Splitting smart home devices in separate network

[kirbby]

Hello,

last week I bought a new wifi router, the Asus RT-AC66U (using Asuswrt Merlin).
Now I want to split my home network, one network for my PC, Laptops etc. and one for all the smart home devices. That worked good with a guest network for the smart devices, but now I installed Home Assistant on a Raspberry Pi and I bought a Sonos and a TV, which all 3 will be wired and should also be in the same network as the "guest" wifi devices. I also just bought an 8-port smart switch where I can create VLANs.
The network with the smart home devices should not be able to access the intranet, but obviously see each other.

Now I'm not really sure how to set this up in a good way.
I thought about having 2 different ip ranges for the networks, though I don't know how reliable it is to change ip range on the guest network with scripts/command line.

Additionally if I were to setup a external drive as media server on the routers USB can I access that mediaserver from both networks (or is there a setting for this) or is it only accessible from the "intranet" network.

Also I have my old Asus Wireless Router(RT-N56U) to spare. Though I'd rather use it as last resort, cause the reason I replaced it was wifi reach. I know how to set it up if I put all the smart home wifi devices on one router and the rest of the devices on the other.

any input and help is appreciated

greetings kirbby

 

[CaptainSTX]

Hello,

last week I bought a new wifi router, the Asus RT-AC66U (using Asuswrt Merlin).
Now I want to split my home network, one network for my PC, Laptops etc. and one for all the smart home devices. That worked good with a guest network for the smart devices, but now I installed Home Assistant on a Raspberry Pi and I bought a Sonos and a TV, which all 3 will be wired and should also be in the same network as the "guest" wifi devices. I also just bought an 8-port smart switch where I can create VLANs.
The network with the smart home devices should not be able to access the intranet, but obviously see each other.

Now I'm not really sure how to set this up in a good way.
I thought about having 2 different ip ranges for the networks, though I don't know how reliable it is to change ip range on the guest network with scripts/command line.

Additionally if I were to setup a external drive as media server on the routers USB can I access that mediaserver from both networks (or is there a setting for this) or is it only accessible from the "intranet" network.

Also I have my old Asus Wireless Router(RT-N56U) to spare. Though I'd rather use it as last resort, cause the reason I replaced it was wifi reach. I know how to set it up if I put all the smart home wifi devices on one router and the rest of the devices on the other.

any input and help is appreciated

greetings kirbby

If by using the smart switch you can't configure the VLANs you need then you can consider a double NAT situation. To isolate the IoT and guest from your primary and more secure network you need to set it up as follows:

1. The Internet facing first router is the router/network that you connect IoT and guests to. This router will be in its own subnet.

2. The second router will be in its own subnet, administrative access from the WAN turned off, and it will be connected by a cable from a LAN port on router 1 to the WAN port on this router. You will be able to see and administer devices connected on Router 1 from Router 2 but not visa versa.

You probably can use the N56 as your first router if your Internet speed from your ISP isn't in excess of 300 Mbps and perhaps even if it is greater.

Having a double NAT setup will not impact your speed or increase your latency by any amount that you can measure. It will make certain things more complicated.

 

[kirbby]

If by using the smart switch you can't configure the VLANs

I know how to do this if I use both wifi routers. But as I said the wifi strength of the N56 is not that good on the edges of my house.
If I only use the AC66U I can configure 2 VLANs on the Switch, but then I don't have a connection from the guest wifi from the AC66U and the other VLAN on the switch, correct? This is why I thought about making 2 IP ranges to split it like that, but didn't find if I can reliably give a different range to the "guest" wifi on the AC66U than the range of the main wifi on it.

I hope I could explain my thoughts better.

If I wanted 2 use your approach I probably just make 2 VLANS and connect the AC66U to VLAN1 together with my PC on Lan and then the TV, Sonos, RaspPi and the N56 to the second VLAN and that would be it I think. No need for double NAT.
Or are there other advantages to your approach?

 

[CaptainSTX]

I run in a double NAT setup with my guest and IoT devices on my Internet facing router for security. I also use VLANs to further isolate traffic. For instance the TP-Link switch that feeds the twelve Ethernet jacks located throughout my home is setup so that unused jacks are in a different VLAN than jacks connected to printers, computers, NAS, etc. That way if we have visitors and they should plug their device into an open Ethernet jack they don't have access to my most secure network. I could do the same thing by not feeding those jacks from my wiring panel but VLANs are more conveniet.

Advantages to double NAT:

1. Easier in many cases than trying to set up VLANs
2. Many people already have a second router that can be used for this purpose instead of buying a smart switch.
3. Having additional WiFi aps splits the traffic between upto four radios. If you stream using WiFi then when someone is streaming a 4K HD video from Netflix it isn't hammering you primary network's WiFi.
4. Added security. I have six guest networks running on my guest/IoT router. This allows be to divide my IoT devices into multiple segregated buckets so with Intranet access restricted even if one POS IoT device gets compromised it is much less likely to infect other networked devices. As has been shown on this forum having multiple SSIDs on a router does have a negative impact on WiFi performance, but in my case I have 300/25 Mbps ISP connection so the losses aren't noticeable even on a 4K HD stream.

 

[kirbby]

I won't have guests at all, that plug into LAN. (Still a good tip I could use at some point)

1) This should not be a problem if I get pointed in the right direction
2) I already bought a smart switch
3) That is something to consider for me, although streaming would mostly happen through my TV and PC which are wired. Still also a good point to consider in case my girlfriend will use her laptop over the TV to stream.
4) And I think 1 IoT network should be sufficient for my desires security wise.

