Isolating IoT via firewall rules



  • I have created a firewall rule that is designed to isolate my Dropcam from the rest of the network (image attached). The camera has set IP via DHCP reservations, the rule blocks any traffic from camera to LAN. The idea (at least in my mind) is quite simple - do not allow IoT to talk to my network at all, only to the outside world. If the camera is somehow breached, the hacker will only compromise that one device and would not be able to see or explore the rest of the network.

    Will this work, or is my rule stupid/ineffective? Entirely a possibility…

    If this approach works I plan to put all of my IoT devices within a dedicated IP range and apply this rule to that range, so compromised devices are contained.

    ![Screen Shot 2017-02-19 at 11.46.39 AM.png](/public/imported_attachments/1/Screen Shot 2017-02-19 at 11.46.39 AM.png)


  • LAYER 8 Global Moderator

    So your cameras are in the same "lan" network - or they are on a different network/vlan? Devices don't talk to pfSense to talk to devices on the same network as themselves. pfSense is the gateway off the network.. Why would 192.168.1.201/24 need to send traffic to pfSense to talk to 192.168.1.202/24??



  • Damn, good point… I did not think of that... So, no way to stop devices on the same LAN segment from seeing other devices? (other than VLANs)... No way to force even local traffic for select devices to go through pfSense?


  • LAYER 8 Global Moderator

    If your switch supports private VLANs. You should just isolate all your IoT to their own VLANs. Real APs and smart switches really work ;) even for the home network and are not all that expensive for even tight budgets



  • Thank you for responding! I hear you - what you described is the right way to go. The only reason I am looking for alternative solutions - existing equipment. I have 2 eero units, in a bridged mode. Eero makes an excellent mesh product, but it does not allow for multiple SSIDs, etc. Now I understand that getting managed switch, doing the VLAN thing and adding VLANs on AP would be the right way to go. Mind you - did not have a clue about all of this a week ago but learned by reading this great forum and asking stupid questions ;-)

    Problem is - Eero does not do any of the VLAN/ multiple SSIDs stuff…. and I am reluctant to chuck Eero away. So, was figuring out if there is any other way to fence off IoT - all of which connect via WiFi. Looks like there is no substitute for proper AP that can do VLANs. But I do not know of a solution that would be great at mesh AND support VLANs.


  • LAYER 8 Netgate

    In order to isolate at layer 2 you need layer 2 gear that supports some form of isolation.

    pfSense (or any layer 3+ firewall/router) cannot help you.
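    The point made above (hosts on one subnet never send each other's traffic through pfSense) as an added illustration, not code from the thread or from pfSense: a small model of which flows reach the gateway at all. The topology is constructed, with an assumed 192.168.50.0/24 IoT VLAN next to the poster's 192.168.1.0/24 LAN, and rule matching is simplified to first-match-wins with pfSense's implicit default deny.

    ```python
    import ipaddress

    # Constructed topology (not from the thread): the poster's flat LAN plus
    # an assumed, dedicated IoT VLAN. Anything outside both is "the internet".
    NETWORKS = [
        ipaddress.ip_network("192.168.1.0/24"),   # LAN: PCs, NAS, ...
        ipaddress.ip_network("192.168.50.0/24"),  # IoT VLAN (assumed)
    ]

    CAMERA_FLAT = "192.168.1.201"   # camera on the flat LAN (DHCP reservation)
    CAMERA_VLAN = "192.168.50.201"  # the same camera after moving it to the IoT VLAN
    NAS = "192.168.1.202"           # a LAN host the camera should never reach
    INTERNET = "203.0.113.10"       # documentation address standing in for "outside"

    def segment_of(host):
        """Return the local subnet/VLAN a host sits on, or None if it is off-site."""
        addr = ipaddress.ip_address(host)
        return next((n for n in NETWORKS if addr in n), None)

    def crosses_gateway(src, dst):
        """Only traffic leaving its own subnet is handed to the default gateway.
        Two hosts on the same /24 resolve each other with ARP and the switch/AP
        forwards the frame directly, so a layer 3 firewall never sees it."""
        s, d = segment_of(src), segment_of(dst)
        return d is None or s != d

    def rules_for(camera):
        """The poster's rule set: block camera -> LAN, then allow camera -> anything."""
        cam = ipaddress.ip_network(camera + "/32")
        return [(cam, NETWORKS[0], "block"), (cam, None, "pass")]

    def evaluate(src, dst, rules):
        """First matching rule wins; no match means pfSense's implicit deny.
        Returns 'bypassed' when the rule engine is never consulted at all."""
        if not crosses_gateway(src, dst):
            return "bypassed"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for src_net, dst_net, action in rules:
            if s in src_net and (dst_net is None or d in dst_net):
                return action
        return "block"

    if __name__ == "__main__":
        for cam in (CAMERA_FLAT, CAMERA_VLAN):
            for dst in (NAS, INTERNET):
                print(f"{cam:>15} -> {dst:<15} {evaluate(cam, dst, rules_for(cam))}")
    ```

    On the flat LAN the camera-to-NAS flow comes back as "bypassed": the block rule is correct but never evaluated, which is exactly why a separate VLAN (or private VLAN on the switch) is required before any pfSense rule can contain the device.
    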


  • LAYER 8 Global Moderator

    All I can suggest is sell that eero crap and get something that does vlans.  That sort of thing might be great for typical home user that just wants all their shit connected and doesn't care about any sort of security.

    That they put out a product at that price point that doesn't support vlans just blows my mind..  The netgear orbi stuff same boat no vlan support.

    If you want to secure your network and isolate different wifi devices like iot and or guest user devices, etc. Then you're going to need vlans. So you're going to need APs that support vlans. Or you're going to have to do it old school and use different AP for each network. So you could still use your eero for say your devices network. And then get other AP for your iot/guest users.

    I see a thread from like a year ago with eero asking about vlans.. Last update was they don't talk about future dev, but seemed to hint from year ago that might be something in future version.. I doubt it - or why didn't they put it out from the get go..



  • @forprocessing:

    … and I am reluctant to chuck Eero away.

    Really, why?
    Never heard of them before so I went to their site and saw: "Alexa, manage my WiFi"  :o
    Honestly, it doesn't get much dumber.
    Go to eBay and buy a used Ruckus 7372 or the like. And while you're there, sell this piece of PR madness.


  • LAYER 8 Global Moderator

    What could you do on your wifi via voice?  While I am a fan of alexa and the new voice control stuff generally speaking.  I love controlling my lights with it, and love to have it set timers and search for stuff on the internet.  Love my morning weather and news via simple voice command.  Can even change the temp in the house via voice - at a loss to what I would do with my wifi network??


  • LAYER 8 Netgate

    The irony of an IoT Wi-Fi device not being capable of segmenting IoT Wi-Fi.



  • @johnpoz:

    What could you do on your wifi via voice?

    Give away one more piece of privacy
    No, sorry, the application is that when you buy a new FireTV stick, it is not only pre-registered with your a-z account but with your SSID and password as well. A user shouldn't have to enter that on his own…

    The only use is marketing and the eero site is full of that.



  • You know what IoT makes me think of.  The Replicators on Stargate SG-1 series.  I know kinda silly isn't it.  But once those IoT things take over the world it might not seem so silly anymore.

    https://en.wikipedia.org/wiki/Replicator_(Stargate)



  • This is an interesting question for my situation too… which is double NAT (since I'm forced to use my ISP's router with DHCP/NAT).

    Now, the Gateway on my pfSense router has the IP of my ISP's router (it was set that way by default).

    Does this mean that, in this case, I'm able to block devices on my second LAN (devices behind pfSense)?

    Maybe a stupid question, but just trying to learn.



  • I have had good success with the Ubiquiti Unifi AC-Pro AP which is reasonably priced and you can set up multiple SSIDs/VLANs. There are also less expensive APs with less range if you want to go the multiple AP route. You would still need a managed switch, I would recommend the Cisco SG300 series, again not too pricey and perfect for a home environment.



  • Here is what I cannot figure out about Ubiquiti. I know APs offer multiple SSIDs, but can you do true mesh Wi-Fi with any line of their APs?


  • LAYER 8 Global Moderator

    They do have a new line of mesh stuff..

    https://unifi-mesh.ubnt.com/

    But to be honest, in a home setup why would you really want/need mesh. I have 3 APs, a Pro, Lite and LR models - can do dynamic vlans, can do min rssi, can do band steering.. Has all the features I could possibly need in such a setup for very reasonable cost. And can do multiple vlans - if using dynamically assigned really almost no limit on the number. If you're doing ssid based vlans then you would have a limit of 4 per band. I currently run 4 different vlans on my setup.

