Question Segmenting IOT / LAN

tstill.1988

Prominent
Mar 18, 2018
7
0
510
Hey all

I've decided it's time to start locking down my network. I have a custom pfsense router (5 ports) and a Cisco 3750G 24 PoE. 2.4GHz wifi runs on my Draytek AP and 5GHz on a Cisco 2702 AP.

I have already set up some VLANs and new SSIDs, everything is working fine. However I'm not sure where to put all my devices now I have segmented the network.

192.168.50.0/24 VLAN 50 is for IOT - internet only
192.168.75.0/24 VLAN 75 is for Guest - internet only
At the moment everything else is just native VLAN 1, 192.168.0.0/24.

On the main network I have laptops, PCs, QNAP NAS and the 5GHz Cisco AP. If I put my TV and other IOT devices on VLAN 50, unless I open holes it can't see the NAS for example other than externally. Multicast DNS seems to take care of discovery as my Fire Stick can be controlled from the guest network with my Android app.

The NAS has 4 NICs so maybe I can do something there but curious how others would set this up?
 
From what I read you have this pretty much figured out, so what is your question?

This is a fairly standard design when you want to have segregation between devices. Your pfsense box is the control between zones/VLANs. As it seems you have figured out, it can get complex to get rules that make all this work, but that is the penalty you pay when you need/want security.
You could dual home the NAS to multiple VLANs but it is little different than putting in a rule that allows the traffic to cross.

I see nothing wrong with the design; it should perform well and has little security exposure.
 

tstill.1988

Mar 18, 2018
Well I'm glad I sound like I know what I'm talking about for a start :)

My question really is best practices on rules between those networks, as they are all interacting in some way.

The guest VLAN will be totally shut off, no problem.

IOT Devices:

  • Smart TV
  • Alexa
  • Fire TV
  • Hue
  • Nest
  • Harmony
  • Smart Lighting (ESP8266)

LAN Devices

  • QNAP NAS
  • Plex Server
  • Mobile Devices
  • Laptops / Desktop


Not sure where best to put the printer, I guess that should be on the LAN for ease of access, but the Plex Server for example... I can access that remotely but for obvious reasons it doesn't make sense to stream content out and back in. My Smart TV, Fire TV and Alexa all need to communicate with Plex as they can play the music / video.

Another example, Hue - if the bridge is now on the IOT network and my phone on the LAN then it's going to show a cloud connection, not local, which could affect some of the automation.

So should I be looking to create specific rules to allow traffic between those devices only?
 
The most secure rules only allow access that is needed. You could for example list the devices that need access to the Plex server from the IOT.

Not sure what you mean by out and back in. The traffic between the 2 VLANs is not a big deal performance wise. It would only pass the firewall filters between the VLANs in the pfsense box. This puts little load on the CPU. If you actually went out to the internet then that would be different because the traffic must be NATed, which takes much more CPU.

Some apps are really stupid and there is little you can do about that. As long as you can put in IP addresses to get access and it works you will be fine. This is sort of like Microsoft file shares that will send out broadcasts and find all the devices so you do not have to know the IP, but it only works on the same subnet. But if you know the IP you can share from any subnet. The problem would be a device that only works with things on the same subnet. I know some whole house DVR boxes/apps where you can not put in IP addresses and must rely on their stupid app to find devices.
 

tstill.1988

Mar 18, 2018
Cool, that's kind of what I wanted to hear. I think just some assurance that I'm not taking an odd approach to this or missing something.

With regards to in and out I mean for example, if I put the Hue Bridge on IOT and my phone is on the LAN, the Hue app shows "Cloud connection" as it's actually connecting to the bridge via the WAN (I guess as you say above, some stuff only works on the same subnet). Allowing any traffic between the VLANs would defeat the point I guess.
 
It depends what you mean by "any". To make it work at all you need to allow traffic between the phone and the Hue. You could allow only certain ports but that gets to be painful to keep working, so you pretty much allow "any" traffic between the two IPs.

The traffic that is causing the problem does not cross over even if there were no rules. It tends to be some form of broadcast traffic. The exact nature depends on the application. This is one of those fundamental things about how networks work: broadcast traffic is not allowed to leave the subnet. This is partially the reason for subnets, since years ago the machines would get overwhelmed by interrupts from broadcast traffic from simple things like ARP and DHCP.
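The two replies above make two separate points: inter-VLAN rules should allow only what is needed (a short list of IoT devices reaching Plex, nothing else reaching a private subnet), and broadcast or link-local traffic never crosses the router no matter what the rules say. The following Python model is an added example written for this thread; it is not pfSense code or anything posted in the thread. The three subnets are the ones given in the first post; every per-device address, the Plex port (32400, Plex Media Server's default) and the rule ordering are assumptions made for the example. Rules are evaluated per VLAN interface, top-down, first match wins, with an implicit block at the end, which is how pfSense treats interface rules.

```python
"""Model of the inter-VLAN policy discussed in the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NET = ipaddress.ip_network
IP = ipaddress.ip_address

# The three subnets from the thread, one per VLAN.
VLANS = {
    "LAN (vlan 1)": NET("192.168.0.0/24"),
    "IOT (vlan 50)": NET("192.168.50.0/24"),
    "GUEST (vlan 75)": NET("192.168.75.0/24"),
}
PRIVATE = [NET("10.0.0.0/8"), NET("172.16.0.0/12"), NET("192.168.0.0/16")]
ANY = [NET("0.0.0.0/0")]

# Constructed host addresses for this example; the thread gives none.
PLEX = IP("192.168.0.10")
NAS = IP("192.168.0.11")
PHONE = IP("192.168.0.50")
FIRE_TV = IP("192.168.50.20")
SMART_TV = IP("192.168.50.21")
HUE_BRIDGE = IP("192.168.50.30")
ESP_LIGHT = IP("192.168.50.40")
GUEST_LAPTOP = IP("192.168.75.10")
INTERNET = IP("203.0.113.5")   # documentation range, stands in for a public host
PLEX_PORT = 32400              # Plex Media Server default port (assumed here)


def hosts(*ips):
    """Turn single addresses into /32 networks so every rule field is a network list."""
    return [NET(f"{ip}/32") for ip in ips]


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: list                # list of ip_network
    dst: list                # list of ip_network
    proto: str = "any"       # "tcp", "udp" or "any"
    port: Optional[int] = None   # destination port, None = any
    note: str = ""

    def matches(self, src, dst, proto, port):
        return (any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


# Ingress rules per VLAN interface. Only connection *initiation* is modelled;
# reply packets ride on firewall state, as they do on a stateful firewall.
RULES = {
    "LAN (vlan 1)": [
        Rule("pass", [VLANS["LAN (vlan 1)"]], ANY, note="trusted LAN may reach anything"),
    ],
    "IOT (vlan 50)": [
        Rule("pass", hosts(FIRE_TV, SMART_TV), hosts(PLEX), "tcp", PLEX_PORT,
             note="only the media players may open Plex"),
        Rule("block", ANY, PRIVATE, note="nothing else on IOT reaches a private subnet"),
        Rule("pass", [VLANS["IOT (vlan 50)"]], ANY, note="internet only"),
    ],
    "GUEST (vlan 75)": [
        Rule("block", ANY, PRIVATE, note="guests never reach a private subnet"),
        Rule("pass", [VLANS["GUEST (vlan 75)"]], ANY, note="internet only"),
    ],
}


def vlan_of(ip):
    for name, net in VLANS.items():
        if ip in net:
            return name
    raise ValueError(f"{ip} is not on a known VLAN")


def is_link_local_scope(src, dst):
    """Limited broadcast, the subnet's directed broadcast and link-local
    multicast (224.0.0.0/24, which includes mDNS at 224.0.0.251) stay on
    the source subnet; no firewall rule can make the router forward them."""
    return (dst == IP("255.255.255.255")
            or dst == VLANS[vlan_of(src)].broadcast_address
            or dst in NET("224.0.0.0/24"))


def evaluate(src, dst, proto="tcp", port=None):
    """Return 'not-routed', 'pass' or 'block' for a flow initiated by src."""
    if is_link_local_scope(src, dst):
        return "not-routed"
    if dst in VLANS[vlan_of(src)]:
        return "pass"   # same subnet: switched, never reaches the router
    for rule in RULES[vlan_of(src)]:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "block"      # implicit default deny at the end of each interface's rules


if __name__ == "__main__":
    flows = [
        ("Fire TV -> Plex", FIRE_TV, PLEX, "tcp", PLEX_PORT),
        ("ESP light -> Plex", ESP_LIGHT, PLEX, "tcp", PLEX_PORT),
        ("Fire TV -> NAS SMB", FIRE_TV, NAS, "tcp", 445),
        ("Fire TV -> internet", FIRE_TV, INTERNET, "tcp", 443),
        ("Guest -> NAS SMB", GUEST_LAPTOP, NAS, "tcp", 445),
        ("Phone -> Hue bridge", PHONE, HUE_BRIDGE, "tcp", 80),
        ("Phone mDNS query", PHONE, IP("224.0.0.251"), "udp", 5353),
    ]
    for label, s, d, pr, po in flows:
        print(f"{label:22s} {evaluate(s, d, pr, po)}")
```

The last two flows show the distinction the reply draws: the phone reaching the Hue bridge by IP is a plain routed flow that a rule can allow, while the phone's mDNS query to 224.0.0.251 comes back `not-routed` regardless of any rule, which is why an app that only discovers by broadcast falls back to its cloud path once the bridge sits on another VLAN.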