVs, printers and a couple smart devices on the main network it kind of defeats the purpose. At this point it feels like something I'm doing as a tech experiment rather than for any real practical purpose. But I guess something is better than nothing.
 

galfert

Occasional Visitor
Just what problem do you think you are solving by putting IoT devices on a separate Guest WiFi? They will still phone home. I think you are just causing issues by removing yourself from directly accessing them from your LAN....meaning you'd have to join that Guest WiFi to control them....and then when you join the Guest WiFi well then there you are...why not have left it all in one network to begin with. If you think you are solving some protection from these devices then why not look at the hardening and security of all your devices so that it isn't a concern. Meaning that your computers are up to date and that you have their software firewalls enabled. No other device on your network can spy on other devices today because most of every communication is done with encryption https and TLS and so on....and you can even do DoH (DNS over HTTPS) for even more privacy. If you want to prevent some devices from phoning home and reporting on telemetric data then a Pi-hole can help your entire network do that. If the premise to separate the IoT device is to enable more WiFi bandwidth to more important devices then you should set up an extra access point (on the same network) using a different WiFi channel and then you'll have an SSID for important devices with separate bandwidth allocation. Bottom line is that I see no point in putting IoT devices on a separate LAN....you are just complicating your life and gaining nothing from it. But I'd be willing to hear what others have to say.
 

cooloutac

Very Senior Member
Just what problem do you think you are solving by putting IoT devices on a separate Guest WiFi? They will still phone home. I think you are just causing issues by removing yourself from directly accessing them from your LAN....meaning you'd have to join that Guest WiFi to control them....and then when you join the Guest WiFi well then there you are...why not have left it all in one network to begin with. If you think you are solving some protection from these devices then why not look at the hardening and security of all your devices so that it isn't a concern. Meaning that your computers are up to date and that you have their software firewalls enabled. No other device on your network can spy on other devices today because most of every communication is done with encryption https and TTL and so on....and you can even do DoH (DNS over HTTPS) for even more privacy. If you want to prevent some devices from phoning home and reporting on telemetric data then a Pi-hole can help your entire network do that. If the premise to separate the IoT device is to enable more WiFi bandwidth to more important devices then you should set up an extra access point (on the same network) using a different WiFi channel and then you'll have an SSID for important devices with separate bandwidth allocation. Bottom line is that I see no point in putting IoT devices on a separate LAN....you are just complicating your life and gaining nothing from it. But I'd be willing to hear what others have to say.

I don't think people are trying to stop them from phoning home. In my case sniffing network traffic is part of it, but a VPN app helps with that. It's mostly the worry they would compromise other end point devices on network, like phones or desktop PCs used for sensitive tasks. We know every time we update our devices we learn that exploits are always present. But as you say a lot of devices can't be on a separate network if you want to use all their functions.
 

MoonPie2000

Occasional Visitor
Interesting info but I do have an actual technical reason why I separate out my IoT devices on a separate 2.4 guest network and it isn't for bandwidth, security or need for complexity but actually for need of simplicity. The way my IoT configuration application works is it switches between IoT and Home wireless when configuring a node so while I have Smart Connect configured when I use a device to configure my nodes that has 2.4 and 5 capabilities it can, and usually does, switch to the 5 channel during config and causes my configuration effort to abort. I know, I know there are a 100 different ways to resolve this but this is my way and I like to do it my way. :)
 

galfert

Occasional Visitor
MoonPie2000,
Putting devices on 2.4 or 5 GHz isn't really separating the devices on the network. You still end up on the same network regardless of how it got on the network (2.4 or 5). What you are referring to has to do with the initial pairing process as some devices don't have 5 GHz capabilities and if you are on the 5 GHz with your mobile device that is doing the configuring well it can't pass those credentials to the device that you are trying to join into the network. Again this talk of 2.4 vs 5 GHz is not considered separation of networking as it is all the same VLAN. Because once the 2.4 GHz device joins the network you can go back to 5 GHz on your mobile and you can still see that other device that is using 2.4 GHz. The point I brought up only concerns people that create separate VLANs (different subnet) where network traffic is routed differently and devices can't see nor talk to each other....and they only have a path to the Internet.
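
A way to check, from a laptop or phone joined to the guest SSID, the property this thread keeps returning to: guest devices should have a path to the Internet but not to the main LAN. This is an added example, not part of any post above; it assumes the guest segment has its own subnet, and every address and port in it is constructed and must be replaced with your own.

```python
import ipaddress
import socket

def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False

def audit_isolation(guest_net, targets, probe=tcp_reachable):
    """Classify each (host, port) target as seen from a client on the guest segment.

    guest_net is the guest subnet in CIDR form (assumed to differ from the main LAN).
    Returns a list of (host, port, zone, reachable, verdict) tuples.
    """
    guest = ipaddress.ip_network(guest_net)
    results = []
    for host, port in targets:
        addr = ipaddress.ip_address(host)
        reachable = probe(host, port)
        if addr in guest:
            zone, verdict = "guest", "info"      # peers on the same segment
        elif addr.is_private:
            zone = "intranet"                    # main LAN or another guest subnet
            verdict = "LEAK" if reachable else "ok"
        else:
            zone = "internet"                    # cloud path the devices rely on
            verdict = "ok" if reachable else "NO-INTERNET"
        results.append((host, port, zone, reachable, verdict))
    return results

if __name__ == "__main__":
    # Constructed sample targets: replace with hosts on your own networks.
    TARGETS = [
        ("192.168.1.1", 80),     # router admin page on the main LAN (assumed address)
        ("192.168.1.50", 445),   # file sharing on a desktop PC (assumed address)
        ("192.168.101.20", 80),  # another device on the guest subnet (assumed address)
        ("1.1.1.1", 443),        # a public host, to confirm Internet access still works
    ]
    for row in audit_isolation("192.168.101.0/24", TARGETS):
        print("%-16s %-5d %-9s reachable=%-5s %s" % row)
```

A "LEAK" verdict means a main-LAN service answered from the guest side, so intranet access is not actually blocked for that host and port; a closed port on the target also reads as "ok", so probe services you know are listening.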
 
