Internet of things and isolation techniques
-
I've been using pfSense for my main router for about a year and am happy with it.
I'm putting in a new furnace and the installer asked me if I wanted a smart thermostat. I said 'no' because I was afraid of vulnerabilities. A remote server sat in between the thermostat and any attempt to access it. My home network would be no more secure than the manufacturer's remote servers.
Later, I reflected on VLANs and smart switches and decided that I need to get up to speed on them, since the internet of things is not going away and this approach would be the best way to isolate these items from places I don't want them to get to.
I plan to spend some time figuring it all out on my own. YouTube appears to have a lot of videos on the subject. They should ground me in the basics.
What I'm not sure about at this time is adding interfaces to pfSense off the LAN interface for separate subnets. I saw some videos on it and they were unclear about whether or how I would need to link them to a smart switch.
If someone could offer a few sentences on what I need to research about pfSense and this form of network isolation, I would be appreciative. I want to figure it out for myself. I'm just not clear on this detail and how it interacts with the system.
Thank you.
-
"I said 'no' because I was afraid of vulnerabilities"
Someone's tin foil hat is pretty freaking tight ;) ehehehe
There are a couple of different ways to go about isolation. You can for sure go the VLAN route.. Do you have a smart/managed switch? Does your wireless AP support VLANs? Most of these IoT devices are wifi.. So you really need a real AP that supports multiple SSIDs and VLANs.
Or, as I started to say, you can just use physical separation, where you use actual physical NICs in your pfSense to isolate your different network segments.
While joking about the tin foil hat, I also have my IoT devices isolated from my normal network.. I have a Nest thermostat and Protect, my DirecTV DVR, a Harmony hub for remotes.. Lots of stuff that likes internet and phoning home, etc. etc. It's a good idea for sure to monitor their traffic and isolate it from your normal network. While I think turning down a smart thermo because you're worried about it being on the network seems a bit much.. Just isolate the traffic as you're wanting to do.
Be aware that many of those YouTube videos are just pure freaking junk and quite old, etc.. Anyone that thinks they have clue one about how to network can throw up a video..
To set up a VLAN in pfSense is quite simple. Have you looked at https://doc.pfsense.org/index.php/VLAN_Trunking
So is it that you just do not understand what a VLAN is? Or what a smart switch is?
-
I have a smart switch but use it as a normal switch. I bought this model because I knew I would want to use isolation some day. I understand what VLANs are but have never set one up because I never needed to before now.
Edit: I just looked at the linked post. How does it relate to using the GUI to create VLANs off the LAN interface? How does the GUI get tied into a smart switch, or do I just need to give a device an address on the subnet I created on it to make it work?
For example, would I use the GUI to create a VLAN off the LAN interface and associate it with a new subnet, set up DHCP for that new subnet, then put a wireless router on my network and associate it with that subnet as an access point? Would that work? This is unclear and I need to learn VLAN fundamentals before even trying.
I have a couple of other devices on my network I never associated with IoT. Thanks for the heads up re your DirecTV DVRs. I have TiVo and Slingbox. Now I have more reasons to look into it.
-
"I said 'no' because I was afraid of vulnerabilities"
Someone's tin foil hat is pretty freaking tight ;) ehehehe
There have already been reports of IoT devices that leak wifi passwords. I'm not sure how they can be so horribly designed as to do that, but they bring a whole new class of "lowest bidder" quality implementations.
-
Agreed, IoT can be a concern for security.. Which is why they are on their own SSID with their own PSK and isolated to their own network segment.
As to creation of a VLAN.. If you only have 1 physical LAN interface on pfSense that is connected to your switch.. Yes, you would create a new VLAN and add it to your physical interface.
So for example here is my wlan_psk; this is where I put my Nest and Harmony, for example.
You can see it's on em2.. This is a trunk port on my switch that carries all the VLANs that are on that physical NIC. What specific switch do you have? I can go over how you would set up the port that connects to a NIC with VLANs on it.. And then how you would set up your other ports on the switch to be in a specific VLAN.
So you can see the ports on my SG300 switch. The ports that are trunks: ge3 is connected to pfSense em2, which sits on my ESXi host; ge4 is the uplink to another smart switch in my living room AV cab; while ge9 is the uplink to an AP. Depending on your switch, it might use the term "trunk" differently than Cisco does. But in general you're going to have ports that carry tagged traffic because they need to carry more than 1 VLAN, and then you're going to have ports that only have 1 VLAN on them..
Trunks that carry more than 1 VLAN are connected to NICs that have VLANs on them, like pfSense; to switches that will have more than 1 VLAN on that switch; and then to other devices that will also carry traffic that is on different VLANs, like access points that have different VLANs assigned to different SSIDs.
edit: And before anyone mentions it, yes, my default VLAN is 1.. And while that is normally frowned upon - this is a HOME network.. I think I am quite capable of knowing what I plug in, what it will have access to, what VLAN the port is on, etc. VLAN 1 is no different than any other VLAN.. It's just not common practice in the enterprise to leave anything in the default VLAN, is all.
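The trunk/access distinction described in the last two posts (a tagged trunk from the switch to the pfSense NIC and to the AP, single-VLAN ports for everything else) is easiest to see by following one frame through a switch. The model below is an added example for this thread, not code from pfSense, the SG300, or the poster. It builds and parses real 802.1Q frames and then applies the ingress/egress rules a managed switch uses. The port names ge3, ge4 and ge9 and VLAN 1 as the default come from the post above; VLAN 20 for the IoT segment, VLAN 30 as a second tagged VLAN, and the access ports ge5 (IoT device) and ge6 (trusted host) are assumptions for illustration. There is no MAC learning: the switch floods every frame to all ports that carry its VLAN, which is enough to show which ports can and cannot see a given VLAN's traffic.

```python
"""Toy 802.1Q switch: tagged trunks versus untagged access ports.

Added example, not pfSense, Cisco or forum-poster code. Port names ge3/ge4/ge9
and the default VLAN 1 follow the thread; VLAN 20 (IoT), VLAN 30 and the
access ports ge5/ge6 are assumed for illustration.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Assumed switch port table. Trunks carry several VLANs tagged and one native
# VLAN untagged; an access port carries exactly one VLAN, always untagged.
SWITCH = {
    "ge3": {"mode": "trunk", "tagged": {1, 20, 30}, "native": 1},   # to pfSense em2
    "ge4": {"mode": "trunk", "tagged": {1, 20, 30}, "native": 1},   # uplink to AV-cabinet switch
    "ge9": {"mode": "trunk", "tagged": {1, 20}, "native": 1},       # uplink to the AP
    "ge5": {"mode": "access", "vlan": 20},                          # assumed wired IoT device
    "ge6": {"mode": "access", "vlan": 1},                           # assumed trusted host
}


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; insert a 4-byte 802.1Q tag when vlan is given."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vlan            # priority (3 bits), DEI clear, VID (12 bits)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": None,
            "ethertype": etype, "payload": frame[14:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the TPID+TCI bytes (offsets 12..15) from a tagged frame."""
    return frame[:12] + frame[16:]


def ingress(port: str, frame: bytes) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    cfg = SWITCH[port]
    vid = parse_frame(frame)["vlan"]
    if cfg["mode"] == "access":
        # Access ports accept only untagged frames (simplification; vendors vary).
        return cfg["vlan"] if vid is None else None
    if vid is None:
        return cfg["native"]            # untagged on a trunk lands in the native VLAN
    return vid if vid in cfg["tagged"] else None


def egress(port: str, vlan: int, frame: bytes) -> Optional[bytes]:
    """Return the frame as it leaves `port`, or None if that port does not carry `vlan`."""
    cfg = SWITCH[port]
    p = parse_frame(frame)
    untagged = strip_tag(frame) if p["vlan"] is not None else frame
    if cfg["mode"] == "access":
        return untagged if cfg["vlan"] == vlan else None
    if vlan == cfg["native"]:
        return untagged                 # native VLAN leaves a trunk untagged
    if vlan in cfg["tagged"]:
        return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"],
                           vlan=vlan, pcp=p["pcp"] or 0)
    return None


def forward(in_port: str, frame: bytes) -> dict:
    """Flood the frame to every other port that carries its VLAN (no MAC learning)."""
    vlan = ingress(in_port, frame)
    if vlan is None:
        return {}
    out = {}
    for name in SWITCH:
        if name != in_port:
            f = egress(name, vlan, frame)
            if f is not None:
                out[name] = f
    return out


if __name__ == "__main__":
    # Constructed sample: pfSense (em2 -> ge3) broadcasts into VLAN 20.
    pfsense_mac = bytes.fromhex("001122334455")
    frame = build_frame(b"\xff" * 6, pfsense_mac, ETHERTYPE_IPV4, b"dhcp-offer", vlan=20)
    for port, out in forward("ge3", frame).items():
        print(port, "tagged" if parse_frame(out)["vlan"] else "untagged")
```

Run it and the VLAN 20 frame from pfSense leaves ge4 and ge9 still tagged (those links carry several VLANs), leaves ge5 with the tag stripped (the IoT device never sees a tag), and never reaches ge6. Flip it around and an untagged frame from the IoT device on ge5 arrives at the pfSense port tagged 20, which is exactly what the VLAN interface on em2 in pfSense expects; frames in a VLAN that a trunk is not configured for, such as VLAN 30 toward the AP on ge9, are simply not sent. The segments are separate at layer 2; whether VLAN 20 can talk to VLAN 1 at all is then decided by the firewall rules on the pfSense VLAN interface.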