Smart home….



  • Getting ready to set up some devices for the beginning of a smart home setup.  What's the best way to do this with pfSense?  I'm going to be using either a homepod or ATV as my hub.  Since I'm new to pfSense, should I keep this separate from the rest of my network?  If someone can provide a somewhat detailed explanation of the best way to set this up, it would be appreciated.

    Thanks.



  • Detailed explanation I have to charge you. :D

    The basics are very simple: follow the HA maker's instructions. Basically they ask you to "make a hole" in your firewall blah-blah for outside access, and doing this to a flat, single subnet is pretty straightforward.

    But OK, u want to get fancy and isolate. Lots of people build a VLAN for this purpose. Folks here would advise building the VLAN through your switches, rather than through pfsense, then you gotta set up rules for whatever inter-VLAN communication u desire.



  • If you haven't got your pfSense box yet, be sure to choose one with a processor that supports AES-NI (CPU Crypto: YES).

    As SammyWoo hinted, you'll need a manageable switch. What I did here was get two dumb 5-port/1GB switches and connect to a Mikrotik RB450G router and I have a smart powerhouse router, and well-managed switch combined. That's my LAN set up. Be sure to use either Ethernet cable or fiber optics for streaming devices.

    Since you mentioned two Apple devices, I also recommend using Apple Extreme AP for all your Apple wireless devices. That's what I did so that the Apple devices can have synergy (Apple fan). You most likely need some WIFI repeaters.



  • I am a complete noob with pfsense so it may be that mine isn't set up correctly. I have taken the default pfsense install and added openvpn thru expressvpn. All my smart home devices just worked without having to do anything with the firewall. Maybe I am missing something?


  • Rebel Alliance Global Moderator

    Out of box yeah all your smart home stuff will work pretty much out of the box.. If you are having to open inbound to them - you're doing it wrong! ;)

    But many people like to isolate their IOT smart home stuff from the rest of their network.. This is where pfsense and smart switch makes it easy…  Since you can create multiple networks/vlans and then firewall between them really easy..

    All of my iot stuff is isolated, smart plugs, lightbulbs, Echos, nest, etc. from my normal network(s) and can not talk to anything directly.  And normally log where they go on the internet even.



  • @Skooby:

    I am a complete noob with pfsense so it may be that mine isn't set up correctly. I have taken the default pfsense install and added openvpn thru expressvpn. All my smart home devices just worked without having to do anything with the firewall. Maybe I am missing something?

    If the smart device initiates the call, then as long as the traffic is not blocked you won't need to open any port forwards.

    @wyzard:

    Getting ready to set up some devices for the beginning of a smart home setup.  What's the best way to do this with pfSense?  I'm going to be using either a homepod or ATV as my hub.  Since I'm new to pfSense, should I keep this separate from the rest of my network?  If someone can provide a somewhat detailed explanation of the best way to set this up, it would be appreciated.

    Thanks.

    Step 1:
    Make sure you understand the implications of having a speaker monitoring your conversations and passing them back to what will become increasingly more sophisticated artificial intelligence.  As much as I would love one of those toys, I think I'll get off my butt and turn on the light or use another device to make a query if I need information. To each his own, but this technology is further enabling a "1984 surveillance state".  The recent Facebook "incident" is just the tip of the iceberg I promise you - we just don't know about it yet.  When stuff goes into the "cloud" unless you encrypt it, you have no idea who will have access - and I don't give a crap about Privacy Policies/ToS, these can change overnight (or the company may lie or get hacked).

    Step 2:
    Don't let any of that crap anywhere near the computers on your network as the security of these small devices is questionable at best.  Many businesses are learning this the hard way when someone hacks the A/C controller (or other "smart" device) and then uses it to break into other computers on the network.

    The "RIGHT" way to do it is to have a managed switch and VLANs, but if you are a networking noob (as I was when I dived into a Cisco SG300 managed switch), you are going to be facing a steep learning curve - know what you are getting into before you start.  I still have lots to learn, but I can improve my network and do a lot more as my skills and time permit.  I don't regret it, but I paid a steep price for some very hard-earned knowledge.

    The "Easy way" to do this would be to buy a second router/access point to connect all the "crud" to and then connect that to an OPT port of pfSense and route it straight to the Internet.

    Internet of CRUD---[AP]---|pfSense|---->Internet
    Existing Network---[AP]---|       |
    [AP] - Home router used as a wireless access point

    Step 3:
    Improve your security by filtering traffic.  After you have your system set up, start packet filtering for a while and use Wireshark (Google is your friend if you aren't familiar with it) to determine who is talking to who (easy but a bit time consuming), make sure you are OK with what is happening and then write rules to pass this traffic and block/log anything else.

    The downside is that things might break if the vendor makes changes, so you'll need to periodically check firewall logs for traffic that is being blocked.

    The upside is if your homepod is trying to call home to Russia, it is likely something has been hacked - either your device, or the vendor's network and you can take appropriate action.

    If you are unfortunate enough to require incoming connections (port forwarding) - I agree with johnpoz it's a disaster waiting to happen - but you can mitigate that a lot by having very restrictive rules for the traffic attempting to use that port forward.  Not great, but much better than letting anyone who wants have an open door to hack at.

    I don't remember the details, but there was IIRC a smart light that could be made to catch fire by switching it on/off rapidly, so in some cases security faults may be much more than "inconvenient".

    These little devices can also make very nice bot nets for DoS attacks.  Send one command through IRC and 1,000,000 smart lightbulbs start sending SYNs to AMAZON, EBay or some other target.

    Hope that helps either give you a start or else decide to wait for the state of the art to mature.



  • I can't give any better technical over what is applied above but I can give my experiences which, in and of themselves, show why you should do it right.

    I use OpenHab and buy a lot of tat from China via AliExpress, BangGood etc - anyone who will post to the UK :)
    For the most part I try to flash my own or other Open Source firmware on it. There is more of a chance of prying eyes then. I have near-full automation from heating to all lights, presence and motion detection, wifi location tracking etc. All these features require one or many little things which I obtained from China / Ebay / AliExpress etc.

    My setup is a VLAN - both on wired and wifi - for IoT stuff. This is blocked to the internet other than specific devices which I allow out. Said devices are the OH controller, Alexa and, urm, nothing else :)
    Inter-VLAN routing is managed by pfSense and only specific clients can route between the two.

    I bought a cheap tablet as a wall-mount-dashboard from China. £50 for a 10.1 inch Android jobbie recently.
    I was looking at the logs a few days ago trying to work something out and noticed a large amount of hits on my deny-all rule. The tablet is constantly trying to phone-home. There are bursts of traffic to an IP in China. The traffic is over https so I cannot - for now - see what it is. I will try using ssl-strip one of these days when I get some time.
    A few of the LED controllers also call home constantly.

    • All in all, you need to separate everything off from your main network.

    • Use a proper controller such as OpenHAB, HomeAssistant, Domoticz etc to control the smart home. Do not rely on each item because you cannot truly own them

    • Try, where possible, to use items which you can flash your own firmware on. Often this adds a large feature set and is maintained.

    • Do think Security-First

    Of course, none of the above is as bad as having a Samsung Android tablet - they're the worst culprits :(
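
Added example, not part of any post in this thread: the periodic check of blocked traffic described in Step 3 above, and the deny-all hits from the wall tablet in the last post, as a script that tallies which outside hosts the IoT devices were blocked from reaching. The IoT subnet, interface names and log lines are constructed; field positions follow pfSense's raw filter log layout for IPv4 TCP/UDP entries and should be checked against your own logs.

```python
import csv
import ipaddress
import re
from collections import Counter

# Assumption: the IoT VLAN is 192.168.30.0/24 (constructed for this example).
IOT_NET = ipaddress.ip_network("192.168.30.0/24")

# Constructed sample lines in pfSense's raw filterlog CSV layout.
SAMPLE_LOG = [
    "Mar 10 12:00:01 fw filterlog[411]: 5,,,1000000103,igb1.30,match,block,in,4,0x0,,64,4711,0,DF,6,tcp,60,192.168.30.21,203.0.113.45,51234,443,0,S,1234,,64240,,mss",
    "Mar 10 12:00:04 fw filterlog[411]: 5,,,1000000103,igb1.30,match,block,in,4,0x0,,64,4712,0,DF,6,tcp,60,192.168.30.21,203.0.113.45,51235,443,0,S,1235,,64240,,mss",
    "Mar 10 12:00:09 fw filterlog[411]: 5,,,1000000103,igb1.30,match,block,in,4,0x0,,64,4713,0,DF,6,tcp,60,192.168.30.21,203.0.113.45,51236,443,0,S,1236,,64240,,mss",
    "Mar 10 12:01:00 fw filterlog[411]: 5,,,1000000103,igb1.30,match,block,in,4,0x0,,64,4714,0,none,17,udp,76,192.168.30.40,198.51.100.7,40001,123,56",
    "Mar 10 12:01:30 fw filterlog[411]: 9,,,1520000001,igb1.30,match,pass,in,4,0x0,,64,4715,0,DF,6,tcp,60,192.168.30.10,192.0.2.10,50000,443,0,S,99,,64240,,mss",
    "Mar 10 12:02:00 fw filterlog[411]: 4,,,1000000101,igb1,match,block,in,4,0x0,,64,4716,0,DF,6,tcp,60,192.168.1.50,203.0.113.45,50001,443,0,S,77,,64240,,mss",
    "Mar 10 12:02:10 fw filterlog[411]: 7,,,1000000105,igb1.30,match,block,in,6,0x00,0x00000,64,udp,17,48,fe80::1,ff02::fb,5353,5353,48",
]

def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog entry, else None."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    f = next(csv.reader([m.group(1)]))
    # f[8] is the IP version, f[16] the protocol name; only IPv4 tcp/udp
    # entries carry src/dst/ports at the positions used below.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    try:
        return {"iface": f[4], "action": f[6], "proto": f[16],
                "src": ipaddress.ip_address(f[18]),
                "dst": ipaddress.ip_address(f[19]), "dport": int(f[21])}
    except ValueError:
        return None  # malformed address or port

def blocked_iot_destinations(lines, iot_net=IOT_NET):
    """Count blocked flows from the IoT subnet, busiest first."""
    hits = Counter()
    for line in lines:
        e = parse_filterlog(line)
        if e and e["action"] == "block" and e["src"] in iot_net:
            hits[(str(e["src"]), str(e["dst"]), e["proto"], e["dport"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (src, dst, proto, dport), n in blocked_iot_destinations(SAMPLE_LOG):
        print(f"{n:4d}  {src} -> {dst} {proto}/{dport}")
```

A device that appears here after a firmware update may just need a new pass rule; one that keeps retrying the same outside address is the phone-home pattern described in the last post.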