by m34 2537 days ago
(Tech) people tend to laugh at me/pull the tinfoil hat card for putting my D-Link/IoT stuff behind a very restrictive, dedicated, iptables filtered, hostapd based custom network running on my Pi Zero W that isn't allowed to talk to the home network or internet at all.

As mentioned by others, I guess it really needs severe identity theft/abuse with vital services until people realize that today's IoT 'plug & play' is worse than the level of 'plug & pray' we've seen in the early PCI/USB/Win98 era (that only impacted your local device functionality).


I've recently put some time in setting up zigbee2mqtt (http://www.zigbee2mqtt.io/) which lets you use all these smart home things without their proprietary hubs. So I can use all the Chinese smart home stuff, without needing to use their hub, so no risk in it phoning home.

It takes some work to get going, but it's amazing. Cheaper (no need to buy all those different hubs), more flexible (you can use node-red or any programming language to do exactly what you want), and way more secure (nothing leaves your home network unless you want it to).

I'm a "tech people" and tip my hat at you wise sir (#no_sarcasm).
The first consumer router that supports a VLAN specifically designed for iot devices should sell well. Who will be first?
Or just use routers with the guest WiFi feature, and set WPA2 security on it. Can't talk to your devices, only to the Internet.
As others have mentioned, VLAN is an opt-in step and requires support from the hardware.

I also DON'T want those devices to be able to connect to the internet: I have a D-Link webcam that has (had?) some issues around being exploitable remotely via the MyDLink or whatever it's called service. I don't want to have (more) devices sitting in my network that open it up from the inside.

Also, my guests should be able to access the internet without me having to whitelist their MAC addresses.

Why would regular VLAN support not work to secure or segregate IoT devices?
It would but most consumer devices don't support VLANs and if they did no consumer would know how to configure them.

If you do need low cost VLAN-capable gear I've had success with TP-Link switches and Mikrotik WiFi APs.

Yeah, what dborham wrote: most people wouldn't know a VLAN if it bit them on the nose, but if your router automatically created the SSID "foo-devices" to go alongside your regular "foo", people might use it.

Like the "offer a guest network" button which, now I think of it, might already be enough.

Sounds essentially like what HomeKit for routers is doing.
Do you have any resources you can point to on how you went about setting this up? I tried setting up a VLAN or something with little success. I'm running DD-WRT but any sort of firewalling or subnetting is outside my comfort zone.
Not really.

It's mostly a blend of many different tutorials/blog posts/forums on hostapd, raspbian, dnsmasq and the likes.

I took notes during both times when I set this up (first time the SD card died shortly after, no backup of sorts; second time some changes in drivers, raspbian lite and other tooling were different so I had to start over).

I thought this project would make a good first blog post, maybe I can gist some steps / bullet points next week or so.

Do you allow inbound traffic from your home network to your IoT network in order to control IoT devices or do you have to switch WLAN connection when you want to do so?
Yes, I allow _some_ more or less well-defined traffic from home network to IoT specifically to allow control.

I also do run HomeKit, homebridge but devices/hubs are in the dedicated network.
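As an added illustration (not the commenter's actual configuration), here is a sketch of the kind of iptables policy the thread describes: the hostapd-driven IoT segment on the Pi can reach the Pi only for DHCP/DNS, no new connection leaves it, and only listed control ports are reachable from the home LAN. The interface names, subnets and ports are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the commenter's real config. Assumed layout:
#   wlan0 = hostapd AP serving the IoT devices on the Pi Zero W
#   eth0  = link from the Pi to the home network
IOT_IF="${IOT_IF:-wlan0}"                # assumed AP interface
HOME_IF="${HOME_IF:-eth0}"               # assumed home-side interface
HOME_NET="${HOME_NET:-192.168.1.0/24}"   # constructed sample home LAN
IOT_NET="${IOT_NET:-10.10.0.0/24}"       # constructed sample IoT LAN

# gen_iot_rules PORT... : print an iptables-restore ruleset in which the
# home LAN may open TCP connections to the listed IoT ports and nothing else
# crosses between the segments. No NAT/uplink rule exists, so the IoT
# segment has no path to the internet at all.
gen_iot_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Replies to connections the home side opened are allowed back.
  echo "-A FORWARD -i $IOT_IF -o $HOME_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Control traffic from the home LAN to specific IoT ports only.
  for p in "$@"; do
    echo "-A FORWARD -i $HOME_IF -o $IOT_IF -s $HOME_NET -d $IOT_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Anything else the IoT segment tries to forward is logged (rate limited)
  # before the DROP policy eats it, so phone-home attempts stay visible.
  echo "-A FORWARD -i $IOT_IF -m limit --limit 5/min -j LOG --log-prefix \"iot-drop: \""
  # The Pi itself: loopback, established flows, SSH from the home LAN, and
  # DHCP + DNS from IoT devices (served locally by dnsmasq).
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A INPUT -i $HOME_IF -s $HOME_NET -p tcp --dport 22 -j ACCEPT"
  echo "-A INPUT -i $IOT_IF -p udp --dport 67 -j ACCEPT"
  echo "-A INPUT -i $IOT_IF -p udp --dport 53 -j ACCEPT"
  echo "-A INPUT -i $IOT_IF -p tcp --dport 53 -j ACCEPT"
  echo 'COMMIT'
}

# iot_egress_rules PORT... : sanity check that no generated rule lets a NEW
# connection leave the IoT segment; prints the count, which must be 0.
iot_egress_rules() {
  gen_iot_rules "$@" | grep -c -- "-i $IOT_IF -o $HOME_IF .*NEW" || true
}

# Apply on the Pi with:  gen_iot_rules 80 8080 | sudo iptables-restore
```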

"I" of IoT literally means internet. How does barring your IoT devices from communicating over the Internet make sense? Wouldn't it make total sense to get rid of all your IoT devices instead?
Why not make it stand for intranet of things?
Intranet of Things with an optional single secure gateway to access all devices remotely through a uniform interface...
there's definitely a market for an easy-to-use security product like this