IoT - Thermostat communication
Newly installed pfSense and loving it! Lots to learn and so little time... and money :) Instead of calling myself a noob I like to say I'm a hobbyist (a hack, some might say) with enough knowledge to be dangerous.
I have read a few websites and watched a few videos on setting up and configuring a VLAN for an IoT segment. That got me thinking, so I want to ask before I try to set it up on my home network.
Presently I have a very simple one-segment LAN with an IoT thermostat getting its IP from pfSense DHCP. I can open up the phone app and communicate with it at home, work or anywhere I can connect to the internet.
The question: If I put the thermostat on its own VLAN and set up FW rules so as not to allow it to communicate on my local LAN, will the phone app still allow me to communicate with it if I am at home connected to my wifi, or do I have to disable wifi and use carrier data to be able to communicate?
I can open up the phone app and communicate with it at home, work or anywhere I can connect to internet.
Since you say you can connect to it anywhere, most likely you're talking to the company site on the internet that your thermostat phones home to. This is how most of them would work.
So as long as you allow your thermostat to talk outbound to the internet you should be fine. I have a Lennox S30; I can access controls from anywhere as well, and the VLAN it is on cannot talk to my other VLANs, etc.
Also keep in mind that if your LAN, say, is allowed to talk to the IoT network, you could directly access anything on that VLAN, and they could answer you via the state that is created when the LAN is allowed there. But devices on this VLAN wouldn't have to be allowed to start conversations with devices on your other networks/VLANs.
Thank you for the quick response! That makes sense regarding talking to the company website. Also that makes sense regarding the FW rules, which if set up correctly would work as you stated. Will go ahead with configuring this and learn some more! Greatly appreciate the answer, and in language I can understand as well :)
@digiguy happy to help if you have more questions. I have quite a few IoT devices and multiple VLANs set up with restrictions, etc., so I can use them for examples, etc., etc.
If you're going to lock down this IoT VLAN, just make sure it can do DNS and it can talk to the internet, and it should work just fine even when it cannot start any conversations with any of your other local networks' devices.
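The two answers above describe a first-match, stateful rule set on the IoT interface: allow DNS to pfSense, block new flows to the other private networks, allow everything else (the internet), while the LAN side may open connections into the IoT VLAN and get replies back through the state table. The following is an added illustration, not pfSense code and not from either poster: it models that rule evaluation in Python so the outcomes can be checked packet by packet. The addresses (LAN 192.168.1.0/24 with a phone at 192.168.1.10, IoT VLAN 192.168.20.0/24 with pfSense at 192.168.20.1 and the thermostat at 192.168.20.50, vendor cloud at 203.0.113.10) and the interface rule tables are constructed for the example.

```python
"""Model of pfSense-style first-match, stateful firewall rules for an IoT VLAN.

Added illustration, not pfSense code. All addresses are constructed:
  LAN          192.168.1.0/24   (phone at 192.168.1.10)
  IoT VLAN     192.168.20.0/24  (pfSense at 192.168.20.1, thermostat at 192.168.20.50)
  vendor cloud 203.0.113.10     (TEST-NET-3 documentation range)
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
IOT_GATEWAY = "192.168.20.1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The packet the destination would send back for this one."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Rule:
    action: str                               # "pass" or "block"
    dst_nets: List = field(default_factory=list)  # empty list = any destination
    dport: Optional[int] = None               # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if not self.dst_nets:
            return True
        return any(ipaddress.ip_address(pkt.dst) in n for n in self.dst_nets)


# Rules are evaluated on the interface a packet ENTERS, top to bottom, first match wins.
RULES: Dict[str, List[Rule]] = {
    "iot": [
        Rule("pass", [ipaddress.ip_network(IOT_GATEWAY + "/32")], dport=53),  # DNS to the pfSense resolver
        Rule("block", RFC1918),                                               # no new flows to LAN / other VLANs
        Rule("pass"),                                                         # anything else: the internet
    ],
    "lan": [Rule("pass")],  # LAN may open connections anywhere, including into the IoT VLAN
    "wan": [],              # no rules = default deny for unsolicited inbound traffic
}


class StatefulFirewall:
    def __init__(self) -> None:
        self.states: Set[Tuple[str, str, str, int, int]] = set()

    @staticmethod
    def ingress_interface(pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        if src in IOT_NET:
            return "iot"
        if src in LAN_NET:
            return "lan"
        return "wan"

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rkey = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # An existing state lets either direction of the flow through without a rule lookup;
        # this is why the thermostat can answer the phone without being allowed to start flows.
        if key in self.states or rkey in self.states:
            return "pass (state)"
        for rule in RULES[self.ingress_interface(pkt)]:
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action
        return "block"  # implicit default deny


def demo() -> Dict[str, str]:
    """Run the flows discussed in the thread through the model and return each verdict."""
    fw = StatefulFirewall()
    thermostat, phone, cloud = "192.168.20.50", "192.168.1.10", "203.0.113.10"
    results: Dict[str, str] = {}
    to_cloud = Packet(thermostat, cloud, "tcp", 40001, 443)
    results["thermostat->cloud"] = fw.filter(to_cloud)
    results["cloud->thermostat reply"] = fw.filter(to_cloud.reply())
    results["thermostat->pfsense dns"] = fw.filter(Packet(thermostat, IOT_GATEWAY, "udp", 40002, 53))
    results["thermostat->phone"] = fw.filter(Packet(thermostat, phone, "tcp", 40003, 80))
    from_phone = Packet(phone, thermostat, "tcp", 50001, 80)
    results["phone->thermostat"] = fw.filter(from_phone)
    results["thermostat->phone reply"] = fw.filter(from_phone.reply())
    results["cloud->thermostat unsolicited"] = fw.filter(Packet(cloud, thermostat, "tcp", 1234, 80))
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:32} {verdict}")
```

The order of the three IoT rules matters: if the "pass any" rule came first, the RFC1918 block would never be reached and the thermostat could open connections to the LAN. Note too that the block rule only stops flows the IoT side starts; the phone's connection from the LAN creates a state, and the thermostat's answer rides that state back.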
@johnpoz Okay more questions it is...
As I said earlier, I have a simple one-segment LAN using an unmanaged switch and a TP-Link wireless router set up as an AP plugged into the switch. Being the cheap, poor hobbyist I am, I found a Linksys WRT54GS at a Goodwill. I was going to use that for an IoT VLAN plugged into the switch. I know it's not ideal or as secure as using a managed switch, but would it still work?
@digiguy well, a WRT54GS is quite old. Do your IoT devices even support G wifi? Man, that is old. But sure, they probably don't need much bandwidth.
But where you're going to run into a problem is your dumb switch. There is no way to actually isolate that traffic. While sure, you could use physical isolation for this WRT router and your IoT devices, you would need another interface on pfSense to plug into, bypassing that dumb switch that is your LAN switch.
So to isolate this IoT network from your LAN network you have a couple of options. Use another physical interface to plug this old WRT router into; now you have a new physical network you set up on that pfSense interface.
Or you could get a smart switch and set up a VLAN for where you're going to plug in this IoT wifi router you want to use, and then set up a VLAN on pfSense, where traffic is tagged as that VLAN on the interface you're connecting from pfSense to this VLAN-capable switch.
VLAN-capable switches can be had for less than $40: 8-port gigabit switches that can do VLANs.
@johnpoz Kinda what I was thinking in regard to the dumb switch and the age of the wifi. Didn't break the bank ($7), so I could play around with it or just throw it away even. Again, I appreciate the advice/suggestions!