Getting Started With IOT Safe Network

Hi all,

Newbie still getting started with IOT.

So I have a few IOT Meross bulbs and plugs - all set up and working using just the iOS Home app.

Now with some help, I managed to create a secondary network just for IOT items (for security).

Next I am attempting to set up a new device using the new safe IOT Network.

On my phone I switched the Wi-Fi network to the new IOT network.

Then I plugged in the NEW meross plug and went to the home app and tried to add new device - scanned the QR code and waited. Previously, other devices worked fine like this however this one ultimately failed.

Also it said things like my other devices are not on this Network…

Goal: ultimately I want to switch all IOT stuff to the safe IOT network. I am not sure how to get this set up.

Q: do I need to first dismantle all the other devices and set them up from scratch on the new network? Or, what is the best way to switch everything over to the IOT network?

Contrary to popular online advice, a separate IOT network is not something to tackle lightly.

If using HomeKit only, the need for an IOT network is greatly diminished with everything working locally and only HomeKit itself (via HomePod or AppleTV) handling remote access from outside the local network in a secure way.

If you wish to dig in to VLANs and firewall rules, then go for it. But have a real need and not just perceived paranoia.

If you want more security but don’t want the hassle of becoming a network nerd, then I would suggest looking at Eero networking gear. It’s a great mesh upgrade anyway, and one of the few 3rd parties to support Apple HomeKit’s enhanced security mode.

That hasn’t been very popular or well supported, but if you are willing to factory reset every one of your network devices, you can enable it and let Eero and Apple handle most of the difficulty of setting up isolated IOT devices at the networking levels.


Thanks very much SpivR.

So are you saying that for security purposes, any HomeKit light bulb should be fine since the protocol handles security by itself?

Does that apply to light bulbs that support multiple standards?

No. I can’t make a blanket statement like that. It really depends on the product and the manufacturer.

Some HomeKit products are HomeKit only and have no support for Google, Alexa, SmartThings, or other systems.

Some HomeKit products also support most popular other systems and may also have a direct API (application programming interface) allowing hobbyist/hackers or any other company to integrate with them.

Products that support HomeKit and other systems might have a “HomeKit only” mode or might allow simultaneous access from multiple systems at the same time.

Most products, regardless of the above, may need direct communication with cloud services from the manufacturer for firmware or feature updates, but that can be selectively turned on or off manually as needed.

So it’s rather complex just to even understand what products do, let alone figure out the optimal way to deploy them.

For HomeKit only products, you can rather easily use some firewall/networking rules to block all non-local (i.e. outside your home) access both inbound and outbound without impacting the use of the product.

For other products, it’s more complicated, with the underlying base being lack of full trust of the manufacturer, let alone intentional bad actors or hackers.


That’s the point of having a separate VLAN. You don’t know what they do, or for that matter need to do, so you segment them from the rest of your network. There are many cases of these devices behaving badly, and segmentation is generally a good idea.

I don’t think doing this manually is the best idea. If you can’t segment, then focus on DNS. Many of these devices try and tunnel DNS requests over non-standard ports to hide their activities.
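The post above suggests watching DNS when you cannot segment. The following is an added example (not code from anyone in this thread) of what that watching can look like in practice: it parses candidate packets from the IoT segment's uplink, decides whether each payload is shaped like a DNS query, and reports devices that either bypass the sanctioned resolver on port 53 or send DNS-shaped queries on some other port. The IoT subnet, the resolver address, the odd port number and all packets are constructed assumptions.

```python
"""Flag IoT devices that resolve names outside the sanctioned path.

Added example for this thread, not code from any poster. The IoT subnet, the
sanctioned resolver address and every packet below are constructed assumptions.
"""
import ipaddress
import struct

IOT_NET = ipaddress.ip_network("192.168.50.0/24")        # assumed IoT segment
LOCAL_RESOLVER = ipaddress.ip_address("192.168.50.1")    # assumed sanctioned resolver
DNS_PORTS = {53}                                         # where DNS is expected to live


def build_dns_query(name, txid=0x1234, qtype=1):
    """Build a minimal standard DNS query; used only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def parse_dns_query(payload):
    """Return the queried name if payload is a plausible DNS query, else None.

    The checks are deliberately strict (QR=0, opcode 0, >=1 question, printable
    labels, class IN) so ordinary TLS or HTTP bytes do not pass by accident.
    """
    if len(payload) < 12 + 2 + 4:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount < 1:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:                       # root label ends the name
            break
        if length > 63:                       # compression pointers / bad lengths
            return None
        label = payload[pos:pos + length]
        if len(label) != length or not all(0x20 < b < 0x7F for b in label):
            return None
        labels.append(label)
        pos += length
    else:
        return None                           # ran off the end before the root label
    if not labels or pos + 4 > len(payload):
        return None
    _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return b".".join(labels).decode("ascii") if qclass == 1 else None


def find_suspicious_dns(packets):
    """packets: iterable of (src, dst, proto, dport, payload) seen on the IoT uplink.

    Returns (src, finding, detail) for each DNS-shaped packet that either bypasses
    the sanctioned resolver or rides a port where DNS has no business being.
    """
    findings = []
    for src, dst, proto, dport, payload in packets:
        if ipaddress.ip_address(src) not in IOT_NET:
            continue                                   # only policing IoT devices here
        name = parse_dns_query(payload)
        if name is None:
            continue
        detail = f"{name} -> {dst}:{dport}/{proto}"
        if dport not in DNS_PORTS:
            findings.append((src, "dns-on-nonstandard-port", detail))
        elif ipaddress.ip_address(dst) != LOCAL_RESOLVER:
            findings.append((src, "resolver-bypass", detail))
    return findings


# Constructed sample traffic (documentation-range addresses, .test names).
SAMPLE_PACKETS = [
    ("192.168.50.20", "192.168.50.1", "udp", 53, build_dns_query("api.vendor.test")),       # fine
    ("192.168.50.21", "198.51.100.53", "udp", 53, build_dns_query("api.vendor.test")),      # bypasses resolver
    ("192.168.50.22", "203.0.113.9", "udp", 9999, build_dns_query("beacon.vendor.test")),   # DNS on odd port
    ("192.168.50.22", "203.0.113.9", "tcp", 443,
     b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32))),                  # TLS hello, ignored
    ("192.168.10.5", "198.51.100.53", "udp", 53, build_dns_query("laptop.vendor.test")),    # not an IoT device
]

if __name__ == "__main__":
    for src, kind, detail in find_suspicious_dns(SAMPLE_PACKETS):
        print(f"{src:15} {kind:25} {detail}")
```

Feeding it real traffic means capturing UDP and TCP payloads on the router's IoT-facing interface; the parser is strict on purpose, so a device only shows up when bytes really look like a DNS question, which keeps the alert list short enough that a home user will actually read it.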

This is an interesting discussion, especially as I’m trying to figure out what IOT/automation gear to use for various efforts.

How would you recommend ordinary MPU listers — power users, but maybe not at the extreme end of that category — go about identifying equipment that should be reasonably trustworthy? Just HomeKit-only, or are there protocols or manufacturers that are more trustworthy?

In normal IT operations, this is the right choice and why VLANs are so popular in business and data centers.

The challenges with smart home devices are threefold:

Dodgy products you may not trust in the first place - the best solution would be to not use them. Even if the alternatives are not perfect substitutes.

Complex interactions - As mentioned, it is not obvious which devices “phone home”, which devices need legitimate inbound or outbound Internet access, or which groups of devices must interact with each other.

The common usage mode is the worst exception - this is where segmentation falls short in smart home implementations. Every client device (iPhone, iPad, Desktop) often needs to communicate with every IOT device (light dimmer, door sensor, smart speaker, hub or bridge, etc.) to be useful or used as intended/desired.

This any-to-any communication makes segmentation much more challenging.

Realistic implementations have many exceptions that need to be put into place.

e.g. Put all the Wi-Fi dimmers into their own segment. But make an exception that allows every iPhone in the home to talk to all of them.

Want to stream music to the HomePods? Well, are they HomeKit Hubs in the IOT segment, or are they peer devices to all the iPhones and iPads in the user devices segment?

Want to have a local video or music library on a Plex Server or Synology NAS?

You quickly need to manage firewall rules, VLAN exceptions, and poke holes through the ideal “pure” segmentation model such that it looks like Swiss cheese when you are done.

And then add the layer of complexity of inbound versus outbound. Maybe it’s ok for your smart plugs to reach out to the Internet to check for firmware updates, but you don’t want to allow inbound connections that aren’t in response to those initiated outbound ones?

I’m not saying it can’t be done, and work. Just be prepared to learn more than you may want and to become an unwilling IT support person.

The first time your spouse or family member has trouble streaming music, watching YouTube, or just surfing the web, they really don’t have the patience to hear about firewall rules, DNS settings, tunnels, and other jargon - they just want their MTV.

If you want to segment and master VLANs, also be aware that most consumer network equipment either doesn’t do it very well, or not at all. You’ll need to upgrade to prosumer level products.

And no, just creating separate SSIDs for your IOT versus your regular devices is not really segmentation. You can’t simply use the GUEST network of your ISP Internet box to do this properly and securely.


@dealtek Just be aware that if you run Eero solely for WiFi (i.e. you have a separate router which separates your internal network from the Internet), then the HomeKit functionality built into the Eero will not work.


Thanks @SpivR et al. for your insights.

VLANs seem to be a sticking point, or overly challenging for home use.
What about just having a separate Wi-Fi router for the IoT?
iDevices, Macs, Apple TV, Plex, etc. on a 10.0.0.x Wi-Fi router, and IoT hubs, HomeKit devices, etc. on a 192.168.0.x Wi-Fi router.

Hm. Just realizing 192.168.0.x will need an iPad, HomePod, Apple TV to function as a HomeKit hub.

Maybe the best strategy is not to buy Happy Duckling light bulbs, etc. but stick to major brands?

What would you define as dodgy? A wide range of consumer products behave badly; HomeKit or not.

You have two choices:
- Create a separate VLAN; you can put end user devices (iOS based) in this VLAN along with your HomeKit devices (pros and cons of doing this). Or, you can completely isolate your IOT devices and use MDNS/Bonjour forwarding to enable segmented devices to communicate with the IOT VLAN properly.
- The second choice is to limit outbound DNS requests in the single VLAN as mentioned before. If you’re using a third-party DNS service you can tweak rules further.

While not ideal, it’s not incredibly difficult. Many MPUers have servers, media centers, etc. that are more complex to manage than enabling this setup.

Beware: mDNS problems, especially when using any forwarding across segments or VLANs, are exactly where all the problems can start.

If you have ever had “no response” error message from HomeKit devices, you probably understand.

As a simplified view (really too complex a topic to do justice in a small post), mDNS was designed to NOT cross lan segments or VLANs.

Yes, there are methods around this, but the majority are based on an open source stack called “Avahi” which can be problematic in many implementations.

In a very bad analogy, consider the design of a mechanical lock. Every key is supposed to be unique as an intrinsic part of the security. Nobody else’s key should unlock your door.

Now consider the ubiquitous skeleton key - a key expressly designed to open many locks - for convenience and other reasons that reduce rather than improve security.

Now I’m not saying that mDNS is anything like a lock or key, just that the process of sending mDNS over other lan segments and VLANs “so things keep working” is totally the wrong solution and creates even more problems much more difficult to troubleshoot.

Again, this is all in the category of hundreds of people will say “I’ve done it and it works perfectly fine, never had any problem” but there are tens of people that will also say “it’s been a nightmare and I’ve constantly had problems I can’t fix”. Such is the nature of networking (and probably too many other) tech issues.

Absolutely. I think that is why pundits periodically call for Apple to make more smart home devices and not leave it all to others.

But the real issue here:

How much complexity and ongoing admin/management of your home network do you want to undertake to protect against perceived, real or theoretical security risks?

With my clients, I find most surprisingly lean heavily towards simplicity and cost effectiveness versus paranoid security.

Pragmatic examples:

Worry about security cameras is virtually eliminated, for many, by having only outdoor/outward facing cameras.

Worry about non-critical IoT devices is reduced by using name brands, non-remote enabled products with HomeKit or other large systems. No HomeBridge, HOOBS, Home Assistant or other powerful but hobbyist products.

Risk assessment per device - the risk of someone hacking your lights and turning them on or off at 3am versus the risk of someone gaining physical entry to your home by hacking the smart lock.

For lights, a lot of people simply don’t care. For locks, they prefer keypad locks without any connection to any other system. It gives them enough flexibility (use a code for entry instead of a physical key, ability to pre-assign and give codes to others on a temporary basis).

For garage doors, instead of an automatic door controller, just a camera or sensor so they can verify if the door is open or shut, but hacking can’t remotely operate the door itself.

Just some practical examples. Everyone has to make their own decisions and trade-offs of fun features or automations versus level of risk and comfort.


Interesting discussion and I think it has become time that HomeKit gets its own category in the forum.

I am with @SpivR that making it work is not for the faint of heart. It took me a long time to get everything IoT on its own VLAN and Wi-Fi and still addressable through controllers in different networks. Even when it worked it also unexplainably stopped working on a regular basis. For a while, I had my iOS devices also on the IoT networks for that reason.

I am using Ubiquiti UniFi and Firewalla network equipment, which can be configured with great granularity and I was able to make it work, including inbound VPN for remote control. It definitely doesn’t work the way Apple intended things to work assuming everything is on the same network, but with very few restrictions I feel I have hit the sweet spot between security and functionality.


I have the same setup with the IOT devices on a separate VLAN/SSID. Everything in my main LAN can communicate with the IOT network but the devices on the IOT network cannot initiate communication with the LAN network, only respond.

If you ask me how I set it up, I don’t think I would be able to remember. I am also using the UniFi gear.

I spent quite a bit of time on it and was quite proud when I had set it up, my wife was less impressed.

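Several posts describe the same stateful policy from different angles: the main LAN may open connections to the IOT network but IOT devices may only respond, outbound firmware checks are fine but unsolicited inbound is not, and outbound DNS from the IOT segment should be pinned to one resolver. The following is an added example (not anyone's UniFi or Firewalla configuration) that models that policy as a minimal connection-tracking filter so the verdicts can be checked against a constructed packet sequence. Subnets, the single allowed egress port and every packet are assumptions; real firewalls express the "reply only" part as an established/related match, which is what the mirrored-flow lookup here stands in for.

```python
"""Model of the stateful 'LAN may call IoT, IoT may only answer' policy.

Added example for this thread, not anyone's router configuration. Subnets,
the allowed outbound port and every packet are constructed assumptions.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")           # assumed: phones, Macs, NAS
IOT = ipaddress.ip_network("192.168.50.0/24")           # assumed: bulbs, plugs, hubs
LOCAL_RESOLVER = ipaddress.ip_address("192.168.50.1")   # assumed resolver on the IoT gateway
IOT_EGRESS_TCP = {443}                                  # assumed: enough for cloud/firmware checks


def zone(ip):
    """Map an address to the zone the policy reasons about."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in IOT:
        return "iot"
    return "internet"


def allow_new(src, sport, dst, dport, proto):
    """Policy for the first packet of a flow; anything not listed is dropped."""
    szone, dzone = zone(src), zone(dst)
    if szone == "lan":
        return True                                   # LAN may open anything
    if szone == "iot":
        if dzone == "iot":
            return True                               # same segment; router not in the path anyway
        if dzone == "lan":
            return False                              # IoT never initiates toward LAN
        if dport == 53:
            return False                              # DNS only to LOCAL_RESOLVER (covered above)
        return proto == "tcp" and dport in IOT_EGRESS_TCP   # limited Internet egress
    return False                                      # unsolicited inbound from the Internet


class StatefulFilter:
    """Minimal connection tracking: a reply is accepted only if its mirror flow
    was accepted earlier, which is what 'established' means in a stateful rule."""

    def __init__(self):
        self.flows = set()

    def process(self, pkt):
        src, sport, dst, dport, proto = pkt
        if pkt in self.flows or (dst, dport, src, sport, proto) in self.flows:
            return "ACCEPT established"
        if allow_new(*pkt):
            self.flows.add(pkt)
            return "ACCEPT new"
        return "DROP"


# Constructed packet sequence: (src, sport, dst, dport, proto), in arrival order.
SCENARIO = [
    ("192.168.10.5", 50000, "192.168.50.20", 80, "tcp"),      # iPhone opens the bulb's local API
    ("192.168.50.20", 80, "192.168.10.5", 50000, "tcp"),      # bulb answers: established
    ("192.168.50.20", 40000, "192.168.10.30", 445, "tcp"),    # bulb pokes the NAS: not allowed
    ("192.168.50.21", 40001, "203.0.113.10", 443, "tcp"),     # plug checks for firmware over HTTPS
    ("203.0.113.10", 443, "192.168.50.21", 40001, "tcp"),     # update server replies: established
    ("203.0.113.99", 5555, "192.168.50.21", 22, "tcp"),       # unsolicited inbound: dropped
    ("192.168.50.21", 40002, "198.51.100.53", 53, "udp"),     # plug tries an outside resolver: dropped
    ("192.168.50.21", 40003, "192.168.50.1", 53, "udp"),      # plug asks the local resolver: fine
]


def run_scenario(packets=SCENARIO):
    """Push the sequence through a fresh filter and return one verdict per packet."""
    fw = StatefulFilter()
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SCENARIO, run_scenario()):
        print(f"{verdict:20} {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}/{pkt[4]}")
```

The point of tracing it this way is that the second packet (bulb to iPhone) is accepted only because the first one was seen; reorder the sequence so the bulb speaks first and it drops, which is exactly the behaviour the posts above want and exactly what a plain SSID split does not give you.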

ditto experience here. But all good once it all worked …

Isn’t that a fundamental tenet of segmentation, management networks, and networking in general? I don’t care if you’re doing it to protect SCADA systems with one-way network diodes (done that btw), or if you’re a HomeKit hobbyist; it’s all the same in principle.

I agree, it’s not optimal, but you can’t say that’s “totally the wrong solution”. It’s the best solution we have without running a parallel network or completely blocking access to the internet.

mDNS was designed only to be used on a single local segment.

Contorting it to run across multiple segments is the wrong solution. That is not a supportable way to maintain network reliability and security.

Just like a skeleton key is the wrong way to make locks easier to manage.

It’s the whole reason Apple is refusing to create an encryption back door password for the US government. It is so fundamentally flawed, doing it destroys the benefit of having security in the first place.

I still believe that disabling/bypassing/watering down the inherent boundaries in LANs and WANs for the convenience of operating IOT devices in configurations they were not designed for makes the process of segmenting much less valuable and not worth the complexity in most, but not all, typical home installations.

It’s another discussion, but networking professionals and vendors view firewalls and segmentation as obsolete technology.

The focus has moved towards more SDNs (software defined networks) and a zero trust model instead of the boundary/segmentation traditional firewall trusted/untrusted segmentation model.

Apple’s HomeKit Security router feature is a step in this direction but hasn’t been well accepted or adopted.

Again - my comments are heavily weighted toward the typical consumer network without a full time network admin and either basic ISP provided router/modem or standard consumer-grade simple Wi-Fi gear.

I promise you, this is 1000% false. Yes, there is certainly a move towards zero trust and software defined. But if anything, there is more segmentation being put in place; not less.

I’m not trying to argue, but what you’re saying just isn’t true. Half of it isn’t relevant. I helped write the zero trust framework that was put in place for the US Public Sector, have worked with Google/BeyondCorp, and have briefed leaders working on the largest networks in the world. I don’t know much and I make mistakes every day; but I do know that firewalls are still very relevant and segmentation is FAR from obsolete…

The “focus” has moved. Not saying existing gear is being ripped out.