IoT network Isolation experiences & ideas needed

I’m going to set up a second network at home to isolate my IoT devices.

Sadly, my eero pro doesn’t yet support VLAN (supposedly on the list for future FW update). Aside from that I really like it and don’t want to replace it, so I’ll be adding a second router behind my eero pro (LAN to WAN) using a different IP segment to provide the isolated network for my IoT devices (SmartThings hub, Hue, Bond, Nest, Ring, Android TV, Google Home, etc.).

Wondering who else has done this, and if you have any advice/suggestions/learnings, etc. I assume that I’ll still be able to communicate w/my IoT devices via the internet when I’m at home on my current Wi-Fi network (just as I communicate over the Internet when I’m away from home on 4G). So I won’t have to keep switching networks to manage my IoT network/devices.

Appreciate any suggestions/ideas, including a reasonably fast/recent router hopefully at around $100 to use for the IoT network…

Stacey's IoT podcast recently had a whole episode about this. If I remember correctly, they tried it and determined it wasn’t worth the trouble since all those devices end up punching a hole through your firewall to connect to their cloud, anyway. May be worth a listen.

1 Like

Thanks, I’ll listen tomorrow.

I realize the devices can get to the internet, I just don’t want them to have access to any of the computers/NAS/data on my other network. That should, from what I’ve read, reduce the risk to my non-IoT devices.

I actually found some time tonight. What Stacey actually investigated in the recent podcast was putting IoT devices on a Guest network, which (not surprisingly) wasn’t a great solution.

I haven’t heard the whole podcast, but in the podcast notes they actually suggest using something like Firewalla or using a router that supports VLANs (as noted, I’m adding a second router since the eero doesn’t do VLANs).

Thanks for the suggestion to check Stacey’s podcast, I haven’t checked into it in quite a while, good reminder about it.

1 Like

Here is another topic related to your subject:

Great, thanks. I did some searching here but didn’t run across that thread, appreciate you pointing me at it.

I know everyone has been on pins and needles about this project :smirk: so I wanted to follow up and confirm that the new and improved network IoT isolation is in place.

Provides some added safety/security for ourselves, and probably as importantly, it was fun to learn about a few new things (VLANs! VIFs! Firewall rules!). Plus, I got to buy some new gear under the cover of statements like “Honey, this stuff is absolutely required for our family’s safety and security!” No one could stop me. :smiley:

New setup is:

  • Ubiquiti Edgerouter 12 - new
  • eero Pro (Base + 2 sats)
  • Orbi Mini (Base + 1 sat) - new

The Edgerouter is the master router, with the eero Pro and Orbi Mini attached to it in AP mode, and each router assigned to a separate VLAN:

  • VLAN1: Personal/private - Orbi
  • VLAN2: IoT/Guest network - eero

Each VLAN is assigned to four of the ports on the router (VLAN1 to 0, 1, 2, 3, and VLAN2 to 4, 5, 6, 7). In addition to the APs, a few other devices that live near the router (e.g., NAS) are connected directly to the router on the remaining private or IoT/Guest ports.

Everything is working well. From the IoT device perspective nothing really changed - they are attached to the same router/SSID that they have always been on, and they have the same access to the internet. I have created firewall rules (and a couple of other settings) to enable access to IoT devices originating from my personal VLAN to the IoT VLAN… initiation is one way only (Personal to IoT) and any new/unrelated access initiated from IoT to any other LAN is blocked. Also enabled mDNS on the router so I can cast from my Personal VLAN to my IoT VLAN. Best of both worlds.

So now I can sleep peacefully, and dream of additional hardware to purchase under my newfound “Security!!” open purchase order. :smiley:

3 Likes
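For readers who want to see what the one-way arrangement in the post above looks like in configuration, here is an added example written in EdgeOS CLI syntax (the EdgeRouter's Vyatta-style `set` commands). It is not the poster's actual configuration: the interface names (`switch0` with ports `eth0`..`eth7`), the VLAN IDs 10 and 20, and the 192.168.10.0/24 and 192.168.20.0/24 subnets are assumptions chosen for the example. The important parts are the `established`/`related` rule, which is what lets replies flow back from IoT to Personal without allowing IoT to open new connections, and the separate `local` chain, which keeps IoT devices away from the router's own management services while still allowing DHCP, DNS and mDNS.

```edgeos
# Added example, not the poster's config. Assumed: switch0 carries eth0-eth7,
# VLAN 10 = Personal (192.168.10.0/24), VLAN 20 = IoT/Guest (192.168.20.0/24).
configure

# Port-based VLANs on the built-in switch: eth0-eth3 untagged in VLAN 10, eth4-eth7 in VLAN 20
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth0 vlan pvid 10
set interfaces switch switch0 switch-port interface eth1 vlan pvid 10
set interfaces switch switch0 switch-port interface eth2 vlan pvid 10
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 switch-port interface eth4 vlan pvid 20
set interfaces switch switch0 switch-port interface eth5 vlan pvid 20
set interfaces switch switch0 switch-port interface eth6 vlan pvid 20
set interfaces switch switch0 switch-port interface eth7 vlan pvid 20

# One routed VIF (virtual interface) per VLAN; the router is the gateway for each
set interfaces switch switch0 vif 10 description Personal
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 20 description IoT-Guest
set interfaces switch switch0 vif 20 address 192.168.20.1/24

# DHCP and DNS forwarding for the IoT VLAN (Personal VLAN configured the same way)
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 default-router 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 dns-server 192.168.20.1
set service dhcp-server shared-network-name IOT subnet 192.168.20.0/24 start 192.168.20.100 stop 192.168.20.199
set service dns forwarding listen-on switch0.10
set service dns forwarding listen-on switch0.20

# Every internal subnet goes in one group so the IoT rules need no per-VLAN entries
set firewall group address-group LAN_NETWORKS description "All internal subnets"
set firewall group address-group LAN_NETWORKS address 192.168.10.0/24
set firewall group address-group LAN_NETWORKS address 192.168.20.0/24

# IOT_IN: traffic entering the router from the IoT VLAN, headed elsewhere.
# Default accept keeps internet access working; rule 30 blocks NEW sessions toward any LAN.
set firewall name IOT_IN default-action accept
set firewall name IOT_IN description "IoT VLAN to other networks"
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description "Replies to sessions Personal started"
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description "Drop invalid state"
set firewall name IOT_IN rule 20 state invalid enable
set firewall name IOT_IN rule 30 action drop
set firewall name IOT_IN rule 30 description "IoT may not initiate to any LAN"
set firewall name IOT_IN rule 30 destination group address-group LAN_NETWORKS
set firewall name IOT_IN rule 30 state new enable
set firewall name IOT_IN rule 30 log enable

# IOT_LOCAL: traffic from the IoT VLAN to the router itself. Default drop, so
# IoT devices cannot reach the router's web UI/SSH; only the services they need are open.
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL description "IoT VLAN to router"
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 state established enable
set firewall name IOT_LOCAL rule 10 state related enable
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 description "DNS"
set firewall name IOT_LOCAL rule 20 protocol tcp_udp
set firewall name IOT_LOCAL rule 20 destination port 53
set firewall name IOT_LOCAL rule 30 action accept
set firewall name IOT_LOCAL rule 30 description "DHCP"
set firewall name IOT_LOCAL rule 30 protocol udp
set firewall name IOT_LOCAL rule 30 destination port 67
set firewall name IOT_LOCAL rule 40 action accept
set firewall name IOT_LOCAL rule 40 description "mDNS for the repeater"
set firewall name IOT_LOCAL rule 40 protocol udp
set firewall name IOT_LOCAL rule 40 destination address 224.0.0.251
set firewall name IOT_LOCAL rule 40 destination port 5353

# Attach both chains to the IoT VIF. No chain on the Personal VIF, so Personal -> IoT is open.
set interfaces switch switch0 vif 20 firewall in name IOT_IN
set interfaces switch switch0 vif 20 firewall local name IOT_LOCAL

# mDNS repeater so casting/discovery works across the two VLANs
set service mdns repeater interface switch0.10
set service mdns repeater interface switch0.20

commit
save
exit
```

After committing, `show firewall name IOT_IN statistics` shows the per-rule packet counters; a rising count on rule 30 means something on the IoT VLAN tried to open a connection into a LAN and was dropped, which is exactly the traffic the isolation is meant to stop. The same rule-30 hits (logged because `log enable` is set) are the first place to look when an IoT device misbehaves after the change, since a device that expects to reach a hub or NAS on the Personal side will show up there.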

I just put a UDM Pro in (yes, overkill!) and a Raspberry Pi with Pi-hole. I was mentally convincing myself that I now needed a UniFi switch with PoE and the UniFi APs to do my segment. Buying a separate mesh for IoT/guest could be cheaper…

I may need more info on how you set up the firewall rules. My SmartThings devices have been a bit flaky since I put in the UDM with threat detection.

I think you mentioned that your Edgerouter was the main router that the other 2 are connected to. Where does the Edgerouter get its signal from? For example, my ISP Modem/Router has a coax cable input. I don’t think the Edgerouter has a coax input. Does it get its input from an ISP Modem/Router ethernet output? Could you provide a drawing showing how the various pieces fit together? Also, can you cite any helpful links that explain VLANs and other important concepts? You mentioned that SmartThings may have become a little bit sensitive to your changes. Have you resolved this? Was it worth it?