Multi IOT Device Network Setup Question

Forced2b

Hey Guys, Newbie Here.

Let me tell you what I have, then I will get to my questions.

Home Network Equipment

1. Cable Modem
2. PFSense Router - Two 10GB Ports and Two 1GB Ports.
3. Two Wireless Access Points with two unique SIDS
4. 10GB Layer 2 Smart Switch
5. 1GB Layer 3 Smart Switch

IOT Devices that need internet:
Apple TV
TV's
Nintendo Switch
Phones
A/C Receivers
PS3-PS4
Sprinkler System
IP Phones
Ipads
Amazon Alexa
Wireless Printers
IP Cameras - The NVR needs to be able to update firmware
Thermostats
Wink Hub - Needs to be able to update itself, it controlls devices below.

IOT Devices that do not need internet but can be all ran by apps on my iphone:
Doorbell
Wireless Light Switches
Garage Door
Door Locks
Alarm System
Approximately 35 Total IOT Devices between both lists.

Questions:

1. Should I put ALL IOT devices in both lists on one wireless AP?
2. Should I segegrate and put the first list on one wireless AP and the second list on the second wireless AP?
3. My phones and tablets all access critical information on network, banking, credit cards etc. Should those be segragated even more from the first IOT list (so basically split that list). That would make for 3 wireless APs.
4. So lets assume you all recommend one of my options or something completely different. How do we stop hackers from hacking one IOT device and then accessing them all? I do not want my sprinkler system hacked and then they can access my entire security camera system?

My thoughts:

One AP for phones, tablets and laptops
One AP for non-internet accessing IOT devices
One AP for internet accessing IOT devices
Plug ALL three AP's into their own network access cards on the pfsense router in three seperate vlans.
However, do i want 3 wireless AP's in the same house? Wouldnt that cause massive interference? Now you can see why I need help. I do not know the best way to set all of this up.

Can you guys tell me the best way to set all of this up please?

Forced2b

Seriously? Anybody have a comment?

johnpoz

"How do we stop hackers from hacking one IOT device and then accessing them all?"

You do so with isolation.. Put your different IOT type devices on their own segments.. This could be done with different AP, or AP that support vlans.  If the iot devices support wpa-enterprise you could assign dynamic vlans based upon auth.  If your iot devices do not support that then you could assign them via MAB to dynamic vlans.

If your iot devices on the same segment do not even need to talk to each other then put them on a private vlan, ie devices can not talk to each other.  This is sometimes called isolation on APs, etc.

As to controlling internet - you could do that on pfsense no matter how you have them setup be all in one vlan or not..

jahonix

Your listing of IoT devices that need internet is misleading. I wouldn't call those IoT but simple CE devices, consoles, etc:
Apple TV, TVs, Nintendo Switch, Phones, A/C Receivers [meant to be A/V Receivers?], PS3-PS4, Ipads, Wireless Printers

This is VoIP and can/should be separated (not so much for security but for QoS at least):
IP Phones

These are IoT devices:
Amazon Alexa
Sprinkler System
IP Cameras
Thermostats
Wink Hub

Do you have 2 unique SSIDs per AP or could you make them transmit multiple SSIDs?
IoT devices, especially when battery-powered, use low-energy modes and often have (very) limited WiFi range. Be conservative with your WLAN planning and better add an additional AP.

Your shopping list above makes for three (or more) separated networks. And I wouldn't put PCs/Laptops and A/V devices / consoles on the same subnet. That makes it 4 distinctive subnets.

Velcro

Interesting discussion…and scary! Your sprinkler needs Internet access? I get it...but wow!

How about this for an approach:

I would look at grouping devices by trust and damage that can be done if they are hacked. i.e. if your sprinkler is hacked you get a wet lawn vs your cameras hacked and they can look inside your house and put your family online!

Maybe put your cameras on their own VLAN with very restrictive rules, specific alias IPs, limited ports, snort IPS, etc...

Sprinkler, thermostat, TVs, A/C Reciever, wireless printer(No internet access), wireless light switches on thier own.

I have a printer which I don't trust as far as I can spit...so I don't give it any internet access. I group it in my IOT VLAN and access it thru polcy rules from other VLANs,

Email/banking devices give their own VLAN.

Alexa maybe its own VLAN...thats another scary device.

I think the balance you will need to look at is manageability, security, usability and privacy. Keep it simple...

Follow up questions would be:
Do you have cable running thru the house or is wireless your only option? That would drive the number of SSID vs using a switch and hardwire.
How big is your house i.e. do you need a big range?
Do some of these devices need to be on the same segment to control?

Open to feedback...