Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking IoT and other devices on my network

    Firewalling
    7
    11
    1.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      MikeHalsey
      last edited by MikeHalsey

      Hi, I'm new to all this and have just purchased a Netgate 2100 box. To paint a picture for you this sits between my Starlink box and a Netgear Mesh Wi-Fi system, which I need as my Internet connection services both my house and an outhouse.

      I have set the Mesh box to AP mode as has been suggested to me so that the Netgate provides routing functions. I also have a guest network configured in the mesh box as I want to separate all the IoT devices, such as Alexa speakers, from my main network which contains a NAS and my PCs.

      I've hit a snag though as in AP mode the mesh box doesn't, for some bizarre reason, allow you to hide networked devices from the guest network, meaning any device or person connected to it will be able to see my PCs and the NAS.

      I very much doubt I'd get Netgear to submit a rush firmware fix for this, so I figured a solution can probably be found on the 2100, and likely in the firewall, though please admins move this post if it's in the wrong place. I want to be able to do two things...

      1. Specify that certain devices can only access the Internet and nothing on the network
      2. Block all newly connected devices (to the guest network if possible) from accessing local devices and resources, I will need to be able to change this on a device by device basis later as and when I need to

      This is, of course, unless a plug-in like pfBlockerNG can do this for me ๐Ÿ™‚

      Does anybody have any suggestions please?

      Many thanks ๐Ÿ™‚

      S johnpozJ A 3 Replies Last reply Reply Quote 0
      • D
        darcey
        last edited by

        I am guessing your wifi clients are accessing the alternate networks directly via the netgear AP's own routing and therefore before the traffic reaches pfsense.
        When I changed my existing wifi router over to AP mode (after moving to pfsense), I needed to use a third party firmware (supporting VLANs) in order to achieve proper SSID/network isolation.

        1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @MikeHalsey
          last edited by

          @mikehalsey When eero finally added guest to bridge mode they did make it isolate guests, I was pleased to find. Unless the guest devices get a different IP range (carrying through to the router) then I don't think there is a way to isolate them yourself, since LAN packets do not go through the router. As noted VLAN is a way to do this. Otherwise possibly a separate AP since on the 2100 ports can be isolated.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote ๐Ÿ‘ helpful posts!

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @MikeHalsey
            last edited by

            @mikehalsey said in Blocking IoT and other devices on my network:

            Netgear Mesh Wi-Fi system

            None of those soho mesh systems are going to be able to give you the isolation you want I am afraid.

            You need wifi that can do vlans - and I am not aware of really any soho or mesh wifi systems that supports it. Now if you could be say dd-wrt or openwrt on your equipment - more than likely you could do actual vlans.

            Is it too late to return that system and or sell it and get say something like some unifi AP.. They can do wireless uplink between the AP if you don't have the ability to run wires. They fully support vlans, with vlans its piece of cake to isolate devices onto their own networks and firewall between them with pfsense.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • D
              darcey
              last edited by darcey

              One other thing, if you do decide to isolate your various wifi networks using VLANs, you will need a managed switch OR connect the access point directly to the netgate box.

              I used my old Asus RT-N66U, which I'd been using as combined gateway router and access point, and installed freshtomato on it. This then allowed multiple wifi SSIDs each tied to a separate bridges and VLAN. These are then all trunked via one network port on the Asus RT-N66U with the remaining ports acting as regular access ports on one specific VLAN. That was IIRC a limitation of the SOC & hardware switch built in to the ASUS. It has been working well in this role since I moved to pfsense.Screenshot 2023-02-03 at 13-56-35 Advanced VLAN.png

              1 Reply Last reply Reply Quote 0
              • D
                darcey
                last edited by

                This post is deleted!
                1 Reply Last reply Reply Quote 0
                • S
                  slimypizza
                  last edited by

                  I have run pfSense on my home network for several years now. Great software! I also have a Netgear ORBI mesh wifi system - RBK853. I put my IoT devices on the ORBI guest network and it very effectively separates them from the rest of my system. Devices on the guest network are put on a separate LAN (eg, 192.168.2.x as opposed to my regular network of 192.168.1.x). The ORBI handles the isolation and I confirm that those devices are not in contact with my NAS, PCs, etc. For example if I connect to my guest wifi with a laptop then I cannot access any of my NAS drives or any other devices on the regular network. I canโ€™t even ping them.

                  D johnpozJ 2 Replies Last reply Reply Quote 0
                  • D
                    darcey @slimypizza
                    last edited by

                    @slimypizza I am not familiar with the ORBI or how it does virtual wireless. My ideal AP setup is what Openwrt refer to as dumb access point. That's If openwrt is perfomant on the hardware at hand, which it is not on RT-N66U due to the Broadcom SoC. So I went with FreshTomato. VLANs seem to be the preferred way to achieve isolation and push all the firewalling/routing control back to pfsense.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @slimypizza
                      last edited by

                      @slimypizza said in Blocking IoT and other devices on my network:

                      very effectively separates them from the rest of my system

                      Where exactly does it do that? Other devices connected to ORBI? How exactly does orbi keep devices on its wifi network from talking to devices on orbi wan? Which normally would be your pfsense network(s)..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      • C
                        capitainbu
                        last edited by capitainbu

                        Hey there, @MikeHalsey and check it!

                        It's great to see you diving into the intricacies of your setup with the Netgate 2100, Starlink, and Netgear Mesh Wi-Fi. Kudos for the proactive approach in setting up a guest network to isolate your IoT devices from your main network.

                        Now, onto your snafu with the Mesh box in AP mode. It's quite the pickle, I must say. While Netgear may not be rushing to your aid with a firmware fix, you've hit the right note with the Netgate 2100. Here's a way forward:

                        1. Access Control Lists (ACLs): Dive into the Netgate's firewall settings. You can create specific ACL rules to allow certain devices to only access the Internet, effectively blocking them from your local network. This is your first line of defense.

                        2. Device-Specific Rules: For your second requirement, you'll want to configure device-specific rules. You can do this in the firewall settings as well. Assign devices to different zones or VLANs and set up rules to control their access to local resources. This allows you to fine-tune your network security.

                        Now, for a sprinkle of personal experience: When I had a similar issue, I found that third-party firmware with VLAN support was a game-changer. It allowed me to achieve the desired isolation and control. So, if your situation persists, consider exploring that avenue.

                        And who knows, pfBlockerNG might just be your knight in shining armor...

                        1 Reply Last reply Reply Quote 0
                        • A
                          ASGR71 @MikeHalsey
                          last edited by

                          @MikeHalsey Hey Mike...

                          I've had this problem... isolating subnets etc...
                          This is a common issue with firewalls and you can find out how to do this in the documentation...
                          Just substitute OPT with WLAN or IOT. Should be all the same.
                          https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html

                          If you want to isolate individual clients, it has to be done at the switch level.
                          You'll have to find a managed switch that suppoers this feature.

                          ;-)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.