How am I supposed to access IOT devices on a separate network or VLAN?
-
Hello pfSense forum peeps, I'm excited to join you. One of the main reasons I wanted to dive into pfSense was to better secure my network and mainly that means breaking my network into 2, one for my PC's and one for my less secure IOT devices, like my Hikvision cameras. But this is where I'm a bit confused about how my network would work.
My setup:
- PFSense router, PC with 8Gb or RAM and an Intel 350 4 port NIC
- Centurylink Internet.
- Several PC's and Macs.
- Two Hikvision cameras
- A FreeNAS server that hosts my network drive content and also hosts my camera recorder drives
- A set of other IOT gadgets like Hue lights and Tuya devices.
My questions are pretty basic at this point. Can someone explain this to me. If I put my IOT devices on a separate network from say my PC, then how can I access them? In my case I have my Hikvision cameras. How am I supposed to access them if they're not on the same network as my PC? Second question; how can I configure my FreeNAS server to be accessible to both my cameras (to record on) and my PC's to get access to my network drives? Is that even possible? My server only has one NIC.
-
The way I do it (in a home network) is I let my trusted vlan (the one with my PCs & servers) route into the IoT vlan without any restrictions. So your PC will be able to connect into anything on the IoT vlan. Of course, you restrict it the other way (i.e. devices on the IoT vlan are blocked from routing into the trusted vlan).
If your IoT things use broadcast or other proprietary discovery methods to configure then you might have to temporarily connect said PC (or a smartphone) to the IoT vlan, but hopefully you don't have to do that.
As for FreeNAS, set up vlans on it just like you will for pfSense. Basically, your FreeNAS will have two IPs: one in each vlan. Configure separate datasets as needed for each vlan. Then when you setup the sharing of those datasets, restrict what can connect to those datasets by network. Datasets for your cameras are restricted to connections only from the IoT vlan and media/etc. shares are restricted to connections only from your trusted vlan.
Setup the rest of of your firewall rules as needed and then rest a little easier knowing those IoT things are less likely to cause a real headache someday! :)
Edit: I kind of just assumed you already have a managed switch to setup the vlans. The port your FreeNAS box connects to must be a trunk port carrying both vlans, then you can create the vlan interfaces in FreeNAS as described. Don't bother starting this exercise without a managed switch. Enjoy!
-
pfSense will route between all locally connected subnets by default. You only need firewall rules to allow it.
Steve
-
With the IP cameras I've worked with, they connected to a recorder. The recorder had 2 ports, one for the cameras and one for connecting to the main network. You'd connect to the recorder to see the cameras.