My IoT network has grown and I know nothing about Network Architecture, Security and Subnetting

Hey everyone,

It’s been 4 years since i jumped on the home automation train and since then i have invested a lot of time and effort in it.
As a consequence, i went from having an AP to connect my phone and laptop, to a huge home network with ~100 wireless and ~20 wired devices. (Not counting zigbee stuff)

I invested on a couple of Unifi APs a while back and just recently i upgraded my provider-supplied router to a USG. It took me a couple of days to figure it out (and i still need to figure out how to get telephony working) but im getting there.

Through this process i started reading about new stuff like subnetting and vlans which have never bothered me before as right now all my devices are in the same subnet 10.0.0.x.

I was thinking of splitting up my network to blocks as follows:

• Primary User Devices (PC, Laptops, Mobile phones, Tablets etc)
• Secondary Devices (Echo devices, smart Tvs, NAS, etc)
• Cameras (~10 wireless and a couple of wired ones)
• IoT devices, HA machines, switches, sensors, esphomes etc.
• Guest network

Now excuse me for my basic questions but here they come:

1. Is it something I need or should i just leave things as they are?
2. What should i use vlans or different subnets, what’s the difference here?
3. Does the grouping i mention above sound right? or do i have it completely wrong. Devices will be visible through groups right? (excluding the guest network i guess)
4. Will i see an increase in browsing speed and camera stream responsiveness?
5. Where should i place the HA machine that runs the adGuard DNS server?
6. What are the security benefits?
7. Is it perhaps a big leap for me? Should i hire a professional to set it up? (Someone on Fiver perhaps to do the initial steps?)
8. Could you please point me to some basic-level reading material to understand what is up and how to set all these things up?

Thank you in advance for all your valuable input.

Hey,
So I also have a USG and by now quite some experience with network setups maybe I can help you a little.

up to you, I personal decided against splitting up my network into something like an IoT and a normal network, but many people are doing it and like it.

Well a vlan typically uses a specific subnet. To have two distinct vlans, you need to define two subnets in the USG. Imagine vlans like having multiple LAN cables around your house, except, these lan kabels are virtual. Then to achieve some sort of separation between your vlans, you want these vlans to have different ip arddresses. The USG is making this automatically for you if you create new networks. Just start doing it and you will see how it works.

Depends on the amount of devices you have, but maybe start of simpler, by only having an IoT subnet and a primary devices sub-net. Once this is working check if you want more separation, or if this is enough for you. If you allow for it, devices will be able to see each other on different subnets, but that is to some extend configurable.

No most likely not. Except your network is currently broken, like I have at some point introduced UDP flooding to my network and took down all WIFI clients for a week or so until I figured out what was wrong. Network separation could have prevented this for me.

It basically doesn’t matter. As you can make all kind of configurations work. However the complexity might be different for each version. I personally have my HA server bridged into several subnets. Meaning it is part of multiple subnets.

Okay, this can become a religious question, but my personal opinion is. Almost none, as NAT is not a security feature. However many many people will disagree with me here. For me the reason to have multiple subnets is management and control. As you will have to allow traffic from IoT to other devices security benefits are minimal to none. A skilled attacker will find a way.

Well you can, but whats the fun? Whats the learn? Also what do you do if things break? IMO just get started and have fun learning. You will understand very little in the beginning, but it gets better with time and eventually you become a master. Its like learning an instrument.

If you look for specific USG things I feelt they are very very short on this. On the other hand the new UI does a fantastic job of keeping things simple. About the network stuff, there is so much information on google you will find something that makes sense to you. Just read multiple things on the same topic and you will understand. It takes time, but it is not rocket science.

Hold off for a bit and a subscribe to this YouTube channel. Rob is publishing a series of videos on exactly what you are after:

Thanks, first episode sounds very comprehensive for my level, i will wait for more videos.

Wow thanks for taking the time to write up this, and for offering to help, i might need it
I will go through the details when i get back home and come back with any questions.
Just a quick one now:

Does this need multiple NUCsNICs? or can it be set up programmatically?

Regarding security, VLANs don’t provide any security by themselves. When you setup VLANs on the USG, by default each of the VLANs can talk to each other. Only when you introduce firewall rules you’ll get security.

In my setup I have the following VLANs

• LAN (default Unifi network for all the Unifi gear and my network Pi with pi-hole and Unifi Controller)
• Private (Laptops, Phones, Tablets etc.)
• Server (Proxmox Server management)
• IoT (Smart Home Devices that need access to the Internet, for me it’s only the Home Assistant VM)
• NoT (Smart Home Devices for which I don’t allow access to the Internet, so that they don’t phone home to China, like iRobot vacuum cleaner)
• IP Cams
• Guest

Whitout any firewall rules, each of these networks could talk to each other (except for the Guest network, which by default in USG can’t talk to any other network).

