Guest wifi for smart devices


Renzz

Hello 🙂
I have 11 Smart Bulbs, 3 Wifi Cameras and 3 Alexa Echo devices and I'm using Asus AX86U router.
Is it worth it moving them all to a separate guest SSID for better "security", or isn't it worth the hassle?
 
I just get any IoT devices thrown on the guest network to isolate them. If you don't mind moving them there then I can't see any reason why not.
 
It's up to you. Many folks move whatever IoT allows to isolated Guest Network.
To this day I have all of them connected to the regular 2.4GHz network and I really didn't think about it.
I don't mind resetting them all and moving them to a guest network.
Is 1 separate guest SSID sufficient for them all?
 
Moving your smart home devices to a separate guest SSID for better security can be helpful.
When you set up a separate guest network, you can have better control and security. Smart home devices are vulnerable and can be manipulated by hackers. So, when you separate them onto your guest network, you reduce the risk of hackers stealing your personal information.
 
I think it's a judgement call - it really depends on the reputation and level of trust on the vendor.

Some shady Chinese WiFi camera (Dahua, Hikvision for example) or sketchy Android TV box from Alibaba - yes, I would put them over on an isolated SSID/VLAN... that would go along with no-name light bulbs, etc...

Stuff from known vendors - Nest or Ring for example, or Philips, Leviton for smart lighting/plugs - I don't see any harm - Matter-enabled devices have a level of security that the OEMs must meet to be labelled as such - for example, my TP-Link Tapo plugs are Matter (P125M), and I don't worry about my TP-Link Kasa gear - there were some issues in the past, but TP-Link worked to close them. I would say the same for Arlo (Netgear), LG/Samsung TVs, Samsung's SmartThings, the list goes on - basically if you walk into a big-box store like Best Buy and it's on the shelf, it's probably safe....

The mainline vendors - the reputation risk is high if they get compromised (which can happen) or deploy less than secure gear, but the trend is slowly turning in the right direction - industry standards like Matter, HomeKit, "Works with Google" go a long way towards improving the ecosystem.
 
My Asus RT-AX routers allow for 3 x 2.4GHz guest networks, so why not allow for a dedicated IoT network for added security? Selecting Guest Network 1 and disabling Intranet access gives it its own IP address range also. I don't trust Chinese or Amazon products to necessarily "behave" themselves.
 

It is also a good way to cut down on a lot of the "chatter" that some of these devices put out (and ironically, often have trouble dealing with/processing from other devices on the LAN).

From what I've seen, Guest 1 does provide a bit better isolation (two layers of firewalls instead of just 1, and that second firewall blocks UDP communication, which the first doesn't). It is also needed if you are using AiMesh and want to propagate your guest network. But the isolation on Guest 2 and 3 is fine and blocks pretty much anything that could be malicious. Not much you could do via UDP other than a DoS attack. It is the model that was used for all 3 guest networks up until the 386 code base. But IoT devices do tend to use UDP a lot so using GW1 for those probably makes sense for total isolation (unless you want them to be discoverable by a hub or something on the main LAN, but that would be somewhat pointless as after being discovered, it would need TCP to do much of anything). Blocking UDP also blocks some of that chatter (mDNS) that these devices seem to have trouble with.

In fact if you want to be able to do DHCP reservations for guest devices, you have to use guest 2 or 3 (or create a script) as you cannot reserve IPs in the special Guest 1 subnets in the GUI. So there are considerations as to which one(s) you use.

My main guest network is GW1 as I like having the different IP ranges. Work laptop is on that, along with anyone that visits, neighbors who want to jump on it (they pass through an AP that has a firewall in it too so they can't reach anything else on guest, plus only 2.4GHz is allowed there when work laptop and "real" guests are on 5, and those are isolated from each other with the same 2 firewall layers on guest 1). Then my few IoT devices (Fire Stick, TV, Blu-ray player, and an old phone I use for random stuff) are on GW2 which is my "IoT" network. I'm not too worried about any of those devices being malicious; if I was I'd update my firewall script to block UDP except DHCP and DNS, which I'll probably do anyway, just haven't had a chance or much motivation to do it.
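One way to do the "block UDP except DHCP and DNS" idea from the post above, written here as an added example rather than the poster's own script: it assumes an Asuswrt-Merlin /jffs/scripts/firewall-start hook, a guest VIF that is a port of br0 (wl0.2 is a placeholder, check yours with brctl show) and a kernel with the xt_physdev iptables match, and it also allows NTP because most IoT devices cannot validate TLS certificates without correct time.

```shell
#!/bin/sh
# Added example, not the poster's script. Restrict UDP from an IoT guest SSID
# on Asuswrt-Merlin to DHCP, DNS and NTP, as a /jffs/scripts/firewall-start hook.
# Assumptions: the guest VIF is a port of br0 ("wl0.2" is a placeholder, check
# with "brctl show"), and the kernel has the xt_physdev iptables match.
GUEST_VIF="${GUEST_VIF:-wl0.2}"   # placeholder name of the IoT guest interface
CHAIN="IOT_UDP"
DRY_RUN="${DRY_RUN:-0}"           # DRY_RUN=1 prints the commands instead of running them

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Detach and rebuild the chain so the script can be re-run without duplicating
# rules (the firmware calls firewall-start every time it rewrites its own rules).
reset_chain() {
    ipt -D INPUT   -m physdev --physdev-in "$GUEST_VIF" -p udp -j "$CHAIN" 2>/dev/null
    ipt -D FORWARD -m physdev --physdev-in "$GUEST_VIF" -p udp -j "$CHAIN" 2>/dev/null
    ipt -F "$CHAIN" 2>/dev/null
    ipt -X "$CHAIN" 2>/dev/null
    ipt -N "$CHAIN"
}

guest_udp_rules() {
    reset_chain
    # Only the UDP services a bulb or camera genuinely needs.
    ipt -A "$CHAIN" -p udp --dport 67  -j ACCEPT    # DHCP to the router
    ipt -A "$CHAIN" -p udp --dport 53  -j ACCEPT    # DNS
    ipt -A "$CHAIN" -p udp --dport 123 -j ACCEPT    # NTP: TLS certificate checks need the time
    # Everything else over UDP (mDNS, SSDP, QUIC, STUN, ...) is logged at a low rate and dropped.
    ipt -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "IOT_UDP_DROP: "
    ipt -A "$CHAIN" -j DROP
    # Hook in ahead of the firmware's rules, for router-bound (INPUT) and
    # WAN-bound (FORWARD) traffic that entered through the guest VIF.
    ipt -I INPUT   1 -m physdev --physdev-in "$GUEST_VIF" -p udp -j "$CHAIN"
    ipt -I FORWARD 1 -m physdev --physdev-in "$GUEST_VIF" -p udp -j "$CHAIN"
}

# Merlin calls firewall-start with the WAN interface as $1; a manual
# "sh iot-udp.sh print" shows the commands without touching the firewall.
case "${1:-}" in
    "")    echo "usage: $0 print | <wan-iface>" >&2 ;;
    print) DRY_RUN=1; guest_udp_rules ;;
    *)     guest_udp_rules ;;
esac
```

After applying, watch the syslog for IOT_UDP_DROP entries for a day: a device that keeps hitting the drop rule on one port (for example 123 if you removed the NTP line) is telling you what it actually needs.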
 

You have to factor in what devices need to talk directly to each other. Any that do, putting them on a guest network will cause problems as they won't be able to see each other. Most stuff goes via the "cloud" these days so not an issue but there are still ones that need to be able to communicate to each other over wifi.
 

The "chatter" still happens on the Guest SSID as it's a shared radio with the Primary SSID...

The VLAN might cut down IP traffic, but not really, as it's still going across the same Radio to Switch connection...

VLAN doesn't change things there, just moves the traffic around...
 
drinkingbird: You clearly have done your homework. Me, I'm still learning. My IoT guest network seems fine sans the 2015 Sony Blu-ray, no longer supported as in EOL and streaming services suspended, and connected to a guest network. I also have two no-Intranet guest networks. I had to connect the Sony on the 2.4GHz guest so the only remaining working app, Netflix, works. But I must say the Amazon Echo devices have a problem with reliability and I don't think it's the network. Can I say POS devices here? Not Point of Sale, use your imagination.

People that I allow on the guest networks are semi-trusted friends & family. Should one of those need access to local network resources and I really trust them, they get access to the primary WiFi.

I also came from the time when WiFi was new and topped out at 11 Mbps when wired was 10 AND before. We had RJ45 ports everywhere that eventually became 1 Gig ports due to forward thinking on the wire selected. The mantra then was to secure the attached devices on the wire. This I do today as another layer of protection. Call me old but despite the claims I still think wire is the way to go if you can pull it off and keep most of the critical traffic there.

Sorry for the edit, math is my first language not English. ;>)
 

IMO, agreed the chatter to the WAN does not decrease. The goal is to decrease the chatter between the IoT devices via the WAN and the unnecessary chatter to other "real" locally connected clients via the LAN. Then the discussion about how much we want our AI IoT devices "phoning home". For example, my robot vacuums keep my wife happy but they have a very good floor plan of all of my house. And Alexa hears pretty much whatever we say when it's not locked up. Perhaps a topic for another post?
 
Reducing "chatter" with a second guest SSID is absolutely an invalid statement.

The guest SSID creates a new VIF, with the associated AID management structure, which consumes overhead for each and every SSID that is assigned to the same PHY layer.

Guest SSID does not magically double the number of frames over time - that is constant, so you have to shove everything into the same PHY for Tx/Rx between the AP and the client stations.

It's well known that additional SSIDs create and consume management airtime that is not available for client data traffic, and those management frames are transmitted at the lowest available data rates (1Mbps for legacy DSSS (802.11b mode) and 6Mbps for OFDM, which is G/N/AC/AX).

Go back and review 802.11-2016, which is current up to 11ac (which is good enough for our discussion here).

I've been developing 802.11 equipment for over 20 years now, and to be completely honest, I find the whole concept of "reducing chatter" boneheaded logic...

@drinkingbird and @rborth - you both should know better here...
 
It's well known that additional SSID's create and consume management airtime that is not available for client data traffic,

Check.

and those management frames are transmitted at the lowest available data rates (1Mbps for legacy DSSS (802.11b mode) and 6Mbps for OFDM, which is G/N/AC/AX).

Actually, on WAPs with decent firmware you can choose the beacon frame transmission rate. Setting it to the max your clients will tolerate saves airtime and helps keep obsolete riffraff off your network ;)

Fully agreed though that adding SSIDs adds overhead without adding performance. Use as few as you can given whatever your security concerns are.
 

I'm referring to IP broadcast (including mDNS) traffic, which is completely blocked in both directions when access intranet is disabled. That is what these cheap wifi chipsets seem to have trouble with, accepting, processing, and responding to the constant probing within a broadcast domain. Technically GW2 and 3 are part of the same broadcast domain as each other and the LAN but it is filtered out using AP Isolation and firewall rules. GW1 ends up being basically the same except even without any firewall, the broadcasts wouldn't make it to the BR1 and 2 interfaces.

In theory an access point with multiple SSIDs should be able to direct frames for each only to the clients connected to each, rather than sending everything out both, but I'm not aware if any do that, never given it any thought. The only promiscuous wifi card I have is an 802.11b PCMCIA one with Windows XP drivers so can't check, but my guess would be the Asus is sending all frames out all SSIDs/virtual interfaces. But any chipset that can't manage to ignore those frames shouldn't even be in a $5 smart bulb. The real issue comes from when it has to use its puny CPU to actually process stuff.

Yes, there is additional management overhead with an additional SSID, but the benefits of breaking up a broadcast domain can far outweigh the disadvantages of that, if you have a lot of devices or even just a few that do a lot of mDNS or other probing. I try to mitigate the impact of the management frames by setting my 5GHz beacons to 12M and 2.4 to 11M, but can't do that on the Asus, only my Ubiquiti. The Asus broadcasts 6 and 5.5 since I have B disabled. At one point I started researching how to disable some MCS rates and set the basic rates on the Asus, but didn't get anywhere, and there wasn't any issue I was trying to solve so forgot about it. It should be doable since they let you limit the upper end.

I'm running 3 SSIDs off the Asus and get perfectly good performance. If I disable both guests, I get the exact same throughput and latency both to WAN and LAN.

If you weren't sure what I meant by "chatter" all you have to do is ask, don't need to resort to attacks based on assumption because of what you're most familiar with.
 

For the people that I know that have Echos, they seem to be pretty reliable. But they are some of the ones creating a lot of the chatter with mDNS or whatever proprietary version they're using. Would not surprise me if having several of those along with other IoT stuff could start causing problems. But my mom's house has 5 Echo Dots (1 gen 2 and 4 gen 3) along with their discontinued landline interface (Echo Connect) so she can say "call 911" from anywhere in the house (lives alone). Running off a cheap Netgear AC router and they've been solid for a few years. She actually uses them for quite a bit now (contrary to what she would have claimed in the beginning).

I started with Intel's first 802.11b and was running off 10M hubs before that as well. The first one I toyed with was Apple's network that ran off RJ11 phone cords, then ARCNET that ran off a shared run of BNC with Tees along the way and terminators on each end. We've come a long way from those days.

Though I doubt you were able to upgrade 10M to 1 gig without replacing the wiring. Cat 5e didn't exist when it was 10M only :) Same keystone jacks could typically be used though, technically not up to spec but they worked. Most offices were typically wired with only 2 pair to each desk too, that was a major undertaking when they wanted to go gig. Many just waited until the inevitable move to a new floor/building to do that.
 

Along those lines, when Amazon announced they were buying iRobot (whose vacs all include video cameras and microphones now) and their marketing lady was asked if they were going to use images and audio to tailor people's suggestions etc, she totally dodged the question.

My guess is in a year or so if you buy a Roomba Amazon will magically start suggesting rugs that are the exact right size for your room, and knowing exactly when you're almost out of coffee.
 

It can significantly improve performance of devices with weak CPUs, especially these days with all the different types of broadcasts and probing that is constantly going on. Fire up a sniffer, disable promiscuous mode (most wifi cards don't support it anyway but just in case) so you only see what is destined for your PC, then watch it with "access intranet" enabled and disabled. Now imagine your PC is a $5 lightbulb with a 50 cent wifi chip in it.
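One way to put numbers on the "chatter" the post above suggests sniffing, as an added example that is not from the thread: a shell function that tallies `tcpdump -e -n` output by destination type (broadcast, multicast, unicast) and by the services IoT devices typically spray (mDNS, SSDP, DHCP, ARP), run here over constructed sample lines. On a real LAN, pipe `tcpdump -e -n -i <iface> -c 500` into it once with "Access Intranet" enabled and once with it disabled and compare the two lines.

```shell
#!/bin/sh
# Added example, not from the thread. Tally what a non-promiscuous client on the
# LAN gets to see, from "tcpdump -e -n" lines: destination type and service.
# The sample below is constructed to look like tcpdump -e -n output.
SAMPLE_CAPTURE='12:00:01.000001 aa:bb:cc:dd:ee:01 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 192.168.1.50.5353 > 224.0.0.251.5353: 0 PTR (QM)? _googlecast._tcp.local. (38)
12:00:01.000002 aa:bb:cc:dd:ee:02 > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 140: fe80::1.5353 > ff02::fb.5353: 0 PTR (QM)? _hap._tcp.local. (38)
12:00:01.000003 aa:bb:cc:dd:ee:03 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 200: 192.168.1.51.49152 > 239.255.255.250.1900: UDP, length 158
12:00:01.000004 aa:bb:cc:dd:ee:04 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:04, length 300
12:00:01.000005 aa:bb:cc:dd:ee:05 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.55, length 28
12:00:01.000006 aa:bb:cc:dd:ee:06 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 74: 192.168.1.60.443 > 192.168.1.50.52000: Flags [S.], seq 0, ack 1, win 65535, length 0'

# Reads tcpdump -e -n lines on stdin, prints one summary line.
tally_chatter() {
    awk '
    {
        # Field 4 is the destination MAC (with a trailing comma) in -e output.
        dst = $4; sub(/,$/, "", dst)
        if (dst == "ff:ff:ff:ff:ff:ff") kind = "broadcast"
        else if (dst ~ /^01:00:5e/ || dst ~ /^33:33/) kind = "multicast"
        else kind = "unicast"
        # The IP-level destination is the token after the second " > ", ending
        # in ":"; its last dotted component is the port (works for v4 and v6).
        port = ""
        if (match($0, / > [^ ]+: /)) {
            tok = substr($0, RSTART + 3, RLENGTH - 5)
            n = split(tok, part, "[.]"); port = part[n]
        }
        if ($0 ~ /ethertype ARP/) svc = "arp"
        else if (port == "5353") svc = "mdns"
        else if (port == "1900") svc = "ssdp"
        else if (port == "67" || port == "68") svc = "dhcp"
        else svc = "other"
        c[kind]++
        if (kind != "unicast") s[svc]++   # only non-unicast counts as "chatter"
    }
    END {
        printf "broadcast=%d multicast=%d unicast=%d", c["broadcast"], c["multicast"], c["unicast"]
        printf " mdns=%d ssdp=%d dhcp=%d arp=%d other=%d\n", s["mdns"], s["ssdp"], s["dhcp"], s["arp"], s["other"]
    }'
}

# Demo on the constructed sample; on a real network replace the printf with
# tcpdump -e -n -i <iface> -c 500.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | tally_chatter
fi
```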
 
Good to look back and refresh those old DRAM brain cells to avoid losing the data.

Our first network was an IBM AS400 running twinax. And like you, thinnet tying select PCs together. Later added 10BT hubs that had provisions for the thinnet "backbone".

We upgraded buildings around 2000 just before the dawn of CAT5e with 100BT Hubs at the time with one switch tying the hubs together. Luckily the CAT5 cable we bought, with the lengths we had and the termination we used worked at 1000BT. I think it was Hitachi cable and obviously slightly ahead of their time in the crosstalk department. Subsequent wiring was done with CAT5e then Cat6 as available.

I was gifted an Echo Show 8 which I use to check the weather and my flash news briefings in the morning. Some mornings it takes its time to respond, some mornings I need to do a reboot; often when this happens the Alexa app on my Android tablet works in the same location. Should be the same signal strength but connected to a different SSID.

Speaking of chatter, Echo Show devices, unless this "feature" is disabled, provide an Internet connection to the public Amazon Sidewalk Bluetooth Low Energy (BLE) mesh network. I of course immediately disabled this. This Amazon "surprise" was the impetus for me to isolate IoT devices as much as possible.

https://www.inverse.com/input/guides/what-is-amazons-sidewalk-network-how-to-disable-it
 

Yeah sidewalk gets immediately disabled, same with any ISP hotspot (if the person is using ISP supplied router). Screw all that stuff.

I do know a couple of people with Echo Shows and they seem fine. Possibly the guest network is interfering somehow, they do like to use mDNS for discovery, maybe something freezes up (not sure if you have it on a guest network or not). Or it is just a faulty one that is overheating and freezing up or something.
 
