Hi all,
I'm relatively new to the forum, but from everything I've picked up about this place over the last year or more of running into it, this is the place to be if you have questions about ASUS routers. What I'm looking for is a few different ideas of how you would implement the below mentioned hardware to achieve the target goal. There's a handful of ways to do this, and I know I am not thinking of all possible solutions myself, so I'd like to hear how some of you might approach this.
Hardware:
Spectrum cable modem - 200/10mbps
ASUS RT-AX3000 (AX58U) - ASUSMerlin v386.2
2x ASUS RT-AC68U - ASUSMerlin v386.2
A butt load of devices (roughly 30-40 wifi, 10 wired)
5 Amazon echo devices, 2 google home hubs, home assistant server on wired LAN (also hosts zigbee controller for my zigbee devices, no longer using my echo plus for zigbee).
Current configuration:
ASUS AX-3000 router sits on the modem's WAN port. Several hardware devices are connected throughout my condo via ethernet, mostly in my loft, running through an 8-port tplink dumb gigabit switch. Attached to that switch is one of the RT-AC68U's, with the other in the living room downstairs.
The AC68U's are configured as a mesh network in access point mode, with LAN backhaul over my internal LAN, each attached on different LAN ports of the AX3000. The AX3000 is utilizing both 2.4ghz and 5ghz wifi networks, configured with ax/mu-mimo and is used by household personal devices such as laptops, tablets, phones, gaming devices (oculus), printers, google hub, and amazon echo devices. Currently handles 5-10 wifi devices (mix of 5ghz and 2.4ghz) as well as the wireless devices from the AIMesh network and all my wired devices. Approximately 35-45 devices communicate through this router at any given time, whether internally or to the internet.
The AIMesh network (unique SSIDs) also provides a 2.4ghz and 5ghz wifi network, targeting my smart home devices, such as my smart bulbs, ring doorbell, smart outlets, the dozen or so ESP8266 devices I've created myself (most running ESPHome), indoor garden, motion sensors, etc. Currently handles about 15-20 device connections, almost all of them on 2.4ghz.
The goal:
I would like to isolate my IOT network. I understand that merlin and ASUS firmware in general will not handle VLANs properly. I considered DD-WRT on the AC68U's for VLAN tagging, but that would mean losing AIMesh, and the lack of VLAN support on the AX3000 would make things much more complex than necessary. The IOT network does need access to the internet as some of my smart devices are cloud connected (until I can get local-tuya working reliably). I would likely also move my echo and google home hub devices onto the IOT network, where they will need internet access. Home Assistant will likely need an interface on both networks (can simply put a wireless interface on the IOT network, leave wired on the internal LAN, and put them in a bridge, which, off the top of my head, should be safe if hairpinning is not enabled). My home media devices, computers, laptops, tablets, phones, etc. will remain on the internal mixed network handled directly by the AX3000 LAN and Wifi ports.
Solutions considered:
The first solution I've considered is flipping one of the AC68U's to router mode, and then adding the other to it via mesh. It's questionable how much I'd be compromising security by continuing to use the AX3000 LAN as a backhaul. The only other viable solution would then be wireless backhaul. I would create a route on the AX3000 to point to the IOT segment IPs via the AC68U's WAN interface. Of course, unsolicited inbound traffic would be blocked. I could disable the firewall though, and use only NAT, which would allow me in to any device. The main requirement I guess would be writing an iptables rule on the AX3000 that drops any traffic originating from the AC68U WAN IP destined for my internal LAN subnet. But that has caveats to it. My smart devices should still be able to report their status to my phones or other LAN devices by first routing through their cloud home. I am assuming there won't be any issues controlling my echo devices from my LAN to the IOT network. In the long run, I'm also considering how much security I'm actually gaining by configuring my network this way. A compromised device could still gain access to my LAN if the LAN device initiates the connection, for example. Unless I leave the firewall on, and force any communication from the LAN devices to the IOT devices to be done either by controlling through Home Assistant, or over the WAN port via either their own clouds or the Echo/Google Hub clouds. Note that the google hubs are used maybe once a month by voice... 99% of my voice control happens on the echo devices (though I just set up my first Mycroft device and am working on running my own back end, so that I can voice control my entire home without internet).
If anything here doesn't make sense or I overlooked something, feel free to point it out or ask. I'd really like to hear a mix of opinions of how you guys would go about doing such an implementation, but just as importantly, I'd love to hear why you would go with your choice. I've worked in infosec/it/netsec long enough to know that everyone has their own preference, and it's almost guaranteed that whomever your coworkers are, you will not be fortunate enough to have any that would do it the same way you would, because that would be too easy. Thanks in advance guys, I appreciate and welcome any input.
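Added example (not part of the post above, and not Asuswrt-Merlin's own code): a small model of the stateful FORWARD-chain policy the "AC68U in router mode" option implies, evaluated over a few constructed flows. It places the rules on the AC68U rather than the AX3000, because once the AC68U has forwarded (and NATed) an IoT packet onto the main LAN segment, that packet is normally switched straight to the LAN host and never passes through the AX3000's own FORWARD chain; the router that actually sits between the two segments is the AC68U. The subnets, the interface names (br0 for the AC68U's LAN bridge, eth0 for its WAN port in router mode) and the host addresses are assumed placeholders. The generated lines are the shape a /jffs/scripts/firewall-start entry would take; the simulator applies the same semantics so the outcome of each direction can be checked offline.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholder addressing and interface names on the AC68U in router mode.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # AX3000 internal LAN (AC68U WAN side)
IOT_NET = ipaddress.ip_network("192.168.50.0/24")   # segment behind the AC68U
IOT_IF, UPLINK_IF = "br0", "eth0"


def ac68u_firewall_rules(lan_net=LAN_NET, iot_if=IOT_IF, uplink_if=UPLINK_IF):
    """Lines for a firewall-start script on the AC68U (assumed shape, not the
    firmware's own rules). Both are inserted at the top of FORWARD so they win
    over the stock chain, which already accepts ESTABLISHED,RELATED replies and
    drops unsolicited traffic arriving on the WAN side."""
    return [
        # Drop new connections that try to cross from the IoT segment into the main LAN.
        f"iptables -I FORWARD -i {iot_if} -d {lan_net} -m state --state NEW -j DROP",
        # Let main-LAN hosts (Home Assistant, phones) open connections into the IoT segment.
        f"iptables -I FORWARD -i {uplink_if} -s {lan_net} -o {iot_if} -j ACCEPT",
    ]


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    sport: int
    dport: int


class ForwardChain:
    """Minimal model of the AC68U FORWARD chain plus connection tracking.
    NAT (POSTROUTING masquerade) is not modelled; it does not change verdicts here."""

    def __init__(self, lan_net=LAN_NET, iot_net=IOT_NET):
        self.lan_net, self.iot_net = lan_net, iot_net
        self.conntrack = set()  # accepted flows, stored direction-independent

    @staticmethod
    def _flow_key(p):
        return frozenset(((p.src, p.sport), (p.dst, p.dport)))

    def forward(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        out_if = IOT_IF if dst in self.iot_net else UPLINK_IF
        key = self._flow_key(p)
        # Stock rule: packets belonging to an already accepted flow pass (ESTABLISHED).
        if key in self.conntrack:
            return "ACCEPT"
        # Added rule: a new IoT -> LAN connection is dropped.
        if p.in_if == IOT_IF and dst in self.lan_net:
            return "DROP"
        # Added rule: a LAN host may start a connection into the IoT segment.
        if p.in_if == UPLINK_IF and src in self.lan_net and out_if == IOT_IF:
            self.conntrack.add(key)
            return "ACCEPT"
        # Stock rule: IoT devices may reach the internet for their cloud services.
        if p.in_if == IOT_IF and out_if == UPLINK_IF:
            self.conntrack.add(key)
            return "ACCEPT"
        # Stock default: anything else arriving on the WAN side is unsolicited.
        return "DROP"


def demo():
    """Constructed flows: a bulb in the IoT segment, Home Assistant on the LAN, a cloud host."""
    fw = ForwardChain()
    bulb, ha, cloud = "192.168.50.20", "192.168.1.10", "203.0.113.10"
    return {
        "iot_to_cloud": fw.forward(Packet("br0", bulb, cloud, 40001, 443)),
        "cloud_reply": fw.forward(Packet("eth0", cloud, bulb, 443, 40001)),
        "iot_to_lan_new": fw.forward(Packet("br0", bulb, ha, 40002, 8123)),
        "lan_to_iot_new": fw.forward(Packet("eth0", ha, bulb, 50000, 80)),
        "iot_reply_to_lan": fw.forward(Packet("br0", bulb, ha, 80, 50000)),
    }


if __name__ == "__main__":
    print("\n".join(ac68u_firewall_rules()))
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The last two flows are the caveat raised in the post: once a LAN host opens a connection to an IoT device, that device gets a return channel, but only on that tracked flow, and a compromised device still cannot originate a new connection into the LAN. Whether it is worth also keeping the AC68U's firewall on (rather than NAT only) comes down to that "lan_to_iot_new" rule: dropping it, or limiting its source to the Home Assistant host, is the difference between "any LAN device can poke the IoT segment" and "only HA can".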