Smart home ..... but how to keep it secure .....
-
Hello, I am just starting with some smart home devices, however I do not like the cloud and I surely do not want to have IOT-devices on my regular PC-lan / wifi.
So I did create an IOT-vlan and bought a zigbee gateway with an UTP-connection.
On the pfSense side I did allow the IOT-vlan to access the internet, however not to access my local network. The PC-lan is allowed to access the IOT-VLAN.
So that does not work, all kind of unexpected things to be solved:
- the gateway does NOT !!?? get an IP address, at least pfSense is not aware of one (it does not show up in the ARP table)
- pfSense packet capture does not capture the HomePlug messages as sent by the zigbee gateway (wireshark running on a pc does)
- the tablet in the PC-lan does not see the zigbee gateway, which is not strange, since the tablet needs to see some kind of multicast to know that there is a gateway and where it is;
- However the gateway does need an IP-address to send that message, and probably an application like avahi is required to allow that message to pass to another vlan (in this case the PC-lan)
- If I temporarily connect the zigbee gateway in the PC-lan, my tablet with the tuya app installed sees the gateway and the gateway sees the zigbee devices
Whatever, does anyone have experience with this which can help to make this work?
Louis
-
@louis2 what rules exactly did you put on this new vlan?
pfSense packet capture does not capture the HomePlug messages as sent by the zigbee gateway (wireshark running on a pc does)
when you have your zigbee gateway in the new iot vlan? This would point to the zigbee not actually being in the iot vlan but still on the lan?
I have seen some iot devices not like to change to a new network unless you forget the network, or reset it. My thermostat is like that - I had set it up on vlan for testing, and then wanted to move it to different vlan. Wouldn't work until I reset its network stack.
-
Yeah if the gateway does not pull an IP from pfSense then it's probably a layer 2 issue. Check the VLAN config.
-
I had a few minor problems, among them a wrong PVID setting, which explained the level 2 part of the problem.
The other problem was that I hoped that the gateway was under my control and that the tablet I use to control my IOT-devices was accessing the gateway.
And that things would still work if the internet connection would be down.
But regrettably it works differently:
- the gateway only talks to the Tuya cloud and is not under my control at all (China can turn my equipment on and off, no problem)
- the gateway controls my equipment as commanded by Tuya
- to make this possible the gateway takes care of a permanent connection to the Tuya cloud
- my tablet is communicating with the Tuya cloud, which translates that into commands towards the gateway.
I could have known this, but it is not what I like and regard as secure. (I would like to have the intelligence at home and under my personal control)
Whatever, the only thing I can do to make it a little bit more secure is placing the gateway in its own IOT-vlan which is not allowed to communicate with any other vlan / equipment I have. So that is what I did.
-
@louis2 personal advice / opinion:
It is always a good idea to not allow your iot vlan to access any other vlan you have running.
Then: get rid of that tuya bridge and look for alternatives such as home assistant which can integrate many different providers in smart home equipment and is run in your own personal cloud, no internet needed (except updates).
So you have your smart home stuff in a separated, isolated vlan, can access it with mobile and lan devices, can restrict traffic outbound for iot... and no provider cloud somewhere else...
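The IoT-VLAN policy described in this thread (IoT may reach the internet but not the PC-lan, PC-lan may reach IoT) modelled as a small first-match rule evaluator, added here as an illustration and not taken from any of the posts or from pfSense itself. Subnets, the pfSense address on the IoT VLAN and the rule order are constructed assumptions; the one caveat it shows is that a blanket "block IoT to all private networks" rule also blocks DNS/NTP to the firewall's own IoT-side address unless a pass rule for that address comes first.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread).
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # PC-lan
IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # IoT VLAN
IOT_GW = ipaddress.ip_network("192.168.50.1/32")    # pfSense address on the IoT VLAN


def in_any(addr, nets):
    return any(addr in n for n in nets)


# (ingress interface, action, source nets, destination nets), evaluated top to
# bottom with first match winning, like "quick" rules on pfSense. Rules are
# written on the interface where the packet enters, as pfSense does. Reply
# traffic is not modelled: on a stateful firewall it follows the created state.
RULES = [
    ("IOT", "pass",  [IOT_NET], [IOT_GW]),   # DNS/NTP/DHCP to the firewall itself
    ("IOT", "block", [IOT_NET], RFC1918),    # no IoT -> any private net (PC-lan included)
    ("IOT", "pass",  [IOT_NET], [ANY]),      # IoT -> internet (the Tuya cloud)
    ("LAN", "pass",  [LAN_NET], [ANY]),      # PC-lan -> anything, IoT VLAN included
]


def evaluate(iface, src, dst, rules=RULES):
    """Return 'pass' or 'block' for a packet entering on iface; default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, action, srcs, dsts in rules:
        if r_iface == iface and in_any(src, srcs) and in_any(dst, dsts):
            return action
    return "block"


def check_policy():
    """Exercise the flows discussed in the thread; returns {flow: decision}."""
    flows = {
        "iot->internet": ("IOT", "192.168.50.20", "8.8.8.8"),
        "iot->pc-lan":   ("IOT", "192.168.50.20", "192.168.1.10"),
        "iot->other-private": ("IOT", "192.168.50.20", "10.0.0.5"),
        "iot->firewall-dns":  ("IOT", "192.168.50.20", "192.168.50.1"),
        "pc-lan->iot":   ("LAN", "192.168.1.10", "192.168.50.20"),
    }
    return {name: evaluate(*pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, decision in check_policy().items():
        print(f"{name:22} {decision}")
```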