OPNsense Forum

English Forums => General Discussion => Topic started by: jsrober on December 08, 2019, 08:17:04 PM

Title: Setting up an IOT LAN
Post by: jsrober on December 08, 2019, 08:17:04 PM
Hi,

I'm a long-time OPNsense user and am contemplating the best way to set up a separate IOT LAN.

My OPNsense PC has a dual-NIC motherboard. I'd like to add a PCIe NIC and have all my IOT devices sit on this NIC/LAN.

I think I'll set up a separate class C address space for this LAN. I think I should be able to create rules to allow devices on the normal LAN to be able to reach the IOT LAN, but not the other way around. Does that sound doable?

I'd appreciate hearing any thoughts or advice you might have.

Thanks,
John
Title: Re: Setting up an IOT LAN
Post by: marjohn56 on December 09, 2019, 11:57:44 AM
I have just done a similar thing, separating all my devices onto VLANs. I would recommend the same approach, otherwise you are going to need multiple wifi access points for user and IoT devices.

Using something like the TP-Link EA225 you can have a single access point with multiple SSIDs on independent VLANs. You do not need to connect them to a managed switch as they have trunk access built in.

Due to the construction of my house I had to use three APs; I could probably have gotten away with two, but whatever. I used budget managed D-Link 1100 series switches for the rest of the network and it's working perfectly. Here's a basic diagram of my network using VLANs. I've not included all of the IoT or user devices, just the various breakouts.

(https://i.ibb.co/1v7MsdF/Network-Diagram-1.png)
Title: Re: Setting up an IOT LAN
Post by: jsrober on December 09, 2019, 01:58:01 PM
I really like your network design. The diagram you built is well done. I will build a similar diagram as I do my design.

I like your use of VLANs. I thought a while ago that VLANs would be the perfect solution, but the price of the gear made me think it wasn't viable.

There are a variety of concerns with IOT devices. Many of them are built poorly so they can be hacked. They often rely on P2P networks to get through firewalls. Many are made by Chinese companies with strong ties to the Chinese Government.

I have tried to stay away from TP-Link because it's a Chinese company. Giving the Chinese Government nearly direct access to a router on my network seems like a bad idea. Do you know of any other companies that offer a similar wireless access point that supports VLANs?

Thanks,
John
Title: Re: Setting up an IOT LAN
Post by: bartjsmit on December 09, 2019, 03:06:46 PM
Hi John, the Ubiquiti APs support four VLANs. A bit more pricey though. https://www.ui.com/products/#unifi

Bart...
Title: Re: Setting up an IOT LAN
Post by: marjohn56 on December 09, 2019, 10:59:22 PM
Good point about the TP-Link WAPs, but as there is OPNsense between them and the WAN, and their management LAN/VLAN does not have WAN access, I'm not too worried. The Omada software (running on my QNAP) that controls them is pretty good, giving me loads of info on how much data each device is using.
Title: Re: Setting up an IOT LAN
Post by: siga75 on December 10, 2019, 08:39:55 AM
I honestly do not see the issue, OPNsense is perfect for what you want to achieve.

Just do like you said: add a NIC and connect a cheap WAP to a dedicated subnet. With FW rules you will only allow the connections that you know are legit. Also configure IPS.

I would stay away from trunks and VLANs if not needed; the simpler the better.
Title: Re: Setting up an IOT LAN
Post by: jsrober on January 01, 2020, 02:00:00 PM
Happy New Year!

I have my IOT LAN up and running. I'm gradually moving IOT devices (Wyze cameras, Nest thermostat, etc) off my normal LAN to the IOT LAN.

Currently I'm able to connect to devices on the IOT LAN from the normal LAN and vice versa. I know I can disable the firewall rules that allow this.

I was wondering about creating a firewall rule that allows establishing a TCP connection from the normal LAN to the IOT, but would not allow an IOT LAN device to establish a TCP connection to the normal LAN.

Do you think this would compromise the security of my network? I was thinking it could be handy to be able to connect to the IOT devices from the PC on my normal LAN.

Thanks,
John
Title: Re: Setting up an IOT LAN
Post by: marjohn56 on January 01, 2020, 04:22:56 PM
That's what I have. Devices on IOT can connect to the WAN but not other VLANs and my primary and secondary VLANs can connect to devices on the IOT VLAN.
Title: Re: Setting up an IOT LAN
Post by: jsrober on January 01, 2020, 04:33:12 PM
Perfect! That's what I'd like to do. Can you give me some guidance on creating the firewall rules to set it up this way?

Thank you!
Title: Re: Setting up an IOT LAN
Post by: marjohn56 on January 01, 2020, 04:42:36 PM
Add a rule for each VLAN you wish to block access to on the rules for your IOT VLAN.

I have two rules, one for each of the primary and secondary VLANs. Here are the settings for one of them. On the primary and secondary VLANs there are no restrictions.

(https://i.ibb.co/6P23YG9/Capture.png)
Title: Re: Setting up an IOT LAN
Post by: siga75 on January 01, 2020, 06:42:40 PM
I personally prefer the reverse approach: enabling rules for all public IPs (if possible, restrict the IPs using FQDNs in aliases when you know the destination) or at least limiting the ports, when possible.

You can do it by creating an alias for the private networks and flagging the "reverse" option.

So if nothing matches your allow rule, the default deny applies.
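The two rule styles discussed in this thread (marjohn56's per-VLAN block rules followed by an allow-all, and siga75's single allow rule with an inverted private-networks alias) behave differently when a private network you forgot to list shows up. The following is an added example, not code from the thread or from OPNsense: a small Python model of how OPNsense evaluates interface rules (first match wins, a pass rule creates state so replies flow back without a rule, and no match means the implicit default deny). The LAN, IoT and WAN addresses are constructed samples.

```python
# Added example: a model of first-match, stateful interface rules as OPNsense
# applies them. Networks and addresses are constructed samples, not the thread's.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # the "normal" LAN
IOT = ip_network("192.168.50.0/24")   # the IoT LAN / VLAN
# Alias covering all RFC 1918 space: the "private networks" alias siga75 describes
PRIVATE = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str               # "pass" or "block"
    dst: list                 # destination networks; an empty list means "any"
    dst_invert: bool = False  # the "Destination / Invert" checkbox: match all but dst

    def matches(self, dst_ip):
        in_dst = not self.dst or any(dst_ip in net for net in self.dst)
        return in_dst != self.dst_invert


@dataclass
class Firewall:
    rules: dict                               # interface name -> ordered rule list
    states: set = field(default_factory=set)  # (src, dst) of connections that passed

    def new_connection(self, iface, src, dst):
        """Decision for the first packet of a connection entering on iface."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        for rule in self.rules.get(iface, []):
            if rule.matches(dst_ip):
                if rule.action == "pass":
                    self.states.add((src_ip, dst_ip))  # pf keeps state for pass rules
                return rule.action
        return "block"  # implicit default deny when no rule matches

    def reply_allowed(self, src, dst):
        """Reply packets from dst back to src are allowed by the state, not by a rule."""
        return (ip_address(src), ip_address(dst)) in self.states


def marjohn56_style():
    """One block rule per protected VLAN on the IoT interface, then allow the rest."""
    return Firewall(rules={
        "lan": [Rule("pass", [])],
        "iot": [Rule("block", [LAN]),
                Rule("pass", [])],
    })


def siga75_style():
    """A single pass rule with the private-networks alias inverted; default deny does the rest."""
    return Firewall(rules={
        "lan": [Rule("pass", [])],
        "iot": [Rule("pass", PRIVATE, dst_invert=True)],
    })


def compare():
    """Run the same connection attempts through both rule sets."""
    attempts = [
        ("lan", "192.168.1.10", "192.168.50.20"),  # PC on the LAN reaches a camera
        ("iot", "192.168.50.20", "192.168.1.10"),  # camera tries to reach the PC
        ("iot", "192.168.50.20", "203.0.113.7"),   # camera reaches a public host
        ("iot", "192.168.50.20", "172.16.0.5"),    # camera reaches an unlisted private net
    ]
    return {name: [fw.new_connection(*a) for a in attempts]
            for name, fw in (("marjohn56", marjohn56_style()),
                             ("siga75", siga75_style()))}


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

The fourth attempt is the interesting one: with per-VLAN block rules, a destination in a private range that has no block rule falls through to the allow-all and passes, while the inverted-alias rule leaves it to the default deny. The model also shows why LAN-to-IoT access does not need a matching rule on the IoT interface: the reply direction is covered by state.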

Title: Re: Setting up an IOT LAN
Post by: ascii on March 03, 2020, 09:44:42 AM
I have basically the same setup.

vlan 12 is my normal LAN
vlan 13 is my guest network
vlan 14 is for my voip phones
vlan 15 is for my IOT devices

I have a rule which allows my Xiaomi vacuum cleaner to access several /16 networks in China on a certain port.
But I don't like that. I feel like there is room for improvement.
I would love to have a rule to only allow access to domains with *.xiaomi.com.
Does anyone have an idea how to do that?
Either I need to redirect every port to the squid proxy and somehow set up a proxy rule, or via DNS for just the IP of the vacuum cleaner.
Title: Re: Setting up an IOT LAN
Post by: bartjsmit on March 03, 2020, 07:16:03 PM
Quote from: ascii on March 03, 2020, 09:44:42 AM
I have a rule which allows my Xiaomi vacuum cleaner to access several /16 networks in China on a certain port.
But I don't like that. I feel like there is room for improvement.
I would love to have a rule to only allow access to domains with *.xiaomi.com.
Does anyone have an idea how to do that?
Either I need to redirect every port to the squid proxy and somehow set up a proxy rule, or via DNS for just the IP of the vacuum cleaner.

Point your vacuum to a local DNS server configured for conditional forwarding to xiaomi.com, and all other domains forwarded to a non-existent DNS server.

Bart...
Title: Re: Setting up an IOT LAN
Post by: ascii on March 04, 2020, 06:15:18 AM
Is that possible in Unbound?
Currently I have Unbound running for all VLANs with a forward to dns-crypt for DNSBL.
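The per-client conditional forwarding bartjsmit suggests comes down to one decision per query: is this client restricted, and if so, does the queried name fall under an allowed zone? The following is an added example, not code from the thread or from Unbound, that models that decision in Python with label-boundary-safe suffix matching (so a name like notxiaomi.com does not slip through as a match for xiaomi.com). The vacuum's address, the upstream resolver address and the sample query names are constructed; the zone list only contains xiaomi.com because that is the domain named in the thread. Where bartjsmit forwards everything else to a non-existent server (the query times out), this model refuses it outright, which is the same policy with a faster failure for the device.

```python
# Added example: per-client conditional-forwarding decision, modelled in Python.
# Addresses and query names are constructed samples; the vacuum's address is a
# hypothetical static DHCP lease.
from ipaddress import ip_address

UPSTREAM = "192.0.2.53"  # placeholder for the resolver the rest of the network uses

# client address -> zones that client may resolve; clients with no entry are unrestricted
CLIENT_POLICY = {
    "192.168.50.20": ["xiaomi.com"],
}


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def in_zone(qname, zone):
    """True when qname equals zone or lies below it; the leading dot keeps
    'notxiaomi.com' from matching the zone 'xiaomi.com'."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def decide(client, qname):
    """Return ('forward', upstream) when the query may leave, else ('refuse', None)."""
    zones = CLIENT_POLICY.get(str(ip_address(client)))
    if zones is None or any(in_zone(qname, z) for z in zones):
        return ("forward", UPSTREAM)
    return ("refuse", None)


def audit(client, qnames):
    """List the query names a client sent that this policy would refuse,
    useful for checking what a device actually tries to resolve before locking it down."""
    return [q for q in qnames if decide(client, q)[0] == "refuse"]


if __name__ == "__main__":
    # constructed query names, as an IoT device might emit them
    sample = ["api.io.xiaomi.com", "xiaomi.com.", "notxiaomi.com", "telemetry.example.net"]
    for q in sample:
        print(q, decide("192.168.50.20", q))
    print("refused:", audit("192.168.50.20", sample))
```

In Unbound terms, the author's assumption is that this maps to a `forward-zone:` for `xiaomi.com` together with a `local-zone: "." refuse` default (plus a transparent local-zone for the forwarded name so it is not caught by the refuse), and that scoping the policy to a single client address is done with a view bound via `access-control-view` or by running a separate Unbound instance on a dedicated address for that VLAN.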
Title: Re: Setting up an IOT LAN
Post by: kollaesch on March 16, 2021, 06:57:31 AM
@ascii: The better solution for you is to look at https://dontvacuum.me/robotinfo/ and https://valetudo.cloud/.
This solves your issues directly. I've been running this for years (gen1).
Title: Re: Setting up an IOT LAN
Post by: spetrillo on June 15, 2021, 06:02:30 PM
Quote from: siga75 on January 01, 2020, 06:42:40 PM
I personally like more the reverse approach, enabling rules for all public ip (if possible restrict the ip using FQDN in aliases, when you know the destination) or at least limit the ports, when possible.

You can do it creating an alias for the private networks, and the flag the "reverse" option

So if nothing match you allow rule, the default deny apply

I would like to add two things to the overall setup you are using. I have a DNS hairpin rule set, so that those IoT devices that do not comply with the standard DNS settings handed out via DHCP are forced to my Pi-hole and then out. How would I add a rule to do that? Do I just allow the Pi-hole IP inbound to the IoT VLAN?
Title: Re: Setting up an IOT LAN
Post by: geo on June 15, 2021, 06:47:43 PM
Hello, could the OP and responders post their firewall rules?

I too have an IOT VLAN set up, but currently I only have a Fire Stick on there and not any home automation devices, due to the need to switch between the regular LAN and the IOT network to control these devices.

It would be nice to be able to send commands from my phone on the LAN and control a device (e.g. a light switch) connected to the IOT network.

Thanks!