[wyager]

Put internet of shit devices on their own VLAN(s). Almost all wifi APs today support multiple SSIDs with separate VLANs. Have your firewall block inbound connections to devices on that VLAN. Every OS firewall has built-in support for this.

I spent a lot of time figuring out how to do all this in the most efficient way (in terms of my time and effort) during covid, and I suggest getting any arbitrary box with 2 ethernet ports and putting freebsd on it.

[soebbing]

I actually thought about that for a minute when I set up my home network a while ago, but that seems to be a pretty hard (or at least inconvenient) problem.

Often I need to access a device from my local network (think: use my phone to control Wi-Fi LED Strips, Sonos speakers, etc.), which makes it impossible (I guess?) to separate these devices into their own network completely (if they aren't controlled by an online service in general). Or is it possible to allow access from my trusted network INTO the restricted network, but not the other way around?

Total network noob here, in case you haven't figured that out yet. :)

[wyager]

> Or is it possible to allow access from my trusted network INTO the restricted network

Yes, my home network works exactly like this. I have a vlan called "trusted" which can connect to any other vlan. One line in pf.conf.

My VLANs are something like: trusted, guest, media, cameras, printer, etc.

Many of these aren't allowed inbound or outbound connections (e.g. cameras and printer can only talk to things on their subnet).

Only downside is that stuff that works off broadcast packets (like bonjour) does not work across subnets.

[kube-system]

There are mDNS repeaters that can in some cases make bonjour work across different networks. In my experience I spend more time fighting with mDNS than I do enjoying it.

[cassianoleal]

I have avahi running on my router repeating mDNS across all VLANs. I can't recall the last time I had an issue with it.

[labcomputer]

Each of the VLAN is (or can be) just another network from the router’s and firewall’s perspective. So you just have to set up appropriate firewall rules to allow traffic between the networks that you want to communicate.

You could, for example, allow only TCP traffic initiated by hosts in the “normal” VLAN to hosts the IoT VLAN. So IoT stuff can’t initiate outgoing connections to any other network, and can only receive TCP connections from one network.

You can also set up an MDNS reflector on your router if your IoT devices use that (e.g. HomeKit) to send data proactively back to “normal network” hosts.

[throwaway742]

>Or is it possible to allow access from my trusted network INTO the restricted network, but not the other way around?

Yes

[philjohn]

I go one further - the IoT VLAN (Sonos, Philips Hue, wifi controlled light strips, TV's) is hard segmented from my "trusted" VLAN (except for some specific holes punched so things like SSDP and streaming from a media server work).