I’m looking for general tips on how to safely integrate a potentially un-safe device into my network: IOT devices such as wifi cameras, thermostats, VOIP telephones, etc.
My initial thought was to segregate them to a “guest” VLAN / WiFi and keep them off of my more secure business network. That way, even if they are misbehaving they can’t do much damage. However a problem with this approach is that other devices which may want to talk to the IOT devices can’t. Simple example: A Philps HUE bridge, if it’s on the guest VLAN, can’t be accessed by iOS devices on the main VLAN.
Another approach: put the IOT device on the secure network, but firewall it tight. Closing all ports except for the few that it needs. The problem with this approach is that it’s not always apparent what ports/protocols an IOT device needs.
Thank you. Does that basically set up a one-way connection through the firewall? So VLAN 10 can’t see the untagged VLAN, but the untagged VLAN can see devices on VLAN 10?
Many of the IOT devices no longer require inbound port access. Phillips Hue bridges create and persist an outbound connection to a server on the internet. A client will make a call to that server and the server routes the request to the connection.
I would be careful of isolating all of your services to a single VLan. Some of these devices use multicast/broadcast for discovery. Some of these protocols do not allow for discovery across VLans. IPhone connecting to a Samsung TV inside of the YouTube app is one example that does not work across VLans. Phillips Hue does work across VLans and the internet. My thermostat gateway works similarly to the Phillips Hue bridge. It all depends on the service and sometimes the client.
To follow up on this, here’s what I ended up doing:
Under Network/LAN: Created a VLAN for the guest device. Inter-VLAN routing is ON (but see below for firewall rules). I’m using 1003 because that’s the VLAN ID that Airport Extreme base stations use fo their Guest WIFI network. See Using Peplink Balance with Apple Airport Guest Network
Moved all potentially unsafe devices, includsing Printers and IOT devices and the AppleTV (which serves as the HomeKit hub) onto the Guest WIFI (VLAN 1003)
Other IO devices which connect via Ethernet (such as Philips Hue bridge) were connected to one of the ports on the Balance one, set to Access / VLAN (this is found in Network/LAN/Port Settings).
Added Firewall/Access Rules:
“AllowAppleTV” Protocol Any, single address (address of AppleTV), To Network (untagged network): Allow
“BlockGuestVLAN” Protocol Any, Network (Address of GuestVLAN), To Network (untagged network): Deny
Basically, this keeps the IOT devices on the Guest VLAN/WiFi network. They can see each other, but they can not see into the trusted network. But, the opposite direction is open: devices on the trusted network can talk to devices on the guest VLAN.
What about multiple IoT vlans?
One for the devices that do not need to see each other with inter-vlan routing off and layer 2 isolation on.
Then, other devices that do need to see something else can each get their own vlan and their own SSID. Surf SOHO can now create 8 SSIDs. Each would have inter-vlan routing off and layer 2 isolation off.
Isolate what you can, share what you have to share.
If only Layer 2 isolation worked! We are touching two different Peplink Balance series routers which have L2 isolation turned on – but the wi-fi clients can see each other just fine.
Hello @Rick-DC,
With the Wi-Fi settings, there is an option to enable/disable Layer 2 between devices at the SSID level (we do this through InControl2 for Guest/Public Wi-Fi networks), have you checked that setting yet?
Happy to Help,
Marcus
I have used Layer 2 isolation for a VLAN for so long I can’t remember when I started. And, I often do LAN scans to verify its working. It works. I suspect a mis-understanding somewhere.
Are the wifi networks created by a Peplink router or by something else? If something else, all bets are off.