I then have a firewall rule for each VLAN, that blocks traffic to all other VLANs. Then one rule to block internet access for the NoT and IP Cams VLANs. Then on top of that I have some rules that allow certain connections from one VLAN to the others.
E.g. the NoT VLAN is allowed to connect to the HA server on port 1883 for MQTT or allow all VLANs to connect to the DNS server (pi-hole in my case) on port 53.

Depends on what you run on the NUC. If you run Proxmox, you can create virtual bridges for the different subnets and the assign the specific bridge as the network interface for the different VLANs.

The one crucial bit of info here and was only slightly touched upon by burningstone is that unless you have IoT devices that need access to the internet to function (and if you do you should work towards the goal of not having those types of devices) then not splitting up your network really isn’t much of a security concern.

If you have no IoT devices that “phone home” then there is no way for those to be hacked (likely) any easier than for any other device in your network that has regular internet access (laptop, phone, etc).

the only real benefit I see to splitting up your network is if you are concerned about the people on your own internal network doing shady stuff on your network. But then you likely have other issues more pressing than setting up more vlans.

And if you are worried that you don’t really know if any of your stuff “phones home” then it’s way easier to set up a firewall rule in the USG to block any suspect devices from internet access than it is to jump into setting up vlans. I do that for my security cameras - just in case…

Having a minimal number of open ports on your router is a big thing to help with your security. I have one manually open port for my vpn. and it is set up to need a security key/password on any device connected to it.

But that said HA and other apps do open their own ports when you set them up. most are using decent security but I guess any of those could be breached. And so can your laptops, phones, etc that connect to the internet all day long. Windows is constantly fixing security flaws.

It’s really based on your level of exposure to risk, your comfort level and abilities.

at least that’s my opinion.

Sorry I meant NICs in the post above.
Will my HA instance be able to access devices over several vlans if their access is restricted? Or does it an need an extra network card?

And I assumed it’s a NUC with a single NIC that’s what I have. My HA instance sits inside a VM on the proxmox host in the VLAN for IoT and can talk to devices in other VLANs based on the firewall rules.

My first thought is some Tapo cameras I have that do not support audio through onvif. So I have to connect to the app to get sound.
(at least until this is fixed)

Other than that I believe most of the devices can be restricted to local only.

The setup you outlined in your OP is probably a little over-engineered. But network separation can still be beneficial when done on a somewhat more basic level.

The idea is to have a main subnet for your general internet use. This would also contain any IoT device that needs access to the cloud, which as @finity said, you should try to minimize or even eliminate if possible. You would use your firewall to keep devices in check as much as possible on this subnet. Second a separated IoT intranet that has no direct internet access at all. This could also include things like a NAS, an NVR, etc.

I personally do it by using two physically separated networks. Physical in the sense that they are using separate ethernet cabling (colored differently) with separate routers and even separate wifi network (2.4 GHz network for internal IoT net with MAC whitelist, 5 GHz network for normal internet). These two networks only touch each other on two distinct devices: my PC and the HA RPi. Both have dual NICs, one for each subnet. There is no forwarding between both subnets. It’s impossible for any device on the intranet to access the internet or vice-versa, even if it had a hypothetical ‘evil firmware’ that ignores vlan frame tags for example. HA acts as a proxy between both subnets.

This also takes care of a special class of IoT devices, which I’d call ‘potentially evil devices’. Devices that work without cloud access, but that could still phone home or have built in backdoors for ‘other’, possibly nefarious purposes. I’d put any network connected device from a Chinese manufacturer in this category. I have lots of Hikvision cameras. Technically they are excellent, but my trust in them from a cybersecurity point of view is a flat zero.

There’s some good and bad advice thus far, but a very relevant set of questions to probably many people. So let me offer one more perspective, from a networking professional point of view.

First, your thought process in terms of the questions is correct. You just have to approach this from the perspective of the likely threats.

First, an attempted simple explanation of VLAN vs subnets (happy to get deeper if you have questions) and why you care: A VLAN, or broadcast domain, is a set of devices that can communicate without crossing a boundary (they don’t even have to use IP, and all you need is a switch). A subnet is a range of IPs. To communicate across subnets you have to cross a boundary, provided by a router.

A firewall (like your USG) is just a router with a more comprehensive set of security features available at subnet boundaries. You will typically have one subnet mapped to each VLAN. Most consumer routers have a switch built in (those “LAN” ports - you dont cross the routing engine moving packets between them as they are in the same VLAN. You do cross a subnet boundary when talking between the LAN and WAN ports. More advanced devices let you define multiple VLANs and assign ports to them, allowing you to force traffic between distinct VLANs to cross a subnet boundary where you can enforce security rules.

More advanced devices like Ubiquity can carry multiple VLANs on a single NIC in the form of sub-interfaces. This is called a trunk. The trunk can go to a switch that then breaks out individual ports into individual VLANs for individual devices.

