
New Network


Sammy


I want to secure my IoT devices from external threats but have them talk to other devices on my LAN such as my Emby Server, BlueIris on another PC (to be migrated to the same PC that Emby is on soon) and my VeraPlus Home Automation Controller.


maegibbons

I want to secure my IoT devices from external threats but have them talk to other devices on my LAN such as my Emby Server, BlueIris on another PC (to be migrated to the same PC that Emby is on soon) and my VeraPlus Home Automation Controller.

Presumably your internal LAN is behind a NAT router?

Do you have any forwarding to your IoT devices? Usually not.

Therefore the only attack vector is through the services that your IoT devices connect to, rather than directly.

If you are worried about that, then they should be on a separate VLAN at least, or a completely separate network.

Most people assume that these services are secure in terms of NOT getting to probe internal networks remotely.

So generally speaking, if you have a NAT router properly firewalled to external administration without port forwarding, you should be secure as long as you trust the IoT service providers that you use.

Krs

Mark


The USG is a NAT router, I believe.

I do forward some of my IoT devices, namely Pool Control, which is an Autelis Controller that connects to VeraPlus via HTTP commands. In order for the Jandy Pool Control plugin in VeraPlus to talk to the Autelis it needs to communicate via a local LAN port. The rest of my devices talk to my VeraPlus either via logging into my account automatically on the VeraPlus or via an API key. My security cams connect via BlueIris on my PC via IP address and port, so they have port forwarding too.


mastrmind11

OK, so set up a new network (or VLAN) for all your IoT stuff, then in your firewall settings add a rule "Deny new traffic" "all" and assign it to your IoT network. This will block any inbound traffic that _originates_ from one of your devices, which wouldn't happen unless the device were under someone else's control. Just open up your subnet a bit more. The nice thing about VLANs is they're open already; you just have to assign which VLAN can do what at the switch level (and block whatever else). There's a good article I followed that was pretty much a step-by-step VLAN/firewall IoT guide; I'll see if I can find it.


Guest asrequested

Pretty much a FAIL on their part. They won't even say if it might be in a future f/w update?!

BTW, I got my Harmony Hub, Pool Control and Samsung PowerBot vacuum hooked into my network by placing them in a separate 2g_IoT network that only uses the 2.4GHz radio. Even though I assigned this network an IP such as 10.0.100.1/24, these devices still use the LAN 10.0.0.1/24's DHCP range addresses, the same ones they had already from previously being seen on that network and having their IP addresses set to static. I can connect to them from my VeraPlus Controller, which is on the LAN network. I have set no special firewall rules on PieHole (which is???) on this network.

Doofus

You want to apply a VLAN to your WLAN and maybe have a user group. That's what I've done with one of mine.
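The two points the thread turns on, mastrmind11's "deny new traffic from the IoT network" rule (which still lets the LAN initiate connections into the IoT VLAN and lets the replies come back) and Doofus's reminder that the VLAN has to be tagged on the WLAN or the devices simply stay LAN hosts, are easiest to see with a small stateful model. The following is an added example written for this page, not code from the thread, from Ubiquiti, or from any of the products named. The subnets are the ones quoted in the posts; every host address, the port numbers, and the single "camera pushes to BlueIris" exception are constructed assumptions, and the nftables rendering is a generic Linux equivalent of the policy, not USG/UniFi syntax.

```python
"""Model of a 'deny new connections from the IoT VLAN to the LAN' policy.

Added example for this page; not code from the thread or from Ubiquiti.
Subnets follow the posts; host addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/24")     # Emby, BlueIris, VeraPlus live here
IOT = ipaddress.ip_network("10.0.100.0/24")   # the 2g_IoT VLAN

# Hypothetical host addresses (constructed for this example).
VERAPLUS = ipaddress.ip_address("10.0.0.20")
BLUEIRIS = ipaddress.ip_address("10.0.0.30")
AUTELIS = ipaddress.ip_address("10.0.100.50")
CAMERA = ipaddress.ip_address("10.0.100.60")
VACUUM = ipaddress.ip_address("10.0.100.70")

# The only new connections an IoT host may open towards the LAN. Keep this
# list short: a hypothetical camera event push to BlueIris is the one entry.
IOT_TO_LAN_ALLOW = {
    (CAMERA, BLUEIRIS, 81, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The packet that comes back for this flow, as conntrack would match it."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def zone(ip):
    """A host's zone is decided by its address, exactly as the firewall sees it."""
    if ip in IOT:
        return "iot"
    if ip in LAN:
        return "lan"
    return "wan"


class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()   # flows accepted in their originating direction

    def evaluate(self, flow):
        """Return (verdict, reason); record accepted new flows for reply matching."""
        if flow.reply() in self.conntrack:
            return "accept", "established/related"
        src_zone, dst_zone = zone(flow.src), zone(flow.dst)
        if src_zone == "iot" and dst_zone == "lan":
            if (flow.src, flow.dst, flow.dport, flow.proto) in IOT_TO_LAN_ALLOW:
                self.conntrack.add(flow)
                return "accept", "explicit IoT->LAN exception"
            return "drop", "new connection from IoT to LAN"
        # LAN->IoT, LAN->WAN and IoT->WAN may all originate connections.
        self.conntrack.add(flow)
        return "accept", f"new {src_zone}->{dst_zone}"


def nftables_rules():
    """The same policy as a generic Linux nftables forward chain (built from the same constants)."""
    lines = ["table inet filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;",
             "    ct state established,related accept"]
    for src, dst, dport, proto in sorted(IOT_TO_LAN_ALLOW, key=str):
        lines.append(f"    ip saddr {src} ip daddr {dst} {proto} dport {dport} ct state new accept")
    lines.append(f"    ip saddr {IOT} ip daddr {LAN} ct state new drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


def scenarios():
    """Constructed flows from the thread, evaluated in order; returns verdict per case."""
    fw = StatefulFirewall()
    results = {}
    # VeraPlus's pool plugin sends an HTTP command to the Autelis: the LAN originates.
    req = Flow(VERAPLUS, 51000, AUTELIS, 80)
    results["vera->autelis"] = fw.evaluate(req)[0]
    # The Autelis's reply comes back out of the IoT VLAN: established, not new.
    results["autelis reply"] = fw.evaluate(req.reply())[0]
    # BlueIris pulls RTSP from a camera: LAN originates, no port forward needed.
    results["blueiris->camera"] = fw.evaluate(Flow(BLUEIRIS, 51001, CAMERA, 554))[0]
    # A compromised vacuum probing the VeraPlus web UI: new IoT->LAN, dropped.
    results["vacuum->vera"] = fw.evaluate(Flow(VACUUM, 40000, VERAPLUS, 80))[0]
    # The vacuum phoning home to its cloud service: IoT->WAN is still allowed.
    cloud = ipaddress.ip_address("203.0.113.10")
    results["vacuum->cloud"] = fw.evaluate(Flow(VACUUM, 40001, cloud, 443))[0]
    # The listed exception: the camera pushes events to BlueIris.
    results["camera->blueiris"] = fw.evaluate(Flow(CAMERA, 40002, BLUEIRIS, 81))[0]
    # A device on the IoT SSID that kept its old 10.0.0.x lease is, to the firewall,
    # a LAN host: the IoT rule never sees it, which is why the SSID needs the VLAN tag.
    stray = ipaddress.ip_address("10.0.0.77")
    results["stray zone"] = zone(stray)
    results["stray->vera"] = fw.evaluate(Flow(stray, 40003, VERAPLUS, 80))[0]
    return results


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18} {verdict}")
    print(nftables_rules())
```

Two things fall out of running it. First, every flow Sammy describes (VeraPlus to the Autelis, BlueIris to the cameras) is opened from the LAN side, so the "deny new" rule already permits it and no IoT-to-LAN exception, let alone an Internet-facing port forward, is required for it; forwards from the WAN are a separate decision with a much larger blast radius. Second, a device that still holds a 10.0.0.x address is not in the IoT zone at all, so none of the IoT rules apply to it until the VLAN is actually tagged on the wireless network and the device gets a 10.0.100.x lease.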
