Poll

How do you feel about putting IoT devices on a separate VLAN or Guest WiFi?

I only have one network segment and that is all I need - I feel Safe
1 (12.5%)
I only have one network segment - I'm not sure if I'm safe
1 (12.5%)
I only have one network segment  - I feel vulnerable - but I don't know what to do
0 (0%)
I only have one network segment  - I will be setting up network separation soon
1 (12.5%)
I have implemented a separate VLAN or Guest WiFi for IoT devices
5 (62.5%)
I have implemented a separate VLAN or Guest WiFi and it's a mess - will probably remove
0 (0%)

Total Members Voted: 8

Author Topic: Discussion - Putting devices on separate Guest WiFi or VLAN  (Read 690 times)


Offline galfert

  • Global Moderator
  • Forecaster
  • *****
  • Posts: 6822
Discussion - Putting devices on separate Guest WiFi or VLAN
« on: December 16, 2020, 03:01:17 PM »
I'd like to open the conversation to discuss this trend that I sometimes read that people do, where they put their IoT devices on a separate VLAN or separate Guest WiFi. I feel it is a misguided or misinformed approach. But I'd like to bring the topic up and I'm willing to hear others' opinions on the matter.

Just what problem do you think you are solving by putting IoT devices on a separate Guest WiFi? They will still phone home. I think you are just causing issues by removing yourself from directly accessing them from your LAN....meaning you'd have to join that Guest WiFi to control them....and then when you join the Guest WiFi well then there you are...why not have left it all in one network to begin with. If you think you are solving some protection from these devices then why not look at the hardening and security of all your devices so that it isn't a concern. Meaning that your computers are up to date and that you have their software firewalls enabled. No other device on your network can spy on other devices today because most of every communication is done with encryption https and TTL and so on....and you can even do DoH (DNS over HTTPS) for even more privacy. If you want to prevent some devices from phoning home and reporting on telemetric data then a Pi-hole can help your entire network do that. If the premise to separate the IoT device is to enable more WiFi bandwidth to more important devices then you should set up an extra access point (on the same network) using a different WiFi channel and then you'll have an SSID for important devices with separate bandwidth allocation. Bottom line is that I see no point in putting IoT devices on a separate LAN....you are just complicating your life and gaining nothing from it. But I'd be willing to hear what others have to say.

My bottom line is that I have no problems going to a hotel WiFi or other public WiFi and using their free WiFi. If I'm able to do that then what is the difference in my own private home network? Why shouldn't I be safe in my own home network from my own devices? Then again I know some of you will probably answer that you don't trust a public WiFi and that you'd use a VPN in that case. To which I say that I feel that there are situations where a VPN is warranted but I don't think it is really necessary for most people.

I hope that we can discuss this potentially controversial subject in an open and respectful manner. Nobody is an idiot. That is why I used the terms misguided or uninformed. And we can always just agree to disagree.
« Last Edit: December 16, 2020, 03:11:17 PM by galfert »
Ecowitt GW1000 | Meteobridge on Raspberry Pi
WU: KFLWINTE111  |  PWSweather: KFLWINTE111
CWOP: FW3708  |  AWEKAS: 14814
Windy: pws-f075acbe
Weather Underground Issue Tracking
Tele-Pole

Offline galfert

  • Global Moderator
  • Forecaster
  • *****
  • Posts: 6822
Re: Discussion - Putting devices on separate Guest WiFi or VLAN
« Reply #1 on: December 16, 2020, 03:26:43 PM »
Glossary:
IoT - Internet of Things. This is a reference to all the Internet connected devices of today. Originally the Internet was just for computers. Today we have smart TVs, bathroom scales with WiFi, irrigation controllers, smart phone automation, weather stations, web cams, smart speakers, doorbells, sensors, appliances, just about anything.

VLAN - Virtual LAN. A way to separate network traffic by creating different internal network routing paths on a local network.

Guest WiFi - Some WiFi routers have the ability to create a Guest WiFi network. Just because you set up a Guest WiFi though doesn't necessarily mean that the traffic between it and your local network is separated. This depends on the implementation and settings that are available in each piece of equipment.
« Last Edit: December 16, 2020, 03:28:30 PM by galfert »

Offline vreihen

  • El Niño chaser
  • Forecaster
  • *****
  • Posts: 1216
  • K2BIG
Re: Discussion - Putting devices on separate Guest WiFi or VLAN
« Reply #2 on: December 16, 2020, 04:56:04 PM »
I have six different VLANs and four wifi SSIDs on my home network.  There are firewall rules both in/outbound, as well as between IP subnets.

Keeping the IP security cameras and NVR on their own isolated subnet and broadcast domain is a no-brainer, both so that they never "phone home" and also because of the huge traffic they generate en masse.

My WeatherFlow Hubs and WeeWX hardware have their own SSID and VLAN, since they use UDP broadcasts and I don't want to miss any packets due to collisions/traffic on the segment.

I have a whole /24 VLAN for Docker containers, because my chosen Docker host randomly assigns IP addresses to containers instead of honoring DHCP.

I have a VLAN and SSID just for my wife's work-from-home computer.  I trained at least three of that company's IT/networking staff, and let's just say that I wouldn't let one of their computers on my home network even if I had to.  It has zero access to anything, except the Internet.

No guest wifi at my house.  Oh yes, get off my lawn, kid!  :grin:

Seriously though, I've been doing this stuff to earn a paycheck for 35 years.  The network gear that I have all has the enterprise features, so I figure why not use them?????
WU Gold Stars for everyone! :lol:
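
An inter-VLAN policy of the kind described in the post above, written as an added nftables example; it is not the poster's configuration and not part of the original thread. The Linux router, the interface names and the VLAN layout are assumptions made for illustration.

```nft
#!/usr/sbin/nft -f
# Added example. Assumptions (not from the thread):
#   eth0 = WAN, eth1.10 = trusted LAN, eth1.20 = IoT,
#   eth1.30 = cameras/NVR, eth1.40 = work-from-home PC
#   IPv4 only; IPv6 forwarding is assumed to be disabled on the router.
flush ruleset

define WAN  = "eth0"
define LAN  = "eth1.10"
define IOT  = "eth1.20"
define CAMS = "eth1.30"
define WORK = "eth1.40"

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Every internal VLAN may use the router for DNS and DHCP only
        iifname { $LAN, $IOT, $CAMS, $WORK } udp dport { 53, 67 } accept
        iifname { $LAN, $IOT, $CAMS, $WORK } tcp dport 53 accept
        # Router management (SSH) only from the trusted LAN
        iifname $LAN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed to start
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may open connections to the Internet and to any VLAN,
        # so IoT devices and cameras stay reachable from the LAN
        iifname $LAN accept
        # IoT and the work PC: Internet only, nothing toward other VLANs
        iifname { $IOT, $WORK } oifname $WAN accept
        # Cameras/NVR match no accept rule: no Internet, no other VLANs
        counter log prefix "vlan-fwd-drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Devices that are found by broadcast or mDNS discovery are not seen across VLANs even when the forward rules allow the connection, because those packets stay inside their own subnet.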

Offline Bushman

  • Forecaster
  • *****
  • Posts: 7549
    • Eagle Bay Weather
Re: Discussion - Putting devices on separate Guest WiFi or VLAN
« Reply #3 on: December 16, 2020, 05:02:08 PM »
"My bottom line is that I have no problems going to a hotel WiFi or other public WiFi and using their free WiFi."  Yikes.  I hope you are not doing anything important on the "free" wifi.
Need low cost IP monitoring?  http://wirelesstag.net/wta.aspx?link=NisJxz6FhUa4V67/cwCRWA or PM me for 50% off Wirelesstags!!

Offline davidmc36

  • He who dies with the most toys wins!
  • Forecaster
  • *****
  • Posts: 1256
  • FN25ie61jw
    • MorewoodW34
Re: Discussion - Putting devices on separate Guest WiFi or VLAN
« Reply #4 on: December 16, 2020, 06:54:48 PM »
I don't know if I need to do any separating of devices or not. I am interested to follow the discussion.

Offline galfert

  • Global Moderator
  • Forecaster
  • *****
  • Posts: 6822
Re: Discussion - Putting devices on separate Guest WiFi or VLAN
« Reply #5 on: December 16, 2020, 11:10:03 PM »
vreihen,
I totally understand what you have created and I don't see that your use of VLAN and separate SSID really touches on the IoT device talk. You are using these networking methods for measures that I feel are worthy and I too have these measures in for the same reasons; security camera VLAN and separate SSID traffic with other access point devices to manage WiFi bandwidth usage. And although I don't have a situation where a stranger could remote into my network like your wife's IT people, I can certainly commend you for having isolated that system. I too manage VMs and Docker and I get that. I also have VLANs for testing network equipment. The bottom line is that this is not the target of my discussion. I'm just concerned about people that isolate themselves from the devices in their life that they purchased to make things better but then they isolate them so that they can't adequately perform their functions.

Bushman,
I do a lot of important stuff on free WiFi. I trust my firewall and I trust SSL/TLS certificates and encryption for any resource that I need to get to. Everyone has these measures without really needing to think about it. But I do turn on the VPN every now and then if I feel it is warranted. Depends on the place. A computer convention in Las Vegas.....uh yeah, my Panera down the street in my quaint small town...nah...not to check my email and do some online shopping (which nobody can see). I don't worry because I know how encryption and security work. I too can sniff packets on a free WiFi and I know I'm not going to be able to extract anything from any of the WiFi traffic.