IoT (Internet of Things) security with Peplink

I’m looking for general tips on how to safely integrate a potentially unsafe device into my network: IoT devices such as Wi-Fi cameras, thermostats, VoIP telephones, etc.

My initial thought was to segregate them to a “guest” VLAN / Wi-Fi and keep them off of my more secure business network. That way, even if they are misbehaving they can’t do much damage. However, a problem with this approach is that other devices which may want to talk to the IoT devices can’t. Simple example: a Philips Hue bridge, if it’s on the guest VLAN, can’t be accessed by iOS devices on the main VLAN.

Another approach: put the IoT device on the secure network but firewall it tightly, closing all ports except the few that it needs. The problem with this approach is that it’s not always apparent which ports/protocols an IoT device needs.

Anyone solved this?

2 Likes

Assume the main network is the untagged VLAN. Below is my suggestion:

  1. Group the IoT devices in a VLAN, for example VLAN 10.

  2. Internal Network Firewall (Network > Access Rules > Internal Network Firewall Rules)
    2.1 Add a new rule to allow the untagged VLAN to access VLAN 10.
    2.2 Change the default rule to deny any any.

1 Like

Thank you. Does that basically set up a one-way connection through the firewall? So VLAN 10 can’t see the untagged VLAN, but the untagged VLAN can see devices on VLAN 10?

Many IoT devices no longer require inbound port access. Philips Hue bridges create and persist an outbound connection to a server on the internet. A client makes a call to that server and the server routes the request over that connection.

I would be careful of isolating all of your services to a single VLAN. Some of these devices use multicast/broadcast for discovery, and some of these protocols do not allow for discovery across VLANs. An iPhone connecting to a Samsung TV inside the YouTube app is one example that does not work across VLANs. Philips Hue does work across VLANs and the internet. My thermostat gateway works similarly to the Philips Hue bridge. It all depends on the service and sometimes the client.

Good luck
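The first post’s problem (not knowing which ports an IoT device needs) and the reply above (outbound-only bridges, multicast discovery that does not cross VLANs) can both be settled by profiling the device’s traffic before writing rules. Below is an added example, not code from the thread or from Peplink: it parses a constructed flow summary of the kind you get from a capture on the IoT VLAN (tcpdump or a Zeek conn log reduced to src/dst/proto/dport), classifies each device’s traffic, and emits an ordered rule list with specific allows first and a catch-all deny from the IoT VLAN to the trusted LAN. The subnets, device addresses and flow records are assumptions.

```python
"""Profile IoT device traffic and derive a minimal inter-VLAN rule list.

Added example; not from the forum thread and not Peplink code. The subnets,
addresses and flow records below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("192.168.10.0/24")      # assumed IoT VLAN (e.g. VLAN 10)
TRUSTED_NET = ip_network("192.168.1.0/24")   # assumed untagged / trusted LAN

# Constructed flow summary: one observed flow per line, "src dst proto dport".
# .20 behaves like a Hue-style bridge (outbound 443, DNS, mDNS, local API on 80);
# .21 is a device that also tries SMB into the trusted LAN, which must be denied.
SAMPLE_FLOWS = """\
# src dst proto dport
192.168.10.20 52.23.45.67 tcp 443
192.168.10.20 52.23.45.67 tcp 443
192.168.10.20 192.168.10.1 udp 53
192.168.10.20 224.0.0.251 udp 5353
192.168.1.50 192.168.10.20 tcp 80
192.168.10.21 239.255.255.250 udp 1900
192.168.10.21 203.0.113.7 udp 123
192.168.1.50 192.168.10.21 tcp 8443
192.168.10.21 192.168.1.50 tcp 445
"""


def parse_flows(text):
    """Parse 'src dst proto dport' lines; comments and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append((ip_address(src), ip_address(dst), proto.lower(), int(dport)))
    return flows


def profile_device(flows, device):
    """Classify one device's flows.

    outbound_internet     - cloud/relay connections (needs no inbound rule)
    discovery_multicast   - mDNS/SSDP etc.; link-local, will not cross VLANs
                            without a relay such as Bonjour forwarding
    inbound_from_trusted  - ports the trusted LAN actually uses on the device
    to_trusted            - the device reaching into the trusted LAN (deny)
    intra_vlan            - traffic that stays inside the IoT VLAN
    """
    dev = ip_address(device)
    p = {k: set() for k in ("outbound_internet", "discovery_multicast",
                            "inbound_from_trusted", "to_trusted", "intra_vlan")}
    for src, dst, proto, dport in flows:
        if src == dev:
            if dst.is_multicast:
                p["discovery_multicast"].add((proto, dport))
            elif dst in TRUSTED_NET:
                p["to_trusted"].add((proto, dport))
            elif dst in IOT_NET:
                p["intra_vlan"].add((proto, dport))
            else:
                p["outbound_internet"].add((proto, dport))
        elif dst == dev and src in TRUSTED_NET:
            p["inbound_from_trusted"].add((proto, dport))
    return p


def derive_rules(flows):
    """Ordered rule list for a first-match firewall: specific allows from the
    trusted LAN to each device/port observed, then a blanket deny from the
    IoT VLAN into the trusted LAN. Order matters: the deny must come last."""
    devices = sorted({src for src, _, _, _ in flows if src in IOT_NET}, key=int)
    rules = []
    for dev in devices:
        prof = profile_device(flows, dev)
        for proto, dport in sorted(prof["inbound_from_trusted"]):
            rules.append(f"allow {TRUSTED_NET} -> {dev} {proto}/{dport}")
    rules.append(f"deny {IOT_NET} -> {TRUSTED_NET} any")
    return rules


if __name__ == "__main__":
    observed = parse_flows(SAMPLE_FLOWS)
    for dev in ("192.168.10.20", "192.168.10.21"):
        print(dev, profile_device(observed, dev))
    print("\n".join(derive_rules(observed)))
```

Run it against a real capture by replacing SAMPLE_FLOWS with your own summary; a device whose profile shows only outbound_internet and discovery_multicast needs no inbound allow at all, while anything in to_trusted is exactly what the final deny is there to stop.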

To follow up on this, here’s what I ended up doing:

Under Network/LAN: Created a VLAN for the guest devices. Inter-VLAN routing is ON (but see below for firewall rules). I’m using 1003 because that’s the VLAN ID that AirPort Extreme base stations use for their Guest Wi-Fi network. See Using Peplink Balance with Apple Airport Guest Network

Moved all potentially unsafe devices, including printers and IoT devices and the Apple TV (which serves as the HomeKit hub), onto the Guest Wi-Fi (VLAN 1003).

Other IoT devices which connect via Ethernet (such as the Philips Hue bridge) were connected to one of the ports on the Balance One, set to Access / VLAN (this is found in Network/LAN/Port Settings).

Enabled Bonjour Forwarding (see Network/LAN): Service Network = Guest VLAN, Client Network = Untagged.

Added Firewall/Access Rules:
“AllowAppleTV” Protocol Any, single address (address of AppleTV), To Network (untagged network): Allow
“BlockGuestVLAN” Protocol Any, Network (Address of GuestVLAN), To Network (untagged network): Deny

Basically, this keeps the IoT devices on the Guest VLAN/Wi-Fi network. They can see each other, but they cannot see into the trusted network. The opposite direction, though, is open: devices on the trusted network can talk to devices on the guest VLAN.

So far so good!

3 Likes
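The two access rules in the post above only give the intended one-way result because they are evaluated top to bottom and “AllowAppleTV” sits before “BlockGuestVLAN”; swap them and the Apple TV is blocked by the broader rule before its own allow is reached. The model below is an added example, not Peplink’s rule engine or code from the thread: it evaluates the two rules first-match, shows the effect of reversing them, and adds a minimal stateful table so the earlier “one-way connection” question can be answered concretely (a trusted device opening a connection into the guest VLAN gets its replies back without a rule for the reverse direction). The subnets, the Apple TV address and the “default allow” final action are assumptions.

```python
"""First-match evaluation of the guest-VLAN access rules, with a stateful
reply table. Added example; not Peplink's rule engine and not from the
thread. Subnets, the Apple TV address and the default action are assumed.
"""
from ipaddress import ip_address, ip_network

GUEST_VLAN = ip_network("192.168.3.0/24")    # assumed subnet for VLAN 1003
TRUSTED_LAN = ip_network("192.168.1.0/24")   # assumed untagged LAN
APPLE_TV = ip_network("192.168.3.10/32")     # assumed HomeKit hub address

# (name, source, destination, action); evaluated top to bottom, first match wins.
RULES = [
    ("AllowAppleTV", APPLE_TV, TRUSTED_LAN, "allow"),
    ("BlockGuestVLAN", GUEST_VLAN, TRUSTED_LAN, "deny"),
]
DEFAULT_ACTION = "allow"   # assumed: nothing else is restricted between VLANs


def evaluate(rules, src, dst, default=DEFAULT_ACTION):
    """Return (action, matching rule name) for a new flow src -> dst."""
    src, dst = ip_address(src), ip_address(dst)
    for name, s_net, d_net, action in rules:
        if src in s_net and dst in d_net:
            return action, name
    return default, "default"


def policy_is_sound(rules):
    """The three properties the post wants: Apple TV reaches the trusted LAN,
    other guest devices do not, and trusted devices reach the guest VLAN."""
    return (evaluate(rules, "192.168.3.10", "192.168.1.20")[0] == "allow"
            and evaluate(rules, "192.168.3.55", "192.168.1.20")[0] == "deny"
            and evaluate(rules, "192.168.1.20", "192.168.3.55")[0] == "allow")


class StatefulFirewall:
    """Minimal stateful model (assumed behaviour, for illustration): a flow the
    rules allow is remembered, and packets in its reverse direction pass
    without a rule lookup. Unsolicited guest -> trusted packets still hit the
    rules and are denied."""

    def __init__(self, rules, default=DEFAULT_ACTION):
        self.rules, self.default, self.state = rules, default, set()

    def packet(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.state:     # reply to an allowed flow
            return "allow", "established"
        action, name = evaluate(self.rules, src, dst, self.default)
        if action == "allow":
            self.state.add((src, sport, dst, dport))
        return action, name


if __name__ == "__main__":
    print("as configured:", policy_is_sound(RULES))                 # True
    print("rules reversed:", policy_is_sound(list(reversed(RULES))))  # False
    fw = StatefulFirewall(RULES)
    print(fw.packet("192.168.1.20", 50000, "192.168.3.55", 80))      # allow/default
    print(fw.packet("192.168.3.55", 80, "192.168.1.20", 50000))      # allow/established
    print(fw.packet("192.168.3.55", 44444, "192.168.1.20", 445))     # deny/BlockGuestVLAN
```

The stateful part is why the guest VLAN can answer connections the trusted side opened while still being unable to start any of its own; multicast discovery (mDNS on 224.0.0.251) is not a routed unicast flow and is untouched by these rules, which is why Bonjour Forwarding is configured separately.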

What about multiple IoT VLANs?
One for the devices that do not need to see each other, with inter-VLAN routing off and Layer 2 isolation on.
Then, other devices that do need to see something else can each get their own VLAN and their own SSID. Surf SOHO can now create 8 SSIDs. Each would have inter-VLAN routing off and Layer 2 isolation off.
Isolate what you can, share what you have to share.

3 Likes

If only Layer 2 isolation worked! We are touching two different Peplink Balance series routers which have L2 isolation turned on – but the wi-fi clients can see each other just fine.

1 Like

Hello @Rick-DC,
With the Wi-Fi settings, there is an option to enable/disable Layer 2 isolation between devices at the SSID level (we do this through InControl2 for Guest/Public Wi-Fi networks). Have you checked that setting yet?
Happy to Help,
Marcus

1 Like

Hi Marcus! Yes. We never use InControl but have ensured L2 isolation is on for networks which host guests and IoT devices.

1 Like

I have used Layer 2 isolation for a VLAN for so long I can’t remember when I started. And I often do LAN scans to verify it’s working. It works. I suspect a misunderstanding somewhere.

Are the Wi-Fi networks created by a Peplink router or by something else? If something else, all bets are off.

2 Likes

@Michael234 On SOHO or Balance?

1 Like

I follow everything that’s been said thus far; however, no one has mentioned the issue with supporting WPA3 for non-IoT devices while also supporting WPA/WPA2 for all the IoT devices. I tried setting up a separate SSID to do this, but the UBR LTE I have won’t allow a 2.4 GHz SSID and a separate 5 GHz/2.4 GHz SSID to run concurrently. InControl shows the config but the router doesn’t. Also, it’s unclear whether WPA3 will work on the UBR LTE. Docs seem to say yes, but the device UI doesn’t have the option, whereas InControl shows it. Any thoughts? I have to switch over to WPA3 for work reasons and I’ll lose all my IoT devices if this is the limitation.