Page 1 of 2
Results 1 to 10 of 17
  1. #1
    Newbie
    Join Date
    Oct 2018
    Posts
    2

    Default Firewall Rules for IoT devices

    Hello everyone. I have dozens of Wi-Fi IoT devices on my network, all residing in a single isolated VLAN. These include cameras, switches, irrigation controller, HVAC, door lifts, Echos, weather nodes, etc. Could you opine on which is better practice with respect to firewall approach for IoT devices:
    1) include the block all rule at bottom of firewall rules list and explicitly allow ports (through rules) needed by the various devices; or
    2) don't include the block all rule, and just let the devices use the ports as needed?

    I notice several of the devices want/need to phone home, and they seem to not function properly if I block these phone home attempts.

    Or any other best practices would be most appreciated!
    Thanks!
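The difference between the two approaches in the question comes down to what happens to traffic that matches no explicit rule. The following Python model is an added illustration, not code from this thread or from Untangle: it evaluates an ordered, first-match rule list for an isolated IoT VLAN under both approaches (explicit allows plus a logged block-all rule at the bottom, versus the same allows with no block-all), and shows how the log from the block-all rule is what tells you which "phone home" connections a device actually needs before you write a narrow allow rule for it. The rule model, the subnets (192.168.50.0/24 for the IoT VLAN, 192.168.1.0/24 for the home LAN), the documentation-range destinations and the sample flows are all constructed for this example.

```python
"""Ordered, first-match firewall evaluation for an isolated IoT VLAN.

Added illustration, not code from the forum thread or from Untangle. It models
the two approaches in the question: (1) explicit allow rules with a block-all
rule at the bottom, and (2) no block-all rule, so unmatched traffic is
implicitly allowed. The rule model, the subnets (192.168.50.0/24 for IoT,
192.168.1.0/24 for the home LAN), the documentation-range destinations and
the sample flows are all constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "block"
    src_net: str = "0.0.0.0/0"   # source network, CIDR
    dst_net: str = "0.0.0.0/0"   # destination network, CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False            # log matches so they can be reviewed

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


IOT_VLAN = "192.168.50.0/24"
HOME_LAN = "192.168.1.0/24"
FW_IOT_ADDR = "192.168.50.1/32"   # the firewall's own address on the IoT VLAN

# Rules shared by both approaches. The LAN block sits ABOVE the service allows
# so that "allow tcp/443 anywhere" cannot be used to reach a LAN web interface.
COMMON = [
    Rule("block-iot-to-lan", "block", IOT_VLAN, HOME_LAN, log=True),
    Rule("allow-dns-to-firewall", "allow", IOT_VLAN, FW_IOT_ADDR, "udp", 53),
    Rule("allow-ntp", "allow", IOT_VLAN, proto="udp", dport=123),
    Rule("allow-https", "allow", IOT_VLAN, proto="tcp", dport=443),
]

# Approach 1: explicit allows, then block (and log) everything else.
DEFAULT_DENY = COMMON + [Rule("block-all", "block", IOT_VLAN, log=True)]

# Approach 2: same allows, but no block-all, so unmatched traffic passes.
IMPLICIT_ALLOW = COMMON


def evaluate(rules: List[Rule], flow: Flow,
             default: str = "allow") -> Tuple[str, str]:
    """First matching rule wins; with no match the implicit default applies."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "<implicit>"


def review_drops(rules: List[Rule], flows: List[Flow],
                 catchall: str = "block-all") -> List[Flow]:
    """Flows stopped only by the catch-all rule: the candidates to review when
    a device stops working after the block-all rule is added."""
    return [f for f in flows if evaluate(rules, f) == ("block", catchall)]


def suggest_allow_rule(flow: Flow) -> Rule:
    """Narrowest rule that would permit one reviewed flow: one source host,
    one destination host, one protocol and port. Widen only if the device's
    destination proves to change (for example, a vendor CDN)."""
    return Rule(f"allow-{flow.src}-{flow.proto}-{flow.dport}", "allow",
                f"{flow.src}/32", f"{flow.dst}/32", flow.proto, flow.dport)


# Constructed sample traffic from the IoT VLAN (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for vendor clouds).
FLOWS = [
    Flow("192.168.50.10", "192.168.1.20", "tcp", 445),   # camera -> LAN file share
    Flow("192.168.50.11", "203.0.113.5", "tcp", 443),    # thermostat -> vendor HTTPS
    Flow("192.168.50.12", "198.51.100.7", "tcp", 4070),  # speaker "phones home" on an odd port
    Flow("192.168.50.13", "192.168.50.1", "udp", 53),    # irrigation controller -> DNS on firewall
    Flow("192.168.50.14", "203.0.113.9", "udp", 123),    # weather node -> NTP
]


if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5}"
              f" default-deny={evaluate(DEFAULT_DENY, f)[0]:5}"
              f" implicit-allow={evaluate(IMPLICIT_ALLOW, f)[0]}")
    for f in review_drops(DEFAULT_DENY, FLOWS):
        print("review:", suggest_allow_rule(f))
```

Run as a script, the table shows the only flow the two approaches disagree on: the speaker's connection on tcp/4070, which the implicit-allow list passes silently and the default-deny list blocks and logs. The logged drop is exactly the evidence you need to add a narrow allow rule for that one device and destination, rather than opening the port for the whole VLAN; the new rule is then inserted above the block-all rule so it is reached first.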

  2. #2
    Newbie
    Join Date
    Jan 2018
    Posts
    11

    Default

    I have done like you and put them all on an isolated VLAN as well as blocking all access to the Untangle UI from that VLAN and left it at that. I am guessing that things like an Echo would be using different ports for accessing different servers, which could prove a headache if you really wanted to lock things down. Maybe put things like cameras in a more locked down VLAN on their own for added security? I'm far from an expert but seems logical in my head!

  3. #3
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default

    So far I've put only my IP cameras on a VLAN that cannot access my LAN or Untangle UI.

    Have left all other IoT devices like irrigation controller, TVs, thermostats, etc on my WLAN.

    TBH I wasn't quite sure how to put a WiFi device on a VLAN if not connected to a managed switch via Ethernet wiring.

    Am now interested in how to best do this in a home environment.


    Sent from my iPhone using Tapatalk

  4. #4
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    690

    Default

    VLAN config is dependent on how your home architecture looks. Many pro-sumer people use things like Meraki or UniFi in their home environment to get full VLAN and management support across their Ethernet and WiFi. On those systems it is easy to make a VLAN on WiFi, etc.

    If you are using more consumer gear like Orbi or Google WiFi for your wireless, you are probably out of luck.

  5. #5
    Master Untangler
    Join Date
    May 2008
    Posts
    924

    Default

    Quote Originally Posted by JasonJoel View Post
    VLAN config is dependent on how your home architecture looks. Many pro-sumer people use things like Meraki or UniFi in their home environment to get full VLAN and management support across their Ethernet and WiFi. On those systems it is easy to make a VLAN on WiFi, etc.

    If you are using more consumer gear like Orbi or Google WiFi for your wireless, you are probably out of luck.
    Or install openwrt on your wireless access point if you can.
    Last edited by donhwyo; 11-12-2018 at 09:33 AM.

  6. #6
    Master Untangler
    Join Date
    May 2010
    Location
    Texas, USA
    Posts
    690

    Default

    Yes, there are ways to get VLAN support on some consumer routers as well. Fair point.

  7. #7
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default

    I do run Ubiquiti APs behind Untangle. Haven't created a WiFi VLAN. Yet. Currently have those devices on their own wireless network for now.


    Sent from my iPhone using Tapatalk

  8. #8
    Master Untangler f1assistance
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    981

    Default

    I'd suggest being completely safe and have another subnet for the unmanaged IoT devices, and have them completely away from the other...plus you only have to manage them once.
    Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM

  9. #9
    Master Untangler
    Join Date
    Jun 2015
    Posts
    154

    Default

    Quote Originally Posted by f1assistance View Post
    I'd suggest being completely safe and have another subnet for the unmanaged IoT devices, and have them completely away from the other...plus you only have to manage them once.
    If someone could post or point to a guide for this it would be awesome!


    Sent from my iPhone using Tapatalk

  10. #10
    Master Untangler f1assistance
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    981

    Default

    I'm not one for playing with nor trusting VLANs, nor having unmanaged promiscuous devices reside within the same subnet of the protected domain. Your firewall simply needs another NIC for this additional subnet. If it doesn't have one, either install one, or get a device that does. ez pz
    Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
