Home network segregation

marshac (American Hero, joined Mar 25, 2003, 2,551 messages)
Moving into a new home and want to take the opportunity to better secure the home network- more and more IoT devices are on my home network, and since they're essentially black holes I would like to move them onto their own network. Devices would range from lightbulbs, cameras, appliances, TVs, speakers, etc. It's possible some devices will need to contact other devices on the same network, so device isolation isn't necessarily desired, although if it could be accomplished on a per-device basis that would be amazing. In the case of the TVs specifically, it would be nice to allow them access to a NAS running Plex, so some sort of router/firewall between the two networks would be needed.

What hardware should I buy?
 
You probably want to get a device that is a real firewall device. Most consumer-grade routers suck at being a controllable firewall. You want something that easily allows a default rule to block everything to everywhere for both inbound and outbound traffic on a LAN-by-LAN basis. You want something that has multiple LAN ports that can each be a separate LAN with its own DHCP server and such.
While I don't really recommend it anymore, look at the Juniper SSG5 as an example of the type of device you might want. It has 7 independent ports, each of which can be its own zone (LAN) with its own address range and rule set between itself and the other zones. The SSG5 can be a DHCP server for each zone, and it has more than enough routing capability for the average home user. The SSG5 itself is a near-EOL device that only supports 100 Mb on each port and requires a support contract for firmware updates.

I use one because my last employer used a bunch of them and paid for training on how to use one. I picked one up off eBay for around $100 many years ago. It still works fine as an edge device for a DSL line.

The multiple zones will allow you to easily segregate the various gizmos in your house: WAN, LAN, Wireless, IOT-1, IOT-2, etc. Maybe IOT-1 can get to the internet and IOT-2 can't. It is far easier to do general rules on a zone-by-zone basis than to have a long list of rules for each device.

Depending on how many zones you want, one of the Ubiquiti EdgeRouters might work.
 
I'll likely go with Ubiquiti after checking out your suggestion; it looks like it would be nice to have everything, including wifi, under one management suite. My parents are also going to be building in the same development as us in order to be closer to their grandkids, and I've been thinking about sharing my internet connection with them. They won't be torrenting or anything nefarious, so I'm not at all concerned about potential abuse. Checking out some of the Ubiquiti bridge products, I see that they have a 900MHz and a 3GHz bridge. It would be nice to use something other than 2.4/5GHz; the 900MHz band in particular is increasingly vacant, and the lower frequency would likely penetrate through other houses more easily (we won't have line of sight between the houses, but the distance is only about 1/8 mile). My only concern with the 900MHz equipment is that Ubiquiti only offers yagi antennas, and I would like to make everything as unobtrusive and inconspicuous as I can. Any thoughts about throwing a 900MHz yagi in the attic?


Internet -> router
              -> wireless bridge -> parents
              -> IoT crap
              -> wired network
              -> home wifi network


It looks like the ER-X-SFP or the ER8 would work just fine.
 
I looked at the Ubiquiti site and picked up the latest firmware for my ER-Lite. I bought one shortly after release in case my SSG5 died. I think I have the 1.3.x release firmware. I just downloaded 1.9.x and have to load it and check out the improvements.

You might check out the Ubiquiti NMB9 antenna. It looks very similar to a Dish TV type. Other than not being pointed at the sky, it would probably blend in well on the outside of the houses.
 
Make sure you are going into this with the realization that many things in "home network land" ditch what most professionals would deem best practice and expect a single flat network. Some of these can be overcome; others not so much. I'll add that I've used a Fortigate for this purpose for years.
 
Wouldn't just putting IoT on a guest network, giving it internet access only and no access to the network or other devices, solve the problem?

That's what I have done. I had wifi 100% off the home network until I built a NAS and then set up my network and a guest network to be as safe as possible. Make sure you turn WPS off too, obviously.
 
The best recommendation I can give on top of what others have said is to write out your devices, and which ones need to communicate with what. Additionally, write down if any inter-zone firewall rules need to be created (if an IoT television needs to communicate with a media server on the LAN, for example). Then come up with an IP scheme and network scheme and build your firewall in parallel with all of your rules before you place it inline. This will save you tons of headache going forward.
 
While I haven't really started using "IoT" devices, most need to be able to talk to a wireless PC/phone/tablet directly to set them up. So to keep the IoT subnet isolated, you might want to dedicate an inexpensive wireless device to be on the IoT subnet and keep it off the 'trusted' network. Creating rules for individual devices traversing zones can get tricky if you haven't worked with higher-end firewalls. Remember, KISS. And, like Cmustange said, putting together a list of what will go where (zones) will allow you to create the firewall zones and rules. Just create a /24 for each zone/subnet/firewall interface; no need to get too fancy.
 
> While I haven't really started using "IoT" devices, most need to be able to talk to a wireless PC/phone/tablet directly to set them up.

In business practice, I always recommend that administrators have a "staging network": an untrusted network that allows all traffic out and in, and all traffic to communicate intra-zone. After devices have been set up, phoned home, updated, etc., they can be migrated to the appropriate "production" networks. Good luck!
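A worked example of the planning approach the thread converges on (zone-by-zone default deny, a written list of which devices must talk to what, a /24 per zone, and a staging zone for first setup). This is added example code, not from the thread, from Ubiquiti or from any poster: the zones, the 192.168.x.0/24 scheme, the NAS address and the Plex port are constructed, and the `set firewall name ...` lines it prints are an assumed EdgeOS-style rendering that should be checked against the documentation for whatever firewall and firmware you actually deploy.

```python
"""Plan and evaluate zone-to-zone firewall rules for a segmented home network.

Constructed example (not from the thread): one /24 per zone, inter-zone
traffic denied by default, and only the flows written down in PLAN allowed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed IP scheme: a /24 per zone / firewall interface.
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),      # trusted PCs, NAS
    "IOT": ip_network("192.168.20.0/24"),      # TVs, bulbs, cameras
    "STAGING": ip_network("192.168.30.0/24"),  # new gear during first setup
    "GUEST": ip_network("192.168.40.0/24"),    # visitors
}

NAS_IP = "192.168.10.5"  # constructed: the Plex server's address on the LAN


@dataclass(frozen=True)
class Flow:
    """One planned exception to the inter-zone default deny (new connections)."""
    src_zone: str
    dst_zone: str
    proto: str = "any"              # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None = any port
    dst_host: Optional[str] = None  # None = any host in dst_zone
    note: str = ""


# The written plan: every inter-zone flow that must work, and nothing else.
PLAN: List[Flow] = [
    Flow("IOT", "LAN", "tcp", 32400, NAS_IP, "TVs reach Plex on the NAS"),
    Flow("LAN", "IOT", note="trusted hosts may manage IoT gear"),
    Flow("STAGING", "LAN", note="staging is open while devices are set up"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is outside the scheme."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Decide whether a NEW connection is permitted.

    Intra-zone traffic is allowed (no per-device isolation inside a zone);
    inter-zone traffic must match a Flow in PLAN. Replies to accepted
    connections are covered by the stateful rule in edgeos_ruleset(), not here.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    for f in PLAN:
        if (f.src_zone, f.dst_zone) != (src, dst):
            continue
        if f.proto != "any" and f.proto != proto:
            continue
        if f.dst_port is not None and f.dst_port != dst_port:
            continue
        if f.dst_host is not None and ip_address(f.dst_host) != ip_address(dst_ip):
            continue
        return True
    return False


def edgeos_ruleset(src_zone: str, dst_zone: str) -> List[str]:
    """Render one direction of the plan as EdgeOS-style 'set' commands.

    Assumed syntax: verify against the EdgeOS docs for your firmware before
    applying. Rule 1 admits replies of already-accepted connections; anything
    not listed after it falls through to the default drop.
    """
    name = f"{src_zone}_TO_{dst_zone}"
    lines = [
        f"set firewall name {name} default-action drop",
        f"set firewall name {name} rule 1 action accept",
        f"set firewall name {name} rule 1 state established enable",
        f"set firewall name {name} rule 1 state related enable",
    ]
    n = 10
    for f in PLAN:
        if (f.src_zone, f.dst_zone) != (src_zone, dst_zone):
            continue
        lines.append(f"set firewall name {name} rule {n} action accept")
        lines.append(f"set firewall name {name} rule {n} description '{f.note}'")
        if f.proto != "any":
            lines.append(f"set firewall name {name} rule {n} protocol {f.proto}")
        if f.dst_host is not None:
            lines.append(f"set firewall name {name} rule {n} destination address {f.dst_host}")
        if f.dst_port is not None:
            lines.append(f"set firewall name {name} rule {n} destination port {f.dst_port}")
        n += 10
    return lines


def broad_flows() -> List[Flow]:
    """Review check: flows that open a whole zone on every port and protocol."""
    return [f for f in PLAN if f.proto == "any" and f.dst_port is None and f.dst_host is None]


if __name__ == "__main__":
    for pair in [("IOT", "LAN"), ("GUEST", "LAN")]:
        print("\n".join(edgeos_ruleset(*pair)))
    print("broad flows to reconsider:", [f.note for f in broad_flows()])
```

Running it prints the IOT-to-LAN ruleset (default drop, a stateful reply rule, and a single accept for TCP 32400 to the NAS) and the GUEST-to-LAN ruleset, which contains nothing but the drop and the reply rule because the plan lists no flow for that pair. The `broad_flows()` check is the review step Cmustang87 and the later posters describe: it flags any zone pair you have left wide open, which is expected for the staging zone but worth a second look for LAN-to-IOT once the devices are in production.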
 
And I am appropriately embarrassed that I misspelled Cmustang87's name.
 