IoT devices network security

Hi, I would like to increase the security of my setup but I’m not sure which path to follow. So I could use some advice.

Current setup: HA running in Docker on a Raspberry Pi. I also have a few ESP8266 that communicate via MQTT with the Pi (which is the MQTT broker) and a Reolink E1 Pro. Caddy runs in Docker too to access HA from outside the home network. All the devices are on the same network, which is the main home network. I have a Vodafone Station 6 as my only router.

Objective: I would like to make things safer by putting all the IoT devices and security cams on a separate network and preventing all of them from being accessed from the outside. As for the cams, I want to avoid them ‘calling home’ and I would like to access the stream only via HA.

I have done some research and it seems that the best way to accomplish the above would be to use a Unifi router. However, I would like to keep things simple and avoid buying new hardware.

Are there any other solutions? I’ve read somewhere that I could create a VPN for the IoT devices with Wireguard, for example, but I am not sure if it would work.

Sorry for any silly considerations/questions but I’m quite a noob.

Thanks,
Valerio

If you want to split the network up, then you need extra physical devices, like routers, switches and access points, or your current devices will need the ability to use VLANs, which will make the physical devices virtual instead.
The typical issue with VLANs is to get an access point that supports multiple SSIDs, so you can get your WiFi-connected units on the correct network.


Hi and thanks for the reply. I’m not sure I fully understood it (which reflects the little knowledge I have on networks).

My router already has the capability to create a guest network, which has a different subnet. However, I connected the cam to the guest network but could not ping it from the Pi which is on the main network. Should it be feasible? Would I accomplish what I want?

It sounds possible then, but you need to open up ports in the firewall to allow the traffic that must work.

Ping is based on the ICMP protocol and you pretty much need the entire protocol, so you need to open up for all ICMP traffic going both ways.

Other connections are based mostly on either TCP or UDP traffic, and those come with port definitions also.
Here you need to learn the way those connections work.
The thing you need to know is in what direction the connection is made, i.e. what device sends the first data.
From what port/ports does it happen and to what port/ports?
Is the connection a helper connection, i.e. is the connection only happening in relation to another “mother” connection?

Your firewall should have a log that can help you a lot with this information, if you set it up to catch everything.

Thanks a lot. As far as I remember, the ISP does not allow changing the firewall rules (I can just set the firewall as active or not). I’ll try again but I fear I have to buy a new router and replace the one I have. If this is the case, do you have any suggestions for my needs (it should be simple and easy to configure)?

Cheers,
Valerio

I use an EdgeRouter 4 from Ubiquiti, but it does not have an access point built in, so you might need one of those too.
I like the benefit of being able to place the access point in another place than where the router is, and I like that I can update the access point or router separately.
I use a Cisco Aironet 2802 as access point, but they can be quite expensive and Cisco is stupid with their firmware, so you actually need a paid account to be able to download firmware.

Hi, sorry for getting back to this topic after a long time… but sometimes life gets in the middle 😅

I was wondering if using my Raspberry Pi 4 as a wireless access point to create a secondary network would work.

Just a quick recap: the Pi is connected to the ISP modem router via the Ethernet cable and HA runs in Docker. My idea is to create a secondary network for IoT devices and security cameras which is fully local.

Now, according to the official guide, by setting the Pi as AP, it *will run and manage a standalone wireless network. It will also route between the wireless and Ethernet networks, providing internet access to wireless clients. If you prefer, you can choose to skip the routing by skipping the section “Enable routing and IP masquerading” below, and run the wireless network in complete isolation*.

So my understanding is that if I connect all the IoT devices and security cameras to this secondary network and don’t enable routing and IP masquerading, they won’t be able to access (or to be ‘contacted’ by) the Internet but HA would be able to interact with them.

Is my understanding correct or do I have to give up and buy Ubiquiti router + AP as suggested?

Thanks a lot for the patience.

Valerio

It is hard to say if it will work as you expect, because that depends on your entire network setup and configuration.
Make a test run. 🙂

Hi,

I managed to take some time to try out the solution I thought about and it seems to work 🙃 Last night I integrated a Reolink camera into HA and it seems it cannot reach the internet. It needs some additional tests but it should work as intended.

Thanks again for the help.

Cheers,
Valerio
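One way to carry out the "additional tests" for the isolated-AP design described earlier in the thread, added here as an example and not part of any post above: the script classifies connections seen on the Pi's wlan0 by which side opened them and where they are headed, so a camera trying to 'call home' or to reach into the main LAN shows up as a violation of the isolation. The addressing (192.168.4.0/24 for the AP side, 192.168.1.0/24 for the main LAN) and the sample flows are constructed assumptions, not values from the thread.

```python
import ipaddress
from collections import Counter

# Assumed addressing (constructed for this example): the Pi's AP hands out
# 192.168.4.0/24 with the Pi itself at 192.168.4.1 on wlan0, and the main LAN
# behind the ISP router is 192.168.1.0/24.
IOT_NET = ipaddress.ip_network("192.168.4.0/24")
PI_WLAN_ADDR = ipaddress.ip_address("192.168.4.1")
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_flow(src: str, dst: str) -> str:
    """Classify a flow by who opened it (src) and where it is headed (dst)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_NET:
        return "not-iot"          # opened from elsewhere; not this audit's concern
    if d == PI_WLAN_ADDR:
        return "to-pi"            # camera or ESP talking to HA / the MQTT broker: expected
    if d in IOT_NET:
        return "iot-local"        # device to device inside the isolated network
    if d.is_multicast or d.is_link_local or d.is_loopback or d == BROADCAST:
        return "local-scope"      # mDNS and similar discovery traffic; never forwarded
    if d in HOME_NET:
        return "crossed-to-lan"   # only reachable if the Pi forwards: must not appear
    return "internet"             # anything else is a 'call home' attempt via the Pi


def audit(flows):
    """Count each class and return the flows that contradict an isolated AP."""
    counts, violations = Counter(), []
    for src, dst in flows:
        kind = classify_flow(src, dst)
        counts[kind] += 1
        if kind in ("crossed-to-lan", "internet"):
            violations.append((src, dst, kind))
    return counts, violations


# Constructed sample, as one might read it off `tcpdump -i wlan0` or conntrack.
SAMPLE_FLOWS = [
    ("192.168.4.20", "192.168.4.1"),   # Reolink camera -> HA (RTSP/ONVIF)
    ("192.168.4.31", "192.168.4.1"),   # ESP8266 -> MQTT broker on the Pi
    ("192.168.4.20", "203.0.113.10"),  # camera -> public address: call-home attempt
    ("192.168.4.20", "192.168.1.50"),  # camera -> main LAN host: forwarding is on
    ("192.168.4.20", "224.0.0.251"),   # mDNS announcement, stays on the segment
]

if __name__ == "__main__":
    counts, violations = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for v in violations:
        print("violation:", v)
```

With routing and IP masquerading left disabled on the Pi, the two flagged flows can still appear as attempts on wlan0 but should never complete; if they do complete, forwarding has been enabled somewhere.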