Just over a month ago I decided it was time to upgrade my home network and get rid of the troublesome consumer APs and routers that had numerous security flaws. I went with Ubiquiti Networks because I liked the price point and the options I had with the firewall, APs, and switches. The switches also gave me the ability to use VLANs without costing a fortune. I also have a handful of IoT devices that may or may not have exploitable flaws, and given the track record of many IoT devices it is safer to keep them off your main network.
I will go into more detail about my network setup with Unifi in a later post; this post focuses on how I set up the VLAN, a separate network, a separate SSID, and a firewall rule to keep traffic flowing one way on the network.
My current setup is straightforward and works well for our home:
- Unifi Security Gateway 3P
- Unifi Switch 8 POE-60W
- Unifi AP AC-Pro
- IoT – The wireless network for any wireless IoT device, such as doorbells, thermostats, etc.
- LookingGlass – Wireless network for the children. The SSID shuts down at night and cuts them off from the internet.
- root – The main production network
- sudo – The guest network
There are also two networks: production and IoT. The IoT network is configured on VLAN 200, and the IoT SSID is tagged with the same VLAN. All that remains is a firewall rule set that allows the IoT network out to the Internet and lets devices on the production network talk to IoT devices, but does not allow traffic originating on IoT to reach the production network.
The rule is straightforward: drop all traffic, on any port, coming from IoT to production. It is much the same as the guest network, except that on the guest network users cannot see anything on the production network or any other guest on the network. Guests are also rate limited so they cannot affect network performance. That works fine for checking email or Facebook, but not so well for streaming media.
From what I have been able to tell through testing, it works as it should. When I connect to the IoT network I cannot reach anything on the internal network, while from the inside I can still reach devices on the IoT network, such as a wireless printer. I have since moved the printer onto the wired network, as there was no point in leaving it on WiFi, but it made for a useful test.
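To make the one-way policy above concrete, here is a small stateful filter model written for this post; it is an added example, not the author's USG configuration. The subnets are constructed (production on 192.168.1.0/24, IoT on 192.168.200.0/24 as VLAN 200, an outside host on 198.51.100.7), and the rule order mirrors what the post describes: replies to connections opened from production are allowed back in, new connections that originate on IoT and target production are dropped, and everything else (IoT to Internet, production to IoT) passes. The `stateful` switch shows why the drop rule needs the established/related check in front of it: without it, the printer's reply to a print job is dropped too.

```python
"""Model of a one-way IoT -> production firewall policy (added example).

Not the author's configuration: the subnets, hosts and ports below are
constructed to illustrate the rule ordering. Production LAN is untagged,
IoT is VLAN 200, and 198.51.100.7 stands in for an Internet host.
"""
from dataclasses import dataclass
import ipaddress

PROD = ipaddress.ip_network("192.168.1.0/24")    # constructed production subnet
IOT = ipaddress.ip_network("192.168.200.0/24")   # constructed IoT subnet (VLAN 200)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class OneWayFirewall:
    """Evaluates packets in rule order and tracks connections it has accepted."""

    def __init__(self, stateful: bool = True):
        self.stateful = stateful
        self.conns = set()  # 5-tuples of connections accepted as new

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        # The 5-tuple a reply to this packet's connection would have had on the way out
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def evaluate(self, p: Packet) -> str:
        src = ipaddress.ip_address(p.src)
        dst = ipaddress.ip_address(p.dst)

        # Rule 1: accept established/related, i.e. replies to a connection we
        # already let through in the allowed direction.
        if self.stateful and self._reverse(p) in self.conns:
            return "accept-established"

        # Rule 2: drop anything new that originates on IoT and targets production.
        if src in IOT and dst in PROD:
            return "drop"

        # Rule 3: everything else is allowed (production -> IoT, IoT -> Internet,
        # production -> Internet); remember it so replies match rule 1.
        self.conns.add(self._key(p))
        return "accept"


def run_scenario(stateful: bool = True) -> dict:
    """Replay the post's test: print from the LAN, then try to reach the LAN from IoT."""
    fw = OneWayFirewall(stateful)
    verdicts = {}
    # A laptop on production sends a job to a wireless printer on IoT (port 9100 is raw printing)
    verdicts["lan_to_printer"] = fw.evaluate(Packet("192.168.1.10", "192.168.200.20", 50000, 9100))
    # The printer answers on the same connection
    verdicts["printer_reply"] = fw.evaluate(Packet("192.168.200.20", "192.168.1.10", 9100, 50000))
    # An IoT thermostat tries to open SSH to the laptop: new connection from IoT
    verdicts["iot_to_lan_ssh"] = fw.evaluate(Packet("192.168.200.30", "192.168.1.10", 44444, 22))
    # The same thermostat talks to its cloud service on the Internet
    verdicts["iot_to_internet"] = fw.evaluate(Packet("192.168.200.30", "198.51.100.7", 44445, 443))
    return verdicts


if __name__ == "__main__":
    for mode in (True, False):
        print(f"stateful={mode}")
        for name, verdict in run_scenario(mode).items():
            print(f"  {name:16} {verdict}")
```

Run it and the stateful pass shows the printer reply accepted while the thermostat's SSH attempt is dropped; the stateless pass drops the printer reply as well, which is the symptom you would see if the drop rule were placed above the established/related rule.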
While I agree that most home users will never go to this level, it is something I enjoyed doing; sometimes you just want to see if you can do it. All in all, the network runs very well. The wireless coverage is great, and we no longer have speed issues with the many devices on the wireless network. Anything that can be plugged into the wired network is.
As I said at the start of this article, I plan on covering more details of the setup and my thoughts on the entire setup process. In the meantime, if you have any questions or comments, feel free to reach out. I would also love to hear how you go about securing your network from potentially insecure IoT devices.