How to allow broadcast traffic on a specific port to reach isolated devices



  • Summary: Internet-of-Things devices are untrustworthy and should be isolated from the private network. This is not difficult for routed traffic, but some of them utilize discovery via Broadcast, which I'm having trouble figuring out.

    Several types of devices must use WEP rather than WPA, and changing the password regularly isn't possible, so maintaining a unique and isolated WLAN is critical.

    Currently I have private network on VLAN10 and IoT network on VLAN20, allowing them to operate on independent and isolated WLANs. As an example device let's use LFIX bulbs, which are discovered via a broadcast packet on a specific port. Ideally I'd like to be able to allow any devices on the private VLAN to discover the bulbs on the IoT VLAN, but as a fallback to that I'd like to be able to have a specific linux host reach the bulbs via broadcast.  I realize this rather violates the concept of a VLAN, so I'm open to other suggestions about how to achieve the end result.

    I've had trouble finding suggestions for this, but "broadcast repeater" is an idea that I've seen, but not something that seems to be available with PFSense.

    My ultimate fallback is to put a single linux host on both VLANs and let it be the sole controller of the bulbs, which is probably a more "correct" implementation, but it's just not as functional unfortunately.

    If anyone has any suggestions about which direction I can take I'd really appreciate it!


  • Rebel Alliance Developer Netgate

    A dedicated management host is the best way to do that.

    You really don't want to leak traffic to/from those, it defeats the point of isolating them in the first place. Something like Avahi might help, but ultimately it's a bad idea.

    And WTF is still operational that still only uses WEP? That may as well not use any security at all.


  • LAYER 8 Global Moderator

    "Several types of devices must use WEP rather than WPA"

    Yeah which devices - those devices need to be replaced if they only support WEP..


Log in to reply