Isolating IoT devices on separate subnet

Hello,
I am trying to isolate all of my IoT/SmartHome devices onto a separate network from all of my personal devices for the sake of security, while ideally still maintaining the ability to access Home Assistant from my personal devices (phones, laptops, etc) for the sake of management. I.e. I would like all IoT devices on subnet A, all personal devices on subnet B, and allow subnet B to connect to subnet A, but not vice-versa.

For the most part, I have achieved this by cascading two routers. I have an old WiFi router with DD-WRT installed (let’s call this router A) that I placed between my existing WiFi router (let’s call this router B) and my modem. To clarify what I mean by cascaded, the WAN interface on router A is connected to the modem, and the WAN interface on router B is connected to an ethernet port on router A. Both routers are serving DHCP within their respective subnets. All IoT devices, including my Home Assistant, are connected to an SSID on router A, which uses subnet 192.168.1.0/24. All personal devices are connected to an SSID on router B, which uses subnet 192.168.0.0/24.

As a result, I have achieved the isolation portion of my goal because nothing on subnet A can access anything on subnet B. The reason I say I have achieved my goals “for the most part” is that a device on subnet B can successfully ping every device on subnet A except for my HomeAssistant, and that’s the only one I care about accessing in that manner.

To be clear, a device connected to subnet A can successfully ping, ssh to, and access the web interface of my HomeAssistant, just not when connected to subnet B, and I really don’t want to switch back and forth between two WiFi connections just to use the HomeAssistant app.

I have this issue regardless of whether I configure the Home Assistant to have a static IP or use DHCP, and regardless of whether it is connected to router A via ethernet or WiFi.

Since it’s the only device on subnet A for which I have this problem, it seems unlikely to be an issue with either router, and I assumed it might be related to firewall settings on the Home Assistant. However, iptables output shows no rules in the INPUT chain, so I don’t think it’s dropping connections that way.

Does anyone have any ideas about how I can debug this? Is there some Hass.io configuration that might prevent access from other subnets? Is there a way for me to install tcpdump or something?

I know cascading routers is probably not the most optimal solution either, so if anyone has other ideas, I’d welcome that too. Router A (the one with DD-WRT) appears to support VLAN tagging, so maybe that’s an avenue I should explore?

Any help would be appreciated!

I’m not sure why you can’t ping your HASS, probably it’s limited to local subnet or something.
But I would suggest you rethink your “isolation” idea. It should be done with separate VLANs, limiting access by rules. Your old router has DD-WRT; it should support VLANs, or try flashing OpenWRT.
The main problem I see with your setup is that all IoT devices in network A can scan packets going from network B to the modem through network A. At least, I would not like such “isolation”.

Thanks for the response! I never did figure out why I couldn’t ping the home assistant across subnets in that setup, but like you are suggesting, I actually did install OpenWRT on my primary router and configure proper vlans and firewall rules, so my problem is solved.

For the record, with my cascaded setup, all the IoT devices were connected to the second router in the daisy chain, so they would not have been able to scan packets from my personal devices, but it no longer matters!

With setups like this you have to keep in mind return traffic. A device on subnet B may be able to send traffic to subnet A, but a device on subnet A has no idea about subnet B, so it can’t reply. By default it is only going to know about its own subnet and send everything else to its default gateway, which is your internet router.

To solve this you have to add a route to your B subnet on your Home Assistant server with a destination of your B router.
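The return-path problem described in the reply above, worked through as an added example (this is editor-supplied code, not from any poster or from Home Assistant). It uses Python's `ipaddress` module to do the same longest-prefix lookup the kernel does over a constructed copy of the Home Assistant host's route table, first without and then with the extra route to subnet B. Addresses are assumptions chosen to match the thread: router A at 192.168.1.1, Home Assistant at 192.168.1.50, and router B's WAN interface at a hypothetical 192.168.1.2 on subnet A. One caveat a practitioner should check first: the missing route only bites if router B forwards subnet B addresses unchanged. If router B is NATing (the default on a consumer router's WAN port), replies go to 192.168.1.2, which is on-link for the Home Assistant host, and no extra route is needed.

```python
import ipaddress

# Constructed route table for the Home Assistant host on subnet A, in
# `ip route` output form. Assumed addresses: router A 192.168.1.1, HA 192.168.1.50.
HA_ROUTES_BEFORE = [
    "default via 192.168.1.1 dev eth0",
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50",
]

# Hypothetical: router B's WAN interface holds 192.168.1.2 on subnet A.
ROUTER_B_WAN = "192.168.1.2"

# Same table after the fix the reply suggests: send subnet B traffic to router B.
HA_ROUTES_AFTER = HA_ROUTES_BEFORE + [f"192.168.0.0/24 via {ROUTER_B_WAN} dev eth0"]


def parse_route(line):
    """Return (network, gateway or None, device) for one `ip route` style line."""
    fields = line.split()
    dest = fields[0]
    net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest, strict=False)
    gw = fields[fields.index("via") + 1] if "via" in fields else None
    dev = fields[fields.index("dev") + 1] if "dev" in fields else None
    return net, gw, dev


def next_hop(routes, dst):
    """Longest-prefix match over the route table.

    Returns 'via <gateway>' for a gatewayed route, 'on-link dev <dev>' for a
    directly connected one, or 'unreachable' if nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for line in routes:
        net, gw, dev = parse_route(line)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return "unreachable"
    net, gw, dev = best
    return f"via {gw}" if gw else f"on-link dev {dev}"


if __name__ == "__main__":
    # Constructed client: a laptop on subnet B.
    laptop = "192.168.0.50"
    # Without the route, the reply is handed to router A, which has no idea where
    # subnet B lives (router B is just another LAN client from its point of view).
    print("reply to", laptop, "before fix:", next_hop(HA_ROUTES_BEFORE, laptop))
    # With the route, the reply goes to router B's WAN address and is forwarded home.
    print("reply to", laptop, "after fix: ", next_hop(HA_ROUTES_AFTER, laptop))
    # If router B NATs, HA only ever sees 192.168.1.2 as the client, which is on-link.
    print("reply to NATed client:", next_hop(HA_ROUTES_BEFORE, ROUTER_B_WAN))
```

On the real host the equivalent check is `ip route get 192.168.0.50`, and the fix the reply describes is `ip route add 192.168.0.0/24 via 192.168.1.2` (substituting router B's actual WAN address). If `ip route get` already answers with the subnet A address of router B, or if `tcpdump -ni eth0 host 192.168.0.50` on the Home Assistant host never shows subnet B addresses at all, router B is NATing and routing is not the problem.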

Hi Alex, can you share some information or resources on how you configured your VLANs, rules, and Home Assistant? I just started to dig into the topic but don’t really know where to start.
I have a Linksys that supports VLANs, or on which I can load OpenWrt, and I am looking to do exactly what you did in your network with your smart devices.
Thanks!