[unsure if best posted here, or better in Share your Projects! or Configuration; effectively a follow-up from an earlier post of mine].
I have something that looks as follows: [diagrams later]
CAVEAT: IP’s/subnets/ranges changed to protect the innocent.
- a trusted zone - let’s call it LAN (192.168.0.0/24)
- I have a VM’d Supervisor on my LAN as my ‘master’ controller (192.168.0.13 aka 192x13 aka LAN-Super)
- a separate DMZ network for IoT (172.16.0.0/16)
- using an OpenWRT AP (172.16.0.254 aka 172x254 aka DMZ-AP) to serve that network running through a dedicated port on my pfSense primary gateway.
- RPi running Core (172.16.0.13 aka 172x13 aka DMZ-Core), wired into the WRT.
.
- By default IoT nodes are all running in isolated mode and cannot talk TO anything - not each other, not DMZ-Core, not LAN-Super, and no internet unless explicitly ‘blessed’ (using Aliasing/groups set up on pf).
- DMZ-AP & DMZ-Core can talk TO DMZ IoT nodes, LAN-Super, each other & internet.
- LAN-Super has universal access to DMZ’d IoT nodes (including DMZ-Core & DMZ-AP), who in turn cannot talk to LAN except some key comms, such as MQTT & logging to some LAN hosts.
- IPv6 is universally blocked/disabled - don’t need the double-handling right now.
My reasoning is that I can only trust my principal pf gateway & LAN-Super.
Everything else in my DMZ is considered ‘compromised’, including my DMZ-AP & DMZ-Core. I making regular backups/snapshots & looking at something like Ansible reprovisioning them periodically, using immutable imaging & configs pulled from local repo.
If something wants access to any resources, it should “ask”, and even then I want it sanitised & served by my HA.
I’ve already enjoyed some success with, trying to gain access to a pretty suss chinese black-box doorcam, able to intercept & inject packets via pcap on the DMZ-AP.
It turns out I know a lot less thank I thought about IGMP, SNMP, UPnP, Avahi/Zeroconf, as I’ve had no cause until now to turn attention to it, but it’s pretty ubiquitous for IoT automagic discovery & config.
I effectively > /dev/null
anything I don’t explicitly use.
I’ve yet to figure out some other… stuff, mostly gaps in my knowledge.
eg. using my LAN-Super/DMZ-Core more effectively as a filtering relay/gateway, IGMP proxy and realtime MitM IoT’s to use/investigate them without needlessly exposing myself, identifying & mitigating risks - both known & unknown.