Alternatives to Guest Network for iot devices

[Moabdave]

First: My apologies if this has already been discussed. I honestly searched the threads.

Like many, I created a guest network for all of my iot devices, with the access intranet disabled. However, I'm wondering if this is more trouble than it's worth. Several of my iot devices need to communicate with a mobile phone for configuration changes. Some require a mobile phone for firmware upgrades, etc. My biggest headache is I have 2 related home automation devices, that shouldn't need to communicate with each other under normal circumstances. For whatever reason, one of them will crash and burn if it can't phone home to the other device from time to time.

I've lived with these headaches for a while. Now I ask a bigger question. Is there a better way to secure iot devices? In addition to the above, I have Ethernet connected devices that I'd ideally like to restrict too. I'm aware of VLAN's. Due to the way the wires are routed through my house, I'm not sure I could retrofit my home network with VLAN's, at least not without spending $$$ on new hardware or completely re-wiring it. (I have dumb switches in the backhaul between main router and AIMesh nodes and Ethernet iot devices in multiple locations along that chain). In an ideal world, what I'd like to do is have one network for everybody. However, I can go to the router's webui and on a device-by-device level block intranet access, or restrict intranet access to the one mobile phone with the configuration app, etc. Any ideas how I close I can get to this level of functionality with my existing hardware? Thanks in advance.

 

[TheLostSwede]

Get a separate router and double NAT them? It's usually something you wouldn't want to do, but in this case, it might make sense.

 

[eibgrad]

@TheLostSwede is on the right track, but the choice of router is important. At the very least, you need something that can be configured to block access to the immediate upstream, private network(s) over the secondary router's WAN.

Get yourself an older inexpensive router that supports FreshTomato. You may even have one already. Unlike ASUS OEM or even Merlin's firmware, FreshTomato natively supports VLANs, tagging, VAP (virtual APs), bridges, etc. All the tools you need to create your additional networks. Then daisy-chain that router behind your primary router, WAN to LAN respectively. Finally, create firewall rules to prevent those networks from gaining access to resources on the primary router. All they are allowed is access to the internet through the primary router's WAN.

The guest network situation on ASUS has been such a mess for so long given all the changes w/ AiMesh, I prefer using this solution for them as well. None of this nonsense of having to keep guests on the private network either.

This completely isolates any additional networks from your primary network, and requires ZERO changes to it. As such, it will work with *any* primary router (which is why I didn't ask what you're currently using for your primary router; it doesn't matter). You could literally unplug the secondary router (AC or ethernet) and disable all access from it. And it's relatively cheap to implement if you find the right router (e.g., an ASUS RT-AC68U would probably work quite well).

In my own case, I'm using FreshTomato as my primary router, so it isn't really necessary that I use a second router. But I'm assuming you'd like to keep whatever you currently have and just supplement it w/ these additional capabilities.

The beauty of this solution is that you don't have to mess w/ your current hardware. No reconfigurations. No hacking. You simply configure the secondary router appropriately and hang it off your existing router. And the additional cost is reasonable (as I said, it's possible some ppl already have a FreshTomato compatible router and don't even know it).

This approach avoids all the headaches of having to reconfigure existing systems and getting complaints from the rest of the family about why dad has had the network up and down all weekend, as you make one mistake after another. Instead, all your changes remain confined to the secondary router, and you only introduce it when it's working. And if you like it well enough, you might eventually choose to make it your *primary* router!

 

[Moabdave]

Get yourself an older inexpensive router that supports FreshTomato. You may even have one already. Unlike ASUS OEM or even Merlin's firmware, FreshTomato natively supports VLANs, tagging, VAP (virtual APs), bridges, etc. All the tools you need to create your additional networks.

Thanks for the tip. I had considered switching to Tomato. None of the routers in my current arsenal support FreshTomato. However, to your point, a lot of those on the supported list are readily available used. Including I had one on that list that I gave away when I decided I liked AiMesh and wanted to go that route . Sigh, oh well.

 

[CaptainSTX]

Look at replacing your switches with smart switches. Small smart switches such as the TP Link SG108E in addition to supporting port based VLANs support using the GUI using 802.1Q VLANs. Using 802.1Q VLANS makes it possible to run multiple multiple VLANs over a single Ethernet cable as long as you have a smart switch at both ends of the Ethernet drop.

As previously stated Fresh Tomato can work very well in that is supports both VLANs and Virtual APs making it possible to have both your wired and wireless IoT devices on the same subnet. What it can't do is allow you to share a cable using multiple VLANs.