Netgate Discussion Forum

    Multi IOT Device Network Setup Question

    General pfSense Questions
    5 Posts 4 Posters 1.2k Views
      Forced2b

      Hey Guys, Newbie Here.

      Let me tell you what I have, then I will get to my questions.

      Home Network Equipment

      1. Cable Modem
      2. pfSense Router - Two 10GB Ports and Two 1GB Ports.
      3. Two Wireless Access Points with two unique SSIDs
      4. 10GB Layer 2 Smart Switch
      5. 1GB Layer 3 Smart Switch

      IOT Devices that need internet:
      Apple TV
      TVs
      Nintendo Switch
      Phones
      A/C Receivers
      PS3-PS4
      Sprinkler System
      IP Phones
      iPads
      Amazon Alexa
      Wireless Printers
      IP Cameras - The NVR needs to be able to update firmware
      Thermostats
      Wink Hub - Needs to be able to update itself; it controls the devices below.

      IOT Devices that do not need internet but can all be run by apps on my iPhone:
      Doorbell
      Wireless Light Switches
      Garage Door
      Door Locks
      Alarm System
      Approximately 35 Total IOT Devices between both lists.

      Questions:

      1. Should I put ALL IOT devices in both lists on one wireless AP?
      2. Should I segregate and put the first list on one wireless AP and the second list on the second wireless AP?
      3. My phones and tablets all access critical information on the network, banking, credit cards etc. Should those be segregated even more from the first IOT list (so basically split that list)? That would make for 3 wireless APs.
      4. So let's assume you all recommend one of my options or something completely different. How do we stop hackers from hacking one IOT device and then accessing them all? I do not want my sprinkler system hacked and then they can access my entire security camera system.

      My thoughts:

      One AP for phones, tablets and laptops
      One AP for non-internet accessing IOT devices
      One AP for internet accessing IOT devices
      Plug ALL three APs into their own network access cards on the pfSense router in three separate VLANs.
      However, do I want 3 wireless APs in the same house? Wouldn't that cause massive interference? Now you can see why I need help. I do not know the best way to set all of this up.

      Can you guys tell me the best way to set all of this up please?

        Forced2b

        Seriously? Anybody have a comment?

          johnpoz LAYER 8 Global Moderator

          "How do we stop hackers from hacking one IOT device and then accessing them all?"

          You do so with isolation.. Put your different IOT type devices on their own segments.. This could be done with different APs, or APs that support VLANs.  If the IOT devices support WPA-Enterprise you could assign dynamic VLANs based upon auth.  If your IOT devices do not support that then you could assign them via MAB to dynamic VLANs.

          If your IOT devices on the same segment do not even need to talk to each other then put them on a private VLAN, i.e. devices can not talk to each other.  This is sometimes called isolation on APs, etc.

          As to controlling internet - you could do that on pfSense no matter how you have them set up, be they all in one VLAN or not..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            jahonix

            Your listing of IoT devices that need internet is misleading. I wouldn't call those IoT but simple CE devices, consoles, etc:
            Apple TV, TVs, Nintendo Switch, Phones, A/C Receivers [meant to be A/V Receivers?], PS3-PS4, iPads, Wireless Printers

            This is VoIP and can/should be separated (not so much for security but for QoS at least):
            IP Phones

            These are IoT devices:
            Amazon Alexa
            Sprinkler System
            IP Cameras
            Thermostats
            Wink Hub

            Do you have 2 unique SSIDs per AP or could you make them transmit multiple SSIDs?
            IoT devices, especially when battery-powered, use low-energy modes and often have (very) limited WiFi range. Be conservative with your WLAN planning and better add an additional AP.

            Your shopping list above makes for three (or more) separated networks. And I wouldn't put PCs/Laptops and A/V devices / consoles on the same subnet. That makes it 4 distinctive subnets.

              Velcro

              Interesting discussion…and scary! Your sprinkler needs Internet access? I get it...but wow!

              How about this for an approach:

              I would look at grouping devices by trust and damage that can be done if they are hacked. i.e. if your sprinkler is hacked you get a wet lawn vs your cameras hacked and they can look inside your house and put your family online!

              Maybe put your cameras on their own VLAN with very restrictive rules, specific alias IPs, limited ports, snort IPS, etc...

              Sprinkler, thermostat, TVs, A/C Receiver, wireless printer (no internet access), wireless light switches on their own.

              I have a printer which I don't trust as far as I can spit...so I don't give it any internet access. I group it in my IOT VLAN and access it thru policy rules from other VLANs.

              Email/banking devices get their own VLAN.

              Alexa maybe its own VLAN...that's another scary device.

              I think the balance you will need to look at is manageability, security, usability and privacy. Keep it simple...

              Follow up questions would be:
              Do you have cable running thru the house or is wireless your only option? That would drive the number of SSID vs using a switch and hardwire.
              How big is your house i.e. do you need a big range?
              Do some of these devices need to be on the same segment to control?

              Open to feedback...

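The grouping the posters converge on (trusted devices, IoT, cameras and VoIP each on their own VLAN, default deny between segments, a printer with no internet, an NVR allowed out only to fetch updates) can be made concrete as a pf ruleset, which is what pfSense compiles its GUI rules into. This is an added example, not pfSense-generated configuration and not anything posted in the thread: the interface names, subnets and the `<nvr>` and `<printer>` addresses are assumptions chosen for illustration.

```pf
# Added example (assumed layout): four VLANs behind one pfSense box.
wan_if     = "em0"
trusted_if = "vlan10"   # phones, tablets, laptops (banking, e-mail)
iot_if     = "vlan20"   # sprinkler, thermostat, Alexa, Wink hub, printer
cam_if     = "vlan30"   # IP cameras and the NVR
voip_if    = "vlan40"   # IP phones
lan_ifs    = "{" $trusted_if $iot_if $cam_if $voip_if "}"

# All RFC 1918 space: from any VLAN's point of view, "some other internal segment".
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Hosts that get exceptions (assumed addresses).
table <nvr>     const { 192.168.30.10 }
table <printer> const { 192.168.20.50 }

set skip on lo0

# Source NAT for everything leaving via the WAN.
nat on $wan_if inet from <rfc1918> to any -> ($wan_if)

# Default deny: a device reaches nothing unless a rule below allows it.
# "quick" on every rule gives first-match semantics, the way pfSense evaluates.
block log all

# Every segment may use the firewall itself for DHCP and DNS.
pass in quick on $lan_ifs inet proto udp from any port 68 to any port 67
pass in quick on $lan_ifs inet proto { tcp udp } from any to self port 53

# Trusted segment: may open connections to anything, including the printer,
# the cameras and the NVR. Replies ride on the state this rule creates, so
# the other segments never need a rule "back" to the trusted one.
pass in quick on $trusted_if inet from $trusted_if:network to any

# IoT segment: the printer gets no Internet at all ...
block in log quick on $iot_if inet from <printer> to any
# ... and nothing here may start a connection into another internal segment.
# This is the rule that keeps a compromised sprinkler away from the cameras.
block in log quick on $iot_if inet from $iot_if:network to <rfc1918>
pass  in quick on $iot_if inet from $iot_if:network to any

# Camera segment: only the NVR may reach the Internet, and only over HTTP/HTTPS
# for firmware updates. Cameras stream to the NVR inside the VLAN, which the
# firewall never sees, so client isolation must stay off on this segment.
pass  in quick on $cam_if inet proto tcp from <nvr> to ! <rfc1918> port { 80 443 }
block in log quick on $cam_if inet from $cam_if:network to any

# VoIP segment: Internet only; its own VLAN mainly so it can be shaped for QoS.
block in log quick on $voip_if inet from $voip_if:network to <rfc1918>
pass  in quick on $voip_if inet from $voip_if:network to any

# Let state-tracked and firewall-originated traffic leave on the WAN.
pass out quick on $wan_if inet all
```

Two things practitioners usually run into with this layout: mDNS/Bonjour discovery (Apple TV, AirPrint) is link-local multicast and does not cross VLANs, so apps on the trusted segment that rely on it need an mDNS repeater such as the Avahi package on pfSense; and the AP client isolation johnpoz mentions belongs on segments whose devices never need each other, not on the camera VLAN, where the rules above deliberately leave camera-to-NVR traffic to the switch.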