Getting Started With IOT Safe Network

Hi all,

Newbie still getting started with IOT.

So I have a few IOT meross bulbs and plugs - all setup and working using just IOS home App.

Now with some help - I managed to create a secondary Network just for IOT items (for security)

Next I am attempting to set up a new device using the new safe IOT Network.

On my phone I switched the Wi-Fi network to the new IOT network.

Then I plugged in the NEW meross plug and went to the home app and tried to add new device - scanned the QR code and waited. Previously, other devices worked fine like this; however, this one ultimately failed.

Also it said things like my other devices are not on this Network…

Goal: ultimately I want to switch all IOT stuff to the safe IOT network. I am not sure how to get this set up.

Q: do I need to first dismantle all the other devices and set them up from scratch on the new network? Or, what is the best way to switch everything over to the IOT Network?

1 Like

Thanks very much SpivR.

So are you saying that for security purposes, any HomeKit light bulb should be fine since the protocol handles security by itself?

Does that apply to light bulbs that support multiple standards?

That’s the point of having a separate VLAN. You don’t know what they do, or for that matter need to do, so you segment them from the rest of your network. There are many cases of these devices behaving badly, and segmentation is generally a good idea.

I don’t think doing this manually is the best idea. If you can’t segment, then focus on DNS. Many of these devices try and tunnel DNS requests over non-standard ports to hide their activities.

This is an interesting discussion, especially as I’m trying to figure out what IOT/automation gear to use for various efforts.

How would you recommend ordinary MPU listers — power users, but maybe not at the extreme end of that category — go about identifying equipment that should be reasonably trustworthy? Just HomeKit-only, or are there protocols or manufacturers that are more trustworthy?

@dealtek Just be aware that if you run Eero solely for WiFi (i.e. you have a separate router which separates your internal network from the Internet), then the HomeKit functionality built into the Eero will not work.

1 Like

Thanks @SpivR et al. for your insights.

VLANs seem to be a sticking point, or overly challenging for home use.
What about just having a separate Wi-Fi router for the IoT?
iDevices, Macs, Apple TV, Plex, etc. on a 10.0.0.x Wi-Fi router, and IoT hubs, HomeKit devices, etc. on a 192.168.0.x Wi-Fi router.

Hm. Just realizing 192.168.0.x will need an iPad, HomePod, Apple TV to function as a HomeKit hub.

Maybe the best strategy is not to buy Happy Duckling light bulbs, etc. but stick to major brands?

What would you define as dodgy? A wide range of consumer products behave badly; HomeKit or not.

You have two choices:
- Create a separate VLAN; you can put end user devices (iOS based) in this VLAN along with your HomeKit devices (pros and cons of doing this). Or, you can completely isolate your IOT devices and use mDNS/Bonjour forwarding to enable segmented devices to communicate with the IOT VLAN properly.
- The second choice is to limit outbound DNS requests in the single VLAN as mentioned before. If you're using a third party DNS service you can tweak rules further.

While not ideal, it's not incredibly difficult. Many MPUers have servers, media centers, etc. that are more complex to manage than enabling this setup.

2 Likes
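The isolated-IoT-VLAN option above (and the "LAN can initiate, IoT can only respond" behaviour described later in the thread) rendered as an nftables ruleset for a Linux router; this is an added example, not configuration from any poster or from Unifi/Firewalla. It assumes interface names br-lan (trusted LAN), br-iot (IoT VLAN) and wan, that the router runs the DNS resolver and DHCP for the IoT VLAN, and that an mDNS reflector such as avahi-daemon runs on the router to bridge Bonjour discovery between the two VLANs.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset. Assumed interfaces: br-lan (trusted LAN: Macs, iPhones,
# Apple TV / HomeKit hub), br-iot (IoT VLAN: bulbs, plugs, Abode), wan (Internet).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # The router's own resolver and DHCP are the only services IoT may use
        iifname "br-iot" udp dport { 53, 67 } accept
        iifname "br-iot" tcp dport 53 accept

        # mDNS (224.0.0.251:5353) is link-local and is never routed; the reflector
        # on the router has to receive it from both VLANs to re-announce it
        iifname { "br-lan", "br-iot" } ip daddr 224.0.0.251 udp dport 5353 accept

        iifname "br-lan" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the trusted side opened: IoT may only "respond"
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN initiates toward IoT (HomeKit hub -> accessory, after mDNS discovery)
        iifname "br-lan" oifname "br-iot" accept

        # Pin IoT name resolution to the local resolver: direct DNS / DoT to outside
        # resolvers is logged and dropped, so DNS policy applied on the router holds
        iifname "br-iot" oifname "wan" meta l4proto { tcp, udp } th dport { 53, 853 } \
            log prefix "iot-dns-bypass: " drop

        # Cloud-dependent gear (Meross etc.) still gets ordinary Internet access
        iifname "br-iot" oifname "wan" accept

        # Anything IoT tries to start toward the LAN is dropped; log it for review
        iifname "br-iot" oifname "br-lan" log prefix "iot-to-lan: " drop
    }
}
```

mDNS only handles discovery; the HomeKit session itself is an ordinary TCP connection from the hub to the accessory, which is why the br-lan to br-iot accept rule (and the established,related rule for the replies) is still needed alongside the reflector.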

Interesting discussion and I think it has become time that HomeKit gets its own category in the forum.

I am with @SpivR that making it work is not for the faint of heart. It took me a long time to get everything IoT on its own VLAN and wifi and still addressable through controllers in different networks. Even when it worked it also unexplainably stopped working on a regular basis. For a while, I had my iOS devices also on the IoT networks for that reason.

I am using Ubiquiti Unifi and firewalla network equipment, which can be configured with great granularity and I was able to make it work, including inbound VPN for remote control. It definitely doesn’t work the way Apple intended things to work assuming everything is on the same network, but with very few restrictions I feel I have hit the sweet spot between security and functionality.

2 Likes

I have the same setup with the IOT devices on a separate VLAN/SSID. Everything in my main LAN can communicate with the IOT network but the devices on the IOT network cannot initiate communication with the LAN network, only respond.

If you ask me how I set it up, I don’t think I would be able to remember. I am also using the Unifi gear.

I spent quite a bit of time on it and was quite proud when I had set it up; my wife was less impressed.

2 Likes

Ditto experience here. But all good once it all worked …

Isn’t that a fundamental tenet of segmentation, management networks, and networking in general? I don’t care if you’re doing it to protect SCADA systems with one-way network diodes (done that btw), or if you’re a HomeKit hobbyist; it’s all the same in principle.

I agree, it’s not optimal, but you can’t say that’s “totally the wrong solution”. It’s the best solution we have without running a parallel network or completely blocking access to the internet.

I promise you, this is 1000% false. Yes, there is certainly a move towards zero trust and software defined. But if anything, there is more segmentation being put in place; not less.

I’m not trying to argue, but what you’re saying just isn’t true. Half of it isn’t relevant. I helped write the zero trust framework that was put in place for the US Public Sector, have worked with Google/BeyondCorp, and have briefed leaders working on the largest networks in the world. I don’t know much and I make mistakes everyday; but I do know that firewalls are still very relevant and segmentation is FAR from obsolete…

1 Like

Has it? Zero trust was a more of a financial decision than anything else (purely my opinion). And you’re right, the days of the firewall as the VPN concentrator and traditional big iron are absolutely going the way of the dodo. But the firewall business is alive and well. Seen Palo Alto’s earnings/stock lately?

A suboptimal solution is still a solution. Especially if it’s the only one that can be done without extra gear or a manual process.

Appreciate the discussion by the way…

@95omega My experience is with @SpivR. While traditional businesses remain with their on-premise firewalls & segmentation and those who rent datacentre space for their own tin do similarly, Infrastructure as Code is becoming more and more prevalent. I’d be surprised if most SaaS (especially those which run on Azure, Google and AWS) deployed on IaaS aren’t moving in that direction, if not actually there already. It massively reduces overhead and costs and improves the quality and consistency of deployment.

I don’t disagree. The comment was that firewalls and segmentation are an “obsolete technology”.

Segmentation/firewalls have and will always be there; what changed a few years back is that products were introduced that allowed you to automate segmentation policy at the OS/application level in the data center and in the cloud. It started with IaaS and then moved to PaaS. SaaS apps are obviously different because you depend on provider APIs for access/enforcement.

Even if implementing IaC, it is still best practice to leverage (micro)segmentation. A lot has changed over the years; management, automation, process level enforcement. But, in principle it’s all the same.

Last point on costs. The transition to cloud DOES NOT reduce costs. Automation? Yes. Cloud? Absolutely not. In fact, it is significantly more expensive because cloud governance is still a massively underserved market (my opinion). There is recent research on this, but that’s a different discussion.

All of this is very specific to what you’re running, but it definitely reduces up front and ongoing capital costs (I should have been clearer on this).

Up front, sure. Cloud is cheaper by nature; up front. Ongoing capital costs are significantly more expensive over time. See this paper from Andreessen Horowitz.

“However, as industry experience with the cloud matures — and we see a more complete picture of cloud lifecycle on a company’s economics — it’s becoming evident that while cloud clearly delivers on its promise early on in a company’s journey, the pressure it puts on margins can start to outweigh the benefits, as a company scales and growth slows. Because this shift happens later in a company’s life, it is difficult to reverse as it’s a result of years of development focused on new features, and not infrastructure optimization. Hence a rewrite or the significant restructuring needed to dramatically improve efficiency can take years, and is often considered a non-starter.”

This is a really good read. This has also been my experience in the field and with peers that run DevOps/Operations for large enterprises.

It’s complicated (to me). A lot of companies saw a market opportunity and decided to cram existing products into these zero trust models/frameworks. What happened is that the definition(s) slowly started to change. Not to mention a lot of debate within industry think tanks and the transition of key people from these places to “industry”.

In short, micro-segmentation became synonymous with zero trust. But micro-segmentation alone is not zero trust. Zero trust changes the way we authenticate (users, devices, applications), introduces the concept of trust algorithms, and (in theory) moves to flow authentication. It’s been over-complicated and now is no different than “defense in depth”. Microsoft based enterprise environments can get 80% of the way there by turning on domain isolation and using certificate based authentication. EDIT: The “Microsoft” comment is a slight exaggeration…

Sorry for the long winded answer; for the home user I think it’s as close as we’re going to get…

1 Like

@95omega

This is what I’m trying to understand.

I have VLAN A and VLAN B. VLAN A has my Apple TVs and VLAN B has IoT devices like Abode which is HomeKit certified. I have an mDNS reflector between the VLANs and mostly it works, but I’m having trouble with Abode sometimes. My question is, is mDNS enough? Or do I have to open ports between the VLANs? I always thought mDNS was enough, but it occurred to me that maybe I have misunderstood all along—and mDNS is just the discovery but the traffic has to go like all other traffic so you have to open ports.