IoT Home Network

For security I wanted to split my IoT network from my home network. Specifically, I wanted to ensure that any network points outside the house did not give access to the internal network, and that any WiFi used by equipment outside the house was on a separate WiFi network with different credentials. The idea is that someone who gains physical access to the outside of the property cannot reach the internal network from whatever they can plug into or see there.

To implement this, I created two new networks on my Ubiquiti UniFi system: one for WiFi and one for the LAN. The first step was a separate VLAN, with its own DHCP server, for IoT devices.

The IoT network got its own VLAN ID. I then created a WiFi network, also called IoT, and locked it to that VLAN. Pretty simple really.

Next, I created some firewall rules on LAN IN. UniFi evaluates these top to bottom and the first match wins, so the order matters: the Established/Related accept and the two service accepts must sit above the drops. They do the following, in order:

  • Accept all Established and Related connections
  • Accept any MQTT service connections FROM IoT to the MQTT Server
  • Accept any Modbus service connections FROM IoT to the Modbus Server
  • Drop any other connections FROM IoT to LAN
  • Drop any other connections FROM IoT to LAN 2

Then I tagged the switch ports where IoT devices are connected with the IoT VLAN. Any other ports running to the outside of the house would get the same VLAN.

The result is that I can connect to anything on the IoT VLAN from the LAN without issue, while devices on that VLAN can only initiate connections back to the MQTT and Modbus servers on their respective ports. IoT devices still have full outbound Internet access, through the same NAT gateway as everything else. Note that it is the two drop rules on LAN IN, not NAT, that stop them reaching the LAN; NAT only hides the whole house behind one public address, and the one indirect route back in, via a cloud service that both an IoT device and a LAN device talk to over the Internet, is not something these rules address. If a device on the IoT VLAN is compromised, what it can see is largely the other devices on the IoT network, the gateway's own services on that VLAN (DHCP and DNS), and the two permitted ports on the MQTT and Modbus servers, which therefore need to be kept patched and require authentication. A quick check from an IoT device, such as trying to open a TCP connection to a LAN host on a port other than the two allowed ones, should time out rather than connect.

There has also been some talk about Chinese cameras 'phoning home'. I dealt with this by adding a rule that drops any connections from the camera subnet (192.168.1.128/26) to anywhere. Because the Established and Related accept sits above it, the LAN can still pull streams from the cameras; the cameras just cannot initiate anything themselves. Of course, if a camera uses another IP address, all bets are off. But hopefully I would see that. Giving each camera a fixed DHCP reservation inside that /26, and checking the gateway's client list now and then, makes that less likely to slip past.
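To make the first-match behaviour of the LAN IN list concrete, here is a small model of the rule order described above, including the camera rule, run over a constructed set of flows. This is an added example, not UniFi configuration and not the author's own code; the subnets for LAN (192.168.0.0/24), LAN 2 (192.168.2.0/24) and the IoT VLAN (192.168.1.0/24), the broker and Modbus server addresses, and the sample flows are all assumptions for the example. Only the camera /26 comes from the post. The standard ports for MQTT (1883) and Modbus/TCP (502) are used. It also shows what happens when the camera drop is placed above the Established/Related accept, which would break the LAN pulling streams from the cameras.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addressing is assumed for this example; only the camera /26 is from the post.
LAN = ipaddress.ip_network("192.168.0.0/24")            # assumed home LAN
LAN2 = ipaddress.ip_network("192.168.2.0/24")           # assumed "LAN 2"
IOT = ipaddress.ip_network("192.168.1.0/24")            # assumed IoT VLAN subnet
CAMERAS = ipaddress.ip_network("192.168.1.128/26")      # camera subnet named in the post
ANY = ipaddress.ip_network("0.0.0.0/0")
MQTT_SERVER = ipaddress.ip_network("192.168.0.10/32")   # assumed broker address
MODBUS_SERVER = ipaddress.ip_network("192.168.0.11/32") # assumed Modbus/TCP server
MQTT_PORT = 1883    # standard MQTT port (8883 for MQTT over TLS)
MODBUS_PORT = 502   # standard Modbus/TCP port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # True for packets of a connection the firewall already tracks


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None      # None matches any destination port
    state_established: bool = False  # match only established/related traffic

    def matches(self, flow: Flow) -> bool:
        if self.state_established:
            return flow.established
        if ipaddress.ip_address(flow.src) not in self.src:
            return False
        if ipaddress.ip_address(flow.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == flow.dport


def lan_in_rules() -> List[Rule]:
    """The LAN IN list from the post, top to bottom, with the camera drop appended last."""
    return [
        Rule("established/related", "accept", state_established=True),
        Rule("IoT to MQTT", "accept", IOT, MQTT_SERVER, MQTT_PORT),
        Rule("IoT to Modbus", "accept", IOT, MODBUS_SERVER, MODBUS_PORT),
        Rule("IoT to LAN", "drop", IOT, LAN),
        Rule("IoT to LAN 2", "drop", IOT, LAN2),
        Rule("cameras to anywhere", "drop", CAMERAS, ANY),
    ]


def camera_rule_first(rules: List[Rule]) -> List[Rule]:
    """Same rules with the camera drop moved above established/related (the mistake to avoid)."""
    return [rules[-1]] + rules[:-1]


def evaluate(rules: List[Rule], flow: Flow, default: str = "accept") -> Tuple[str, str]:
    """First match wins, as UniFi processes LAN IN; unmatched traffic gets the default accept."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default policy"


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Run a constructed set of flows through the rule list and return the verdict for each."""
    flows = {
        "iot -> mqtt broker":       Flow("192.168.1.20", "192.168.0.10", MQTT_PORT),
        "iot -> modbus server":     Flow("192.168.1.20", "192.168.0.11", MODBUS_PORT),
        "iot -> lan ssh":           Flow("192.168.1.20", "192.168.0.10", 22),
        "iot -> lan2 http":         Flow("192.168.1.20", "192.168.2.5", 80),
        "iot -> internet":          Flow("192.168.1.20", "203.0.113.7", 443),
        "iot -> own gateway dns":   Flow("192.168.1.20", "192.168.1.1", 53),   # not covered by any drop
        "lan -> iot http":          Flow("192.168.0.50", "192.168.1.20", 80),
        "iot reply to lan":         Flow("192.168.1.20", "192.168.0.50", 51000, established=True),
        "camera -> internet":       Flow("192.168.1.130", "203.0.113.7", 443),
        "camera -> mqtt broker":    Flow("192.168.1.130", "192.168.0.10", MQTT_PORT),  # accept sits above the drop
        "camera reply to lan rtsp": Flow("192.168.1.130", "192.168.0.50", 52000, established=True),
    }
    return {name: evaluate(rules, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy(lan_in_rules()).items():
        print(f"{verdict:6}  {name}")
    print("misordered, camera reply:", check_policy(camera_rule_first(lan_in_rules()))["camera reply to lan rtsp"])
```

Two things the verdicts make visible that the rule list alone does not: the IoT VLAN's own gateway address is not matched by either drop, so DHCP and DNS on the gateway stay reachable from IoT, and a "cameras to anywhere" drop placed below the MQTT accept still lets a camera reach the broker, so if the cameras should be cut off completely the drop has to sit above the service accepts but still below Established/Related.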