by JohnFen 900 days ago
> However, if you want a home network that’s simple to configure, easy for your guests to borrow, hassle-free, and that all of your Smart Home gadgets can connect to, then you should close this tab now

Or do what I do: run multiple APs. I have my primary one, which is very tightly secured and monitored, and only gives access to my local VPN. I have a guest one, which is only as secure as any average AP and gets you internet access, but no access to my LAN. If I used "smart" gadgets that I couldn't really control and trust, I'd set up a subnet just for them alone.


You can run multiple SSIDs on the same AP and segment your networks with VLANs. No need to buy multiple APs unless you need the coverage.
And in this case the coverage would be even worse unless they duplicated all APs for both networks.

It's probably much more cost effective to do what you suggest, and that's exactly what I do. Multiple SSIDs (one for the household, another for IoT stuff, another for work and another for guests) and control access via VLANs.

Is there a reason you split IoT stuff off of the guest network?

On my network we just have a guest network which denies LAN access to anything connected to it, but I'm wondering if there's a good reason to split IoT off entirely.

I guess it depends on what kind of friends you have, but assuming IoT devices are insecure rubbish, I wouldn't want them on the same network as guests. But then again you might want to turn on client isolation for the guest network, so that wouldn't really be an issue.
Yeah, I have guests all isolated from the LAN already.
Client isolation means the clients on the network can't reach each other. This would prevent them from attacking each other or your insecure IoT devices. Otherwise your friends will backdoor your security camera. ;-)
I want my guests to be able to cast to my TV, add songs to the Spotify queue, etc. As far as I can tell, these sorts of features work via broadcast frames and thus require the relevant devices to be on the same subnet.

Things like my printer and wifi-connected grill live on a much more restrictive VLAN. (with some firewall rules to allow devices on the trusted network to still print to my printer's hard-coded IP address)

You can do it on some routers (e.g. OPNsense) that let you retransmit that (e.g. with UDP broadcast relay). The main downside is that you have to set it up for each type, open ports, troubleshoot a lot, waste many hours, etc.

I used to do this but it became too much of a hassle.

I have a separate VLAN for things like security cameras with perhaps-dodgy firmware, and a firewall rule that drops connections that devices on that VLAN try to establish. They have no business connecting anywhere; when I want to see what they see I'll ask them.
I split it off and give it zero access to the Internet, it's strictly internal. Everything can talk to the IoT VLAN, but not the other way around.
There's a simple reason (among many) that I segment IoT from Guest: I change my Guest SSID password regularly but don't wish to do the same for my IoT segments (plural, because one has WAN access and the other doesn't). For anyone wondering, the frequent changes to the guest wifi password are offset by the fact that I make the password easily available to guests in the form of an NFC tap.
> Is there a reason you split IoT stuff off of the guest network?

I'd do it so that I could more easily prevent the IoT stuff from phoning home.

That makes sense. In my case, I don't have a lot of IoT, but what I do have is entirely cloud based—if there's no phoning home then there's no point to having the device.
Yeah this is what I do. Both guests and naughty cloud devices get put on the same LAN as everyone else but can only talk to the gateway and the internet.
OpenWRT offers this. It's a good strategy to buy devices supported by OpenWRT.

And to donate to OpenWRT, of course!
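
An added example (not code from any poster in the thread): the policy several replies describe, written as an OpenWrt `/etc/config/firewall` excerpt. Guests get the Internet but nothing on the LAN, and the IoT VLAN is reachable from the trusted LAN but cannot initiate connections anywhere, not even to the Internet. It assumes network interfaces named `lan`, `wan`, `guest` and `iot` already exist and that the stock `lan` and `wan` zones are kept as installed; those names are assumptions.

```uci
# /etc/config/firewall excerpt, added beside the stock lan and wan zones.
# Interface names guest/iot are assumed to match /etc/config/network.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'    # guests may not talk to the router itself...
	option output 'ACCEPT'
	option forward 'REJECT'  # ...nor between guest clients via the router

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted LAN may initiate to IoT; replies come back through connection
# tracking. There is deliberately NO forwarding with src 'iot', so IoT
# devices cannot start a connection to lan, guest or wan.
config forwarding
	option src 'lan'
	option dest 'iot'

# Guests get the Internet only: no guest->lan or guest->iot forwarding.
config forwarding
	option src 'guest'
	option dest 'wan'

# The two REJECT input zones still need DHCP and (for guests) DNS
# from the router, so punch exactly those holes.
config rule
	option name 'Allow-Guest-DHCP-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart`; the printer exception mentioned upthread would replace the blanket `lan`-to-`iot` forwarding with a `config rule` carrying `option src 'lan'`, `option dest 'iot'` and `option dest_ip` set to the printer's fixed address.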

Yes, this is actually what I do. They're conceptually separate APs, so I talk about them as such.
This is exactly what I do. IoT stuff sits on its own AP attached to a jailed LAN.
So do you have to switch the wifi on your phone to access the IoT stuff?
No -- not the GP, but I have a separate IoT SSID and VLAN with a distinct subnet.

I run an mDNS repeater (or rather, my Unifi controller runs it for me) to allow discoverability across subnets. The benefit, such as it might be, is in the ability to use a stateful firewall between the subnets and that I can have a relatively secure PSK that I don't need to rotate when I rotate any of my other SSID PSKs.

Relevant to the article, I also have a WPA-3 Enterprise SSID, a WPA-3 PSK SSID and a WPA-2/3 PSK guest/children's SSID. The different subnets have different sets of rules for what they may access and which DNS settings are applied by default.

I'm guessing it's the same wifi network, just on a different VLAN.
Anyone can have access to my LAN. It’s not a security boundary, and pretending like it is means you can never safely connect to airport or hotel wifi.