Securing your smarthome devices – using VLANs to secure your home network

Published by Oliver on

Usually any smarthome or IoT device you put on your own network has full access to everything else on it. Fortunately VLANs are a great way of mitigating this security and privacy risk. Creating separate networks for your different devices is a great idea and surprisingly easy with professional network equipment like Ubiquiti Unifi devices. Here is how it can be done.

Why?

In this post I described the hardware setup I have migrated to in order to keep my network stable and secure. Not only for my usual devices like my computer and my smartphone, but especially for my smarthome and IoT devices. Running (wireless) smarthome devices in an unreliable or overwhelmed network can be a really annoying experience. Using dedicated hardware for the different tasks (router, switch, access point and more) and more professional software to control it all was a huge improvement for me.

If you are looking to buy your own new network gear consider doing it via these affiliate links to support this blog. The prices will stay the same for you.
Unifi USG Security Gateway which is running the firewall used here
Unifi US-8-60W Switch with POE on 4 ports, works with VLANs
Unifi AP AC Lite can be powered via POE
Unifi Lite 6 the newer model, also with POE
Unifi dream machine to combine all of this into one device
Unifi cloud key gen 2 if you do not want to host the controller yourself

Now stability was not the only reason for me to move to a more advanced network platform. The other reason is security and privacy. All these smarthome or IoT network devices can be of great use, but if they have their own connection to the Internet they are always a potential risk. Attackers (or even the company behind the devices) might use them to intrude into your network.

Even if they are not used for an active attack, they can still extract a lot of information about your network. For example your SSID and wifi password might be sent to some external party. After all, by default any part of your network is open to any device on the same network. Nothing stops your new smart outlet from scanning the rest of your network.

There is no such thing as perfect security in software (or even hardware), but it is never a bad idea to make it as hard as possible for attackers and intruders. In the case of my network this means separating devices by trust level (mostly my own devices vs. IoT) into separate networks and controlling the traffic between them.

This can be done by using virtual networks, VLANs, which means using one set of networking hardware to create multiple networks and separate devices into one (or multiple) of them. A firewall can then be used to very precisely control which kind of traffic between them is allowed. This can significantly lower the impact of security or privacy issues as they will mostly affect only this one part of your network.

Creating multiple (virtual) networks

To separate my devices I started by creating multiple networks. The amount and names of those will totally depend on your requirements. In my case I decided to start simple and keep my default network for my trusted devices. That would be mostly my computer, my phone, my smarthome server and similar devices.

My smarthome and IoT related devices like the Sonoff relays, WLED devices and Amazon Echos are far less trustworthy. The Sonoff devices are all flashed with Tasmota, but there is still some risk. The Echos are more of a privacy concern for me, as I can not really control what they are actually doing in my network (besides the obvious part of listening, but hey, there is no great local alternative yet). Putting all of them into a separate network put me at ease.

overview of different networks/VLANs in the unifi controller. Currently IOT, LAN and WAN
My different (virtual) networks

All of this can be done via the Unifi controller software. If you do not have something like a cloudkey running you can simply install it on any device that can run Java. I installed it on my smarthome server running on a Raspberry Pi. Open the software, go to the settings and select networks to start creating new (virtual) networks. The WAN network (for outbound traffic) and the default LAN network already existed.

First I updated the subnet/DHCP settings for my existing LAN network. This tells your Unifi controller which IP addresses it should hand out to new devices joining your network. The /24 in this so-called CIDR notation says how many leading bits of the address stay the same. In this case only the number after the third dot will change, resulting in 254 usable addresses within the range. If you want to reserve a couple of addresses for devices with static IPs you can also do that via the “DHCP Range” setting a bit further down. I left this network in its default “untagged” state, meaning it has no VLAN id (it uses the default VLAN 1 I think).

Network settings for my main LAN

After updating these settings you might have to restart devices in your network to pick up these new settings. Devices that are configured with a static IP will not change, you should consider updating them manually.

Now that the existing network is updated it is time to create a new one for the IoT and smarthome devices. Click “Create new network” and select “Corporate” as type. I also gave it a new IP range (192.168.3.1/24 this time) and a VLAN ID to mark it as a separate network. I chose VLAN id 3 here to fit with the IP range. I also disabled IGMP snooping for all networks for reasons I will explain in more detail later. If you are using a custom DNS server, like I do for blocking ads, you can add the server IP as “DHCP Name Server”. The rest of the settings I left in their default state.

If you are looking to create more networks you can always do that in the same way. Just use a new IP range and VLAN id for each. Now the Unifi controller software knows about these two different networks but our work is not done. Now we need to actually move devices to their respective networks.

New wireless networks

To move wireless devices to a VLAN the simplest solution is creating a new wireless network (basically a new SSID from your access points). In your Unifi controller settings go to “Wireless networks” and create a new one. I selected WPA personal for the security.

You can select any name or SSID here, I decided to use my standard Wifi name plus “_iot” for the new wireless network. Finally under network select the IOT network created above to assign all devices connected to this SSID to the IOT VLAN. Afterwards it is just a matter of moving each IoT device to this new network.

Moving wired devices

Of course you might also have wired devices that you want to move to a certain VLAN. If you want to do that you need a smart switch that supports VLAN tagging. I use the 8 port POE enabled Unifi switch for that. As it can also be configured via the same Unifi controller you can just go to that device and select the port which your IoT network device is connected to.

In the port settings you will see a “Switch Port Profile” option. Here you can select your IOT network created earlier to assign this port to that network. Just make sure to check that your other ports are not also changed. It is also a good idea to make sure the uplink port (the one connected to your router or USG in my case) has this profile set to “All”. Otherwise the switch will not be able to forward all the other networks to the router. You might also need to restart your device afterwards to pick up the new network settings.

Creating firewall rules

Now the hard part is done: all devices are in their respective separate networks. Now the last step is to actually separate those networks and control the information flow between them. By default the Unifi controller does not separate networks but fortunately that is easy to do via firewall rules.

All the firewall rules can be found under the “Routing & Firewall” section. I use the LAN IN part for my rules. This basically checks all traffic coming into the USG from the LAN. By default everything is allowed. Incoming connections are matched against this set of rules in order, and the first matching rule is applied.

My firewall rules to separate the networks

To properly separate IoT and LAN networks we can first create a rule to drop all traffic going from the IoT network to the LAN. Simply create a new rule and “action” drop everything from “network” IOT to “network” LAN.

Dropping everything else

Now this would fully separate IoT devices from everything else. To function properly we do need a couple of exceptions to this rule though. First we want to allow all established and related sessions. This means if we establish a connection to an IoT device from outside its network (e.g. by connecting to it from the LAN) it should be able to answer. Create a new rule as shown below by selecting the right “states” and again the two networks. This and all following rules need to be prioritized higher than the drop all rule (otherwise only that one would ever match).

Allowing established sessions

Next there is another important exception: NTP requests. If devices are unable to request the time via the network they might behave strangely. If that NTP server is outside of their network the request will get blocked, so we need to create this exception rule. To make this simpler I created two groups. “All local addresses” contains all my IP ranges (remember to update this if you create new networks):

192.168.2.0/24
192.168.3.0/24

and the NTP port group contains just port 123 as the standard NTP port.

Allowing NTP time requests

Finally in my case I also want the IoT devices to be able to talk (back) to my smarthome server. This server is in my trusted network so we need another rule here. To make this rule easier to read I created another group called “Smarthome Server” which contains just the IP address of said server. Then that group can be used for quite a simple rule:

The smarthome server should be reachable by my devices

That is the basic setup. By default my IoT devices can not access anything in my network with the exception of NTP and my smarthome server as well as established sessions from outside. Optionally, if you only have devices that work locally, you can also restrict the Internet access from that network. Just create another rule, this time in the “WAN OUT” section. In that rule drop everything from the IoT network.

Optional rule to deny Internet access
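As an added illustration (my own example, not from the post and not Unifi code), here is a small Python model of the LAN IN rule chain described above, evaluated first-match like the USG does. The smarthome server address 192.168.2.10 is a constructed placeholder, and the model also shows what happens when the drop rule is accidentally ordered first.

```python
"""Model of the ordered LAN IN rule set: first matching rule wins."""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.2.0/24")
IOT = ipaddress.ip_network("192.168.3.0/24")
ALL_LOCAL = [LAN, IOT]                                        # "All local addresses" group
SMARTHOME_SERVER = [ipaddress.ip_network("192.168.2.10/32")]  # constructed placeholder address
NTP_PORTS = {123}                                             # "NTP port" group


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    dport: int = 0
    state: str = "new"  # "new", "established" or "related"


def _in(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)


# (name, action, match) in priority order, as configured in the controller
RULES = [
    ("allow established/related IOT->LAN", "accept",
     lambda p: _in(p.src, [IOT]) and _in(p.dst, [LAN]) and p.state in ("established", "related")),
    ("allow NTP IOT->all local addresses", "accept",
     lambda p: _in(p.src, [IOT]) and _in(p.dst, ALL_LOCAL) and p.proto == "udp" and p.dport in NTP_PORTS),
    ("allow IOT->smarthome server", "accept",
     lambda p: _in(p.src, [IOT]) and _in(p.dst, SMARTHOME_SERVER)),
    ("drop IOT->LAN", "drop",
     lambda p: _in(p.src, [IOT]) and _in(p.dst, [LAN])),
]

# Same rules with the drop rule first: every exception is shadowed and never matches.
MISORDERED = [RULES[3]] + RULES[:3]


def evaluate(p, rules=RULES):
    """Return (action, rule name) for the first rule that matches, else the default accept."""
    for name, action, match in rules:
        if match(p):
            return action, name
    return "accept", "default (no rule matched)"


if __name__ == "__main__":
    for pkt in (Packet("192.168.3.20", "192.168.2.50", "tcp", 8080),
                Packet("192.168.3.20", "192.168.2.1", "udp", 123),
                Packet("192.168.3.20", "192.168.2.10", "tcp", 8123),
                Packet("192.168.2.50", "192.168.3.20", "tcp", 80)):
        print(pkt, "->", evaluate(pkt), "| misordered:", evaluate(pkt, MISORDERED))
```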

How to get my Echos working

This setup worked for most of my devices without a flaw. The only time I ran into some problems was when I tried to use emulated hue from Home Assistant to connect it to Alexa. At first my Echo devices, which are all in the IoT network, were unable to find these emulated devices.

Fortunately, with the help of this great video by The Hook Up I was able to figure out the problem and a solution. Basically the Echo devices search via multicast, which usually does not work across networks. With a couple of settings I got this to work though.

First go to “Services” and enable the MDNS reflector to repeat mDNS traffic across all networks.

Afterwards I also needed to disable IGMP snooping for all networks, which can be found in the details of the networks we created earlier. This snooping only works while there is at least one device of the same type in your network. In my case all the Echos are in another one though.

Finally I enabled IGMPv2 for all my Wifi networks. This setting can be found in the same screen that was used to create the new Wifi network(s).

After adding these settings my Alexa / Echo devices were finally able to detect the fake Hue devices emulated by my Home Assistant instance.

I have been running this setup for a couple of months now and have not noticed any errors. All devices are working well and are now properly separated from each other. In the future I will keep experimenting with this setup though. I am thinking about moving the IoT devices which need an Internet connection to yet another network and shutting down Internet access for the remaining smarthome devices.

Categories: network