I’m concerned about the growing number of IoT devices, so I ask you gurus whether you advise me to separate the network into different domains (and how), in order to avoid low performance on the crappy router provided by my ISP, meaning wifi drops, low speed while streaming, and so on.
A bit of description of my setup in the following:
My entire home automation is based on a RPi2 with MQTT, InfluxDB, Grafana running on an OpenHABian SD.
All my IoTs are wifi Sonoff devices (with Tasmota), MAX! for heating with cabled MAX! cube and a USB CUL for the Intertechno-like power switches.
Manual control of OpenHAB is gained via Android app (BasicUI) or HabPanel, depending on the device I’m on.
In my network, I serve a NAS with different services. Among others, rsync is what I run via cron on the RPi, in order to save the SD content on the NAS.
My ISP router is bridged to a TP-Link (ddWRT enabled) that serves a separate network to a third router in my garage. It’s a wifi bridge, configured like here: https://www.dd-wrt.com/wiki/index.php/Repeater_Bridge
Since I still have a ddwrt router around, since I plan to add 10 more Sonoff-Tasmota, and since I’m concerned about ‘friends/ISP colleagues’ playing around, would it make sense to separate the IoT domain (Sonoff, MAX! and RPi) from the Home domain (streaming, www, …)?
If yes:
- how can I still control OpenHAB manually via the Android app/HABPanel (remember Grafana plots)?
- how can I still rsync on my NAS via RPi?
I hope my question is clear. Of course, I’m confused, I know :)
My situation is similar but not identical. Here's what I did:
1) Split the network into multiple subnets, with virtual wifi instances for each as needed. In my case I have:
- Internal "secure" high speed, trusted
- Internal, untrusted - for IoT etc
- Guest, lowest priority access
I use QoS to adjust packet priorities.
I set the Guest network to be fully isolated; it can't see anything but the Internet. That's what guests are told about.
You can create firewall holes that allow access as needed between the subnets. Not as easy as I might like but that's the price of separating things out. (In practice, so far I have only created a few such holes.)
Posted: Mon Jan 28, 2019 16:27 Post subject: how to set up internal, untrusted wireless network for IoT
I’m trying to set my system up with an "Internal, untrusted - for IoT etc." network.
Currently I have a couple of wifi switches on my guest network and Hass.io on Rpi is wired to my primary network. I was thinking if I could gain local access to the switches I could accomplish the goal – i.e. accessing wireless switch with static IP 192.168.2.xx from specific device with static IP 192.168.1.xx.
I don’t know if this is the best way to do it. I’ve seen people talk about setting up a vlan for IoT and I guess I could do that if it were vlan with enabled wireless as my switches are wifi. Not sure if that would make any difference.
Assuming I’m on the right track, I can’t figure out how to access my wireless switch which has static IP 192.168.2.xx from a specific device (also with static IP) at 192.168.1.xx.
Guest network set up following the beginner tutorial (https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners) (I skipped the QoS part). I’m new to networking and dd-wrt and trying to learn. Any guidance would be appreciated.
I definitely can connect to the wifi switches when connected to the guest network, but I’d like to connect to them when I’m on the primary network (not the guest network) so I don’t have to switch networks to do it. Also my Rpi is wired and on the primary LAN and it will run automations which could include the switches, and I want to be sure those will work (I'm not sure if the Rpi already has this ability to access devices on the guest network, as the switches carry IPs 192.168.2.xx and the LAN or Rpi IPs are 192.168.1.xx).
On the rule you shared:
1) do I paste it into Commands and Save Firewall then reboot router to implement it?
2) I have not set up a bridge and my guest network is on wl1.1, so is the rule allowing any device on my primary network full access to the guest network? If so I’m assuming this would be 1-way (i.e. guest network users are still prevented from accessing the LAN).
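A concrete form of the one-way "firewall hole" discussed in this thread, as an added example and not the rule the poster was actually given (that rule is not quoted here). It assumes dd-wrt's busybox iptables, the LAN on br0 as 192.168.1.0/24 and an unbridged guest/IoT wifi on wl1.1 as 192.168.2.0/24; the generated lines are what you would paste into Administration > Commands and Save Firewall.

```shell
#!/bin/sh
# Added example (not from the thread): a one-way hole from the trusted LAN into
# the unbridged IoT/guest wifi on dd-wrt. Devices on wl1.1 get no rule that
# accepts NEW connections toward br0, so they still cannot reach the LAN; only
# replies to connections the LAN opened are let back through (stateful match).
# Assumed names: br0 / 192.168.1.0/24 for the LAN, wl1.1 / 192.168.2.0/24
# for the IoT wifi (taken from the thread), iptables present on the router.

LAN_IF="br0"
LAN_NET="192.168.1.0/24"
IOT_IF="wl1.1"
IOT_NET="192.168.2.0/24"

# Print the two FORWARD rules. "-I" inserts at the top of the chain so they
# take effect before any DROP the guest-network tutorial already placed there.
# Optional argument: a narrower source (e.g. the Pi's static IP) instead of
# the whole LAN, which is the least-privilege choice when only one host
# needs to drive the switches.
iot_hole_rules() {
    src="${1:-$LAN_NET}"
    cat <<EOF
iptables -I FORWARD -i $LAN_IF -o $IOT_IF -s $src -d $IOT_NET -j ACCEPT
iptables -I FORWARD -i $IOT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count rules that would let the IoT side open NEW connections to the LAN;
# the hole stays one-way only while this is 0 (used as a self-check).
iot_to_lan_new_rules() {
    iot_hole_rules "$1" | grep -- "-i $IOT_IF -o $LAN_IF" | grep -vc "ESTABLISHED"
}

# Apply for real only on the router (root + iptables); elsewhere just print.
apply_iot_hole() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        iot_hole_rules "$1" | sh
    else
        iot_hole_rules "$1"
    fi
}
```

Because the IoT side has no NEW-accepting rule, the IoT devices can still only answer connections the LAN (or the Pi) started, which is the 1-way behaviour asked about above.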