Novice question about adding VLAN | IOT


aps

I’m after some advice on the best approach to adding a separate LAN to our home network as part of a move to adding a suite of IOT devices. The current set-up involves NBN Modem -> ASUS RT-AC86U (running ASUS firmware) with a separate ASUS unit used for AiMesh. The complication is that it doesn’t seem possible, or at least simple, to set up a VLAN within the RT-AC86U, so the options look to be:

  1. put all the IOT devices onto a guest network
  2. place a VLAN capable switch before the ASUS RT-AC86U
  3. upgrade the ASUS RT-AC86U to a new ASUS router that has a GUI for VLANs (doesn’t seem to exist)
  4. purchase a VLAN capable router placed ahead of the ASUS, keeping that for Wi-Fi | AiMesh

My rudimentary understanding from reading the various articles here is that (1) is not best practice, (2) is problematic due to DHCP issues, and (3) doesn’t exist. Is this the correct assessment? It’d be great to get advice on how to proceed.
 

You put all the wireless IoT devices on a guest network.

You put a smart switch which will let you do VLANs placed after the router, connected to a LAN port, and set up however many VLANs you need to separate IoT devices.

I have a VLAN for wired IoT devices, another for video devices, and then a VLAN for my more secure PCs, NAS, etc.

Otherwise you are going to have to search the site for tips on how to write scripts on your router. Some people have had success and it isn't simple.
 
Thanks. So, to be clear, would I be able to use any of the LAN ports on the wireless router, or do all the Ethernet devices have to tie back to a port / VLAN on the switch? And can the devices on the normal Wi-Fi connect to Ethernet devices?
 
The LAN ports on the router still work, and while they could not be assigned to a specific VLAN, they would be part of a default VLAN and might not be fully isolated from devices on other VLANs. Some of the isolation will depend on the switch and how you set it up.
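An added example (not code from any poster in this thread) showing why the default VLAN matters on a smart switch: it parses constructed 802.1Q frames, assigns untagged frames to the ingress port's PVID, and checks whether a Layer 2 switch would forward the frame out of a given port. The VLAN IDs and the three trust zones are assumptions mirroring the layout described in the thread.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed VLAN plan mirroring the three trust divisions described in the
# thread; the IDs are assumptions. VLAN 1 is the switch's default VLAN, the one
# untagged traffic (e.g. from the router's own LAN ports) lands in.
VLAN_ZONES = {1: "default", 10: "iot", 20: "video", 30: "trusted"}


def build_frame(dst: bytes, src: bytes, vid, ethertype: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet frame, tagged with 802.1Q if vid is not None."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN id (None when untagged), priority and inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF  # 3-bit priority, 12-bit VLAN id
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, port_pvid: int) -> int:
    """VLAN the switch assigns on ingress: the tag if present, else the port PVID."""
    vid = parse_frame(frame)["vid"]
    return port_pvid if vid in (None, 0) else vid  # VID 0 = priority-tagged only


def forwarded_on_port(frame: bytes, port_pvid: int, egress_member_vlans: set) -> bool:
    """A Layer 2 switch only floods/forwards a frame within its ingress VLAN."""
    return ingress_vlan(frame, port_pvid) in egress_member_vlans


def zone_of(frame: bytes, port_pvid: int) -> str:
    """Trust zone a frame ends up in, given the port it arrived on."""
    return VLAN_ZONES.get(ingress_vlan(frame, port_pvid), "unknown")
```

The point for the router's LAN ports: whatever arrives untagged is placed in the PVID of the switch port the router is plugged into, so a device on those ports is isolated only as far as that PVID's VLAN is kept separate from the others.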
 
The picture below shows my understanding of the network design. Is this correct?

  1. I understand that devices on the Guest network won't have access to devices on the Main Wi-Fi. How, though, do I allow devices on the Main Wi-Fi to access these Wi-Fi IOT devices; e.g., use smartphone to control the Wi-Fi IOT device?
  2. How, in this design, do I ensure that the devices on the Main WiFi (e.g., laptop, smartphone) and trusted Ethernet devices on VLAN 1 can communicate; e.g., able to access the NAS via the laptop or have a smartphone act as a client for A/V component connected via Ethernet?

[Image: Network Design.jpg]
 
How is wireless managed in your set-up? Are there access points off the various VLANs? Or are you using the router Wi-Fi (ahead of the switch), and if so, can Wi-Fi devices connect to the devices on the various VLANs?

And, in this model, all I need is a layer 2 smart switch? Are there specific switches for which it would be simpler to set up such that the devices on the router and the default VLAN on the switch can see each other?
 
I use a double NAT setup. All my IoT devices, both wired and wireless, are on the Internet facing router. All the wireless IoT devices connect to guest networks on this router, and where it works they go through a VPN.

Behind my second router I run a smart switch running three 802.1Q VLANs to separate devices into three divisions of trustworthiness / security. Some of these devices run through a VPN tunnel. Overkill, yes, but this is what this forum is about: we do it because we can. To the world it might appear my devices connect from four public IPs in four geographic locations.
 
I (definitely) misnamed this thread, as it should have been something like "a novice going down a rabbit-hole on networking" since, since the first post, I've moved to Asus Merlin f/w, learnt about PuTTY, then added Diversion + YazFi, and enabled a client VPN! Thanks to all those who (in this thread and elsewhere) have contributed. I do though have some questions:
  1. Are you using consumer routers in both locations? The reason for the question is that (if I do pursue this model) I'm wondering about using Untangle (or some other open-source firewall s/w) on a Protectli device. This approach would seem to go the next step in security (e.g. IDS features) and the raw h/w is not too expensive.
  2. A lot of threads mention OpenVPN on the router, which I understand allows a secure connection from outside the (home) LAN. I use this arrangement for work but struggle to see uses for home, especially now that streaming services provide access to music, etc. What are the killer use cases for motivating access to the home from remote sites? Is it access to IP security cameras, recordings, etc.?
 
@aps I'm going to answer a small part of your query "Why might I use a VPN?".

Many (most?) users are utilizing it for either getting around geo-fenced applications (ex. watch Netflix from another country) or so that they appear to access the internet from an address not their own. Some for P2P downloads, others ... who knows. There are certainly numerous other use cases, but if you get right down to it I would bet dollars-to-donuts that the majority fall into one or both of those camps.

Now, to accomplish that, I don't have to run VPN on the router, but it's easier. Say I run Netflix on a Roku or PlayStation or smart TV; those endpoints may not be easily configured for VPN (if at all), so doing it at the router level makes a lot more sense.

Note that VPN in a way is a misnomer; you're not on a private network unless you are creating the tunnel between two endpoints you own / control.

Personally, I find that the performance of most routers is so slow when using OVPN that I just don't.

YMMV :)
 
Most users are using VPNs because they consider even their home network actually public and unsafe. They are so popular nowadays they have become part of software security suites. Same reasons posters in the thread have separate VLANs. IMO it's best to use the VPN from the endpoint and not on the router when possible. When using a home server VPN, yes, it's most likely to connect securely to your home network to view LAN cameras or whatever servers you've got on it. A lot of people even use it to browse the web, but as the above poster said it will be a lot slower than just using the client app and is also another vector that could go wrong, IMO. Trusting the VPN service is like trusting anything else you're connecting to, like all the trackers in your browser, lol. It's better than trusting the ISP, who is now obligated by law to track your browsing history, violating our 4th amendment constitutional right. This doesn't mean you're a criminal; it means you learned what the Germans went through with the Gestapo and realize anything can be construed against you no matter how minor. And IMO even better than trusting your home router, lol. Just research a good service.

Plus, even when not using online credentials, which most people still do with a VPN because it's more about security than it is privacy (unless using Tor), we should get paid by the big data brokers. We all should be getting checks in the mail as a right of citizenship whether we subscribe to broadband or not.

Even with a 30MBs OpenVPN client connection on an ac66u_b1 I have no problem connecting like 20 IoT devices that are all Echos, Blink and Ring cameras. The live 1080p videos only need like 2MBs at a time. Most of their activity is already encrypted, but you never know.

Watching Netflix from another country is probably the least likely reason someone is using a VPN. If you took a poll on this forum you would find most people policy route their TVs to the WAN to avoid issues with them being blocked. The only time I put my TV behind a VPN now is when my ISP's connection is being throttled, probably from cyber attacks, or when the routing is temporarily screwed due to a down server in the area. Sometimes changing public DNS helps, but putting it behind a VPN does the trick more often than that.
 
I would venture to say that most users are using VPNs because of the scare tactics used in their marketing. Even an ISP issued router makes their home network not 'public and unsafe'.

I have parents asking me about VPNs because their kids' friends have one. Hardly a reason the parents think they are needed (they just want the whining to stop). And when I asked a couple of the friends why they have one? Because they want to 'game' freely on the internet. Lol...

Of all the customers I've helped over the years I've been doing this, not one of them uses a VPN unless they are connecting to their work when they're not there.
 
Disinformation is disinformation. How do we know you are not the same?

Operating systems and software firewalls still ask if your connected network is home or public. To me that is outdated and shouldn't even be a question. Assume everything is public; again, that's the whole reason people want to use VLANs in the first place. Same reasons for using a VPN.

I would love it if what you said about routers was true, but it isn't. That's why you constantly tout amtm and Skynet and who knows what else and give suggestions on how to make routers more secure. Just like the Trend Micro feature itself does. Because I would agree with you they are absolutely not secure out of the box. For some it's about usability vs security. But in this day and age, with newer technology, in most cases most users would not notice the difference in settings. Of course not the case with using a VPN, though; that could bring lots of headaches, lol.

And of course your customers don't use a VPN. You don't use one yourself even though you have an ac86u, which causes massive mysterious problems with that router, and I'm sure you talk them out of using one too, lol.
 
I don't talk anybody out of anything. I give them the information they need to decide on their own.

I also haven't had an RT-AC86U for over a year now. But misinformation is disinformation, right.

When I did have it, I used it many times over an OpenVPN connection without issues. As I still do with the current routers I use.

Connected to home or public is a vast difference to secure and not secure. Yes, you're not secure when you connect to a public network. But you still can be when you need to be connected to your home network (to access a NAS, printers, scanners, Media, etc.).

Out of the box, they are secure (well, except for WPS being enabled). But all the scripts we have available make them more so.

A paid-for VPN is a false sense of security. Period.
 
You and Ozark both own them and don't use VPNs on them, as you have repeatedly said on these forums. Most people with them that do have to disable Trend Micro, QoS or Traffic Analyzer to avoid issues. Even Merlin himself says DCD crashes on that model router all the time. To me it's suspicious.

But you can claim you do or don't and call it disinformation, but it should be obvious and common sense to all due to how you berate its use in this very thread. One could only ponder why...
 
So, now you know what I'm using better than I. Foul mood again? Goodbye.
 
That's a good point and I didn't include it in my earlier response. But much of the advertising for VPNs is misleading. The whole 'you're on a VPN now, now you're safe' is nothing more than preying on the uneducated and generally incorrect.

There are numerous valid use cases for VPNs from home. Many more so for using a VPN on public / uncontrolled Wi-Fi. Certainly not a 'cure-all' though :)
 
The whole point, though, is your last statement is outdated. There is no such thing as public vs home Wi-Fi anymore. It's all the same, and that's what you're not understanding. Society is coming to grips with this, and it is that same reasoning that prompts users to use a VPN in the first place, just like why they want to use a VLAN. You are not realizing that you are simply proving the argument for using a VPN in your argument against it. Think about it. A lot of people who will read this will wonder about the motives for why you do so because of such.

A better argument regarding your last statement would be to use the VPN at the endpoint instead of on the network router when possible.
 
You're changing the endpoint only. To really have a privacy and security discussion, it should revolve around fingerprinting, tracking technologies in general, browser security and data leakage, certificates and trusted CAs.

Bit much to take on.

One comment: Mostly you seem argumentative and disagreeable and not really interested in discussion as much as correcting people to tell them they're wrong. Not sure that's very productive.
 
Privacy and security are two different things. It's pretty hard to have total privacy, if even possible in today's world, but I agree using Tor and the Tor Browser really helps. You would literally have to live like a monk, digitally off the grid in a sense. That is where Tor and operating systems on disposable disks like Tails come in.

But people using VPNs are doing it more for security reasons. An example is they are still using personally identifiable online credentials, not trying to hide their whereabouts, but they want to protect those online credentials or other sensitive information along the route in between. HTTPS alone can be compromised, as current events have shown us. Even using Tor with a VPN is better than without in certain circumstances.

You can think what you want, but look in the mirror and say that about yourself. Because I love the discussion; you seem to be the one that's trying to stop it, not me. I think this is great and needs to be discussed.
 