Need for isolating IoT devices


  • I've got an Amplifi HD mesh system (with 2 mesh points) and it works fabulously. The system has provided a platform upon which to expand my home automation system considerably, with reliability, but as the number of IoT devices has increased significantly (think Wifi switches all over the house), I have an increasing need to segregate them from the main network. Since the system allows for a Guest network with isolation from the main network, I've configured all of my Belkin Wemo and Leviton Decora Wifi switches to use it - the problem with this is that the switches require a static lease in order to function reliably and reconnect to the network successfully after a power outage or some other reset event. I've created a static lease for all of the switches, but the lease is restricted to the main network subnet (in my case 10.0.1.x), which the switches are not configured for (the Guest network being on 192.168.222.x).

    I'm unsure of how to proceed from here, but if the system had some VLAN capabilities I'm certain I could isolate the IoT devices from the main network. In order to make this work, I'm assuming that I'd have to supplant the Amplifi HD router by placing it in Bridge mode and run another router that supports VLAN configuration. Is that correct?



  • Thanks. That confirms that a router that supports VLAN configuration is required.

    I have a Sonicwall TZ400 device that I acquired after a corporate merger. I have admin credentials for this device, but it seems like it might be total overkill for what I'm trying to do here. I have it on hand, though, so it would save me some money if a new router is in the cards. The other options I looked at include an EdgeRouter since I do also have an EdgeSwitch in my rack and of course, the Unifi Dream Machine and Pro variant of it as well. Any opinions on these options? It's really just a basic home network so I don't want a lot of complexity and/or cost to isolate those IoT devices.

    Cheers!


  • @Motozoic said in Need for isolating IoT devices:

    I've got an Amplifi HD mesh system (with 2 mesh points) and it works fabulously. The system has provided a platform upon which to expand my home automation system considerably, with reliability, but as the number of IoT devices has increased significantly (think Wifi switches all over the house), I have an increasing need to segregate them from the main network.

    This won't be of any help, but your quest reminds me of a bank building that my architect son designed. EVERY SINGLE LIGHT FIXTURE, a/c OUTLET, and WALL SWITCH in that entire 3-story building has its own IP address, and almost all the interior partitions are moveable so that the entire interior space can easily (well, I can't really testify as to HOW easily) be reconfigured.


  • @Motozoic If a new router is needed for a Home Network I personally like the Dream Machine (DM). I set one up for my daughter who has her own home business and it is meeting her needs and mine for support. She previously had a Ubiquiti USG, an 8 port switch (which I use with the DM), and an LR Access Point. She also has several IoT devices on a VLAN that easily migrated to the DM. Here is a link to an article of someone who made a similar switch, https://9to5toys.com/2020/08/14/unifi-dream-machine-review/.

    I went with the DM since I did not want to put a rack in her home and personally don't like devices like the DM Pro sitting on a desk. Since you already have a rack you may want to go with the DM Pro.

    If you need additional ports the Unifi USW Flex Mini (5 ports for $29) is a great option for the DM.

    Personal Opinion:
    Right now I would shy away from the Amplifi Alien because of the myriad of problems being reported. I know that the Dream Machine does not offer WiFi 6 but if you do not currently have or plan to have a lot of WiFi 6 devices within the next 2-3 years, it is not needed. I know there is a lot of hype around WiFi 6 but it currently has limited use for most home users.


  • Any opinions on SonicWall? As I mentioned earlier, I've got a TZ400 sitting here on my desk and the only drawback I see is that configuration appears to be a fair bit more complex.


  • @Motozoic Might also want to check on the support status for that unit. There was a security issue (with an updated firmware available) in March.

    https://www.sonicwall.com/support/product-notification/security-advisory-sonicwall-firewall-management-vulnerabilities/190717234810906/


  • @Matthew-Leeds Good point. I just checked and my SonicWall device is at SonicOS 6.5.1.1. I think, mainly since I have the unit in hand, that this is certainly the most cost effective path forward. Configuration requires a good deal of research, though... but the system does appear to be well documented. My use case is very simple so hopefully it doesn't take me too long to set it up. I believe the major steps include configuring the WAN interface, setting the Amplifi HD into bridge mode and finally, configuring the VLANs. It's probably going to be a lot more challenging than I imagine, though.


  • I managed to update my TZ400 to the latest firmware and was successful in establishing wired connectivity through my EdgeSwitch with it. I set the Amplifi HD into bridge mode and was able to configure another interface on the SonicWall via L2 Bridge Mode, but it all fell apart after that - not successful at establishing the WLAN via the Amplifi mesh. I tried reading up on Virtual Access Points and more, but had to throw in the towel at 2AM. My issue is now obviously user error/lack of knowledge at this point!


  • Update: managed to get it sorted. An issue with the SW device is that VAPs essentially mandate the use of Dell products, such as a SonicPoint or SonicWave.

    For an Amplifi HD in bridged mode serving essentially guest Wifi, SW needs it to be set up as a unique Public security interface in an untrusted zone. I bound this zone to the specific interface I connected to on the SW (X3 in my case) with the other end of the cable connected to the WAN port on the Amplifi HD router. A couple of DHCP lease scopes defined including a static reservation for the router and each meshpoint and bam, off to the races.

    I'd have to say it was certainly not a brisk walk through the park, but more like lost in the park and forced to spend the night in there, followed by a concerted revisit to the effort upon waking in order to finally find the park boundary!
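The subnet mismatch in the opening post (static leases restricted to 10.0.1.x while the guest network lives on 192.168.222.x) and the per-interface DHCP scopes with static reservations described in the final update are the kind of plan that is worth sanity-checking before touching the firewall. The script below is an added example, not code from this thread, from Ubiquiti or from SonicWall: it checks that every reservation falls inside the scope bound to the interface the device actually uses, and flags duplicate MACs and IPs that would make a switch flap between addresses. The two subnets come from the thread; the interface names (X0 for the LAN, X3 as in the last post), zone names, MAC addresses and device names are constructed assumptions.

```python
"""Sanity-check DHCP static reservations against per-interface scopes (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    interface: str                   # firewall port the scope is bound to, e.g. "X3"
    zone: str                        # security zone of that interface
    network: ipaddress.IPv4Network   # subnet the scope hands addresses out from


@dataclass(frozen=True)
class Reservation:
    name: str
    mac: str
    ip: ipaddress.IPv4Address
    interface: str                   # interface the device is actually attached to


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..', 'aabb..' and 'aa:bb:..' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_reservations(scopes, reservations):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    by_iface = {s.interface: s for s in scopes}
    macs_seen = {}
    ips_seen = {}
    for r in reservations:
        mac = normalize_mac(r.mac)
        scope = by_iface.get(r.interface)
        if scope is None:
            problems.append(f"{r.name}: no DHCP scope is bound to interface {r.interface}")
            continue
        if r.ip not in scope.network:
            # The trap from the thread: a reservation in the LAN subnet for a device that only
            # ever talks to the guest/IoT interface is never offered on that interface.
            other = [s for s in scopes if r.ip in s.network]
            where = (f" (it belongs to {other[0].network} on {other[0].interface}/{other[0].zone})"
                     if other else "")
            problems.append(f"{r.name}: {r.ip} is outside {scope.network} on "
                            f"{r.interface}/{scope.zone}{where}")
        elif r.ip in (scope.network.network_address, scope.network.broadcast_address):
            problems.append(f"{r.name}: {r.ip} is the network or broadcast address of {scope.network}")
        # Two reservations for one MAC (or one IP) make the device alternate between leases.
        if mac in macs_seen:
            problems.append(f"{r.name}: MAC {mac} already reserved for {macs_seen[mac]}")
        macs_seen.setdefault(mac, r.name)
        if r.ip in ips_seen:
            problems.append(f"{r.name}: IP {r.ip} already reserved for {ips_seen[r.ip]}")
        ips_seen.setdefault(r.ip, r.name)
    return problems


# Constructed sample: only the two subnets come from the thread; interface names, zone names,
# MACs and device names are hypothetical.
SCOPES = [
    Scope("X0", "LAN", ipaddress.IPv4Network("10.0.1.0/24")),
    Scope("X3", "IoT-Public", ipaddress.IPv4Network("192.168.222.0/24")),
]
RESERVATIONS = [
    Reservation("amplifi-router", "AA:BB:CC:00:00:01", ipaddress.IPv4Address("192.168.222.2"), "X3"),
    Reservation("meshpoint-1", "aa-bb-cc-00-00-02", ipaddress.IPv4Address("192.168.222.3"), "X3"),
    # The opening post's situation: a LAN-subnet lease for a switch that lives on the guest side.
    Reservation("wemo-kitchen", "aabbcc000010", ipaddress.IPv4Address("10.0.1.50"), "X3"),
    Reservation("decora-hallway", "AA:BB:CC:00:00:11", ipaddress.IPv4Address("192.168.222.20"), "X3"),
    # Same MAC entered twice with different addresses.
    Reservation("decora-hallway-dup", "aa:bb:cc:00:00:11", ipaddress.IPv4Address("192.168.222.21"), "X3"),
]

if __name__ == "__main__":
    for problem in check_reservations(SCOPES, RESERVATIONS):
        print("PROBLEM:", problem)
```

Run as written it reports two problems: the wemo-kitchen reservation sits in the LAN scope rather than the guest scope bound to X3, and decora-hallway-dup reuses a MAC that is already reserved. Dropping the reservations for those two entries, or moving wemo-kitchen into 192.168.222.0/24, yields an empty list.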

