Wanting to separate IoT devices
-
I would like to start separating IoT devices from the rest of the lan, but I'm not sure about the best way. I have read on how you can go the VLAN route with a managed switch or go the peripheral route by having all the IoT connecting to its own interface on my pfs box.
Is there any advantage one way has over the other? To me it feels easier to simply have a WAP/switch for all my IoT devices to be connected to, and that to be connected to its own rj45 on the pfs box, and then apply specific rules to that interface.
-
Both ways work the same from a security perspective, as pfSense just "sees devices on an interface".
But the Vlan way would provide for a much more flexible setup.
1: You don't need a physical pfSense IF for each new lan segment you want, you just create another vlan.
2: Your "house" cabling would be much simpler, as you can have switches around that have physical interfaces in different vlans. Making a physical connection from a "Garage" IOT is easy, as you just create the IOT-Vlan on the "Garage switch", and map a physical port on "Garage switch" into the IOT-Vlan.
If you had the pfSense interface, you'd have to pull a dedicated cable from the "Garage IOT" to the pfSense IF (or switch). With Vlans you'd only need one cable to the Garage.
I've been using the D-Link DGS-1100-08V2 switches with success, for small "satellites"
https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-08V2/dp/B08P2C2GXF/
And the DGS-1210-28, as "Backbone/Core Switch"
https://www.amazon.com/D-Link-Systems-28-Port-including-DGS-1210-28/dp/B00AI9H628/
There are several other switch vendors that make nice switches, just stay clear of TP-Link.
D-Link seems cheaper in EU than US, so I might be biased.
But for "small satellites" I think the DGS-1100-08V2 is competitive in the US too.
/Bingo
-
Actually, wiring would not be a bad option for me at the moment. My new pfSense box has not even been deployed yet. It is my first one ever! I have been wanting to do one for a very long time, and I finally got around to doing so. It is a quad core i5 with 8gb of ram and plenty of room to grow. But before I have it ready for the entire house, I have been experimenting with it, and I still have it open on my workbench. I can easily add another intel nic to it (currently has 2 intel nics for wan and lan). I only have 1 wired IoT device which already has its own cable going to my network cabinet while all our IoTs are wireless. Now is the perfect time to decide which way of doing it since I am in my infancy stage of organizing it all.
So I had been considering simply: Add another intel nic-->unmanaged 4 or 8 port switch-->WAP and wired IoT.
I'll be honest and mention I am scared of VLANS since I have never experimented with it. If you would have mentioned it is the safer/secured way, I would have been more than willing to read up on it and learn. But if both can be the same security wise, I may do the extra intel nic way.
-
If you aren't ready for Vlans, then by all means don't do it.
But do yourself a favor and get Vlan ready switches; it's not much more money.
Then you can switch to Vlans at a later point if desired.
I'd add a 4-port Intel netcard, as two ports are a bit "poor" for a firewall, especially if you have IOT also.
Ps: I have 14 vlans defined @home
Not all in use, but ready to use.
I think I have 8 Vlans active.
/Bingo
-
With bingo here.. By all means you can just go physical isolation which is drop dead easy and pretty impossible to mess up.. The dumb access point and switch only connected physically to network X.. Any devices connected to them are on network X..
But if you're in the market for a switch anyway - I would really look to getting a vlan capable one, even if you just use it as dumb.. This gives you flexibility down the road - maybe in 6 months, oh man I wish I could use this port and connect to my lan vs network X..
Same goes for whatever you're using for AP.. Even if just going to use it as dumb - unless you plan on just leveraging some old wifi router you have about as your AP.. I would at least shop around for something in your budget that "can" do vlans if you want to 6 months from now for example..
Never hurts to have the flexibility, even if you don't leverage it - vs 6 months from now.. Shit I can't do that because I saved $5 on the switch I bought ;)
In this day and age - I just don't understand why anyone would buy a "dumb" switch.. I get not getting a $200 fully featured switch with 24 ports when you only need a couple of ports, etc. But entry level 5 port and 8 port smart switches are a few bucks more than their dumb counterparts.. And even if you don't use vlans on them - there is some info you can get that could be useful.. How much traffic is passing through a specific interface, any errors on the interface. What specific rate it came up at without looking at the lights - can rate limit a port. Can span a port for sniffing. Looking up what mac is connected to which port, to know what device is connected to what port if your cables are not easy to trace or not labeled, etc. etc.. All well worth the few extra bucks even if not going to vlan anything.
Now if you already have the hardware laying about, and all you're looking to do is isolate some devices - then yeah just adding a nic to pfsense is a cheap easy way to do that.. Never have too many interfaces in your router if you ask me.. I have 6 in my sg4860.. And using all of them.. If I had a couple more I could use those as well..
-
My wifi router that I am currently using to test as an AP DOES have the ability to be a managed switch. I've read someone has it as a level 2 or level 3, which I don't even know what that is in VLAN terms lol. But I won't ask for details about that for now. Small managed switches are very cheap now considering when I last looked at them maybe over a decade ago. I will most certainly buy a managed switch depending on where I end up putting my AP. I'd like to put my AP in the middle of the house, but I may not be able to do that at this time. And a few days ago I discovered some VERY nice APs at ui.com, and now I am considering one of those. It just never ends does it?
And bingo, I'm not ready to understand the reason why you have 14 vlans
So for now I will go the hardware route with managed switches, and I will experiment with vlans later. Thank you both!
-
@flybye said in Wanting to separate IoT devices:
I'm not ready to understand the reason why you have 14 vlans
While 14 does seem like a lot ;) just off the cuff - without the details of his network and what he's trying to accomplish it's hard to say. Maybe he is on the low side and should really have like 29 ;) All depends on what he is looking to isolate or control.. Maybe putting a specific brand of iot in their own vlan.. Or each PC on their own, if his switching doesn't allow for private vlans - or he just wants an easier to control firewall between all of his devices.
I could see for sure breaking up my iot vlans more.. Putting all the lightbulbs in their own, or even breaking them up by maker/brand of lightbulb - that would be like 3 more for sure.. Gets a bit tricky with wifi doing that.. You sure don't want to have too many ssids.. So the way to do that would be with say mab or vlan id assigned via mac address..
Unifi does make some decent AP, many a pfsense user is using them for sure. I have 3 myself. Very happy with them. Can get a bit pricey depending on what model and how many you want/need.. I would like to have say the AC SHD models - but at $500 each that gets a bit pricey for home. But I'd love to play with the airview and airtime features along with the wips, etc. Which is a bit overkill for a home setup sure.. But it'd be fun to play with - so if you're more into the lab aspect vs just wanting it to work.. For sure could see at least 1 of those on the network.. And they are also 4x4 vs 3x3, etc. So it's not like they're overly expensive for the hardware - just prob not going to be in your typical home budget for some AP ;)
-
Well I do like to separate things (work hazard)
And with Vlans it's easy & costless
Well why not go all in ...
/Bingo
-
I'm here like a simpleton wanting to start out with simple separation of devices on my home lan, and you guys start describing setups that make me wonder if I should get a new degree to be able to follow. Definitely some good reading, though.
-
@flybye to start with just create 2 vlans.. This gets the ball rolling. Put stuff like all your IOT into 1 and all your other stuff in the other.
Or put stuff you don't want talking to other stuff all in one - there really isn't any hard rules on what you put in 1 vlan, what you put in another. It comes down to what you want to isolate from other stuff or your different control points you want to have.
In an office you might find vlans broken up by floors, or departments or very common one users vs servers. Infrastructure is almost always on some sort of management vlan that is isolated from users - since you normally don't want users to be able to get to your infrastructures management interfaces be it web gui or ssh, etc.
As this gets broken up more you might find managers in a different vlan than worker users. If you were in a DC for sure you would see different customers isolated from each other by vlans.
I have for example all my rokus in 1 vlan, then I have what I call my psk vlan where all my iot stuff is. I called this vlan psk, because my trusted vlan for wireless was using eap-tls for auth vs just psk. But then my work locked down my work phone and can no longer install the certs needed for eap-tls, so I had to change that to just psk auth as well.. But I call this vlan trust because only my devices are in this network. Our phones, our personal laptops, our tablets - which is isolated from all other wireless type devices like my lightbulbs and alexas, etc.
So where you start is up to you - where you finish is also up to you. You might start with only 2 but as you get more comfortable with it, you might end up with more than Bingo ;)
-
Yeah I'll be honest...I keep considering VLANs since my setup is still very unripe. I looked through my AP (Netgear R7000). Unfortunately, the VLAN option is grayed out with the wireless router in AP Mode with the oem firmware. I read I can DD-WRT it to be able to unlock VLAN while in AP mode, but that might prove to be slightly problematic. I read my device doesn't support VLANs very well to begin with, and I prefer not to waste too much time on it if this is the case. But how would I know? I don't even know what great or bad VLAN support even looks like lol.
And the deeper I read about setting up VLANs, the more I realize it will require a lot more time in tinkering. For now I may still just go the extra intel nic route with a managed switch just for the IOTs until I have the time to sit down and really explore VLANs.
I do have a quick question:
Do you need to have a VLAN capable AP if you have a smart switch?
As far as I understand it, VLAN capabilities at the switch/AP is where the division and tagging takes place. And then pfsense uses those tags for specific rules.
-
@flybye said in Wanting to separate IoT devices:
the more I realize it will require a lot more time in tinkering
Not once you actually understand them.. I can setup a vlan in 2.3 seconds.. only .3 seconds longer than a native interface ;) hehehe
To be honest there is nothing extra to do in pfsense other than set a tag, and use the vlan interface in the gui to create it.
I think the thing that confuses most users is what a tag is, when it's set and when it's not set.. Once you understand that - setting up a vlan is really no different than setting up any network interface in pfsense.
If your pfsense has no switch ports on it like the 2100, 3100 etc. Then all vlans will be tagged on whatever physical interface you assign the vlan to. When doing vlans most of the work is on the switch..
Other issue for new users to vlans or even any segmented network is what to put on what network.. Since all they are used to is their network, and the internet..
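To make concrete what "the tag" is and when it is set or not set, here is an added Python example (not code from anyone in this thread): it parses an Ethernet frame, decodes an 802.1Q tag if present, and shows the two port behaviours (a trunk port inserting the tag, an access port stripping it). The VLAN ID 20 and the MAC addresses are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None = untagged (native/PVID traffic on an access port)
    pcp: int
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, reading the 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        # No tag set: the switch assigns this to the ingress port's native/PVID VLAN
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("802.1Q TPID present but tag control info missing")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, inner_type, raw[18:])

def add_tag(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """What a trunk port does on egress: insert TPID + TCI after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return raw[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + raw[12:]

def strip_tag(raw: bytes) -> bytes:
    """What an access (untagged) port does on egress: remove the 4-byte tag."""
    if parse_frame(raw).vid is None:
        return raw
    return raw[:12] + raw[16:]

# Constructed sample (not real traffic): an untagged ARP frame from an IoT device
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
# The same frame as it would cross the trunk to pfSense, tagged with the IoT VLAN
# (VID 20 is an assumed value for this example)
TAGGED_IOT = add_tag(UNTAGGED, vid=20)
```

The pfSense VLAN interface only ever sees frames like TAGGED_IOT; the IoT device on its access port only ever sees frames like UNTAGGED, which is why all the tagging work lives on the switch.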
-
@flybye
I made a brief mini pfSense Vlan how2 here, and a few posts forward.
https://forum.netgate.com/post/944381/
/Bingo