Now some common threat vectors:

A - Inbound from the Internet. By default, on residential ipv4 connections (99% of US), by virtue of being behind a NAT, nothing is open. Only outbound connections are allowed. Disable upnp. If you manually open a port, you have now compromised the target device. You now better be sure the service you jsut exposed (SSH, web server, etc) is secure and kept secure. E.g. The service is on something that gets (and you keep up) constant security updates. This applies to something like an active Linux distro, but does NOT apply to anything “IoT” that gets firmware updated roughly never.

B - Lateral movement. If A fails and a device gets compromised (I’ve had my Synology NAS turned into a bitcoin miner when I was sloppy - could have been worse) that attacker now has access to use the device as a jumping off point to compromise anything within the same VLAN/subnet without any further hindrance. So, if you are going to open ports, put the target devices into their own “DMZ” subnet. Let’s call this Zone-DMZ.

C - Cryptolocker / protect the NAS. In my opinion, the worst attack is one that would encrypt, destroy or steal data on my NAS (have backups, but thats a separate discussion). So unless your NAS is solely for junk (movies, other replaceable, non-sensitive media), keep it in your most protected zone. For me, that’s a subset of your Primary Devices + NAS: NAS, PCs, laptops. Lets call this Zone-Internal. Mobile/tables don’t need to be here. They are more vulnerable because installed apps are vulnerable to malware, so keep them away from your PC/NAS.

D - Firmware from China. Another real threat vector is “pre-compromised” firmware on IoT devices. Here it might be a malicious or supply chain compromise, or jsut weak security that can be exploited when the device phones home, either knowingly by those who wrote the firmware, or through trivial redirection of those calls home by an attacker. You do not need to open ports pointed at these devices for them to be compromised. So we’ll put these in Zone-IOT so all they can do is further infect each other, but not DMZ or Internal.

Each “zone” as I have called them is a distinct subnet/VLAN. So for purposes of network segmentation here zone=subnet=VLAN. So an example of how to segment your network and not get too crazy:

Internal: Nothing that gets direct connection from the internet. Must protect these. PCs, laptop, NAS.

DMZ: Anything that you open ports to. Also reasonably trusted “smart” devices: TVs, Roku, Echo. Your tablets and phones go here, and they will have no trouble streaming/casting to your smart TVs and such. Your HA goes here. If you undertand and trust the code on your ESP it goes here, otherwise IOT.

IOT: The untrusted, never updated firmware, garbage goes here. Wifi smartplugs/switches. Wifi sensors. Your guests go here too so don’t call the SSID associated with this zone “garbage” as you’ll have to tell your guests to use it

Cameras: Tough one. The firmware on these is generally garbage. But their content is sensitive so we don’t put them in IOT. So you may want to make this a separate zone but don’t give it more trust than IOT. Can put this in DMZ if you buy decent brands and keep them updated.

You will create rules that, for example:
1 - Allow all traffic to the internet from each zone.
2 - Allow all traffic from Internal to any other zone. NOT the other way around. So from your PC you can access anything.
3 - Allow some limited traffic from DMZ to internal. E.g. if you need to give a Plex instance in DMZ access to movies on your NAS in Internal, allow CIFS/NFS in that direction.
4 - Allow HA in DMZ to hit your wifi switches/sensors in IOT on HTTP/HTTPS.
5 - Deny all other traffic.

Now lets get to you questions:

1. Is it something I need or should i just leave things as they are?

Yes, you should do this. The security landscape is too terrible not too.

2. What should i use vlans or different subnets, what’s the difference here?

Each “zone” is a unique subnet+vlan. Examples of zones above. Within a zone, things aren’t protected from each other. Across zones, you define the firewall rules.

3. Does the grouping i mention above sound right? or do i have it completely wrong. Devices will be visible through groups right? (excluding the guest network i guess)

A bit sub-optimal in my opinion, but discussed above. Create 3 classes basically: Must protect at all cost, everything else, don’t trust at all.

4. Will i see an increase in browsing speed and camera stream responsiveness?

Unlikely to notice. If devices are broadcasting gargage, those packets won’t cross VLANs. But it’s unlikely this is a serious problem on a home network.

5. Where should i place the HA machine that runs the adGuard DNS server?

DMZ is fine. Your router/firewall can communicate with it anywhere, but you may have to write a rule to allow it. It can go in Internal if you are very careful about keeping that HA instance secure.

6. What are the security benefits?

When (not if) one of you devices gets exploited, further damage is contained. You will also prevent likelyhood of exploit by following these guidelines.

7. Is it perhaps a big leap for me? Should i hire a professional to set it up? (Someone on Fiver perhaps to do the initial steps?)

No. This stuff is not rocket science. Your train of thought is correct. Now just execute. One small step at a time.

8. Could you please point me to some basic-level reading material to understand what is up and how to set all these things up?

This would have to be vendor specific to your hardware. But armed with the right concepts/questions your google searches will give you easy answers. Here is a great resource for learning basic networking concepts: http://tcpipguide.com/free/index.htm

Good luck.