Big thanks for explaining use cases of double NAT to me.

I'm still looking for a possibility to it using 1 wifi router.

 

[CaptainSTX]

Just keep in mind that many SmartTVs have terrible reputations for security. Where possible on my network I try to keep them segregated from my more secure personal devices.

 

[kirbby]

Just keep in mind that many SmartTVs have terrible reputations for security. Where possible on my network I try to keep them segregated from my more secure personal devices.

That's why I want to have my 3 Iot wired devices (TV, Sonos and RaspPi with Home Assistant) in the same network as the rest of the IoT and not in the network of my PC and Laptop.

 

[Martineau]

I won't have guests at all, that plug into LAN. (Still a good tip I could use at some point)

1) This should not be a problem if I get pointed in the right direction
2) I already bought a smart switch
3) That is something to consider for me, although streaming would mostly happen through my TV and PC which are wired. Still also a good point to consider in case my girlfriend will use her laptop over the TV to stream.
4) And I think 1 IoT network should be sufficient for my desires security wise.

Big thanks for explaining use cases of double NAT to me.

I'm still looking for a possibility to it using 1 wifi router.

I currently use several smart switches:

1x Netgear GS108PE, 2 x GS108E and 3 x tp-link TL-SG2008

that are VLAN capable to isolate IoT devices and VPN access.

Setting up the VLANs on the smart switches varies by the vendor GUI but is pretty straight forward.

Then having defined the VLANs, you simply tag the down-stream smart switches to the appropriate port on the router using a script VLANSwitch.sh etc.

How to segment my network (VLANs, UTM, Cascading)

 

[kirbby]

I currently use several smart switches:

1x Netgear GS108PE, 2 x GS108E and 3 x tp-link TL-SG2008

that are VLAN capable to isolate IoT devices and VPN access.

Setting up the VLANs on the smart switches varies by the vendor GUI but is pretty straight forward.

Then having defined the VLANs, you simply tag the down-stream smart switches to the appropriate port on the router using a script VLANSwitch.sh etc.

How to segment my network (VLANs, UTM, Cascading)

I got a TP-Link SG-108E, the part where I'm having trouble is. How can I segment my wireless devices in the guest network from my intranet, but let them reach the wired devices in the other VLAN. My RaspPi with Home Assistant needs to see all the IoT devices to control them obviously.

EDIT: I should have opened and read your link first. That might contain the answers I'm looking for. My apologies.

 

[agilani]

Hello,

last week I bought a new wifi router, the Asus RT-AC66U (using Asuswrt Merlin).
Now I want to split my home network, one network for my PC, Laptops etc. and one for all the smart home devices. That worked good with a guest network for the smart devices, but now I installed Home Assistant on a Raspberry Pi and I bought a Sonos and a TV, which all 3 will be wired and should also be in the same network as the "guest" wifi devices. I also just bought an 8-port smart switch where I can create VLANs.
The network with the smart home devices should not be able to access the intranet, but obviously see each other.

Now I'm not really sure how to set this up in a good way.
I thought about having 2 different ip ranges for the networks, though I don't know how reliable it is to change ip range on the guest network with scripts/command line.

Additionally if I were to setup a external drive as media server on the routers USB can I access that mediaserver from both networks (or is there a setting for this) or is it only accessible from the "intranet" network.

Also I have my old Asus Wireless Router(RT-N56U) to spare. Though I'd rather use it as last resort, cause the reason I replaced it was wifi reach. I know how to set it up if I put all the smart home wifi devices on one router and the rest of the devices on the other.

any input and help is appreciated

greetings kirbby

Create a guest ssid on the main router and setup the 2nd router as a repeater bridge for the guest ssid. Attach all of the devices you want to segregate onto the repeater.

 

[kirbby]

Create a guest ssid on the main router and setup the 2nd router as a repeater bridge for the guest ssid. Attach all of the devices you want to segregate onto the repeater.

That doesn't accomplish connecting the guest network to my switch ports or my router ports at all. The main router has enough wifi range to cover all the devices.

 

[ColinTaylor]

That doesn't accomplish connecting the guest network to my switch ports or my router ports at all. The main router has enough wifi range to cover all the devices.

Actually it might, depending on any restrictions of the physical layout of the devices. The second router is configured as a Media Bridge (not a repeater) and connected to your guest SSID. So now the Ethernet ports of the Media Bridge are part of the parent router's guest network. So you don't need the other switch at all.

 

[kirbby]

Actually it might, depending on any restrictions of the physical layout of the devices. The second router is configured as a Media Bridge (not a repeater) and connected to your guest SSID. So now the Ethernet ports of the Media Bridge are part of the parent router's guest network. So you don't need the other switch at all.

Ah now I understand what agilani meant, thanks for clarifying Colin.
I will try with the VLAN tagging approach first, as this uses only 1 router. This will be my new fallback plan now though, let's me keep my "good" wifi with the AC66U and still get what I want.
Thanks agilani aswell

 

[agilani]

Actually it might, depending on any restrictions of the physical layout of the devices. The second router is configured as a Media Bridge (not a repeater) and connected to your guest SSID. So now the Ethernet ports of the Media Bridge are part of the parent router's guest network. So you don't need the other switch at all.

Media Bridge Mode - Only the lan ports are active and act as a layer 2 bridge of the SSID they use for their backhaul
Repeater Mode - LAN and WIFI are both active and act as a layer 2 bridge for the SSID they use for their backhaul

The only difference being if you need wireless and wired extension of the guest ssid.