Home VLAN Switches and APs to Isolate IoT Devices

My home has more than the usual number of internet enabled devices that are often described as the Internet-of-Things (IoT). I would like to isolate them from each other on the LAN and also on the WiFi wireless network.

The cables feed from an unmanaged 24 port switch to Ethernet jacks throughout the house. There are also two 5-port switches in rooms where IoT devices need to share an Ethernet jack.

We have four WiFi access points scattered throughout the house. We could probably get by with fewer. They currently operate on the same channels and SSIDs to allow continuity when moving from one access point to another. We have one WiFi-only IoT device that I would like to isolate now, but I predict that we will acquire more WiFi-only IoT devices in the future.

Requirements:

  • A given device may connect via Ethernet, WiFi, or both.
  • Isolate IoT devices so that they can see the internet, but cannot communicate directly with other devices on the LAN.
  • The isolation requirement applies to selected Ethernet devices.
  • The isolation requirement also applies to selected WiFi devices.
  • The design supports authorized connections where appropriate, such as between family computers and servers on the LAN. That includes systems that VPN into the LAN through the firewall.
  • The design supports a central 24-port switch with two satellite 5-port switches, but can support additional 5-port switches in the future if needed.
  • The design supports the usual scanning and monitoring on the LAN (Ethernet and WiFi) from authorized devices. (e.g., Run a port scan to find all active IP addresses and open ports on the LAN.)
  • The network can be easily managed from computers on the LAN or VPN.

An acquaintance has a similar setup in his home. He told me that he is using Netgear managed switches for small business and Netgear WiFi access points that support isolation through multiple SSIDs. I went to Netgear's website, but it was difficult to determine which hardware to buy. I am not sure that Netgear is the best solution, either.

I realize that specialized features cost money, but I have a basic small network. Hopefully someone makes entry-level smart switches and access points that are easy to manage and relatively inexpensive, but still meet my requirements.

-> Can you recommend basic hardware to replace my unmanaged switches and access points with ones that will let me isolate IoT devices from the rest of the LAN?

Comments

  • cubedata Member, Patron Provider

    @emg said:
    -> Can you recommend basic hardware to replace my unmanaged switches and access points with ones that will let me isolate IoT devices from the rest of the LAN?

    yes ubiquiti networks

  • Not much help probably, but as far as WiFi is concerned I run a software AP based on a Linksys PCI card (~10€ on eBay). IIRC the card supports multiple SSIDs in master mode. So if a software AP is an option for you, that is something you might look into. Works nicely in a repurposed Siemens Futro S400 thin client, which again is like 10€ on eBay and comes with onboard Gbit Ethernet.

  • I think there is some over thinking going on here.

    How big is your house to the point that you need 4 access points?

    How many wireless and (IoT) devices are currently on the network? How many PCs?

    Segmenting any device(s) onto a separate LAN and/or wireless network is pretty straightforward, especially since you have a small network, which you describe as "basic."

    For the average home user, managed switches etc. are way overkill and only serve to lighten your wallet. Do some Google research on what you think you need and what is far more practical without spending a boatload of money.

  • I'm planning a similar setup for my home to isolate IoT devices. I'm looking into pfSense and a router that can run pfSense with AES-NI support for pfSense 2.5 and above. As you already have WiFi routers that can run as APs, I would suggest you go with pfSense.

  • The best way to isolate poorly-conceived IoT devices is with a soldering iron.

  • rm_ IPv6 Advocate, Veteran

    WSS said: The best way to isolate poorly-conceived IoT devices is with a soldering iron.

    Soldering iron is conductive, to isolate try duct tape.

  • @rm_ said:

    WSS said: The best way to isolate poorly-conceived IoT devices is with a soldering iron.

    Soldering iron is conductive, to isolate try duct tape.

    Wrapping a soldering iron in duct tape smells pretty bad.

  • rm_ IPv6 Advocate, Veteran
    edited December 2017

    As for the OP, get a single managed switch to start with, and familiarize yourself with the concept of VLANs. This one will do: https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I/ref=pd_sim_147_6
    and can later be used where you have your current 5-port ones.

    For access points, I'd get any TP-Link which is on LEDE's compatibility list (and of course flash with LEDE). It will support multiple SSIDs on AP, each bridged to its own wired VLAN.

  • Maounique Host Rep, Veteran

    It might be overkill, but a RouterBoard (MikroTik) could do that too. I have had various issues with cheap plastic WiFi routers and access points, but this one has served me for a fairly long time without interruptions and hangs, has good range to the point of covering the street through 2 walls and floors 100+ m away, and can do almost any kind of isolation, including its own IoT SSID with NAT and VLANs.

  • emg Veteran

    @Weblogics said:
    I think there is some over thinking going on here.

    How big is your house to the point that you need 4 access points?

    How many wireless and (IOT) devices are currently on the network? How many pc's?

    Segmenting any device(s) onto a separate LAN and or wireless network is pretty straightforward - especially since you have small network, of which you describe as
    "basic."

    For the average home user, managed switches etc are way overkill and only serve to lighten your wallet. Do some Google research on what you you think you need and what is far more practical without spending a boatload of money

    I admit it. Most people are happy with what they have with much less security. Isolating IoT devices on both Ethernet and WiFi may be overkill, but that it what I am trying to spec out for pricing. I reserve the right to look at the cost and say no.

    How big is your house to the point that you need 4 access points?

    My house is long, skinny, and old. It has lath and plaster walls that block WiFi signals more than newer homes. I need three access points: one at each end of the house and one in the middle. The fourth access point was an early attempt at isolation for two IoT devices, but it is useful for getting the WiFi signal out to the backyard.

    How many wireless and (IOT) devices are currently on the network? How many pc's?

    A lot. There are multiples of DVRs, DVD players, Apple TVs, game consoles, hobby systems (e.g., single board systems such as Raspberry Pi). There is also a "smart" pool filter system and a WiFi-only oven. I foresee WiFi cameras, doorbells, smart assistants, etc. in our future. Each family member has their own personal computer and cell phone, and we have a few servers (a primary server and some older ones that need to be offloaded and retired).

    For the average home user, managed switches etc are way overkill and only serve to lighten your wallet. Do some Google research on what you you think you need and what is far more practical without spending a boatload of money

    Agreed, but it is what I want to spec out to see how much it will cost. That is why I am looking for advice from the experts here to figure out which hardware to include in a "reasonable" system sized for a small business, that happens to be my home.

  • wwabbit Member
    edited December 2017

    It's not going to be cheap, but an Ubiquiti setup would easily meet your requirements.

    What you will need:

    1x VLAN aware Router
    1x 24 port managed switch
    3-4x Ubiquiti APs
    2x 5 port managed PoE switches
    1-2x PoE injectors

    With the Ubiquiti APs, you can have 4 of them set up with 2 different SSIDs and each SSID will be mapped to a separate VLAN (your main VLAN and IOT VLAN). Each port on each of the 3 managed switches will be configured to ACCESS on one of the 2 VLANs or as a TRUNK for connecting between switches and the APs.

  • rm_ IPv6 Advocate, Veteran
    edited December 2017

    For the average home user, managed switches etc are way overkill and only serve to lighten your wallet.

    Most certainly, like that fucking $30 managed switch I linked above. Stop living in 2004 when this stuff was expensive.

    Also any LEDE router also doubles as a managed switch of sorts, it typically can control the onboard switch chip well enough to set up VLANs, and can even route/firewall between those, which real managed switches won't.
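
    As an added example (not code from the thread or from any poster), here are LEDE/OpenWrt UCI fragments that implement the design sketched in this thread: @wwabbit's layout of untagged access ports plus a tagged trunk port carrying both VLANs to the other switches and APs, a second SSID bridged to the IoT VLAN as rm_ describes, and the router-side firewalling between VLANs. Everything specific here is an assumption, not from the page: VLAN 1 as the trusted LAN and VLAN 20 as IoT, 192.168.20.0/24 for IoT, the SSID name, the swconfig port numbering (port 0 = CPU, ports 1-3 = access, port 4 = trunk; check yours with `swconfig dev switch0 show`), and the helper names `write_iot_vlan_config` and `iot_forwards_to_lan`. The firewall zone lets IoT reach the WAN only, lets the trusted LAN (which is where VPN clients land) reach IoT for port scanning and management, and still lets the router answer DHCP and DNS for the IoT VLAN. The small awk audit checks a firewall fragment for the one thing that would silently break the isolation requirement: a forwarding from `iot` to `lan`.

```shell
#!/bin/sh
# Added example, not from the thread. Writes UCI fragments for an IoT VLAN
# on a LEDE/OpenWrt router with a swconfig switch. All IDs, addresses and
# port numbers are assumptions; append each fragment to the matching
# /etc/config/<name> file on the router and run "reload_config".

write_iot_vlan_config() {
    dir="$1"
    mkdir -p "$dir"

    # /etc/config/network: VLAN 1 (lan) untagged on ports 1-3, VLAN 20 (iot)
    # only on the trunk (port 4, tagged) and the CPU port (0, tagged).
    cat > "$dir/network-iot.conf" <<'EOF'
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1 2 3 4t'

config switch_vlan
    option device 'switch0'
    option vlan '20'
    option ports '0t 4t'

config interface 'iot'
    option type 'bridge'
    option ifname 'eth0.20'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'
EOF

    # /etc/config/wireless: second SSID on the same radio, bridged into 'iot'.
    # 'isolate' also stops IoT clients on this AP from talking to each other.
    cat > "$dir/wireless-iot.conf" <<'EOF'
config wifi-iface 'iot_ap'
    option device 'radio0'
    option mode 'ap'
    option network 'iot'
    option ssid 'Home-IoT'
    option encryption 'psk2'
    option key 'change-me-before-use'
    option isolate '1'
EOF

    # /etc/config/dhcp: a lease pool for the IoT VLAN.
    cat > "$dir/dhcp-iot.conf" <<'EOF'
config dhcp 'iot'
    option interface 'iot'
    option start '100'
    option limit '150'
    option leasetime '12h'
EOF

    # /etc/config/firewall: iot -> wan only; lan -> iot for scanning; the
    # router itself accepts only DHCP and DNS from the IoT zone.
    cat > "$dir/firewall-iot.conf" <<'EOF'
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'iot'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iot'

config rule
    option name 'iot-dhcp'
    option src 'iot'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'iot-dns'
    option src 'iot'
    option dest_port '53'
    option target 'ACCEPT'
EOF
}

# Audit: exit 0 (true) if the firewall fragment contains a forwarding from
# 'iot' to 'lan', i.e. the isolation requirement is violated; exit 1 if not.
iot_forwards_to_lan() {
    tr -d "'" < "$1" | awk '
        /^config forwarding/ { insec = 1; src = ""; dest = ""; next }
        /^config /           { insec = 0 }
        insec && $1 == "option" && $2 == "src"  { src = $3 }
        insec && $1 == "option" && $2 == "dest" { dest = $3 }
        insec && src == "iot" && dest == "lan"  { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Usage:
#   write_iot_vlan_config /tmp/iot-vlan
#   if iot_forwards_to_lan /tmp/iot-vlan/firewall-iot.conf; then
#       echo "isolation broken: iot may forward to lan"; fi
```

    The trunk port (4t) is what feeds the managed 24-port switch, the satellite 5-port switches and the other APs: on each of those, the uplink is a tagged member of both VLANs, and every device port is an untagged access port on either VLAN 1 or VLAN 20. Note that the `lan -> iot` forwarding is deliberately one-way; with `forward 'REJECT'` in the zone and no `iot -> lan` forwarding, IoT devices get replies to connections the LAN opens but cannot open their own.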

  • I'm a big fan of Mikrotik routers and Ubiquiti APs. You can't go wrong with either for this application and they have the feature set you need.

  • @rm_ said:
    Also any LEDE router also doubles as a managed switch of sorts, it typically can control the onboard switch chip well enough to set up VLANs, and can even route/firewall between those, which real managed switches won't.

    I strongly suggest against relying upon this in production. Depending on the hardware, this doesn't always work very well. Some Realtek is oddly stable, as well as Atheros. Other stuff is kind of iffy.

  • rm_ IPv6 Advocate, Veteran
    edited December 2017

    WSS said: Some Realtek is oddly stable, as well as Atheros. Other stuff is kind of iffy.

    Funnily enough, Atheros and Realtek are all I used with this feature (or with OpenWRT/LEDE in general). Primarily Atheros, in all the TP-Links.

  • emg Veteran

    Thanks to everyone for their help. I am bumping this thread again to see if I can get more responses, advice, and suggestions.

  • UBNT UniFi for the APs. If you want everything in one dashboard, then UniFi switches; if not, then you can get smart (web-managed) switches considerably cheaper.

    For the router, either UBNT again (either the EdgeRouter or USG) or MikroTik; 'Tik has a steeper learning curve but is a bit more flexible.

  • @emg said:
    Thanks to everyone for their help. I am bumping this thread again to see if I can get more responses, advice, and suggestions.

    Honestly I feel like this setup is overly convoluted.

    You can use VLAN isolation with port specificity with the proper router and then connect a switch to that port to separate your APs and IoT wireless devices.

    You either have to invest in business hardware or take a router that is DD-WRT/LEDE/Tomato compatible and start customizing it.

    I have used the Cisco RV325 router in a few locations, which supports a lot of what you are asking for, if not all. I am just not sure, because it seems like some of your statements just aren't necessary with this setup.

    The design supports authorized connections where appropriate, such as between family computers

    Like the one above, turn on or off file sharing, no need to do so at the router/switch level.

  • Ubiquiti Unifi if you have some bucks left over.

    Or just start with a managed switch and if your WiFi APs do not support multi-SSIDs routed into different VLANs, then either re-use one specifically for IoT SSID or add more / replace them bit by bit (you will probably not need the IoT WiFi „everywhere“ from day 1 on).
