WiFi Traffic segregation - Security
-
Hi All,
I have a home setup, with some WiFi clients and I wanted to segregate the traffic, keeping my current Netgear R7000 in AP mode (it does not support VLAN tag) since its performances are pretty fine.
The idea was to separate Management WiFi devices (my iPhone, Laptop and iPad) from:
1 - Trusted WiFi (lights, thermo control, smart scale, kindles…other known devices needing only Internet)
2 - Guest WiFi (tens of temporary mobiles, iPads etc etc).
I did this:
1 - Attach the R7000 to my Cisco SG350 (L2 Mode) to a port configured as General (allows to set several untagged VLANS)
2 - Set Port as Member of PVID 200
3 - Set Port as untagged member of VLAN 100 and 1
4 - Assign MACs of Trusted to VLAN 100
5 - Assign MACs of Management to VLAN 1
6 - Create a second SSID (the main one uses band steering) to be used by Guest and assigned to default PVID 200
SG350 (L2 Mode) is trunked to pfSense and all the traffic is routed there, and I successfully segregated the traffic with proper subnets/routing and firewall policy.
Now, I know that from a professional point of view my solution is weak, so I ask you savvy folks whether I can implement something stricter (just for educational purposes, since my house is visited by people with a low level of IT understanding).
Thank you for any hint.
-
how is running multiple untagged vlans getting you anything?
If you want to segment your wifi traffic into different vlans then you need an AP that supports vlans - end of story..
Or you would have to use different AP connected to the different vlans..
-
Thank you johnpoz for jumping in.
Next step is exactly to buy a proper AP supporting VLAN…
The game I am playing is just for fun and I assumed that configuration was equivalent or near...but evidently I was wrong.
What I see now is that a Guest device currently does not access other subnets since only Internet access is granted.
-
1 - Trusted WiFi (lights, thermo control, smart scale, kindles…other known devices needing only Internet)
Won't you need to access your lights & thermo control from your mobile devices that also access your local LAN, or are you going to swap over wireless networks when required?
-
1 - Trusted WiFi (lights, thermo control, smart scale, kindles…other known devices needing only Internet)
Won't you need to access your lights & thermo control from your mobile devices that also access your local LAN, or are you going to swap over wireless networks when required?
My iPhone, iPad and Laptop are on the Management subnet (192.168.1.0/24), which has access to all subnets. Lights & Thermo (plus others) have static IPs and they stay in VLAN 100 (subnet 192.168.100.0/24); Guests stay in VLAN 200 (192.168.200.0/24) with IPs assigned dynamically and lease time reduced.
-
Your Hue will send out SSDP multicast packets that will be contained on the subnet it resides on:
19:57:23.440200 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 308
19:57:23.491753 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 308
19:57:23.543218 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 317
19:57:23.594689 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 317
19:57:23.646128 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 311
19:57:23.699118 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 311
19:57:24.145128 IP 172.16.2.70.35559 > 217.114.59.3.123: UDP, length 48
19:57:24.170135 IP 217.114.59.3.123 > 172.16.2.70.35559: UDP, length 48
It's used for Hue bridge discovery. I played about for a while with mine and couldn't get the app and HomeKit to play nice when my AppleTV and the Hue were on a different subnet to my iDevice.
https://developers.meethue.com/content/ssdp
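As an added illustration (not code from the post or from the Hue developer docs), a short Python script that parses the tcpdump lines above and marks which packets are confined to the IoT subnet and which cross pfSense; the source subnet 172.16.2.0/24 is an assumption.

```python
import ipaddress
import re

# Constructed sample: four of the tcpdump lines quoted in the post above
CAPTURE = """\
19:57:23.440200 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 308
19:57:23.646128 IP 172.16.2.70.1900 > 239.255.255.250.1900: UDP, length 311
19:57:24.145128 IP 172.16.2.70.35559 > 217.114.59.3.123: UDP, length 48
19:57:24.170135 IP 217.114.59.3.123 > 172.16.2.70.35559: UDP, length 48
"""

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900

# tcpdump prints the port as a trailing dotted component of each address
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

def parse_line(line):
    """Split one tcpdump UDP summary line into its fields, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
            "length": int(m["length"])}

def classify(pkt, local_net):
    """multicast: confined to its L2 segment (a router will not forward it
    without a relay); local: unicast inside the subnet; routed: crosses pfSense."""
    if pkt["dst"].is_multicast:
        if pkt["dst"] == SSDP_GROUP and pkt["dport"] == SSDP_PORT:
            return "multicast (SSDP discovery, subnet-local)"
        return "multicast (subnet-local)"
    if pkt["src"] in local_net and pkt["dst"] in local_net:
        return "local"
    return "routed"

def summarize(capture, local_cidr):
    """Return (dst, dport, verdict) for every parsable capture line."""
    net = ipaddress.ip_network(local_cidr)
    return [(str(p["dst"]), p["dport"], classify(p, net))
            for p in map(parse_line, capture.splitlines()) if p]

if __name__ == "__main__":
    for dst, port, verdict in summarize(CAPTURE, "172.16.2.0/24"):
        print(f"{dst}:{port} -> {verdict}")
```

The SSDP packets never reach the Management VLAN through pfSense, which is why app discovery fails across subnets while the NTP exchange to the Internet works.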
-
I have all my iot devices on their own vlan. And don't have any problems controlling things because they do so through the app or alexa through the internet. You should not have to be on the same L2 to control them..
I have some tp-link smart bulbs, some smart power switches, I have a hub for my wall switches that control other lights which is also on that iot vlan. I don't have any issues controlling anything via app on my phone or my tablet that are on my normal wifi vlan, or even when not at home. While my amazon echo controls them it is on the same iot vlan, but it doesn't do it over the local network - it's tied to the app which is controlled via the internet connection.
So you're saying you can not control HUE if you're not home via the internet? You have to be on the same L2 domain?? That is pretty shitty design!! Don't those use a hub, which the hub controls them, which the hub needs access to the internet.. You then control it via the internet not having to be on the same network, etc..
-
So you're saying you can not control HUE if you're not home via the internet? You have to be on the same L2 domain?? That is pretty shitty design!! Don't those use a hub, which the hub controls them, which the hub needs access to the internet.. You then control it via the internet not having to be on the same network, etc..
I can control them but not via Apple HomeKit while I was at home, maybe I need to have a bit more of a play.
It could be down to trying it when HomeKit was first introduced, it could have been teething problems.
-
It could be down to trying it when HomeKit was first introduced, it could have been teething problems.
Yea, it's working fine now on different subnets.