Newbie setup question for Surf Soho 3

Hi!
I’m a newbie wandering through the wilderness. I need some help with how to set up my Surf Soho 3 for the first time. I have no experience with VLANs. So far I have:
Untagged LAN with its own SSID
VLAN Guest network with its own SSID, no interVLAN routing, layer 2 isolation

Now I want to set up a VLAN for IOT devices which only need internet access. One device is connected by ethernet and the rest are wifi.
Do I put them all on one VLAN with no interVLAN routing and layer 2 isolation?
Is it better to have a VLAN for each device?
Do I create one SSID for all the IOT devices?
I need to communicate with several of the IOT devices using smartphone apps or a tablet. Will no interVLAN routing and layer 2 isolation on the IOT VLAN block my smartphone from communicating with the IOT devices?
Can I accomplish what I want without resorting to firewall rules?
Thanks for any help.

Hi!
I’m a bit less of a newbie (I have set up 4 Surf SOHOs for customers and I have two more - one at home and one at the office.) I use this page as a guide:
https://routersecurity.org/SurfSOHOinitialconfiguration.php
If you read everything that Michael Horowitz has written, you’ll be back here sometime next year.

I use the Untagged LAN as the primary (secure) network, and configure the first Wifi AP to that network.
Then I create a VLAN for Guest (or IOT) use, and use a different IP network addressing for that SSID.
In your scenario, I would suggest using separate VLANs for Guest and IOT. But you don’t need a separate VLAN for every device, unless you want to be sure that no devices can see each other.

Cheers!

TimC, thanks for your reply. I also followed the initial setup on the routersecurity site. I have set up a separate VLAN and SSID for IOT devices just as you suggested above. It seems like the point of having a separate VLAN for IoT devices is to allow them internet access, but not allow them to communicate with any other network by blocking interVLAN routing. But if you block interVLAN routing, how can a smartphone on the Untagged LAN communicate with an IoT device? Maybe switch to the IoT SSID on the smartphone and uncheck layer 2 isolation for the IoT VLAN? Maybe layer 2 isolation isn’t necessary on the IoT VLAN?

You are correct that all IoT devices are not the same. Some only need access to the Internet but others also need to communicate with another device in your home.

To that end, create one SSID/VLAN that is totally isolated and another SSID/VLAN that does allow devices in that SSID to see each other.

If you are really ambitious create a different SSID/VLAN for every IoT device that needs to communicate within your home. That way you share and isolate the sharing at the same time. All the ones that only need the Internet can be on the same SSID/VLAN.


Thanks for your reply Michael234. Much appreciated. If I follow your advice I’ll end up with 4 or 6 SSIDs. I don’t know if that would impact the performance of the router. I wonder if there is a way to use firewall rules to achieve the same effect?
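The two designs discussed in this thread can be compared side by side with a small reachability model. The script below is an added illustration, not Peplink code and not anything the Surf SOHO runs; it assumes simplified semantics (same-VLAN traffic is allowed unless layer 2 isolation is on; cross-VLAN traffic needs inter-VLAN routing enabled on both VLANs and then passes through ordered, stateful firewall rules). The host names, VLAN names and rules are constructed for the example. It shows why a phone on the untagged LAN cannot reach an IoT device when the IoT VLAN has inter-VLAN routing off, and how one IoT VLAN with inter-VLAN routing on plus two firewall rules lets the LAN open connections into IoT while IoT still cannot open connections to the LAN or Guest networks.

```python
"""Reachability model for a small home VLAN design (added example, not Peplink code).

Assumed semantics (a simplification, labelled as such):
- Hosts in the same VLAN can talk unless that VLAN has layer 2 isolation.
- Hosts in different VLANs can talk only if BOTH VLANs have inter-VLAN routing
  enabled, and then only if the ordered firewall rules allow the new connection.
- The firewall is stateful: replies to an allowed connection are permitted, so a
  rule is evaluated only for the side that opens the connection.
- Internet (WAN) access is outside this model; it only covers internal reachability.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vlan:
    name: str
    inter_vlan_routing: bool
    l2_isolation: bool


@dataclass(frozen=True)
class Host:
    name: str
    vlan: str


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_vlan: Optional[str] = None   # None matches any VLAN
    dst_vlan: Optional[str] = None
    dst_port: Optional[int] = None   # None matches any port


@dataclass
class Router:
    vlans: Dict[str, Vlan]
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "allow"    # applied when no rule matches

    def can_open(self, src: Host, dst: Host, port: int = 80) -> bool:
        """Can src open a new connection to dst on the given port?"""
        if src.vlan == dst.vlan:
            return not self.vlans[src.vlan].l2_isolation
        if not (self.vlans[src.vlan].inter_vlan_routing
                and self.vlans[dst.vlan].inter_vlan_routing):
            return False
        for r in self.rules:             # first matching rule wins
            if (r.src_vlan in (None, src.vlan) and r.dst_vlan in (None, dst.vlan)
                    and r.dst_port in (None, port)):
                return r.action == "allow"
        return self.default_action == "allow"


# Constructed sample hosts for the two designs below.
PHONE = Host("phone", "lan")
LAPTOP = Host("laptop", "lan")
BULB = Host("bulb", "iot")
CAMERA = Host("camera", "iot")
VISITOR = Host("visitor", "guest")
HOSTS = [PHONE, LAPTOP, BULB, CAMERA, VISITOR]


def design_isolated_iot() -> Router:
    """The original poster's setup: IoT VLAN with no inter-VLAN routing and L2 isolation."""
    return Router(vlans={
        "lan": Vlan("lan", inter_vlan_routing=True, l2_isolation=False),
        "guest": Vlan("guest", inter_vlan_routing=False, l2_isolation=True),
        "iot": Vlan("iot", inter_vlan_routing=False, l2_isolation=True),
    })


def design_firewalled_iot() -> Router:
    """One IoT VLAN with inter-VLAN routing on; firewall rules decide who may open connections.

    Rule order matters: the LAN->IoT allow is listed first, then IoT may not open
    connections to any other VLAN. Guest keeps inter-VLAN routing off, so it is cut
    off from both LAN and IoT without needing a rule.
    """
    return Router(
        vlans={
            "lan": Vlan("lan", inter_vlan_routing=True, l2_isolation=False),
            "guest": Vlan("guest", inter_vlan_routing=False, l2_isolation=True),
            "iot": Vlan("iot", inter_vlan_routing=True, l2_isolation=False),
        },
        rules=[
            Rule("allow", src_vlan="lan", dst_vlan="iot"),
            Rule("deny", src_vlan="iot"),
        ],
    )


def reachability(router: Router, hosts: List[Host] = HOSTS,
                 port: int = 80) -> Dict[Tuple[str, str], bool]:
    """Matrix of (source, destination) -> whether source can open a connection."""
    return {(s.name, d.name): router.can_open(s, d, port)
            for s in hosts for d in hosts if s is not d}


if __name__ == "__main__":
    for label, router in (("isolated IoT", design_isolated_iot()),
                          ("firewalled IoT", design_firewalled_iot())):
        print(f"== {label} ==")
        for (s, d), ok in sorted(reachability(router).items()):
            print(f"{s:8} -> {d:8} {'allowed' if ok else 'blocked'}")
```

Running the script prints both matrices. In the isolated design the phone cannot reach the bulb at all, which is the problem raised in the thread; in the firewalled design the phone's app can open a connection to the bulb, the bulb cannot initiate anything toward the LAN or Guest, and the two IoT devices can see each other because layer 2 isolation was dropped on that VLAN. Swapping the order of the two rules would break the LAN-to-IoT path, which is why rule order is the thing to check when adapting a design like this to a real firewall.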