VLANs & IOT devices

So…got a cheap webcam from a company that seemed to not be China based. Not the case, as it turns out. And I’m sketchy about having that camera on the same network as my “important” stuff.

I’m running a TP Link Deco mesh system, which is fine for what I need otherwise - but apparently there’s a way to do traffic segmentation with something called a VLAN, and my mesh doesn’t seem to support it.

If I want a mesh system with the ability to isolate wireless IOT devices to their own separate little area, do I need to just bite the bullet and get a second router? Or can I solve this problem by upgrading my mesh system to something a little fancier?

Anybody done this themselves? Any tips?

If your system supports a guest network and you don’t use it for guests, that would be one option. Guest networks are separate from the main network and devices on the guest network usually cannot talk to other devices also on the guest network.

The higher end option I’m considering if I go the VLAN route would be a Ubiquiti Dream Machine (probably Pro) setup. That would provide enterprise level controls and flexibility but at a higher cost and admin effort than my current Eero setup. At least Eero with HomeKit support can somewhat limit device interaction on the main network.

You seem to have less trust in products from China, but you do use a TP Link router?

This is what Wikipedia says about the country of origin of that manufacturer:

TP-Link Technologies Co., Ltd., is a Chinese manufacturer of computer networking products based in Shenzhen, Guangdong, China.

VLANing allows a network switch to carry data for multiple IP ranges. Unless you have more expensive switches, you’ll also need a router which supports VLAN trunks and multiple IP ranges on the same port.

I don’t think it’s possible to do true VLANing on Wifi unless you’re looking at enterprise level access points.

As someone else points out, guest networking on something like an eero might work, but in the end, depending on what you spent on your camera, it might be cheaper to buy a more expensive named brand.

Was it from Apple?

Just kidding:

A guest network is only useful if you want to segregate traffic, it will not stop devices calling home. You could use a network sniffer / pi-hole dns to block unwanted traffic?

That’s a good idea! (and it will work)

Yeah, not ideal. I’ve evolved in my opinion of such things since the router was purchased. That said, TP-Link seems to have put some effort into UI/UX, so if my data is being stolen at least they’re being polite about it.

This camera’s iPhone app had a few lines of text that weren’t even in English.

An upgrade to the router may be in the cards, which is yet another reason for the question.

Security concern is twofold, and that’s the lesser of the two. The primary one is having a device on my main network with my computers that I use for work.

So in this scenario, the camera could still send video to the Internet whenever it wanted - but it couldn’t (theoretically) access my Mac? And my cameras and light bulbs couldn’t all get together and plot against me? :smiley:

This is a really good potential option. I could theoretically just drop the pi-hole between the router and the cable modem.

Do you know offhand if the connection is allowable if it’s initiated from the main network? I.e. if I had a smart bulb that I had to manage via wi-fi, would I have to drop the main network and join the guest network to do that?

Maybe I am misunderstanding your question, but your guest network will have different addresses from your “home” network.

Guests (and IoT devices) get 192.168.x.x addresses.
Your home network is 172.31.x.x (whatever).

The 192.168.x.x folks can’t access the 172.31.x.x folks.
ALL can get to the Internet.

I have a Unifi setup with a separate VLAN for IoT devices and a separate WiFi network for IoT devices. If you are considering the Unifi Dream Machine Pro, I would hold off as they have just announced an SE version which has an 8-port PoE switch built in and a 128 GB SSD.

Hmm, I don’t think anyone is suggesting a guest network implies any level of security. It will simply provide isolation to the “home” network.

BUT, we both know that if you have any sort of capable firewall that can easily be circumvented.

CLI rules!

That’s the case indeed, I usually sniff traffic from devices for a while and then blacklist those ip ranges on the router + pi-hole.

It’s not a 100% watertight fix, but for cheaper 3rd party hardware it’s usually enough.

I agree with a lot of what you’re saying in this topic, but I have to push back a little here. DNS is used extensively by many classes of malware, so extensively that it’s one of the best types of IOC we have. Unfortunately, lots of malware also doesn’t make use of it.

This is near and dear to my heart, as I co-presented on the topic of the role of DNS in security with CIRA (Canadian Internet Registration Authority) at a conference. They assert that over 90% of malware makes use of DNS and have been strong proponents of using it as a means of detection and prevention :slight_smile:
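An added example (not code from anyone in this thread) of the sniff-then-blacklist workflow described a few posts up, together with the DNS-as-IOC point made here: it parses constructed pi-hole style query-log lines, flags domains that are outside a hypothetical per-device allowlist or that carry random-looking labels, and widens the answer IPs to /24 ranges suitable for a router deny rule. Log layout, allowlist and all addresses are assumptions.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed sample in a pi-hole style query-log layout (not real captures):
# "<unix_ts> <client_ip> <queried_domain> <answer_ip>".
SAMPLE_LOG = """\
1700000000 192.168.50.20 time.apple.com 192.0.2.5
1700000005 192.168.50.20 cam-update.example-vendor.com 203.0.113.10
1700000010 192.168.50.20 p2p-relay.example-vendor.com 203.0.113.25
1700000020 192.168.50.20 x7k2q9w1z4m8b3.example-vendor.com 198.51.100.7
1700000030 192.168.50.21 ntp.org 192.0.2.30
"""

# Destinations the devices are expected to reach (hypothetical allowlist).
ALLOWLIST = {"time.apple.com", "ntp.org"}

def parse_log(text):
    """Yield (timestamp, client, domain, answer_ip) tuples from the log text."""
    for line in text.splitlines():
        ts, client, domain, answer = line.split()
        yield int(ts), client, domain.lower(), ipaddress.ip_address(answer)

def label_entropy(domain):
    """Shannon entropy (bits/char) of the leftmost label; a crude DGA-style check."""
    label = domain.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def audit(text, allowlist=ALLOWLIST, entropy_threshold=3.5):
    """Return (domains per client, flagged domains with reason, /24 ranges to block)."""
    per_client = defaultdict(set)
    flagged = {}
    block_nets = set()
    for _ts, client, domain, answer in parse_log(text):
        per_client[client].add(domain)
        if domain in allowlist:
            continue
        reason = ("random-looking label" if label_entropy(domain) > entropy_threshold
                  else "not on allowlist")
        flagged[domain] = reason
        # Consumer router deny rules are coarse, so widen each answer IP to its /24.
        block_nets.add(ipaddress.ip_network(f"{answer}/24", strict=False))
    return dict(per_client), flagged, [str(n) for n in sorted(block_nets)]

if __name__ == "__main__":
    clients, flagged, ranges = audit(SAMPLE_LOG)
    for dom, why in flagged.items():
        print(f"pi-hole block {dom}: {why}")
    print("router deny ranges:", ", ".join(ranges))
```

The flagged domains go into the pi-hole blocklist and the ranges into the router's deny rules; as the post above notes, this catches the DNS-using majority but not traffic that never resolves a name.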

It’s DNS, it’s always DNS :slight_smile:
