What's new

Do i need an IoT VLAN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

My pfSense system has 4x 2.5gbps ports.
1 for WAN and 2 ports for the 2 nic LAG to the switch.
1 have only one unused port left.

I like to learn networking best practices and to prevent, mitigate vulnerabilities that comes with the territory.

"Not flying is always safer then flying."

 
Last edited:
VLAN for security is useless. Have you heard about Hopping? Physical Network Separation is needed.
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
 
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
Yes. Unless your IoT devices don't effect anything on your network. Sometimes IoT devices broadcast horrible packets to everywhere. It occurs network issues.
 
Last edited:
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
It can be as simple as you using a second network non-VLAN by using a second LAN port in Pfsense if you have an extra port in your NIC in your Pfsense router.

But the other thing is if you use a VLAN with its own network it can be just as safe as a separate network. You just need to add a blocking ACL, maybe a couple, on a Cisco switch. This may not be true on other L3 switches as I have not used them, so I don't know. I am not sure a L2 switch will be as safe. I can think of ways a L2 switch would not be as safe.
 
Last edited:
Is it safe to allow IoT devices to access the internet?
I've always wondered about that. I tend to block internet to all my IoT devices as I think it's more secure.

Is there a real security risk to allow Iot devices to have access to the internet even if they are on a separate network and isolated?
 
Is it safe to allow IoT devices to access the internet?
I've always wondered about that. I tend to block internet to all my IoT devices as I think it's more secure.

Is there a real security risk to allow Iot devices to have access to the internet even if they are on a separate network and isolated?

Well, AFAIK IoT devices need the internet to connect to their respective servers to be able to be controlled by an app. The point is to ensure they cannot access anything else on your LAN. Therefore, putting on a separate VLAN to isolate them is what you would want to achieve.
 
AFAIK IoT devices need the internet to connect to their respective servers to be able to be controlled by an app
I have seen that some iot devices are able to be controlled by an app when internet is blocked, but they need to be connected to the main network. If they are on a vlan, for example, they do not work when blocking internet access. Why would that be?

why can internet be blocked when connected to main network and they continue to work fine, but if they are on a vlan, internet access is a must?
 
Why would that be?

You have to provide LAN or WAN access to the control device - app, hub, whatever it is. If you cut WAN and move the IoT devices to isolated VLAN obviously they will stop doing whatever they are doing. No access to Internet, no local access to the controller - like they are not connected at all. You have two possible options - 1) allow WAN access and the devices will communicate with the controller over Internet; 2) move the controller on the same VLAN so the IoT devices can see it.
 
Sorry, I am still a little confused...how come those iot devices work fine with the internet blocked when they are connected to the main wifi network?

But, when they are connected to a wifi network that is on a different subnet (using vlan), they do not work if internet access is disabled.
I would think if they need internet access to work, they would not work when internet is disabled regardless of what network they are connected to...this is why I am confused.
 
how come those iot devices work fine with the internet blocked when they are connected to the main wifi network?

Because your controller is perhaps on the same main network and they have access to it.

But, when they are connected to a wifi network that is on a different subnet (using vlan), they do not work if internet access is disabled.

Because they don't see the controller over Internet (blocked) and can't see it over LAN (isolated VLAN). They may be connected to this VLAN, but can't do anything. It depends on what IoT devices as well. Some may continue doing whatever they are doing, some need access to the controller to work.
 
Most are dumb and rely on some software running somewhere else to tell them what to do. All common light bulbs, switches, power plugs, etc. wait for remote commands. They call them "smart", but the actual "brain" is somewhere else and it needs access to the devices, WAN or LAN.
 
Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top