How to create an isolated and secured VLAN for IoT devices?

I don’t want my IoT devices to send data to the internet or be easily accessed from the internet.

My idea is to put all the IoT devices in an isolated VLAN that lets them interoperate but does not let them connect to the internet, just to the router.

I want to minimize the number of routers or gadgets installed (to reduce the risk of misconfiguration and power consumption).

I have two routers at home:

  • The one connected to the internet and provided by the internet provider. It is my gateway, but it does not provide other services like DHCP. It provides Ethernet connection to a couple of computers and WiFi connection to devices in the back side of the home.

  • A FritzBox router with OpenWrt installed that does the hard work. It provides DHCP, an MQTT broker (Mosquitto) and DNS for local names, forwarding other DNS queries to the internet.
    It provides Ethernet access to my NAS (where openHAB is installed in a Docker container) and WiFi connection to devices in the front of the home. Both WiFi points share SSIDs and passwords in order to be able to roam from back to front.

That would be my home network, where computers, tablets, phones… connect.
It cannot be reached from outside, except by using a VPN provided by my NAS.

I would like to have another WiFi SSID for the IoT devices (both routers can create more than one WiFi access point) and a VLAN for it, configured in a way that the IoT devices won’t access the internet and cannot be reached from outside.
It would be the IoT network (most of the devices connect through WiFi to one of the routers).

How should I configure it?

  1. I suppose IoT devices should be able to interconnect among themselves.
  2. I think they should have a separate IP network with different addresses provided by the router using DHCP (but I don’t know how to configure DHCP to provide addresses for devices on a specific WiFi SSID).
  3. Of course IoT devices should be accessible from the router and from the NAS, but I think it would be good to be able to access them from any device in the home in order to be able to interact with them. But I don’t know if it has some security risk.

I have been trying some tests with VLANs and creating another WiFi, but could not implement it correctly.

Just a few thoughts on how it’s working for me, but it heavily depends on the hardware and its capabilities.

The usual approach would be to have a VLAN defined on your router (this also gives you the DHCP for it; I use pfSense).
The second step would be to either have a VLAN-capable WiFi AP and create a dedicated SSID there that is also tagged to said VLAN, or you need a dedicated AP that you hardwire into your router’s port, which is then assigned to that VLAN.
Your Synology box needs to be a trunk then, as you might want OH on the VLAN but other services not, hence it needs to route all VLANs etc.

On the firewall end you will need to create rules to block all traffic from the IoT VLAN to anything else in the network (i.e. my IoT network actually blocks anything internal, but can talk to the outside via Pi-hole (to block some stuff)).

Take note though that I experienced with some devices that they need to be on the same subnet as OH (i.e. my Samsung TV did not like being on my IoT VLAN while OH was on another one).

Currently on my phone, otherwise I would go into more detail, but hope above helps.

Thanks, something like that is what I have in mind.

But I have an OpenWrt router (open source, installed in place of the FritzBox firmware).

That router lets me create a new VLAN with a new isolated interface and another WiFi SSID, and associate only that WiFi with the interface of the IoT VLAN.

In theory I can assign a different DHCP IP address range to that interface, and hence to the devices that connect to that VLAN (the IoT WiFi and, if needed, an Ethernet device connected to the router on an Ethernet port that I assign to that IoT VLAN).

But I have two problems:

  • I can create the new IoT WiFi without problems, but as soon as I create a new interface to attach to the VLAN, my home network loses connection to the internet. I don’t know why, as I have changed nothing in the interface assigned to that network (switch ports or WiFi), and I only assign the new IoT WiFi to the new IoT interface (no other Ethernet port in the switch).

  • The gateway from the internet provider is in the back side of the home; it provides only Ethernet connection to a couple of computers and WiFi connection (configured as an access point with the same SSID and password as the OpenWrt router in the front side, to provide roaming). It is configured as the gateway in the DHCP config of the main OpenWrt router (in the front side).
    It can create a second WiFi SSID, which I configure with the same SSID and password assigned to the IoT WiFi. The problem is that I don’t know how to tell the DHCP router to assign an address from the IoT pool, and not the home pool, to devices connected to the IoT WiFi on that external device (as it is supposed to do automatically for the devices connected to the IoT WiFi that this router itself provides, as it is assigned to the interface of that pool).
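The setup described in the post above (a wifi-only IoT interface with its own DHCP pool, and rules so the devices reach only the router), written out as OpenWrt UCI configuration. This is an added example, not the poster's configuration and not taken from the thread. It assumes OpenWrt 21.02 or later (`config device` / DSA syntax), a radio named `radio0`, an IoT subnet of 192.168.20.0/24 that does not overlap the home LAN (the thread never states the home LAN range), an SSID named `IoT`, and that the Mosquitto broker on the router listens on its default port 1883. The IoT interface is bound to its own empty bridge `br-iot`, so no switch port and no LAN device is touched; the SSID joins that bridge through `option network 'iot'`, and dnsmasq hands out leases on it because a `config dhcp` section names the interface. The passphrase is a placeholder.

```uci
# /etc/config/network  (added example; br-iot and 192.168.20.0/24 are assumptions)
config device
        option name 'br-iot'
        option type 'bridge'
        # no 'list ports': nothing is wired here, only the IoT wifi-iface joins this bridge

config interface 'iot'
        option device 'br-iot'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        # no 'gateway' and no 'dns' options: this interface must not learn a default route

# /etc/config/wireless  (radio0 is an assumed radio name)
config wifi-iface 'iot_ap'
        option device 'radio0'
        option mode 'ap'
        option network 'iot'            # joins br-iot, not br-lan
        option ssid 'IoT'
        option encryption 'sae-mixed'   # WPA2/WPA3 mixed
        option key 'replace-with-a-long-passphrase'
        option isolate '0'              # devices may still talk to each other (question 1)

# /etc/config/dhcp  (separate pool for the iot interface)
config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '100'              # leases 192.168.20.100 - 192.168.20.199
        option leasetime '12h'

# /etc/config/firewall
config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'           # the router accepts nothing from IoT unless a rule below allows it
        option output 'ACCEPT'
        option forward 'REJECT'         # nothing is routed out of the zone by default

config forwarding                       # home LAN may open connections into the IoT network
        option src 'lan'
        option dest 'iot'
# deliberately no 'config forwarding' with src 'iot': neither iot->wan nor iot->lan exists,
# so replies to LAN-initiated connections flow back via conntrack, but nothing more

config rule                             # DHCP and DNS against the router itself
        option name 'Allow-IoT-DHCP-DNS'
        option src 'iot'
        option proto 'tcp udp'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule                             # MQTT to the broker on the router (1883 assumed)
        option name 'Allow-IoT-MQTT'
        option src 'iot'
        option proto 'tcp'
        option dest_port '1883'
        option target 'ACCEPT'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, a client on the `IoT` SSID should receive a 192.168.20.x lease, resolve names through 192.168.20.1, connect to port 1883 on it, and fail to reach any LAN or internet host; from the LAN side, opening `http://192.168.20.1xx` on a device still works because the `lan`→`iot` forwarding exists. `fw4 print` (or `fw3 print` on older releases) shows the generated rule set if something does not match expectations.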

  1. Not necessarily. If you are very paranoid you could control that in the firewall. However, the devices will need to see and be seen by OH. That means they can see and be seen by your NAS, which is probably going to be the highest-value target on your network.

  2. OH will need to be on both networks.

  3. If your primary concern is the devices talking out to the internet, you don’t need a VLAN or any of the extra complexity from that. Just configure your firewall to serve out static DHCP IP addresses to your IoT devices and block them from talking to the Internet in firewall rules. If you stick to a contiguous range of IPs you can block the whole range in one rule, though you might want to be able to individually enable a device here and there for updates and such. You only need to worry about separate networks and stuff like that if you want to keep your IoT devices from seeing other stuff on your network.

Honestly, this stuff is hard to get right even for professionals sometimes, as you are finding. When there are Internet-wide outages like the one from Amazon last week, it’s almost always caused by someone messing up a networking config. If you want to go down the VLAN route, I recommend looking into something a little more capable and robust than DD-WRT, like pfSense (recommended by @chrismast) or OPNsense (I moved off of pfSense to this about a year ago). But it sounds like you are OK with all your LAN being able to see each other, and a VLAN isn’t really intended to address that sort of thing. Just looking into firewall rules may be sufficient to meet your requirements.

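The firewall-only variant from point 3 above (static leases in one contiguous block, one rule blocking that block from the internet, no second interface), as an added example in OpenWrt UCI syntax. It is not from the thread; the device names, MAC addresses, the home LAN 192.168.1.0/24 and the block 192.168.1.200/29 (eight addresses, .200 to .207) are assumptions. The per-device exception is kept in the file but disabled, so a single `uci set` turns it on for an update window.

```uci
# /etc/config/dhcp -- pin every IoT device into one aligned block (assumed names and MACs)
config host
        option name 'sensor-kitchen'
        option mac '00:11:22:33:44:01'
        option ip '192.168.1.200'

config host
        option name 'plug-livingroom'
        option mac '00:11:22:33:44:02'
        option ip '192.168.1.201'

# /etc/config/firewall -- rules are evaluated in file order, so the
# exception must come BEFORE the block rule.
config rule
        option name 'Allow-plug-update'   # enable only while a device needs an update
        option enabled '0'
        option src 'lan'
        option src_ip '192.168.1.201'
        option dest 'wan'
        option proto 'all'
        option target 'ACCEPT'

config rule
        option name 'Block-IoT-to-Internet'
        option src 'lan'
        option src_ip '192.168.1.200/29'  # covers .200-.207 in one rule
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'
```

Toggle the window with `uci set firewall.@rule[0].enabled=1 && uci commit firewall && /etc/init.d/firewall reload` (index 0 assumes the exception is the first `rule` section in the file) and set it back afterwards. Two caveats a practitioner should keep in mind: the rule only covers routed traffic, so the devices can still ask the router's dnsmasq for names, which it answers by forwarding upstream, leaving DNS itself as an outbound channel; and a device that changes its MAC, or a new device not listed, falls outside the block and is not covered at all.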

Yes, I have experience with setting up IP networks, masks, and that stuff. But from some time ago.

Since then, things have got much more complicated, and it is quite difficult to get it all working; as you say, you touch one thing here and some other thing drops there.

I am not especially interested in setting up VLANs, nor especially paranoid; I just would like to protect the IoT network a bit from outside sniffing and to be more or less sure that the IoT devices are not sending all the info to a cloud service somewhere without my knowledge.

For now I don’t have any IoT device connected using Ethernet, just WiFi, so creating a separate SSID and assigning it a new interface to be able to set a different IP network should be enough, I think.
And then setting the firewall rules to be sure that IoT devices in the IoT network cannot reach the internet (not sure if they should not reach the home LAN network either) and that home LAN computers can access the IoT devices (that would be easier to use when you want to access one device through HTTP, for example, but I am not sure whether it would be a big security risk).

I think my problems are in configuring firewall rules.
And in assigning IPs in the IoT network to devices that don’t connect to the main router’s WiFi AP but to the AP in the back of the home (with the same SSID).

If I can solve it using OpenWrt I would prefer that, as it is what I know and is “easy” to use.
Changing to another system would put all my network upside down for too much time, and my family won’t be happy.

Well, unless you’ve opened ports on your firewall that’s not going to happen anyway.

The problem a lot of people run into though is that the IoT devices themselves either set up UPnP to open ports in your firewall for you (turn that off) or they will reach out to the Internet on their own to download updates and such. So the device can reach out and pull down something malicious and then the attacker is already behind your firewall.

This is what a VLAN will help you with. Even if the device gets compromised because of something it downloaded on its own initiative, it can’t see anything interesting on your LAN to attack.

But if you block the device from communicating to the Internet at all, assuming it’s not already compromised, it can never become compromised (with exceptions) because it has no exposure to the Internet. In that case maybe it doesn’t matter if all your LAN can see them.

However, there are some attacks that can run from your browser. For example, you open a compromised page which has some code to scan your LAN for a certain make and model of IP camera (for example) and exploits it. In that case the camera becomes compromised even though it cannot be directly reached from the Internet. However, it’s limited in what it can do because it can’t connect to the Internet. Even if it sucks up all your banking info, it can’t publish it back out.

The best would be a VLAN and being blocked at the firewall, but that has opportunity costs since it becomes harder to set up and configure your home automation system. But for the average user and the average threats out there, I think simply blocking them at the firewall is probably sufficient. But you need to go through the list of threats you want to mitigate (i.e. what are you worried about) to be sure.

Probably not. You also have to worry about DHCP, routing, and firewall settings too.

The easiest might be to get and deploy a wholly separate WiFi gateway for the IoT stuff. Then configure that network completely separately. The WAN port will connect up to your main network device, which in turn has its WAN connected to your ISP.

Then all you have to manage separately will be the routes. However, you also might have to deal with interference.

Oh, sorry, I see I have not clarified everything.
When I speak about firewall rules I am speaking of rules in the main router, in order to isolate traffic or stop it from the home LAN or the IoT net using OpenWrt rules.

My ISP gateway (the one that is in the back of the home and connected to the internet) has a firewall too.
And it is configured to drop all incoming traffic except for a VPN, to be able to connect to the internal network from outside.
The connection to the VPN port is redirected to my QNAP NAS, where the software is installed (I will try to move it to the OpenWrt router later).

So yes, the home network is protected from the outside, and the WiFi connections use WPA2/WPA3 encryption and a strong password.

But as you say, if you install software on a PC or buy an IoT device with malicious firmware, you have the enemy at home.

Of course my home is not NASA or a central bank and there is nothing too interesting, but as you know most attacks nowadays are indiscriminate: bots using your devices for their own interests or trying to get info about your activities or the keywords you use in your bank.

So I am just trying to make things a bit more complicated for them, without too much effort and without making connections from my own home LAN to my IoT devices too difficult.

In OpenWrt I have configured a separate WiFi for IoT devices and created a new interface for them, with another set of IPs, different from the IPs in my home network.
As far as I know that is created using VLANs internally; what I don’t need for now is assigning the ports in the virtual switch to those VLANs. The interface for the IoT devices is only attached to the IoT WiFi.

Devices connected to that router get the correct IP and are separated from the others (I have yet to test the firewall rules to be sure they cannot access the internet or the home LAN, and can be accessed from the home LAN).

The problem is with the devices that connect to the IoT WiFi on the other access point, outside the OpenWrt router, as DHCP does not know that the device has connected to WiFi or which WiFi it is connected to, and it assigns IPs from the home LAN.

It could be solved if I used a separate access point and connected it to the main router (using VLAN and switch configuration to put the port in the same VLAN as the IoT interface). But the problem is that I cannot wire that access point directly to the main router, as there is only one Ethernet wire between those points.

I don’t know if WiFi traffic can be tagged in order to be able to separate it later using VLANs.
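Tagging wireless traffic into a VLAN is exactly what a VLAN-aware access point does, and it is how one cable can carry both networks. The following is an added example in OpenWrt UCI syntax, not from the thread: the main router carries the home LAN untagged (VLAN 1) and the IoT network tagged (VLAN 20) on the one port that leads to the back of the house, and a second OpenWrt device at the far end of that cable works as a plain access point, putting its `IoT` SSID on VLAN 20 and its home SSID on the untagged LAN, with no DHCP server of its own. Assumptions: OpenWrt 21.02 or later with DSA `bridge-vlan` sections, the trunk port is `lan4` on the main router and `lan1` on the remote AP, the radio is `radio0`, the home LAN is 192.168.1.0/24 and the IoT network 192.168.20.0/24, and an OpenWrt box (not the ISP gateway, whose tagging ability the thread does not state) sits at the back of the house, as the last post considers. Passphrases are placeholders.

```uci
# ===== main router: /etc/config/network =====
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'               # the single cable to the back of the house (trunk)

config bridge-vlan                      # VLAN 1 = home LAN, untagged + PVID on every port
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan                      # VLAN 20 = IoT, tagged only on the trunk port
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'iot'                  # the local IoT SSID attaches here too (option network 'iot')
        option device 'br-lan.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# ===== remote access point (second OpenWrt box): /etc/config/network =====
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'               # the same cable, plugged in here

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'

config interface 'lan'                  # management address, leased by the main router
        option device 'br-lan.1'
        option proto 'dhcp'

config interface 'iot'                  # no IP address at all: pure layer-2 bridge into VLAN 20
        option device 'br-lan.20'
        option proto 'none'

# ===== remote access point: /etc/config/wireless =====
config wifi-iface 'home_ap'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ssid 'Home'              # same SSID and key as the main router, for roaming
        option encryption 'sae-mixed'
        option key 'same-home-passphrase'

config wifi-iface 'iot_ap'
        option device 'radio0'
        option mode 'ap'
        option network 'iot'            # frames from this SSID leave lan1 tagged with VLAN 20
        option ssid 'IoT'
        option encryption 'sae-mixed'
        option key 'replace-with-a-long-passphrase'

# ===== remote access point: /etc/config/dhcp -- it must never answer DHCP =====
config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
```

A client joining the `IoT` SSID at the back of the house now sends its DHCP discover into VLAN 20, it arrives on the main router's `br-lan.20`, and the main router's `iot` pool answers; the home SSID keeps working as before over VLAN 1. OpenWrt firewall zones are keyed on the network name, so whatever rules restrict the `iot` network on the main router apply equally to clients arriving over the trunk. `bridge vlan show` (package `ip-bridge`) on either box should list the trunk port with VLAN 1 as untagged PVID and VLAN 20 as tagged; if the remote AP's `lan` interface never gets an address, the trunk configuration on one side is wrong.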

Typically if one has two subnets, one needs a DHCP server for each one. If you configure your DHCP server for one subnet it likely breaks the other network.

Wire it to the main one.

ISP Gateway.  <---> Main Gateway. <---> IoT Gateway

The ISP Gateway has its own DHCP service. It supplies the IP for your Main Gateway’s WAN port (or sometimes it’s static).

Your Main Gateway has its own DHCP service that supplies the IPs for all the devices directly connected to it.

The WAN IP for the IoT Gateway comes from Main Gateway’s DHCP. The IoT Gateway has its own DHCP service that supplies all the devices connected to it. It also has a different SSID from the Main Gateway.

On the Main Gateway, firewall settings limit the ability for any traffic coming from the port the IoT Gateway is plugged into from reaching the Internet. Routes are set up to route traffic between the IoT network and your Main network.

In OpenWrt you can create a different DHCP configuration for each interface: one for the IoT network interface with its own set of IP addresses, and another for the LAN network interface with another set.

As long as you connect to that router you get the appropriate IP for the IoT or the LAN.

The ISP router obtains its WAN IP from the central ISP router to which it is connected.

By default it has its own DHCP activated to provide addresses to devices that connect to it on the LAN ports or WiFi.

But I have deactivated the DHCP server in it in order to let the main router be the one that provides the network addresses and configuration (sets the gateway address, mask, and DNS servers).

But maybe you have given me a good idea.
I have to see if I can configure the ISP router DHCP to provide IoT WiFi devices with an IP address in the same net, but not overlapping with the ones in the other router.
So the devices connect with appropriate IPs.

But they won’t receive an appropriate DNS name (OpenWrt has an integrated mDNS server that lets you assign static IPs from MAC addresses and a DNS name, or create aliases; that is another reason that made me decide not to use the DHCP server in the ISP gateway, and to centralize DNS and DHCP on the main router).
I can install, as you say, another router with OpenWrt as the IoT WiFi connection and try to see if that is more easily integrated with the main router.
