"I deleted keys generated by our TV for 5 straight minutes. 5 Minutes of like 200BPM clicking. I restarted. Everything worked again. I laughed so hard I cried. I felt like I'd solved a murder."

Tech people, THIS IS A GREAT FANTASTIC READ!!!

The title is, "DO NOT BUY HISENSE TV'S"

cohost.org/ghoulnoise/post/528
#Tech #Android #TV #Debug

@davemark

Whoa. Please, everyone, put all of your IoT devices on a separate network than your secured devices. All IoT devices need to be considered as unsecured backdoors into your network.

@ashhobbit @davemark yup. Came here to talk about this.

It’s sad that the default way common things are sold today (like TVs) requires fairly sophisticated knowledge of networking. My family wouldn’t figure out the solution nor the preventative measures in a million years. They would just give up.

Tom Klaver :prami:

@linux_mclinuxface @ashhobbit @davemark Won’t that cause problems controlling devices from a different network/the one our laptops use for example?

@tomk @linux_mclinuxface @davemark

It depends on the device. Some devices can be controlled from a different network (my TP-Link smart switches and outlets can do this). Other devices can only be controlled from the same network (my soundbar is this way).

If you have to connect to an IoT device on the same network, switch your controlling device over to the IoT network and switch back to your secured network when you're done.

@ashhobbit @tomk @davemark the way I did this on my UniFi setup was far too complicated for the normals. I’m able to pass in particular traffic from one VLAN to another, but only just enough to accomplish what I need. I’ve been doing this stuff for decades now and I found it challenging.

@linux_mclinuxface @tomk @davemark

Yeah, I think separate networks are the way to go for most inexperienced users. It's not convenient for some devices, but convenience is the enemy of security.

A separate IoT or guest network can be enabled on many modern routers. If it's not available on your router, get a new router that has it available.

Otherwise, if you have extra routers available, you can use the "3 dumb routers" method, but you'll be maintaining 3 routers. I've been using 3 dumb routers for probably 8 years now, and I almost never take a secure device over to the IoT network.

(Edited to add that a guest network could be used, if your router doesn't have an IoT network option.)

@ashhobbit @linux_mclinuxface @davemark Interesting! I have a provider-supplied modem/router with WiFi disabled, an AirPort Extreme that bridges that router, and an AirPort Express with the version that has AirPlay 2. Could probably use that one for the IoT thingies? How do my secure devices find the IOT devices? Any network setting I should keep in mind?

@tomk @linux_mclinuxface @davemark

I'm not familiar with the AirPorts, but yes, you can do this with 3 routers, with your ISP modem/router as the base router with wifi turned off. Plug your other two routers into the base router. One router would be for your secure network - for your computers, phones, and tablets (any device that gets regular security updates). The other is for IoT devices - your TVs, smart plugs, streaming devices, light bulbs.

The two networks need to be named differently. Make sure all routers have up-to-date firmware.

If you can't control an IoT device from a separate network, do you have an old phone or tablet that you can leave connected to the IoT network, just for controlling the IoT devices? As an alternate, you could also switch your phone over to the IoT network when you need to control an IoT device, then switch back to the secure network when you're done.

If you have a lot of devices, it could be a real pain to set everything up right.

@linux_mclinuxface @ashhobbit @tomk @davemark Are all the VLANs and WLANs on the same IP subnet? I put mine on different subnets, and I think that was a mistake.

@linux_mclinuxface @ashhobbit @tomk @davemark I don't have enough info to give a good bug report at this time; just vague recollections that things can't connect.

@kbob @linux_mclinuxface @ashhobbit @tomk @davemark Different subnets with firewall rules that allow only the devices and the ports that are at least 200% (😀) required for the whole stuff to work! Takes some trial-and-error to make sure that everything works correctly, though (ask me for my GDO setup)