Layer 2 Isolation and IoT devices

So here’s my scenario. I’ve got a small but growing number of IoT devices. For quite some time I’ve been hesitant to use these gadgets mainly due to the security issues they create, but that can be managed and some have real utility. To that end, I’ve created a VLAN specifically for them, with inter-VLAN routing “Off” and Layer 2 Isolation “On”. So they are fully sequestered, able to see nothing but the internet.

Many of these gadgets work differently, and my latest addition, a high-end ceiling fan, presents a new case, one I’ll probably encounter again. Connecting the fan to my IoT SSID worked fine; that part of the setup was no problem and I could see the fan as a client on the 20X. For the fan’s corresponding app to work on my iPhone, the phone also needs to be connected to the IoT SSID, but with Layer 2 Isolation on, the phone and the fan can’t see each other and the app can’t “find” the fan. Turn off Layer 2 Isolation and everything works fine.

But I don’t want to turn off Layer 2 Isolation, and I don’t really want to connect my phone to the IoT SSID either, but that’s less of an issue. I’ve read the material on sharing a printer; that’s a similar case, but not quite the same. What I think I need is an exception in the IoT VLAN that enables only the phone and fan to see each other. Or at least that’s what I think I need. I’ve thought of creating another VLAN for IoT items such as the fan, and then limiting what they can and can’t do with firewall rules, but I’m not sure that’s the way to go to solve this.

Any suggestions on the best solution?

I also wish to thank @Michael234 for his Router Security website. I bumped into this site 4-5 years ago when I began researching a secure replacement router for the one I had. The site has been enormously helpful and educational.

This is going to really depend on how the application finds its peer devices. If it sends out a local broadcast (“hey… any fans on this network? Come talk to me”), then it will only work when you join that SSID and have Layer 2 Isolation off.

Can you specify the IP addresses of the fans by hand?

If the fan uses DNS-SD (Bonjour), then you could enable Bonjour forwarding. You would have to allow inter-VLAN routing, but you can block the unwanted traffic via outbound policy rules and firewall rules.

All of this is going to be a lot of experimentation with packet captures, firewall logging rules etc. You are going deep into technical packet rules where the designers of the product had no care at all for security and any network other than a single SSID and open /24 network.

If the product has a “manage from outside of the house” or “cloud” mode then that should work, as the commands are relayed from “fan central”… Of course this has its own security implications, but that is how all of those other IoT devices work.

My suggestion would be to create a new SSID and a new VLAN just for the fan. Turn OFF Layer 2 isolation for this SSID, but do block inter-vlan communication. When you want to talk to the fan, just connect to its dedicated SSID.

If you have 35 IoT devices in the same situation, this solution does not scale. I think the Balance 20X is limited to 8 SSIDs, maybe 16? Not sure. Until you hit the SSID limit, you don’t have to bother with inter-VLAN firewall rules.

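To make the “how does the app find the fan” question concrete, here is an added example (my own code, not from the original thread, the fan vendor, or Peplink) of the DNS-SD/Bonjour discovery exchange the reply above describes: an mDNS PTR query to the link-local multicast group 224.0.0.251:5353, followed by parsing of the PTR/SRV/A records a device answers with. The service type `_http._tcp`, the instance name “Ceiling Fan”, the hostname `fan.local` and the address 192.168.50.23 are all constructed for the example; a real device advertises whatever type its vendor chose. Because the query is link-local multicast and the answer is a client-to-client frame on the same SSID, Layer 2 Isolation blocks both directions, which is exactly the symptom in the original post.

```python
"""mDNS / DNS-SD discovery probe (added example; names and addresses are constructed)."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # link-local multicast: routers never forward it between VLANs
MDNS_PORT = 5353
SERVICE_ENUM = "_services._dns-sd._udp.local"  # "what service types exist here?" (RFC 6763)
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label, terminated by 0)."""
    out = b"".join(bytes([len(l)]) + l.encode("utf-8") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a DNS name, following 0xC0 compression pointers; returns (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("utf-8"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, qtype=TYPE_PTR):
    """One-question mDNS query: id 0, flags 0, qdcount 1, class IN."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(records):
    """Build an authoritative mDNS answer from (name, type, rdata) tuples (class IN, cache-flush bit)."""
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 0x8001, 120, len(r)) + r for n, t, r in records)
    return struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0) + body


def parse_response(data):
    """Return [(name, type, value)] for every record in an mDNS response packet."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qd):                                  # skip echoed questions, if any
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_PTR:
            value, _ = decode_name(data, offset)          # service type or instance name
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = decode_name(data, offset + 6)
            value = (port, target)                        # where the instance listens
        elif rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        else:
            value = rdata
        records.append((name, rtype, value))
        offset += rdlen
    return records


def resolve_instances(records):
    """Join SRV and A records: instance -> (host, port, ip). This is what the app needs to 'find' the fan."""
    srv = {n: v for n, t, v in records if t == TYPE_SRV}
    addrs = {n: v for n, t, v in records if t == TYPE_A}
    return {inst: (host, port, addrs.get(host)) for inst, (port, host) in srv.items()}


def discover(service=SERVICE_ENUM, timeout=2.0):
    """Send the query the app would send. Querying from an ephemeral port makes responders
    reply unicast to us (RFC 6762 legacy unicast), so no multicast group join is needed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # mDNS uses TTL 255
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _peer = sock.recvfrom(9000)
            found.extend(parse_response(data))
    except socket.timeout:
        pass                                              # isolated SSID: this is all you get
    finally:
        sock.close()
    return found


# Constructed answer a hypothetical fan might return to a service-enumeration query.
SAMPLE_RESPONSE = build_response([
    (SERVICE_ENUM, TYPE_PTR, encode_name("_http._tcp.local")),
    ("_http._tcp.local", TYPE_PTR, encode_name("Ceiling Fan._http._tcp.local")),
    ("Ceiling Fan._http._tcp.local", TYPE_SRV, struct.pack("!HHH", 0, 0, 80) + encode_name("fan.local")),
    ("fan.local", TYPE_A, socket.inet_aton("192.168.50.23")),
])

if __name__ == "__main__":
    print("parsed sample:", resolve_instances(parse_response(SAMPLE_RESPONSE)))
    print("live probe:", resolve_instances(discover()))   # empty on an L2-isolated SSID
```

Run it twice, once from a client on the IoT SSID with Layer 2 Isolation on and once with it off, and the live probe shows the difference directly. Bonjour forwarding on the router relays only this 5353 multicast between VLANs; the actual control traffic then goes unicast to the resolved IP and port, which is why the reply above says inter-VLAN routing (narrowed by firewall rules) is still needed on top of it.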

Thanks for the replies. Yes, key to all of this is how these devices communicate and the way the developers chose to bolt them together. There’s probably no more than 3-6 ways these things work, and reading product manuals of devices under consideration yields an educated guess.

I think a number of IoT VLANs with varying privileges and firewall rules is probably where I’m headed, with carefully selected devices that do something useful enough to bother connecting them. Coming back to my fan, I’ve disconnected it from my router. It’s an interesting case, but the short story is the app doesn’t provide additional functionality I much care about, and this fan, when not Wi-Fi connected, actually broadcasts a hotspot I can connect to in order to enable the app if I choose. It’s an unsecured hotspot, so I suppose my neighbor could connect to it and operate my fan (assuming the signal broadcasts that far), which certainly is an interesting design choice. That said, this fan was not purchased for its IoT capabilities.

My bet is most people simply connect all of this stuff to their main SSID and continue on their way. That won’t be my approach, and fiddling with it all and figuring out the best way to set it up is part of the fun.

Hi @JoeC945 . One thing you may wish to consider. You may want to get your fan to connect to “something” – even if you “firewall” or “black-hole” it – so it will stop behaving as a hotspot. You may not want to pollute your near-field 2.4GHz environment with another emitter. And, you really don’t want this thing blasting away on a channel you are using.
