All these IOT devices

[garethsnaim]

Hi sorry I see that this has variously been asked but I have never set up a separate VLAN, what I dont understand is how I would control these devices from say my iphone which would be on the main network?

I have a number of devices that could do with being separate, I also have two boys using PCs, again that might benefit from being separate from work PCs etc, but I would still like to be able to Remote into their PCs etc as needed.

Not sure what search terms to put in so any hints would be welcome

[Jim.Alles]

what is your goal with being separate?

[garethsnaim]

Well I am being told all the time that one day these devices will in the night come together to create one large transformer device and destroy my house.

I just want to minimise any risk of being hacked, but yes as your simple question intimates, I dont really know.

[f1assistance]

Ah, the fun of unmanaged devices...where defense is not an option. D'oh!

"Microsoft finds Russia-backed attacks that exploit IoT devices"
https://tinyurl.com/y2ctxprq

[garethsnaim]

So can I do anything to mitigate this other than not use them? (They are super useful!)

[jcoehoorn]

There are three reasons to use separate vlans:

1. Performance. If you have a lot of devices on a wireless network, the normal background protocol chatter for dhcp, discovery, etc, can start to eat up significant portions of the available throughput on your network. Segmenting these devices into separate vlans can help alleviate this problem. This is unlikely to ever be an issue on a home network.
2. Logical Groupings (management). vlans create boundaries for the common discovery protocols like bonjour/mdns and broadcasts. When you have a lot of devices for lots of different people, you can use these boundaries to control who sees what. Be careful, though, because these boundaries tend to be absolute. Vlans don't play well if you want to be able to mix common or shared devices and list them next to private devices. It's hard to, say, keep a common family chromecast next to the living room TV and some home office devices only you can see on the same network, without a specialized and complicated software service.
3. Security. The boundaries created for the logical groupings can also be used as security boundaries, as long as you understand the limitations and have appropriate filtering and control capability at your layer-3 routing point.

For the use case in your question, I believe you are likely to run into the limitations described in #2.

[Jim.Alles]

yesYes, divide and conquer the evil transformers!

So lets say it is not a crap-ton of devices. And we want to make things more secure.
But you want to keep significant others (S.O.) happy by not breaking their Things.

well segmentation, in it's various forms, will break connections intentionally.
And it probably isn't worth the work of putting a brick wall up and then punching holes in it -
to get say, Bonjour/MDNS functioning for discovering printers, or casting streaming content.
It is just a pain in the butt to do the work-arounds needed.

So let's keep your home network just that. You normally have control over the physical environment. That is computer security 101.
When you identify 'work PCs', do they belong to an employer, or is it your private business?

Now, a common scenario is two flavors of Wi-Fi, one for trusted devices that your family has control over, and then a secured guest Wi-Fi with a passphrase that you hand out to occasional visitors, kid's friends, etc.
The right Wi-Fi access point (AP) with dual SSIDS can use a Vlan over a single Ethernet cable back to a Untangle port (or through a managed switch) to isolate those two use cases.
To me, that is one class of security worth doing. Because you don't always know who is sitting in the neighbor's driveway, you don't want to give them unlimited, unsupervised time to mess with your Things.

Another class of security is putting all the smart things in jail as much as possible. Untangle can do much of that at the edge without VLANs. I happen to favor things that don't want to phone home to their manufacturer. Otherwise, they don't come into my physical environment (with the exception of smartphones, of course).

So, does any of that resonate with you?

[garethsnaim]

Its a bit confusing TBH, so in essence we are confirming my concern at the beginning that if I put say my smart home plugs (for switching stuff off and on) on a separate VLAN, I cannot then control those devices from my iPhone which would be on the main VLAN, so that makes it a no go.

So I guess the only other option is to try and ensure security as much as possible with untangle, but these devcies are of course phoning home, I can control them when out and about. Therefore I dont see any reason that should someone take over the devcies server or what ever that I am now super vulnerable, I dont see what untangle can do in this instance really.

[sky-knight]

If you cannot control devices from another network, perhaps the issue is the software? How "smart" is a home plug that cannot be used via another IP range? Functionality that was literally developed in the 60s.

Which honestly, is why I don't have any of that crap in my home. I'm not buying smart ANYTHING until the vendors in question build something that can perform using 60 year old standards.

[f1assistance]

D'oh! Tomorrow we'll discover VLAN isolation was a pipe dream and simply a convenience dopamine hit. The only thing I trust is physical segment isolation and zero unmanaged 'smart' devices, and will not ever connect my BB10 tracking device to my protected domain (cellular only). We admins are witnessing security's collapse simply because we allowed it (and knew better).
If I must trust a single hardware, today, I choose Untangle!
Wake up, Neo...
The Smart Grid has you...

"Router Network Isolation Broken By Covert Data Exfiltration"
https://tinyurl.com/y3ortplo