
Securing all devices on a SSID

cdikland

Regular Contributor
My home network is as follows:
AC66U (AP) and N66U (AP) routers ---->>> Netgear GS108T smart switch ---->>> AC68U. All routers are running Merlin's 374.40 FW.

On the N66U router there is a "home automation (HA)" SSID to which a variety of HA wireless devices are connected. The problem with these devices is that they are totally insecure. Anyone at all connected to any SSID (except Guest) can download the appropriate mobile app for these devices, start it up and have total access both locally and remotely. To prevent this, the easiest method would be to create a guest SSID and force all my wireless clients to use it instead of the other SSIDs currently in place. This is not particularly a desirable route I want to take for a variety of reasons. So.....

My question is: Is there a way I can prevent all wireless clients on non-guests SSID from accessing the devices on this HA SSID?

BTW: The Hide SSID option works until a device is disconnected (i.e. power failure). Once disconnected, it will not reconnect until I disable the Hide SSID option.
 
Any reason you do not use Authentication and Encryption to secure your WLAN?
 
I'm still not following what you're trying to achieve.

So, your HA devices are connecting via their own SSID to your LAN. What connectivity do you want the HA devices to have?

Do you want them to have internet access?
Are they accessible on your LAN only to wired connections but not wireless?
Do you want to block all access to the HA devices apart from a specific list of IP addresses?

UPDATE: Sorry, just re-read your post:
My question is: Is there a way I can prevent all wireless clients on non-guests SSID from accessing the devices on this HA SSID?
What about wired clients?
 
The wireless devices, specifically Belkin Wemo and Balboa Spa control, can only be (practically) accessed wirelessly via an iOS or Android app (several cryptic Windows/Linux utilities out there but they are not an issue atm). If you come to my house, connect to my wifi (Guest SSID is an exception) with your Android/iPhone, then download any of these apps and start them up while still connected to my wifi, you will have "permanent" access to all devices even when no longer connected to my wifi. Unlike the Nest Thermostat or all my network cameras, none of these devices have a password protection option. Other than myself, I want no one, family, friends or stranger, having access to these devices. :mad: I trust no one 0:D
 
Hmm. I'm thinking maybe,

you could use iptables on the N66U to drop all traffic going to eth1 and eth2 unless it's from an allowed IP address. Not sure this would work considering that those interfaces are bridged as br0.
 
Is there any reason (other than the cost) you couldn't add another inexpensive router and double NAT it behind one of your existing routers?

If this additional router was on its own subnet the HA devices could not be accessed from your primary network.

If necessary, using port forwarding and dynamic DNS you could still administer the devices, but you would be giving up some security.
 
personally, i like the idea of using a cheap router to double nat a private network, but this still wouldn't necessarily be both secure and accessible simultaneously.

when you set up the additional network, you'd still need port forwarding to access the devices and thus anybody could unless you took additional measures, such as using iptables on the second router to only allow specific MAC addresses (don't think allowing only one MAC is a wise idea tbh) to the network.

for using ONLY the one router, i believe you'd have to filter between the interfaces using EBTABLES rather than iptables. i personally am more proficient with iptables
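The single-router filtering idea from the posts above (restrict what can reach the HA devices across the bridged interfaces), as an added example that is not part of any original post: a shell function that prints ebtables rules for review rather than applying them. The chain name `HA_GUARD` and every MAC address are constructed, and it assumes ebtables is available on the AP and that the HA traffic actually crosses the Linux bridge.

```shell
#!/bin/sh
# Added example: let only listed source MACs send unicast frames to the HA
# devices across the AP's bridge. Assumption: frames between clients of the
# same SSID may be switched inside the wireless driver and never reach
# these rules.

CHAIN=HA_GUARD   # hypothetical chain name

is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# ha_guard_rules "<allowed source MACs>" "<HA device MACs>"
# Prints the commands instead of running them so they can be reviewed first.
ha_guard_rules() {
    allowed=$1 devices=$2
    [ -n "$allowed" ] && [ -n "$devices" ] || return 1
    # Validate everything before emitting anything: no partial rule sets.
    for m in $allowed $devices; do
        is_mac "$m" || { echo "bad MAC: $m" >&2; return 1; }
    done
    echo "ebtables -N $CHAIN"
    # Frames addressed to an HA device are judged in the guard chain.
    for d in $devices; do
        echo "ebtables -A FORWARD -d $d -j $CHAIN"
    done
    # Allowed senders, e.g. the admin's phone and the gateway
    # (the gateway carries DHCP and internet replies to the devices).
    for a in $allowed; do
        echo "ebtables -A $CHAIN -s $a -j ACCEPT"
    done
    # Any other sender addressing an HA device is dropped.
    echo "ebtables -A $CHAIN -j DROP"
}

# Constructed sample values: admin phone, gateway LAN MAC, two HA devices.
ADMIN_PHONE=02:00:00:aa:bb:01
GATEWAY=02:00:00:aa:bb:fe
HA_DEVICES="02:00:00:cc:dd:10 02:00:00:cc:dd:11"

ha_guard_rules "$ADMIN_PHONE $GATEWAY" "$HA_DEVICES"
```

These rules match only unicast frames addressed to a device, so broadcast and multicast discovery traffic still reaches the HA devices. A source MAC is also a value the client controls, so this filter narrows access but does not authenticate anyone.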
 
I would also go the cheap, refurb router in a LAN to WAN cascade for the double NAT. I would get something that has AP isolation too for future possibilities.
 
Thanks everyone for your ideas. Leaning towards using a "cheap" router and double nat. Got a RT-N12 router kicking around. That cheap enough :)?
 
Regarding the WeMo, there is a good read at http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/ on how Belkin achieved control outside the router (using a VoIP protocol). I still don't like the idea of a device bypassing the basic rule, for most users, that what is behind the router stays behind it. If only they at least provided an option to disable the "control anywhere" option...
 
If using your 'Guest' network prevents access to the HA devices, can you not set up your HA SSID as a 'Guest' network, isolating it from the rest of your LAN, or use a guest network for all wireless devices except your own and the HA devices?
 
One question: the last Merlin firmware is not working well with VoIP, same configuration as before. Any ideas?
 
My VoIP ATA is working fine here.
 