Netgate Discussion Forum

Restricted VLAN for IoT, media devices - best way to whitelist outbound access?

General pfSense Questions
mleinart:

      I'm creating a VLAN for all the random non-computer, non-phone devices I have on the network. This includes IoT type stuff like my Neato robot vacuum
      and my connected thermostat (Nexia) as well as media devices like my Rokus. Things will end up on this VLAN either by port-based VLAN assignment on my switch or via a separate wireless network sitting on this VLAN (via Ubiquiti APs).

      My goal here is to ensure I know exactly what these things are accessing and only allow it on a whitelist-only basis. As a side concern, I'd like them to not be able to see or access my local network (I'll allow local net in, reflect avahi mDNS to LAN, etc).

      So I'm looking for ideas how to best go about this. A default block firewall rule and adds to individual IPs/networks is the most obvious route and may work fine for the IoT type stuff, but I worry this is too limited for media devices. For instance, a device accessing YouTube resolves Google IPs which can change on the fly based on their internal DNS routing system - in other words, there's (I think) no way to whitelist the right IPs in advance.

      Unfortunately these types of devices generally don't support HTTP proxies or I could just do it with squid ACLs.

      I had the thought that I could perhaps get this working by whitelisting domains, e.g. serve NXDOMAIN by default on this subnet except for domains I specify. It doesn't look like Unbound quite supports that, though I can instead hack up a blacklist by serving certain domains locally and resolving to localhost - not too pretty. This is kinda doable with dnsmasq (e.g. http://unix.stackexchange.com/questions/193427/dns-whitelist-domains) but it seems pretty hacky.

      Are there any other options I should explore? Anyone done something like this and have experiences to report?

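The post above sketches a DNS allowlist ("NXDOMAIN by default, except for domains I specify"). As an added example that is not part of the thread or of any poster's setup, the block below shows the two pieces such an allowlist needs: a matcher that decides whether a queried name falls under an allowed domain on whole-label boundaries (a naive string `endswith()` would let `evil-youtube.com` through for `youtube.com`), and a generator that emits the equivalent Unbound `local-zone` fragment. The domain list is a constructed sample, and the config relies on Unbound's documented `local-zone` types (`static` on the root zone answering NXDOMAIN for everything that has no more specific zone, `transparent` for the allowed names); that behaviour is an assumption to verify against the Unbound version in use.

```python
# Added example, not from the thread: DNS allowlist matcher plus an Unbound
# config generator. ALLOWED_DOMAINS is a constructed sample list.
from __future__ import annotations

ALLOWED_DOMAINS = ["youtube.com", "roku.com", "nexia.com"]


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop the trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def is_allowed(qname: str, allowlist: list[str]) -> bool:
    """True if qname equals an allowed domain or sits beneath it.

    Comparison is done label by label from the right, so 'evil-youtube.com'
    does NOT match 'youtube.com', while 'www.youtube.com' and 'YouTube.com.' do.
    """
    q = _labels(qname)
    for dom in allowlist:
        d = _labels(dom)
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def unbound_allowlist_config(allowlist: list[str]) -> str:
    """Emit an Unbound 'server:' fragment implementing the same allowlist.

    Assumption: 'local-zone: "." static' makes Unbound answer NXDOMAIN for any
    name that has no more specific local-zone, and 'transparent' zones for the
    allowed domains let those names (and their subdomains) resolve normally.
    """
    lines = ["server:", '    local-zone: "." static']
    for dom in sorted({d.lower().rstrip(".") for d in allowlist}):
        lines.append(f'    local-zone: "{dom}." transparent')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ["www.youtube.com", "evil-youtube.com", "api.nexia.com", "example.org"]:
        print(f"{name:20} allowed={is_allowed(name, ALLOWED_DOMAINS)}")
    print(unbound_allowlist_config(ALLOWED_DOMAINS))
```

A DNS allowlist only constrains devices that actually use the firewall's resolver, so it is worth pairing with firewall rules that block other DNS egress from the VLAN and, as the thread notes, with the observation that CDN-backed services resolve to many changing addresses, which is exactly why the allowlist lives at the name layer rather than the IP layer.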
johnpoz (LAYER 8 Global Moderator):

        Not sure why you think you need to whitelist domains.

        Why not just allow the protocols and just log? Keep an eye on the traffic. Once you watch them for a while and where they go, then you can lock down to netblocks if you want, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

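The reply above suggests logging the VLAN's traffic first and tightening rules to netblocks once the destinations are known. As an added example that is not part of the thread, the block below turns pfSense `filterlog` lines into per-device flow counts for the IoT interface, keeping passed and blocked flows apart so that blocked attempts at the LAN stand out. The field layout follows the pfSense filterlog CSV format (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, protocol name, length, source, destination, and for TCP/UDP the ports); the log lines are constructed samples, not captured traffic, and `igb1.20` as the IoT VLAN interface is an assumption.

```python
# Added example, not from the thread: summarise pfSense filterlog lines for an
# IoT VLAN interface. SAMPLE_LOG is constructed; IOT_IF is an assumed interface.
from __future__ import annotations

import re
from collections import Counter

IOT_IF = "igb1.20"

SAMPLE_LOG = """\
Jan  5 10:00:01 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.20.10,203.0.113.10,49152,443,0,S,1:1,,1024,,mss
Jan  5 10:00:02 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.20.10,203.0.113.10,49153,443,0,S,1:1,,1024,,mss
Jan  5 10:00:03 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,pass,in,4,0x0,,64,1003,0,DF,17,udp,76,192.168.20.11,192.168.20.1,50000,53,56
Jan  5 10:00:04 pfSense filterlog[1234]: 7,,,1000000105,igb1.20,match,block,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.20.11,192.168.1.50,50001,445,0,S,1:1,,1024,,mss
Jan  5 10:00:05 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.20,198.51.100.5,40000,443,0,S,1:1,,1024,,mss
"""

_FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (.*)$")


def parse_filterlog(line: str) -> dict | None:
    """Parse one IPv4 filterlog line into a small record, or None if unparseable."""
    m = _FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 20 or f[8] != "4":
        return None  # only the IPv4 layout is handled in this example
    rec = {
        "iface": f[4], "action": f[6], "dir": f[7],
        "proto": f[16], "src": f[18], "dst": f[19], "dport": None,
    }
    if rec["proto"] in ("tcp", "udp") and len(f) > 21:
        rec["dport"] = int(f[21])
    return rec


def summarise_iot_flows(log_text: str, iface: str = IOT_IF) -> tuple[Counter, Counter]:
    """Count inbound-on-interface flows (src, dst, proto, dport) seen on the IoT
    VLAN, split into passed and blocked so lateral attempts are easy to spot."""
    passed: Counter = Counter()
    blocked: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if not rec or rec["iface"] != iface or rec["dir"] != "in":
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        bucket = passed if rec["action"] == "pass" else blocked
        bucket[key] += 1
    return passed, blocked


def candidate_allow_rules(passed: Counter) -> list[tuple[str, str, str, int | None]]:
    """Distinct (src, dst, proto, dport) tuples from passed flows: the raw
    material for per-device allow rules once the destinations look stable."""
    return sorted(passed.keys(), key=lambda k: (k[0], k[1], k[2], k[3] or 0))


if __name__ == "__main__":
    passed, blocked = summarise_iot_flows(SAMPLE_LOG)
    print("passed flows:")
    for key, n in passed.most_common():
        print(f"  {n:3}  {key}")
    print("blocked flows (review these):")
    for key, n in blocked.most_common():
        print(f"  {n:3}  {key}")
```

In the sample, the flow from 192.168.20.11 to 192.168.1.50 on port 445 shows up only in the blocked bucket, which is the kind of line worth watching on a VLAN that should never reach the LAN; the passed bucket, after a few days of real logging, is what gets distilled into aliases and allow rules.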
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.