SmartThings and VLANs

So I am not sure if this is the correct location for this or not, but whatever; since this was a project I was working on at home and it involved SmartThings to some extent, we'll go with it here.

Now, to probably, oh let's say, 90% of the ST population, this will not apply to you.

Here's to the rest of the 10%. If you're like me at home and you have your own home lab setup with servers and firewalls and VLANs, then this applies to you.

Up until recently I had 2 VLANs in my house: 1 for everything and 1 for the DMZ.

So I recently decided to change my firewall over from Sophos UTM to pfSense. If you're curious why I did that, PM me and I'll let you know. In doing so, I decided that it was also a good time to slice the house up into multiple VLANs.

So we now have the following:
LAN (you know just PCs)
Servers
DMZ
Management
Cameras
Kids
Connected Devices

So once I sliced it all up, I then moved all of my Kodi boxes off to the Connected Devices VLAN, because there is no reason for the FW to proxy them or filter them with SquidGuard, so off you go to your own VLAN.

OK, so you're probably like, get to the point. So here we go.

What I discovered when I initially did this is that with ST still on my regular house LAN and the Kodi devices off on their own VLAN, ST will no longer talk to them. It doesn't know how to properly utilize its gateway and just let the router take care of routing the traffic off.

So what I ended up doing was figuring out which port ST was plugged into in my switch, and I moved it off to the VLAN with the rest of my connected devices, so now ST is able to once again talk to Kodi as well as some other things over there, like a Foscam WiFi camera.

I’m not sure if this has been brought up before or if ST staff like @slagle knew about this either.

Like I said at the beginning, to most of the user community this is a moot and null issue, but for those of us who go a little more on the advanced side it could be a headache when you're like, why won't you just talk to them.

I had ACLs forwarding all broadcast/multicast through my VLANs when I did this; it worked, kind of…

The multicast did with SSDP at least. Not sure I saw anything where the hub didn't work due to not using its gateway though… I had a Foscam, and some Sonoff WiFi switches, working with it on a different VLAN/subnet.

I liked pfSense back in the day, always have, good choice!

I went the reverse of what you did: had an HA VLAN/WiFi network, had random bs issues, removed the VLAN, put the hub on my normal LAN, and kept the WiFi network just for those specific devices, and all my issues went away.

So is all of the IoT completely isolated from the rest of the network now?

@Crussell more or less. I have a few rules for that VLAN to let a few things pass through from that subnet but for the most part they’re now off on their own.

@michaelahess One of these days I need to document the whole F'n setup lol, so that just in case something happens to me, my wife can hand the document over to a friend of mine and ask them to fix something if it breaks.

I actually did this, because my house would seem possessed if I died and something went wrong. Showed it to my wife; she patiently waited for 10 minutes as I went over the highlights, and then she looked at me and just walked off.

Really would love to know what would happen if I disappeared… it would be entertaining, I think.

4 Likes

That was quite nice of her to at least watch the presentation.

Mine understands why I split the whole mess up into multiple VLANs, and it sure is nice having the heavy content filter turned on for the kids.

Someday I'd like to get RADIUS set up and rocking and have dynamic VLAN assignments :slight_smile:

1 Like

This is how my whole network is set up: ST, servers, laptops, TVs, etc.

Depending on your level of paranoia, use an AP that has multiple SSIDs mapped to separate VLANs. Then, with a firewall or access lists, you can control what each VLAN has access to. Then you need to break the devices into classes of connectivity:

Need just a constant "cloud" connection to work properly
Need no connection except for initial config/updates; need a local connection
Need both a cloud connection and a local connection to work

If you have a class of devices that are truly cloud-based (i.e. they don't use any local traffic; it all must go out to the internet and back), creating an SSID and VLAN that segregates their traffic is a simple measure to make sure that any hostile activity they might be repurposed for is sheltered from high-value targets like your backup server. Putting devices that need some sort of always-on connection in their own class keeps them sidelined if there is some sort of remote compromise of their command and control structure (the cloud).

If you still need local access to some of those devices, say to give your phone just the ability to access port 80 on your TV or your light bulb (if that's how the smart remote works), a stateful firewall rule can enforce that only your phone, to only that port on the TV, will be allowed. If your TV needs no internet access and only protected local access, this would fall into another category which would need its own SSID, and if you really want it to be able to talk to the internet but no other devices, and be all by itself, it would need its very own SSID and VLAN, and many of those can be created if needed.

One measure that could also go a long way if your network is subject to transient devices (i.e. relatives' tablets or laptops dropping by from time to time) is putting just those on a different VLAN, since, for example, your smart light bulb, unless you purposefully open a port from the internet at large, is of no harm even without a password, since you (hopefully) trust all the other devices on your network to not be under malicious control.

Several inexpensive WiFi/router devices that can be loaded with OpenWRT or DD-WRT can be configured this way. The challenge isn't how to pull all this off; it's how to keep it all working smoothly and not throw up your hands, admitting that it's easier to just live under the spectre of network Armageddon in order to not have to unblock a port every time your phone TV app updates and says your TV firmware is now out of date. If you're like most people, you just harden what you can: automatic or alerted updates on all devices that support it, smart firewall rules with anything like UPnP disabled, and carry on with your life.

After that slap firewalls on and good to go!

Then no problems at all. In fact, I think it made my network even more optimized.

1 Like
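The device-class policy laid out a few posts up (cloud-only gadgets, local-only devices, devices that need both, and a phone allowed to reach only port 80 on the TV) can be modelled as a first-match rule table with a default deny at the end plus a stateful return-path check. The block below is an added worked example, not code from the thread or from any poster; the VLAN names, subnets, host addresses and rules are constructed assumptions chosen to mirror the classes the post describes.

```python
"""Toy model of per-class VLAN segmentation with first-match, default-deny rules.

Added example; not from the original thread. All subnets, hosts and rules are
constructed assumptions that follow the device classes described in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNET = "internet"

# Constructed VLAN plan (the post names the classes, not the numbers).
VLANS = {
    "lan": ip_network("10.0.10.0/24"),         # phones and PCs
    "servers": ip_network("10.0.20.0/24"),     # backup server lives here
    "cloud_only": ip_network("10.0.30.0/24"),  # class 1: only needs the vendor cloud
    "local_only": ip_network("10.0.31.0/24"),  # class 2: TV, bulbs; no internet at all
    "both": ip_network("10.0.32.0/24"),        # class 3: hub; needs cloud and local
    "guest": ip_network("10.0.40.0/24"),       # transient relatives' devices
}


def zone_of(host: str) -> str:
    """Map an address to its VLAN name; anything outside the plan is the internet."""
    ip = ip_address(host)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return INTERNET


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # zone name, "any", or one host address
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    @staticmethod
    def _side_matches(pattern: str, host: str) -> bool:
        return pattern in ("any", host, zone_of(host))

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self._side_matches(self.src, src)
                and self._side_matches(self.dst, dst)
                and (self.dport is None or self.dport == dport))


# First match wins; the last rule is the default deny that catches everything else.
RULES = [
    Rule("allow", "10.0.10.5", "10.0.31.10", 80),  # the phone -> the TV, port 80 only
    Rule("allow", "lan", "servers"),               # PCs reach the backup server
    Rule("allow", "lan", INTERNET),
    Rule("allow", "both", "local_only"),           # hub may drive the TV and bulbs
    Rule("allow", "both", INTERNET),               # hub reaches its cloud
    Rule("allow", "cloud_only", INTERNET),         # cloud-only gadgets get internet only
    Rule("allow", "guest", INTERNET),              # relatives get internet only
    Rule("deny", "any", "any"),
]


class StatefulFirewall:
    """Evaluates new connections against the rule table and remembers the ones it opened."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()  # (src, dst, dport) of every allowed connection

    def new_connection(self, src: str, dst: str, dport: int) -> Tuple[bool, str]:
        """Decide on a connection attempt; returns (allowed, matched rule description)."""
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                allowed = rule.action == "allow"
                if allowed:
                    self.conntrack.add((src, dst, dport))
                port = rule.dport if rule.dport is not None else "any"
                return allowed, f"{rule.action} {rule.src} -> {rule.dst}:{port}"
        return False, "no rule matched"  # unreachable while the default deny is present

    def reply_allowed(self, src: str, dst: str, sport: int) -> bool:
        """Return traffic passes only for a connection the rule table already opened."""
        return (dst, src, sport) in self.conntrack


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    for src, dst, port in [("10.0.10.5", "10.0.31.10", 80),   # phone -> TV web UI
                           ("10.0.10.5", "10.0.31.10", 22),   # phone -> TV ssh
                           ("10.0.30.7", "10.0.20.2", 445),   # cloud gadget -> backup server
                           ("10.0.31.10", "203.0.113.9", 443)]:  # TV -> firmware check
        print(src, "->", dst, port, fw.new_connection(src, dst, port))
```

The TV's own "your firmware is out of date" call in the last line is dropped, which is exactly the unblock-a-port trade-off the post describes: a local-only device can answer the phone because `reply_allowed` sees the tracked connection, but it cannot open anything itself, so a compromised TV or cloud-only gadget never gets a path to the servers VLAN.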

I used to do that with a free RADIUS network, can't remember what it was called, mid-2000s though I think. It worked well for everything I had at the time; I also ran a full Windows domain structure and LDAP on my Linux stuff. Then I had an epiphany… I spent SO much time fiddling with all that crap, I never really got to enjoy being home. I mean I love this stuff, but there comes a point… Having your own TACACS/RADIUS server for network lab stuff is great though.

My rack is now a few Cisco switches, a Juniper firewall, some WiFi stuff, and all my IoT hubs. It's kinda depressing, so I put the door back on it (in my closet), added ventilation fans and a temp display on the door so I know if things are on fire.

My life seems a bit better now tbh.

This! I gave in to Armageddon. :slight_smile: I used to have MAC lists on all my SSIDs, VLANed out, the ACLs very similar to what you stated. It was awesome, except it was a PIA to troubleshoot, and things just didn't always work.

I use Microsoft Family Security for the kids, with some select firewall filtering, and that's basically it. Some of my hub/HA devices are still on some ports in a PVLAN, but that's about it.

Asus with Merlin… makes it a lot easier.

Yeah, I use Ubiquiti WAPs at the house and they're now broadcasting like 4 SSIDs for all the different VLANs, including my guest network, which is where I send relatives off to lol.

One of the main reasons for the VLANs was not only to segregate the network a bit and optimize it. I also now have a few IP cams at the house, and if someone were to compromise one of my external cams they would have a direct link to the network, so with those switch ports now being isolated, have fun :slight_smile:

I need to lock down some of my VLANs a little bit more, but all in due time; I am making the network a little more secure. Of course things like my PC and the wife's have some pretty lax rules compared to the rest of the network :slight_smile:

2 Likes

Wow, that's perty, but I don't have any Asus's :frowning:

My Juni is fully scriptable, and I'm an "expert" with it, just gotten lazy at this point. DD-WRT on one of my APs; the other is a Portal at the moment, replacing my Cisco AC AP actually, and working better… not nearly as flexible, but I don't need it for its purposes.

Yeah, my DVR for my security system is on that previously mentioned PVLAN, with an allowed triangle route so I can still hit it "publicly" with my phones/tablets. That's the easiest thing in IoT to exploit, it seems… {stating the obvious once more}

You could always spoof the cameras that you're worried about, then stream a short loop of video embedded with a buffer overload script…

2 Likes