Best way to isolate IoT?


Poll: Which idea is best? (4 voters, poll closed)

  • Idea #1: 2 VLANs, 2 SSIDs: 3 votes (75.0%)
  • Idea #2: Add-on AP: 0 votes (0.0%)
  • Idea #3: Double NAT: 1 vote (25.0%)
  • Idea #4: Something else: 0 votes (0.0%)

elmedico27

New Around Here
Hi all,

Been lurking for a while and finally created an account to ask this question, which has probably been asked and answered but I haven't really found anything specific to my situation while searching around.

In a general sense, I'm wondering what is the best way to isolate all my IoT devices from my trusted PCs/phones/etc. I have both wireless and wired clients in both the trusted group and the IoT group (e.g. wired SmartThings hub, wireless thermostats). I've come up with several ideas using the equipment I have, but I'm fairly new to VLANs and subnets and all that, so forgive me if my questions relay a misunderstanding.

I'm running an ASUS RT-AC1900P (rebadged 68U) as my main router on the stock firmware; I've run Merlin before and can put it back on the router as needed (only got rid of it to do AiMesh, which I've since abandoned). I also have a TP-Link TL-SG108e switch that will do VLAN and other basic managed tasks. In addition, I have another 68U plus various other older Linksys routers, and an unmanaged switch I can use for this.

Idea #1: run two VLANs on the switch, and somehow attach one to a guest wireless network (IoT) and the other to a non-guest wireless network (trusted) on the ASUS. If I did this--let's say switch ports 1-4 are VLAN 2 and switch ports 5-8 are VLAN 3--would I need to run two cables from the switch to the router? Like, VLAN 2 into port 1 on the router and VLAN 3 into port 4, which is itself attached to the guest network (as in this thread)?

In my head, this looks like:
Code:
ISP <---> router normal SSID <--(port 1)--> switch (VLAN 2, ports 1-4) <---> trusted wired clients
          router guest SSID  <--(port 4)--> switch (VLAN 3, ports 5-8) <---> IoT wired clients

Idea #2: run two VLANs on the switch, both going untagged up a single cable to the ASUS router for internet, but throw an old wireless router into one of the IoT VLAN's ports as an AP and have all the IoT wireless devices connect to that rather than a guest network on the ASUS. This seems simpler to configure but I'm running extra equipment. See the example 1 picture here but imagine an AP hanging off the side of group B.

In my head, this looks like:
Code:
ISP <---> router <---> switch (VLAN 2, ports 1-4) <---> trusted wired clients
                              (VLAN 3, ports 5-7) <---> IoT wired clients
                              (VLAN 3, port 8) <------> old router as AP for IoT wireless

Idea #3: go with a Double NAT config and place one router behind the other, with IoT stuff on the internet facing router and trusted clients on the other, and any switches can sit there dumb and unmanaged on their respective routers without any VLAN trickery.

In my head, this looks like:
Code:
ISP <---> RT-AC1900P <-------> RT-AC68U
             \                    \
              \___IoT              \___trusted

Idea #4: ??? Other suggestions?

Given the choice between ease of configuration/setup and reducing clutter of network equipment, I'm leaning towards the easy setup (#2?) but a good balance would be appreciated too. Is #1 possible and easier than I think? Would #3 destroy my bandwidth? Thoughts? Snarky criticisms? I'll take it all! Thank you!
 
Idea #3: go with a Double NAT config and place one router behind the other, with IoT stuff on the internet facing router and trusted clients on the other, and any switches can sit there dumb and unmanaged on their respective routers without any VLAN trickery.

In my head, this looks like:
Code:
ISP <---> RT-AC1900P <-------> RT-AC68U
             \                    \
              \___IoT              \___trusted

If you chose Item #3 (double NAT) it will complicate matters if you have a NAS on your trusted network and plan to use a VPN server installed on your downstream router (=RT-AC68U) to access your NAS while travelling.

Firstly, the DDNS feature on your downstream router (=RT-AC68U) may notify the WAN address of your downstream router (=RT-AC68U) to your chosen DDNS service. This will be a local address given out by your upstream router RT-AC1900P, not your public IP address. So your DDNS service would store an address which cannot be used. I guess you could find a way to report the correct public IP address to your DDNS service, but this would involve extra complication.

Secondly, you would have to configure your upstream router RT-AC1900P to pass through to the downstream router (RT-AC68U) any packets it receives from your travelling laptop accessing with VPN. This is not impossible but introduces complication.

There may be other problems introduced with a double NAT set up but I can't think of any right now.
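To make the two double-NAT complications above concrete, here is an added model (not from the thread or either router's firmware) of who can initiate a connection in the Idea #3 layout, plus the check a DDNS record would fail. All addresses, the 1.2.3.4 "internet" host and the 1194 VPN port are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing for the Idea #3 (double NAT) layout; every value is
# an assumption for illustration, not taken from the thread:
#   ISP -> RT-AC1900P, LAN 192.168.1.0/24 (IoT segment)
#       -> RT-AC68U,  WAN 192.168.1.2, LAN 192.168.2.0/24 (trusted segment)
UPSTREAM_LAN = ipaddress.ip_network("192.168.1.0/24")
DOWNSTREAM_WAN = "192.168.1.2"
DOWNSTREAM_LAN = ipaddress.ip_network("192.168.2.0/24")

def segment(addr):
    """Classify an address as 'trusted', 'iot' or 'internet'.
    Note the RT-AC68U's own WAN address lands in the IoT segment."""
    a = ipaddress.ip_address(addr)
    if a in DOWNSTREAM_LAN:
        return "trusted"
    if a in UPSTREAM_LAN:
        return "iot"
    return "internet"

def can_initiate(src, dst, dst_port, upstream_fwd=frozenset(), downstream_fwd=frozenset()):
    """Can src open a NEW flow to dst:dst_port through this layout?

    Each NAT router lets new flows out of its LAN side freely and lets a flow
    into its LAN side only through a port-forward; *_fwd hold the ports each
    router forwards. Replies to established flows are not modelled.
    """
    s, d = segment(src), segment(dst)
    if s == d or s == "trusted":
        return True          # same segment, or outbound from the innermost LAN
    if s == "iot":
        # IoT sits on the RT-AC68U's WAN side: reaching a trusted host
        # needs a forward on the downstream router only.
        return d == "internet" or dst_port in downstream_fwd
    # src is the internet: the RT-AC1900P must forward to the RT-AC68U first
    # (the "pass through" step), and the RT-AC68U must forward again to reach
    # a trusted host; a service on the RT-AC68U itself needs only the first.
    if d == "iot":
        return dst_port in upstream_fwd
    return dst_port in upstream_fwd and dst_port in downstream_fwd

def ddns_address_usable(reported):
    """A DDNS record only helps if it holds a globally routable address; the
    RT-AC68U's WAN address comes from the RT-AC1900P's DHCP (RFC 1918)."""
    return not ipaddress.ip_address(reported).is_private

if __name__ == "__main__":
    vpn = {1194}   # assumed VPN server port on the RT-AC68U
    print(can_initiate("192.168.1.50", "192.168.2.10", 445))           # IoT -> NAS: False
    print(can_initiate("1.2.3.4", DOWNSTREAM_WAN, 1194))               # VPN, no forward: False
    print(can_initiate("1.2.3.4", DOWNSTREAM_WAN, 1194, upstream_fwd=vpn))  # True
    print(ddns_address_usable(DOWNSTREAM_WAN))                         # False
```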
 
Ah, good to know, I wouldn't have considered the NAS. I do have one on my network. It's accessed only by trusted devices on the LAN, with a bit of outbound WAN traffic (backup to Amazon Glacier) that is handled by the NAS itself.

I am not currently running a VPN; while I've considered it, I'm rarely on public WiFi, so I haven't taken the effort to learn what I'd need to do to set that up.
 
Firstly, the DDNS feature on your downstream router (=RT-AC68U) may notify the WAN address of your downstream router (=RT-AC68U) to your chosen DDNS service. This will be a local address given out by your upstream router RT-1900P, not your public IP address. So your DDNS service would store an address which cannot be used. I guess you could find a way to report the correct public IP address to your DDNS service, but this would involve extra complication.
The first router could do DDNS updates, so it's not a problem at all, and Merlin will now update DDNS in double-NAT too (set to "external").
 
The double NAT setup will not destroy your bandwidth or increase latency. In fact, based on a test I ran recently and have posted previously, you won't see any impact on connection speed unless you have a very fast connection. The other potential issues mentioned above regarding double NATing are valid if they apply in your situation, particularly if you want to access devices including a NAS from outside your home.

The double NAT setup is perhaps the simplest to set up, as you set up each router as an independent device and no scripts or modifications are required. I use an AC1900P as my web facing router and I like the fact that I can use all six guest networks to connect IoT devices, which helps isolate them from each other, along with running several VPN clients to further isolate the IoT devices. While this does require some additional router resources, IoT devices for the most part use minimal bandwidth, and on a 300/25 Mbps connection there is plenty of headroom.

VLANs have their uses and I have implemented them using a TP-Link lightly managed switch. With stock or Merlin firmware you cannot implement VLANs on your router using the GUI. It is possible with scripting. Tomato running on the same routers will let you implement VLANs using the GUI.

Your choice will be driven by what hardware you have on hand, how your network is laid out, and your ability to write/implement scripts on your router(s).
 