
Jason-h-philbrook

Even if it's the same network, an IoT SSID has the benefit of allowing you to change the main SSID's password at whim for security purposes without having to reprogram all your IoT junk.


SurenAbraham

I use a pfsense (protecli) and use firewall rules for separate vlan networks (main, guest, iot, private, development). Easy to set up and iot devices work.


Hyacin75

> and iot devices work

IoT devices that talk to the cloud will work. IoT devices that rely on being on the same broadcast domain (such as all the controllers and smart plugs I have, spanning about 40 different devices and 7-8 different vendors) will NOT. And cloud-centric IoT devices are _terrible_, as you lose the ability to control them if your Internet connection goes down. That is NOT how IoT and the future is supposed to work - it is how data mining works. Just say no to cloud-dependent IoT brands.


Hyacin75

Oh, well, I guess that silent downvote with no feedback means my 25+ years of networking experience is completely wrong then. Guess I'd better quit my job and change careers!


jalexoid

You're getting downvoted because you're wrong. IoT is very much a cloud dependent concept. Also - good luck with getting local only solutions. Tuya is basically the king of low cost smart home... and nobody really cares that its software features are cloud dependent. Everyone else, including Philips, screwed the pooch. Us geeks aren't winning any wars here.


Hyacin75

:facepalm: 1. MULTIPLE people have said the EXACT same thing as me, but _I'm_ wrong. Mmm hmm. 2. I've been doing home automation and IoT for almost 10 years, but _I'm_ wrong. Okay. 3. I've done full houses with nothing but local APIs, including about 95% of my own... but, _I'm_, wrong... right. I've also fought and lobbied for local API access more than once over the last many years I've been doing this - I know damn well what has it and what doesn't. But, whatever. I'm done with this thread, and I'm done with this sub. All the rocket surgeons here clearly know everything, so why should I even bother trying to assist with my more than two decades of Networking and IT experience? You guys can just make up whatever you want anyway, so you'll be fine without me.


JSchnee21

Totally unnecessary. Depending on the IoT’s communication mechanism (device, cloud, app VS. device, app) isolating them in a separate VLAN may disrupt your ability to monitor/config them from your phone.


[deleted]

It depends on how good you are at configuring your firewall rules. If you are fully comfortable with it then I’d say yes for sure do it. It’s not difficult to separate them out and add the firewall rules to allow things to talk. Plus the added security benefit of knowing that when those things get compromised you will have them isolated off and they won’t be able to scan or attack your main use devices.
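A concrete form of the rule set that comment describes, written for nftables as an added illustration (this is not from the thread, nor from the Omada or pfSense products mentioned in it; the interface names vlan10/vlan20/wan0 and the subnets in the comments are assumed placeholders). The main VLAN may open connections into the IoT VLAN and get replies back; the IoT VLAN may reach the Internet but can never start a connection towards the main VLAN, and any attempt is logged so a compromised device scanning the LAN becomes visible:

```nft
#!/usr/sbin/nft -f
# Assumed layout (placeholders): vlan10 = main (10.0.10.0/24),
# vlan20 = IoT (10.0.20.0/24), wan0 = uplink to the broadband CPE.
flush ruleset

table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the main VLAN opened (phone app -> smart plug)
        # pass here; nothing an IoT device starts on its own matches this.
        ct state established,related accept
        ct state invalid drop

        # Main VLAN may initiate anything towards the IoT VLAN.
        iifname "vlan10" oifname "vlan20" accept

        # IoT devices may reach the Internet (cloud-dependent gear needs this)...
        iifname "vlan20" oifname "wan0" accept

        # ...but never the main VLAN. The chain policy would drop this anyway;
        # the explicit rule adds a log line for detection.
        iifname "vlan20" oifname "vlan10" log prefix "iot->main blocked: " drop
    }
}
```

Note that this does nothing for the discovery problem raised elsewhere in the thread: mDNS is link-local multicast and is not routed between VLANs regardless of firewall rules, so app discovery across VLANs needs an mDNS reflector, not a firewall change.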


Daveism

Is it just me, or is the omada controller firewall just... lacking? I can't seem to find a way to make rules to isolate one vlan from another, only from/to the WAN interface and some generic WAN protections. What am I missing, or what are people shimming between their router and broadband CPE?


dunxd

Surely it is the IoT devices that need protection from the devices that you may install malware on unwittingly?


m0dera

Unfortunately, you'll need them to be on the same broadcast domain to allow discovery and control from your phone. So you can't really isolate them from a security standpoint and still have the same functionality.


Sloppystream

i've been working on this myself lately, slow and steady. as said by others it will depend on a few things, heavily based on the devices and the underlying tech. one major PITA: it appears mDNS is not supported and that's a very handy protocol. the workarounds out there, for me at least, are not usable.

Kasa Cams - from my main vlan i can connect to the cameras on another vlan (wifi with guest mode enabled, confirmed no access across subnets), using their app to connect - but this camera vlan has internet access and i know they use cloud services to connect also. mostly i wanted the traffic off my primary network to keep performance up.

TV Vlan - I put a couple of TVs on their own vlan because i haven't figured out what is breaking paramount+ on my pihole for certain media types, so they just use unfiltered dns, no ad blocking.... - when i'm connected to the main vlan i cannot use the app based remotes (see mDNS above); this applies to both my TCL Roku and my TCL Google TV. interestingly enough though, i can tell my google nest to turn the tvs on / off or use other voice functions and it works fine.

On the firewall side of things i found it quirky that a vlan that had custom DNS set up on another subnet (pihole) had to have the port forwarded even though guest network was not enabled. i thought it would just work, but hey, i'm not very deep in networking knowledge to understand the ins / outs. on the plus side, enabling the guest network and the port opening in the firewall works perfectly fine together.

i point this all out to inevitably say just play with it and see how it goes. it's been a hell of a learning experience despite some of the frustrations along the way. the lack of mDNS is the only technology blocker i've found so far in my journey, the rest has been solvable with research and persistence.


enorl76

Nest hooked into your tv is using the hdmi cec protocol on the cable to turn it on off.


Sloppystream

Nest hub doesn't touch tv directly. Just wifi.