  1. #11
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234

    Firewall Rules for IoT devices

    Quote Originally Posted by f1assistance
    I'm not one for playing with nor trusting VLAN's nor having unmanaged promiscuous devices reside within the same subnet of the protected domain. Your firewall simply needs another NIC for this additional subnet. If it doesn't have one, either install one, or get device that does. ez pz
    I do have an extra, unused NIC in my NGFW appliance. Are you referring to plugging that NIC into a separate WiFi access point altogether for these IoT devices?

    I currently just have them on a separate Ubiquiti wireless network until I know how to handle them.

  2. #12
    Untangle Ninja f1assistance
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495


    Quote Originally Posted by miles267
    I do have an extra, unused NIC in my NGFW appliance. Are you referring to plugging that NIC into a separate WiFi access point altogether for these IoT devices?

    I currently just have them on a separate Ubiquiti wireless network until I know how to handle them.
    Hammer meet nail!
    There are many here with much more experience and knowledge concerning this idea and I would wait for their comments on this. Mine is simply a minimally experienced opinion, which makes logical sense to me...KISS!
    Last edited by f1assistance; 11-15-2018 at 04:47 AM.
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  3. #13
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605


    There is a potential issue here that I think is often overlooked.

    You may not care if your webcam gets pwned (trashed).

    The IoT 'things' that are inexpensive and not well designed may have back doors or easily exploitable vulnerabilities that will never get patched. They can give bad actors a workspace platform inside of your network (trusted or otherwise). Then, anything the device can communicate with, or any data it can sniff off of the network, is at risk.

    OR what people don't pay attention to is that the things may get drafted into a botnet, which can be aggregated with lots of other like things for crypto-mining, or denial of service (DoS) attacks on others. Using your bandwidth all while you sleep peacefully because your house is 'protected'.

    I know I don't want even an app on an Android tablet phoning home to China.

    So after physically segregating those things, I would lock down ALL outgoing traffic except for precisely what I want to see remotely, and log the snot out of the rest. This is normally not recommended for IPv4 web browsing behind NAT. Too much normal functionality gets broken, which makes for too much admin work.

    On the other hand, IPv6 is coming, so get used to it! And be smarter than your toaster.

    Jim.A
    Last edited by Jim.Alles; 11-15-2018 at 09:19 AM.
    If you think I got Grumpy
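As an added example (not code from the thread or from Untangle), here is Jim.Alles's "deny everything the IoT segment starts except what I explicitly want, and log the rest" policy written as an nftables ruleset for a routed IoT VLAN. The interface name and the allow-listed destination networks are assumptions; on NGFW itself the same policy would be expressed as Filter Rules in the GUI.

```shell
#!/bin/sh
# Added example, not from the thread or from Untangle: an nftables ruleset
# that applies Jim.Alles's policy to a routed IoT VLAN, i.e. deny every
# connection the IoT segment initiates unless it is explicitly allowed,
# and log what gets dropped. The interface name and the allow-listed
# destination networks are assumptions; on NGFW itself the same policy is
# expressed as Filter Rules in the GUI.
#
# Usage: iot_egress_ruleset <iot_iface> <allowed_cidr> [<allowed_cidr>...]
#   e.g.  iot_egress_ruleset vlan20 203.0.113.0/24 | nft -f -
iot_egress_ruleset() {
    iot_if="$1"; shift
    allowed=""
    for cidr in "$@"; do
        allowed="${allowed}${allowed:+, }${cidr}"
    done
    cat <<EOF
table inet iot_egress {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Traffic that did not enter on the IoT VLAN is not this table's business.
        iifname != "$iot_if" accept
        # Replies to connections the IoT devices already opened.
        ct state established,related accept
        # IoT devices never initiate into other internal segments (RFC 1918).
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "iot-lateral " drop
        # Pinholes: exactly the vendor endpoints the devices need, HTTPS only.
        ip daddr { $allowed } tcp dport 443 accept
        # Everything else is logged, then dropped.
        log prefix "iot-egress-denied " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname != "$iot_if" accept
        ct state established,related accept
        # The firewall itself serves DHCP, DNS and NTP to the IoT segment.
        udp dport { 67, 53, 123 } accept
        meta l4proto { icmp, icmpv6 } accept
        log prefix "iot-input-denied " drop
    }
}
EOF
}
```

The "iot-lateral" and "iot-egress-denied" log prefixes are what you grep the kernel log for to see which device is phoning home where.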

  4. #14
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234


    Have just finished setting up separate VLANs in NGFW 14.1 for my Guest and IoT wireless networks. Currently I have a network printer on my LAN that supports Apple AirPrint. Is it possible to allow clients on the Guest VLAN to access this printer on the LAN?

    Or should I be putting the printer on the IoT VLAN and allowing the LAN and Guest VLAN clients to access it?



  5. #15
    Untangler
    Join Date
    May 2008
    Posts
    464


    AirPrint uses mDNS (Bonjour). As far as I know it is not routable. If you find a way let us know.

  6. #16
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    712


    You can set up an Ubuntu server, install AVAHI, and configure it for mDNS repeating to span VLAN/subnets. Fairly easy to do, there are multiple guides floating around the net. Here's one, but there are many more. http://chrisreinking.com/need-bonjou...avahi-gateway/

    You can also vote for the Untangle feature suggestion to add AVAHI/mDNS repeating directly into Untangle itself (which would be a GREAT addition that some other products like pfSense already have). As AVAHI is already supported in Debian it would be fairly easy for Untangle to do so...
    https://untanglengfirewall.featureup...r-vlanssubnets
    Last edited by JasonJoel; 11-25-2018 at 01:38 PM.
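As an added example (not from the thread, and not Untangle's own feature), this is the Avahi reflector configuration JasonJoel describes, for a small Debian/Ubuntu host with an interface in each VLAN that should see the other's Bonjour services. Interface names and the printer address are assumptions. Reflecting mDNS only makes the printer discoverable from the Guest VLAN; the print job itself (IPP, TCP 631) still has to be allowed through the firewall, which is what the second function covers.

```shell
#!/bin/sh
# Added example, not from the thread or from Untangle: configuration for the
# Avahi reflector JasonJoel describes, on a small Debian/Ubuntu host with a
# leg in each VLAN that should see the other's Bonjour services. Interface
# names and the printer address are assumptions. Reflecting mDNS only makes
# the printer *discoverable* from the Guest VLAN; the print job itself (IPP,
# TCP 631) still has to be allowed through the firewall, hence the second
# function.
#
# Usage: avahi_reflector_conf eth0.10 eth0.30 > /etc/avahi/avahi-daemon.conf
avahi_reflector_conf() {
    ifaces="$1"; shift
    for i in "$@"; do ifaces="${ifaces},${i}"; done
    cat <<EOF
[server]
# Reflect only between the listed segments; leave the WAN and the IoT VLAN
# you deliberately isolated off this list.
allow-interfaces=${ifaces}
use-ipv4=yes
use-ipv6=no

[reflector]
# Re-announce records learned on one listed interface on all the others.
enable-reflector=yes

[publish]
# This host relays other devices' records and advertises nothing of its own.
disable-publishing=yes
EOF
}

# Companion rule for the router/firewall that currently blocks Guest -> LAN:
# insert it ahead of that drop rule so Guest clients can print (IPP, TCP 631)
# to this one printer and nothing else.
# Usage: airprint_forward_rule <guest_iface> <printer_ip>
airprint_forward_rule() {
    printf 'iifname "%s" ip daddr %s tcp dport 631 accept\n' "$1" "$2"
}
```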

  7. #17
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234


    Thank you. I just voted on this feature. Would prefer not to run middleware to accomplish something that should be native to the UTM.


