Multi IOT Device Network Setup Question

  • Hey Guys, Newbie Here.

    Let me tell you what I have, then I will get to my questions.

    Home Network Equipment

    1. Cable Modem
    2. pfSense Router - Two 10GB Ports and Two 1GB Ports.
    3. Two Wireless Access Points with two unique SSIDs
    4. 10GB Layer 2 Smart Switch
    5. 1GB Layer 3 Smart Switch

    IOT Devices that need internet:
    Apple TV
    Nintendo Switch
    A/C Receivers
    Sprinkler System
    IP Phones
    Amazon Alexa
    Wireless Printers
    IP Cameras - The NVR needs to be able to update firmware
    Wink Hub - Needs to be able to update itself; it controls the devices below.

    IOT Devices that do not need internet but can all be run by apps on my iPhone:
    Wireless Light Switches
    Garage Door
    Door Locks
    Alarm System
    Approximately 35 Total IOT Devices between both lists.


    1. Should I put ALL IOT devices in both lists on one wireless AP?
    2. Should I segregate and put the first list on one wireless AP and the second list on the second wireless AP?
    3. My phones and tablets all access critical information on the network, banking, credit cards etc. Should those be segregated even more from the first IOT list (so basically split that list)? That would make for 3 wireless APs.
    4. So let's assume you all recommend one of my options or something completely different. How do we stop hackers from hacking one IOT device and then accessing them all? I do not want my sprinkler system hacked and then they can access my entire security camera system.

    My thoughts:

    One AP for phones, tablets and laptops
    One AP for non-internet accessing IOT devices
    One AP for internet accessing IOT devices
    Plug ALL three APs into their own network access cards on the pfSense router in three separate VLANs.
    However, do I want 3 wireless APs in the same house? Wouldn't that cause massive interference? Now you can see why I need help. I do not know the best way to set all of this up.

    Can you guys tell me the best way to set all of this up please?

  • Seriously? Anybody have a comment?

  • LAYER 8 Global Moderator

    "How do we stop hackers from hacking one IOT device and then accessing them all?"

    You do so with isolation. Put your different IOT type devices on their own segments. This could be done with different APs, or APs that support VLANs. If the IoT devices support WPA-Enterprise you could assign dynamic VLANs based upon auth. If your IoT devices do not support that then you could assign them via MAB to dynamic VLANs.

    If your IoT devices on the same segment do not even need to talk to each other then put them on a private VLAN, i.e. devices cannot talk to each other. This is sometimes called isolation on APs, etc.

    As to controlling internet - you could do that on pfSense no matter how you have them set up, whether all in one VLAN or not.

  • Your listing of IoT devices that need internet is misleading. I wouldn't call those IoT but simple CE devices, consoles, etc:
    Apple TV, TVs, Nintendo Switch, Phones, A/C Receivers [meant to be A/V Receivers?], PS3-PS4, iPads, Wireless Printers

    This is VoIP and can/should be separated (not so much for security but for QoS at least):
    IP Phones

    These are IoT devices:
    Amazon Alexa
    Sprinkler System
    IP Cameras
    Wink Hub

    Do you have 2 unique SSIDs per AP or could you make them transmit multiple SSIDs?
    IoT devices, especially when battery-powered, use low-energy modes and often have (very) limited WiFi range. Be conservative with your WLAN planning and better add an additional AP.

    Your shopping list above makes for three (or more) separated networks. And I wouldn't put PCs/Laptops and A/V devices / consoles on the same subnet. That makes it 4 distinctive subnets.

  • Interesting discussion…and scary! Your sprinkler needs Internet access? I get it...but wow!

    How about this for an approach:

    I would look at grouping devices by trust and damage that can be done if they are hacked. i.e. if your sprinkler is hacked you get a wet lawn vs your cameras hacked and they can look inside your house and put your family online!

    Maybe put your cameras on their own VLAN with very restrictive rules, specific alias IPs, limited ports, Snort IPS, etc...

    Sprinkler, thermostat, TVs, A/C Receiver, wireless printer (no internet access), wireless light switches on their own.

    I have a printer which I don't trust as far as I can throw it, so I don't give it any internet access. I group it in my IOT VLAN and access it through policy rules from other VLANs.

    Email/banking devices get their own VLAN.

    Alexa maybe its own VLAN...that's another scary device.

    I think the balance you will need to look at is manageability, security, usability and privacy. Keep it simple...

    Follow up questions would be:
    Do you have cable running through the house or is wireless your only option? That would drive the number of SSIDs vs using a switch and hardwire.
    How big is your house i.e. do you need a big range?
    Do some of these devices need to be on the same segment to control?

    Open to feedback...
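As an added illustration of the per-VLAN isolation the moderator describes and the "cameras on their own VLAN with very restrictive rules" idea in the last reply, this Python model evaluates first-match firewall rules on the interface where traffic enters, the way pfSense does; it is example code written for this page, not from the thread or from pfSense. The subnets, the NVR address and the rule set are constructed assumptions, and stateful return traffic is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing for the segments discussed in the thread
# (assumed here; not the poster's real network).
SEGMENTS = {
    "trusted":   ipaddress.ip_network("192.168.10.0/24"),  # phones, tablets, laptops
    "iot_inet":  ipaddress.ip_network("192.168.20.0/24"),  # sprinkler, Alexa, Wink hub
    "iot_local": ipaddress.ip_network("192.168.30.0/24"),  # light switches, locks, garage door
    "cameras":   ipaddress.ip_network("192.168.40.0/24"),  # IP cameras plus the NVR
}
NVR = "192.168.40.2/32"  # assumed NVR address: the only camera-VLAN host allowed out
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # CIDR, "any", or the alias "rfc1918"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

# Rules live on the interface where the traffic ENTERS pfSense; first match wins.
# "block rfc1918, then pass any" is the usual pfSense idiom for "internet only".
RULES = {
    "trusted":   [Rule("pass", "any", "any")],
    "iot_inet":  [Rule("block", "any", "rfc1918"), Rule("pass", "any", "any")],
    "iot_local": [Rule("block", "any", "any")],  # phones reach these from trusted; replies ride the state table
    "cameras":   [Rule("block", "any", "rfc1918"), Rule("pass", NVR, "any", 443)],  # NVR firmware updates only
}

def _match(spec, ip):
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(spec)

def segment_of(ip):
    """Name the VLAN an address lives in, or 'wan' if it is not one of ours."""
    return next((name for name, net in SEGMENTS.items() if ip in net), "wan")

def allowed(src, dst, dport):
    """True if a new connection src->dst:dport is permitted by the rules on src's VLAN."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES.get(segment_of(s), []):
        if _match(rule.src, s) and _match(rule.dst, d) and rule.dport in (None, dport):
            return rule.action == "pass"
    return False  # pfSense's implicit default deny
```

With these rules a compromised sprinkler (`192.168.20.5`) can reach the internet but gets no path to a camera on `192.168.40.10`, which is the scenario the original question worried about.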
