SN 783: IoT Isolation Strategies

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!


@Leo, have you looked at using VLANs? I have a management VLAN, one for WiFi, one for VoIP, one for IoT (currently empty), a guest network, printers etc. Then I set the firewall to allow or block traffic between the VLANs.


VLANs are an interesting idea, but they’re more expensive because you need higher end networking gear to support VLAN tagging and you need more time to set it up, manage it, and debug it when it inevitably screws up and you forgot to document your original plan and don’t remember it. :wink:

Hello Leo. I just finished listening to the show. I recently isolated not only my IoT devices, but also my security system's and home Wi-Fi connections, using Ubiquiti's UniFi Network/Wi-Fi solutions.

While I recognize that most people won’t invest in such a setup, it was the best solution for me since I’m a SOHO and run my consulting business from home.

I run a pfSense router up front. I run VLANs for all my required networks. I have two UniFi APs (HD Nano). These APs allow me to have multiple Wi-Fi networks (SSIDs) all associated with a respective VLAN. Likewise, I can turn on/off the dual-band (2.4 or 5 GHz) radios and hide SSIDs as required.

Wi-Fi SSIDs/VLANs:
VLAN 10 - IoT devices, TV, Alexa, lights, Chromecasts, etc.
VLAN 20 - Security system's hub, cameras, controllers, etc.
VLAN 30 - Home network's PCs, mobile phones, tablets, printers, etc.
VLAN 40 - Work/client PCs and BYOD devices.

Other than that, everything else is wired. This setup works great and I can monitor it all from the pfSense and the UniFi Controller.

Again, I know it may be overkill and costly for some, but piecing it together with spare devices is complicated to manage, and the up-front expense sure does allow me to sleep at night knowing I have persistent connections going overseas. :slight_smile:

Jose


Correct, although I work in IT, so I always document it all ahead of time or as I am doing it. I was suggesting this for @Leo because he is somebody who would appreciate such a setup and has the technical acumen to set up something like this. I agree, it isn't for the average user.

@mbravo16v I have a similar set-up. I use the Ubiquiti AC Pros for wireless, I have a Unifi PoE switch and a Unifi USG firewall, as well as a 24 port Zyxel switch.

You say this like it’s a bad thing :wink:

I use an IoT VLAN and have gotten HomeKit to work quite well, and I am fairly confident that a compromised light bulb will be of little use to anyone who happens to hack it.

I am one of those crazy paranoid people who segregate their home LAN for IoT devices. As you said ages ago the S in IoT stands for security.

I thought I would describe my setup. I use a UniFi system for Wi-Fi, switches and gateway firewall, so this is much easier. I can create VLANs in the UniFi controller and instantly all my devices are aware of them, and I can set up firewall rules to control traffic.

My general principle is to allow connections initiated inside my “secure VLAN” to my IoT VLAN. This, along with an mDNS reflector, allows local control of most IoT devices. Connections initiated from the IoT VLAN are not allowed into my secure network.

However, in order to get HomeKit (my preferred IoT controller) to work I had to allow some small amount of traffic between VLANs. My AppleTV is my HomeKit hub, so IoT devices need to be able to talk to it over ports 80 and 443. I keep my AppleTV box up to date, and am fairly confident in Apple's ability to patch tvOS if a vulnerability is discovered, so this small amount of potentially compromised traffic is an acceptable risk.

If you use Alexa or Google Home this is likely not an issue, since they tend to default to cloud control vs. local control of IoT devices.

I have found interesting behaviour in some IoT devices when set up this way, as the manufacturers didn't expect them to be installed on locked-down networks. For example, I had some Wemo smart plugs and I had to ensure that they could receive a ping response from the gateway, or they would just assume they had no internet connection and flash an annoying LED to alert me that something was wrong. Unfortunately these behaviours are not documented anywhere, so it is a bit of trial and error (and reading obscure forum posts) to figure out why things aren't working. Eventually a Wemo firmware upgrade removed this ping requirement.

And because the UniFi equipment makes it easy to do, I have an even more secure VLAN, and that is the only VLAN that can configure my networking equipment or access my server.

Is this overkill? Probably, but it was fun to set up.

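The allow/deny logic in the post above (the secure side may initiate anything towards IoT, the IoT side may only reach the HomeKit hub on TCP 80/443, and replies ride on the established connection) modelled as a small stateful filter. This is an added example, not the poster's UniFi configuration; the VLAN ranges and the AppleTV address are constructed.

```python
# Inter-VLAN policy from the post above, modelled as a tiny stateful filter.
# Addresses and VLAN ranges are constructed for this example, not the poster's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SECURE = ip_network("10.30.0.0/24")  # assumed "secure" VLAN
IOT = ip_network("10.10.0.0/24")     # assumed IoT VLAN
APPLE_TV = ip_address("10.30.0.50")  # assumed HomeKit hub on the secure VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    sport: int = 40000


class StatefulFilter:
    """First-match rules plus a connection table for reply traffic."""
    def __init__(self) -> None:
        # 5-tuples of flows allowed to start: (src, sport, dst, dport, proto)
        self.flows: set = set()

    def allow(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # 1. A reply to an established flow passes regardless of direction.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return True
        # 2. Secure -> IoT: the trusted side may initiate anything.
        if src in SECURE and dst in IOT:
            verdict = True
        # 3. IoT -> secure: only the HomeKit hub, only TCP 80/443.
        elif src in IOT and dst in SECURE:
            verdict = dst == APPLE_TV and pkt.proto == "tcp" and pkt.dport in (80, 443)
        else:
            verdict = False  # default deny for everything else
        if verdict:  # remember the initiation so its replies can come back
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict


def demo() -> dict:
    """Walk a few constructed packets through the policy in order."""
    fw = StatefulFilter()
    return {
        "laptop_to_bulb_http": fw.allow(Packet("10.30.0.20", "10.10.0.7", "tcp", 80, sport=51000)),
        "bulb_reply_to_laptop": fw.allow(Packet("10.10.0.7", "10.30.0.20", "tcp", 51000, sport=80)),
        "bulb_to_appletv_https": fw.allow(Packet("10.10.0.7", "10.30.0.50", "tcp", 443)),
        "bulb_to_laptop_ssh": fw.allow(Packet("10.10.0.7", "10.30.0.20", "tcp", 22)),
        "bulb_to_appletv_udp": fw.allow(Packet("10.10.0.7", "10.30.0.50", "udp", 443)),
    }
```

The bulb's reply in `demo()` is only accepted because the laptop opened the flow first; the same packet arriving cold is dropped, which is what "connections initiated inside my secure VLAN" means in firewall terms.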

How many switches does your network contain? If you don’t have switches that support VLANs then I presume your tagging is failing you. If you have VLAN aware switches, then you know they’re significantly more expensive than “dumb” switches.

I have 60+ devices on my network… I’ve yet to afford enough managed switches to manage all that. And at least 30 of the devices are wireless, and I don’t know how you can separate them out into VLANs without having multiple wireless networks, and that just seems to lead to a nightmare of overlapped signalling.

All Unifi kit is VLAN enabled, the wireless APs as well as the switches. They are a doddle to set up.

I also have a 24 port Zyxel VLAN capable switch, it cost around 120€. The Unifi 8 port PoE switch was also around 100€ and the USG also 100€. The Unifi AC Pro (long range) APs were 130€, but they offer cheaper versions for around 80€.

I also have a CloudKey 2, but you can use any Debian/Ubuntu Linux host as a management server - I originally had it running as a container on my QNAP NAS, but QNAP’s container update method was borked and wiped out the configuration.

The Unifi kit also automatically takes care of multiple SSIDs and band overlapping.


Last time I looked, I couldn’t buy Unifi here… they only sell through resellers to professional installers. They seem like they would be fun to mess with though.

Zyxel is not really much of a brand around these parts.

I bought all my Unifi kit from Amazon and Alternate, here in Germany.

Zyxel is mostly known for cheap home kit that often leaves lots to be desired. But their business kit works just fine.

I have three switches, two Wi-Fi APs and one gateway. As @big_D said, they are all VLAN aware. They are more expensive, but I am one of those crazy people who likes playing with networking equipment, so it was worth the extra cash for me.

In terms of Wi-Fi SSIDs, the UniFi system allows you to create up to 4 per access point, each tagged with their own VLAN. I believe it is possible to use a single SSID and create policies based on WPA Enterprise to automatically assign the desired SSID to each device, but I haven't tried this yet.

This has not been my experience. I manually set the channels on both access points, to ensure they don’t use overlapping channels and clobber each other.

I also have lowered the radio transmit power so that Apple devices properly roam between access points. Non-Apple devices have inconsistent roaming properties, and lots of IoT devices never properly roam.

For example, my thermostats will always connect to the lowest 2.4 GHz channel, even if the signal is very weak and there is a better AP that is much closer but happens to be on channel 11.


I have gotten into UniFi myself. I actually isolated my Govee water leak sensor hub into its own SSID+VLAN, and another SSID+VLAN for my cloud-only Zmodo cameras. Then with pfSense I can snoop on the VLANs when I want to understand what it is they are doing. Finally, I have region blocks in my pfSense, so instead of reporting to China directly, some devices end up going to some Google or AWS cloud services.

For sure, any isolation measures mentioned here or in the show episode require some care in design/engineering and configuring, hopefully with some notes to boot. But as they say nothing ventured, nothing gained!

FWIW there's a post on the Home Server Show forum where a guy has about 10 VLANs and gives each of his IoT devices a dedicated SSID+VLAN path.

This might not be a great idea, as each SSID does incur some bandwidth overhead for beacon broadcasts. The broadcasts are sent at the slowest speed supported by the AP. This becomes a very big issue when you have many APs.

This is a useful calculator to help in determining how much overhead is created by all your SSIDs.

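An added calculation of the beacon airtime that post is talking about (this is not the calculator the poster linked). It assumes the 802.11 default beacon interval of 100 TU and a constructed 300-byte beacon frame, and contrasts beacons sent at the 1 Mbps DSSS basic rate with beacons sent at 6 Mbps OFDM, which is what disabling 802.11b rates buys you.

```python
# Beacon overhead per channel, as described in the post above (constructed example).
import math

BEACON_INTERVAL_US = 102_400  # 802.11 default: 100 TU, 1 TU = 1024 us
BEACON_BYTES = 300            # assumed typical beacon incl. information elements


def beacon_airtime_us(frame_bytes: int, basic_rate_mbps: float) -> float:
    """Airtime of one beacon at the lowest basic rate, including DIFS and PHY preamble."""
    if basic_rate_mbps in (1, 2, 5.5, 11):
        # DSSS/CCK with long preamble: DIFS 50 us, PLCP preamble+header 192 us
        return 50 + 192 + frame_bytes * 8 / basic_rate_mbps
    # OFDM (6 Mbps and up): DIFS 34 us, 20 us preamble+SIGNAL, then 4 us symbols
    bits = 16 + 8 * frame_bytes + 6  # SERVICE field + PSDU + tail bits
    bits_per_symbol = basic_rate_mbps * 4
    return 34 + 20 + 4 * math.ceil(bits / bits_per_symbol)


def ssid_overhead_fraction(num_ssids: int, num_aps_heard: int,
                           basic_rate_mbps: float, frame_bytes: int = BEACON_BYTES) -> float:
    """Share of channel airtime eaten by beacons.

    Every SSID on every AP audible on the channel beacons once per interval,
    so the cost scales with SSIDs x co-channel APs, not with client traffic.
    """
    per_beacon = beacon_airtime_us(frame_bytes, basic_rate_mbps)
    return num_ssids * num_aps_heard * per_beacon / BEACON_INTERVAL_US


def overhead_table(num_ssids: int, num_aps_heard: int) -> dict:
    """Overhead with 802.11b rates enabled (1 Mbps beacons) vs. disabled (6 Mbps)."""
    return {rate: round(ssid_overhead_fraction(num_ssids, num_aps_heard, rate), 4)
            for rate in (1, 6)}


if __name__ == "__main__":
    # 4 SSIDs (the UniFi per-radio limit mentioned in the thread) on 3 co-channel APs
    for rate, frac in overhead_table(4, 3).items():
        print(f"{rate} Mbps beacons: {frac:.1%} of the channel spent on beacons")
```

With 4 SSIDs on 3 co-channel APs the 1 Mbps case burns about 31% of the channel before a single client sends anything, against roughly 5% at 6 Mbps, which is why the thread treats low-rate support as the real culprit.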

Nice tool, I downloaded the sheet and played around with it, I will keep it for reference. This is motivation for prohibiting low bit rate modes/clients on one's network. In the worst case, though, if an IoT device reports in with 3 packets every 2 minutes it doesn't seem to be too big of a deal.

Thanks for contributing to my goal of learning something every day!

That is the number one takeaway. One slow device on your WLAN will harm the performance for other devices, so the benefits are even greater than what this calculator shows.


Yes, and a WiFi 6 only network will address this… but that will probably never happen. (Too many crappy, yet essential, legacy devices.) WiFi 6e has some potential benefit here because there are no legacy devices in that band.

Wi-Fi 6 helps with this a lot, but it doesn't eliminate the issue. It might help enough to make it a non-issue, but I still have so many 802.11n devices kicking around that I am not holding my breath on having a majority Wi-Fi 6 network running anytime soon.

DD-WRT will do VLANs on cheaper or older consumer routers.