Secure IoT Network Configuration

  • Published 7 Jul 2024
  • ▶ Check out my gear on Kit: kit.co/crosstalk
    How to configure a network for segregating IoT devices.
    Equipment used in this video (Amazon affiliate links):
    EdgeRouter 4: geni.us/NuI6y
    US-24-250W Switch: geni.us/8Be5
    UAP-AC-PRO: geni.us/q8CLX
    iClever smart plugs: geni.us/x6LnBB
    Crosstalk Store on Amazon - RECOMMENDED PRODUCTS: www.amazon.com/shop/crosstalk...
    Crosstalk Discord: / discord
    Amazon Wish List: a.co/7dRXc67
    Crosstalk Solutions offers best practice phone systems, network design and deployment, and UniFi Video camera systems. Visit CrosstalkSolutions.com for details.
    Crosstalk Solutions is an authorized Sangoma partner and reseller.
    Connect with Chris:
    Twitter: @CrosstalkSol
    LinkedIn: goo.gl/j2Ucgg
    UA-cam: goo.gl/g4G58M
  • Science & Technology

COMMENTS • 441

  • @jonathanleon-oakley6974 5 years ago +35

    I can't thank you enough for all your super simple but thorough explanations of all the concepts that you teach. You are an absolute legend!

  • @tobyport5873 3 years ago +8

    For those who have issues casting from the Private to the IoT network with Chromecast - you need one more rule. Add to the IoT Local ruleset: allow UDP, destination port 5353 (mDNS). [Match the allow IoT DNS rule, just using port 5353.] You're welcome.

  • @joshmoore1292 11 months ago +1

    I just started to set up my 1st IoT network today. Literally. Then, I stumble on this video.
    Absolute gamechanger.
    You sir, are a gentleman and a scholar!

  • @ulkesh78 5 years ago +2

    This is one of the best guides to this setup I've found. Excellent info and great presentation man!

  • @patsjoholm 4 years ago +4

    MQTT is used to broadcast JSON (or similar, i.e. YAML) requests. On IoT devices, this normally tells an MQTT server the status of that device (i.e. on or off, or temperature/humidity). It can also be used to turn the device on/off, of course, via 2-way communication. It is highly efficient, as the packets are tiny, and is widely used in the Home Assistant environment, for example.
    P.S. Nice video. I am obviously here, as my weekend project, coming up, is to move onto a new router, switch, and AP, and implement VLANs for my IoT devices. Thanks for the share!

  • @RyanRath 5 years ago +2

    Ha! Crazy small world, I did this two weeks ago for my setup at home as well. Great content Chris, love the channel

  • @phoenix112308 1 year ago

    Your videos are great! Straightforward and to the point while being clear and conveying information in a way that anyone can understand. LOVE your channel!

  • @Muttonbird 5 years ago

    Great timing for a great video. Thanks Chris, very helpful indeed and was just wondering about setting all this up the other day so cheers! Looking forward to your next vid.

  • @independentRestorationServices 5 years ago +2

    Thanks for this! It's such a pain trying to search 20 places to put all of this together; this is super convenient.

  • @wrightpc1215 5 years ago

    This couldn't have come at a better time... Thanks Chris really appreciated 👍

  • @zeeshanh8360 5 years ago +4

    I hit like on this even before watching as this is something everybody should do - at least anyone with IoT devices.
    Before I made my first IoT purchase (t-stat & lights) I made sure to set up a separate SSID, VLAN & routing/firewall rules. This was early on & the devices used were not ideal, but I committed to not getting any IoT devices until this was at least somewhat segregated from my main LAN.
    I strongly recommend to any/everybody to set up a VLAN or even a subnet to isolate traffic (something's better than nothing).
    PS - the SSID is excellent! Also like the 107.

  • @dacman61 5 years ago

    I've been meaning to do this at my home. Looks like I got a project to do this weekend. Thanks for the video!

  • @AlexJustesen 5 years ago +51

    Perfect IoT SSID... perfect

  • @kalbachekal 5 years ago +51

    Hi Chris
    Please make a video for IoT devices again with USG router.
    From London with love

    • @ppi57 4 years ago +8

      Yes please

  • @brooksdbetts 5 years ago

    Great video...been thinking of doing this at my house but just did not want to invest the time to research the firewall rules I needed. This is a great guide which gives me NO excuses now! ;)

  • @Ben-ld5lt 2 years ago

    Very well explained!
    I followed this comprehensive video today and set up an IoT network for my TP-Link smart plugs.
    Thank you Chris.

  • @KeyJayHD 5 years ago

    Excellent video dude! I just joined the Ubiquiti family with two Pro APs and an EdgeRouter 4. I'll still be using my Netgear GS724T switch for the time being, but we also just put in a new security system and I'll soon be spinning up a Blue Iris camera system. I also have a media server on the network. I'm going to try and replicate this for my camera system. Essentially, I may create a total of 4 VLANs, one of which will be for cams and another for my existing SmartThings IoT network. I'm still pretty new to this level of control (I mean my old router did allow me to SSH into it and make a few changes), but I have high hopes. I'm liking the Ubiquiti platform thus far (just started literally yesterday) and will start digging in deeper today as soon as my new router comes in.
    Thanks again for these detailed quality videos; it's really helping me get off my feet with this.

  • @garygrobard4095 5 years ago +8

    Stuff to think about:
    1. Remove/blackhole VLAN1
    2. Add new default VLAN to replace VLAN1
    3. Add a management VLAN
    4a. DNS reflection rule. I use this to redirect all external DNS requests from internal clients to my DNS server from any incorrectly configured client. (I do this for NTP as well as some devices don't accept the DHCP NTP option).
    4b. DNS block internal clients from using external DNS services. I've been thinking/working on blocking internal clients from using DNS over HTTPS and/or TLS.....
    4c. Move internal DNS server to HTTPS or TLS
    Going down a rabbit hole. Stopping now.
    Keep up the good work. You not only need to have a grasp of the tech, but also the charisma to present it. Well done!

    • @CrosstalkSolutions 5 years ago

      Good feedback - thanks!

    • @pauldean9671 5 years ago +4

      Restricting access to external DNS servers is a good idea.
      How do you plan to block DNS over HTTPS/TLS? I think it's built into the browser, so how would you be able to detect the DNS request? I'd like to do this also.
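
An added example (not the video's configuration, and not posted by either commenter above) of garygrobard4095's items 4a and 4b in EdgeOS syntax, plus what can and cannot be done about the DoH/DoT question. The interface name eth1.107 (VLAN 107), the resolver address 10.0.0.53 on the trusted LAN, the gateway 10.0.107.1 and the ruleset name IDIoT_IN are assumptions chosen to match the video's layout, not values taken from it.

```edgeos
# Added example, not from the video. Assumed layout: IoT VLAN 107 is eth1.107
# (10.0.107.0/24, router at 10.0.107.1); the internal resolver (Pi-hole) is
# 10.0.0.53 on the trusted LAN. Commands are entered in `configure` mode.

# 1. Destination NAT: every plain-DNS packet leaving the IoT VLAN is rewritten
#    to the internal resolver, whatever server the device asked for. This
#    catches hard-coded 8.8.8.8 / 1.1.1.1 and clients that ignore the DHCP
#    option. Packets already aimed at 10.0.0.53 are rewritten to themselves.
set service nat rule 10 description 'Redirect IoT plain DNS to internal resolver'
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth1.107
set service nat rule 10 protocol tcp_udp
set service nat rule 10 destination port 53
set service nat rule 10 inside-address address 10.0.0.53
set service nat rule 10 inside-address port 53
set service nat rule 10 log enable

# 2. The same trick for NTP (UDP 123), pointing at the router's own NTP
#    service on the VLAN gateway address (assumes `service ntp` is enabled).
set service nat rule 11 description 'Redirect IoT NTP to router'
set service nat rule 11 type destination
set service nat rule 11 inbound-interface eth1.107
set service nat rule 11 protocol udp
set service nat rule 11 destination port 123
set service nat rule 11 inside-address address 10.0.107.1
set service nat rule 11 inside-address port 123

# 3. DNAT runs before the IDIoT_IN ruleset sees the packet, so the redirected
#    query now looks like IoT -> trusted LAN traffic. This permit must sit
#    ABOVE the rule that drops IoT -> trusted LAN, or DNS simply stops.
set firewall name IDIoT_IN rule 12 description 'Allow redirected DNS to internal resolver'
set firewall name IDIoT_IN rule 12 action accept
set firewall name IDIoT_IN rule 12 protocol tcp_udp
set firewall name IDIoT_IN rule 12 destination address 10.0.0.53
set firewall name IDIoT_IN rule 12 destination port 53

# 4. The redirect only sees port 53. DNS-over-TLS is TCP 853 and can be
#    dropped by port; DNS-over-HTTPS is ordinary TCP 443, so the only
#    port-independent control is to drop traffic to resolvers you know about.
#    Both are logged so a device trying a new resolver shows up in `show log`.
set firewall group address-group DOH_RESOLVERS description 'Known public DoH/DoT resolvers (maintained by hand)'
set firewall group address-group DOH_RESOLVERS address 8.8.8.8
set firewall group address-group DOH_RESOLVERS address 8.8.4.4
set firewall group address-group DOH_RESOLVERS address 1.1.1.1
set firewall group address-group DOH_RESOLVERS address 1.0.0.1
set firewall group address-group DOH_RESOLVERS address 9.9.9.9

set firewall name IDIoT_IN rule 15 description 'Drop DNS-over-TLS'
set firewall name IDIoT_IN rule 15 action drop
set firewall name IDIoT_IN rule 15 protocol tcp
set firewall name IDIoT_IN rule 15 destination port 853
set firewall name IDIoT_IN rule 15 log enable

set firewall name IDIoT_IN rule 16 description 'Drop known DoH resolvers'
set firewall name IDIoT_IN rule 16 action drop
set firewall name IDIoT_IN rule 16 protocol tcp
set firewall name IDIoT_IN rule 16 destination port 443
set firewall name IDIoT_IN rule 16 destination group address-group DOH_RESOLVERS
set firewall name IDIoT_IN rule 16 log enable

commit ; save
```

Rules 15 and 16 have to come before whatever rule lets the IoT VLAN reach the Internet, since EdgeOS evaluates rules in number order and stops at the first match. If the router itself is the resolver (dnsmasq forwarding on 10.0.107.1) the NAT target becomes 10.0.107.1 and the permit belongs in IDIoT_LOCAL instead, which is the "allow DNS" rule the video already has. A resolver list is only as good as its upkeep; the stricter alternative is to drop everything from the VLAN except an allow-list of the vendor endpoints each device actually needs.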

  • @shadez7650 4 years ago

    Outstanding video. You make things very clear, even for people who aren't the best or that knowledgeable at this stuff.

  • @AlanW 3 years ago

    Haven't finished watching yet, but let me say I love the names you gave things.

  • @craigcoffman69 2 years ago

    Solid information, thank you! Answered a LOT of questions but....
    Now I have just as many new questions!!!

  • @kycsip3066 3 years ago +4

    This is really great stuff. I have a UDM Pro and I'm trying to set up a secure IoT network; this is almost exactly what I need. I only say almost because I know next to nothing about networks, so I'm making educated guesses as to how the EdgeRouter configuration translates to the UDM. It would be extra awesome to have this same video remade with the new UniFi interface.

    • @6Wojcieech 3 years ago

      I think the interest in such material would be very high.

    • @CoFRHeLLsFuRy 2 years ago

      Agreed. A new video with all UniFi hardware would be awesome. Get why it wouldn't be a priority but sure would be nice.

  • @packetguy42 5 years ago +15

    This is a nice first cut for improving IoT security, but you should really have separate VLANs for each unique type of IoT device or you'll be vulnerable to lateral attacks within the IoT domain: e.g., access control on one VLAN, video surveillance on another, home automation on a third, entertainment on a fourth, etc. For WiFi, put each device on a separate WLAN group, and use hidden SSIDs to eliminate unnecessary beaconing polluting WiFi spectrum, and then associate those WLANs with the corresponding IoT VLANs. Now you can control all communication between IoT realms and between IoT, the protected LAN, and the Internet.
    This last control is often overlooked: always filter Internet traffic from each IoT device to only permit addressing the public IPs they actually need, rather than the entire Internet. You can discover which destinations and protocols these are by initially denying all Internet traffic and checking the firewall logs to see what is getting denied.
    This is the standard for enterprise IoT security, as implemented by Cisco, Juniper, etc., and is also the approach used going forward in automobile and aircraft IoT networks. An interesting article on IoT enterprise deployment is www.networkworld.com/article/3213868/3-real-world-examples-of-iot-rolled-out-in-the-enterprise.html

  • @lightrecordsentertainment9720 5 years ago +181

    Can you make a video or an article on your website for the USG? So we can follow along with the USG.

    • @CodeMonkeX 5 years ago +36

      I agree. It seems people with an EdgeRouter are already more experienced, so it would have been a better idea to demo this on a USG and then let the EdgeRouter folks fill in the blanks.

    • @epremsoft 5 years ago +13

      I totally agree!

    • @CrosstalkSolutions 5 years ago +69

      Maybe - but it would take a lot more setup on my side. I don't use a USG internally. Keep in mind though that it's *almost* the same...you just have to do Corporate LAN instead of VLAN-only when creating the IoT network in UniFi...and then just add the same firewall rules in UniFi instead of the EdgeRouter.

    • @madrian_hello 5 years ago +13

      Agreed. I have a full UniFi ecosystem.

    • @muflon2002 5 years ago +4

      +1

  • @chrstauffe 1 year ago

    This is a great tutorial. I used it to build my IoT network about 3 years ago, shortly after you posted it. I finally wised up and built a Pi-hole on an old PC since I can't find a Raspberry Pi anywhere for reasonable. I came back to this video to see what I was missing on my firewall. The rules you have fixed me right up. Your Pi-hole video was really helpful as well.
    At the end of this video you talk about other firewall rules that could be set up. Any chance you have a blog or video talking about those other rules?
    Example: blocking DHCP for anything other than the Pi-hole.

  • @M4l3k0 4 years ago +7

    Finally picked up a managed switch to implement this and worked a dream! Thank you for such good videos explaining everything and making it straight forward.
    I came across one snag. I enabled mDNS but still couldn't see any Google devices - other IoT devices worked and I could control them etc. I found that adding a third rule to IOT_LOCAL to accept port 5353 on UDP fixed the issue. Hopefully this was the right thing to do!

    • @crpledger 4 years ago

      Thanks for the tip! Android devices found my Chromecasts fine but Apple ones didn't until I added the extra rule.

    • @aaronboggs5799 4 years ago

      Thank you! This solved my issue with not being able to see Chromecasts in my IoT network on my trusted LAN. After doing lots of troubleshooting and config tweaks, this is the change that finally resolved it for me.

    • @mikecullen1181 4 years ago

      You rock. This allowed my private LAN to talk to devices on my IDIoT LAN using the Apple Home app. What I'm not able to do is connect to these devices when I am outside the network, i.e. on LTE. Do you think that needs a similar 5353 entry on WAN_LOCAL?

    • @juanmanuelius 3 years ago

      Thanks for the tip!

  • @DRUMSBH 5 years ago +1

    Thank you Chris for the tutorial! Note to others regarding the mDNS repeater: I had to reboot my EdgeRouter X before this would work.

    • @johnraahauge4552 5 years ago +1

      Thank you, Thank you, Thank you!! Have been messing with this for hours until I decided to read the comments. Now it works!!

    • @johnraahauge4552 5 years ago +1

      I also found that I had to make a rule in the IDIoT_Local ruleset to allow UDP 5353 or mDNS wouldn't work both ways

  • @RAKRail 5 years ago

    An informative video Chris... Thanks

  • @Firespyer 5 years ago +138

    The S in 'IoT' is for Security

    • @svampebob007 5 years ago +19

      the IDIoT tag is hilariously ironic.

    • @markarca6360 4 years ago

      @@svampebob007 Hahaha... #lmao

  • @andrewslater6846 5 years ago

    I understand that by having your private network on a separate VLAN from your IoT devices you will save a lot of bandwidth on the private LAN. But, on average, how much bandwidth do the IoT devices eat up on your internet connection? You seemed to touch on internal traffic, but I would like to know how much traffic the devices have to the outside internet.
    This is a wonderful video explaining what the general public should do for IoT setups. I haven't found anything else that covers this topic as simply nor as completely as you have. Thank you!

  • @rawshou136 4 years ago

    You saved me a lot of time! Thank you so much! It works perfectly :-)

  • @Monsieur2068 4 years ago

    Loving the Spaceballs shirt.

  • @joepalovick1915 5 years ago +1

    Great video! Thanks for pulling it all together. My challenge has been trying to get Sonos speakers on an IoT network!

    • @CrosstalkSolutions 5 years ago

      Not every IoT device is going to work on the IoT network. Some require local network access to function - such as Philips Hue. But, if you can get *mostly* everything over there, that's better than not having it at all.

    • @joepalovick1915 5 years ago

      Good point! It seems like cloud-based devices like SmartThings, Ecobee, Echo etc. adapt very easily to an IoT network. Local-network-centric devices, especially like Sonos, are much more difficult. Keep up the great work and thanks again.

    • @madrian_hello 5 years ago

      en.community.sonos.com/advanced-setups-229000/access-sonos-from-a-different-wireless-network-6808767 this?

  • @jjrican72 4 years ago +5

    Hi Chris, do you have a tutorial on how you set up the Pi-hole you mention in your "Secure IoT Network Configuration" video?

  • @MikeySoft 5 years ago

    Thank you for the excellent video. I tested it on an old Sonoff device flashed with Tasmota. The only thing I had to do was add a rule for the IoT network for the MQTT server on my Raspberry Pi. I don't feel I need this for my Tasmota devices but plan to use it for my IoT devices which use the cloud, such as my thermostat and Wyze cameras.

  • @speedup070605 5 years ago

    Hi Chris, thanks for the wonderful content; this helped me a lot in setting up the firewall in my network. Also, hope you don't mind, could you post a procedure on how we can forward UDP broadcast to a certain VLAN? Again, thank you so much for the content you have shared.

  • @mattproto5486 3 years ago +1

    Love to see this video updated for the UDM-Pro. Could you do this for both a main network and guest network setup (showing all three separate but showing the guest or main networks being able to access AirPlay, Chromecast, etc.)? I want to be able to access all networks from the main network, but have my IoT be separated off.

  • @chrisferguson2424 5 years ago

    Thank you, finally I found help with what I wanted to do.

  • @zeddyorg 5 years ago +29

    It would be good if you could show people how to handle devices like Philips Hue, Sonos etc. that need an IGMP proxy. I never got this working on my USG.

    • @ChipLinck 5 years ago +4

      I didn't set up a proxy and Hue works just fine for me. I put all of my IoT on a separate VLAN, and my firewall rules completely separate it from my other 3 VLANs. I control the Hue lights either through my Echo devices, IFTTT applets, or my phone app, which connects through the cloud rather than on the same network. Having said that, my Hue bridge was already set up before I created the IoT VLAN. This setup works for all of my devices except the Harmony hub. In that case I only need it to see my phone if I want to make changes, since I use a Harmony remote rather than the phone app to control my media devices with the hub. I'm using a USG.

    • @chrisdvorak8180 4 years ago +3

      I'd also add the Samsung SmartView app to this list to help with. I just started testing an IoT VLAN network. My Samsung Smart TV (8 series) is hard-wired to my UniFi switch, so I changed the port on the switch to be connected to this VLAN network. This worked to assign an IP within the range of the VLAN. My problem now is that the app on my phone, in my primary LAN network, cannot connect to the TV. It can see it, but not connect. I have tried a bunch of different firewall rules based on your video, but have yet to be successful. Would also +1 doing this same video with a full UniFi system. Love your videos though!

    • @ppi57 4 years ago

      Yes please

    • @TimCancila 4 years ago

      I was able to get Sonos talking from my secure IoT network to my LAN by following the steps from this post community.ui.com/questions/Yet-another-Unifi-and-Sonos-post/933bc98e-55b7-426a-a58b-8a4c6dc03f24#answer/1772e10a-e4b4-450b-a577-8bbbbfa39517

  • @sinterklaashoekschewaard 2 years ago +1

    Great tutorial! Exactly what I was looking for. The only thing I had to do in addition to this tutorial was to allow UDP port 5353 in the IOT_local firewall rules. This made my Chromecasts visible again in my main LAN. Just mDNS did not do the trick for me.

  • @j.j.6461 3 years ago

    Chris,
    You do an outstanding job with the videos! Can you do a side-by-side comparison of EdgeMax vs USG? It would save time and effort for the USG-focused.
    Thanks!

  • @1moobee 4 years ago

    Superb video, thanks!

  • @Sistopha 4 years ago

    Another great lesson.

  • @EmilianoSandler 5 years ago +3

    Amazing video. Followed your config for my network and started transferring my IoT devices.
    I have an EdgeRouter 4, Cloud Key (Gen 1), US-8-150W, 2x UAP-AC-PRO, so the setup is pretty much the same as yours.
    I have a streaming box with Kodi and it's configured to access my media library from my NAS using NFS. If I transfer my streaming box to the IoT VLAN, how do I allow it to connect with NFS to my NAS?

  • @JJFlores197 4 years ago

    Just wanted to say thanks for this awesome video! I'm planning on implementing a fair amount of this on my own home network as well. I'm having some issues in planning on how to do this, though. I'm using Ubiquiti for my networking equipment. I have a USG-3P router, 2x UniFi 8 switches and 1 UniFi AP Lite. I have my home and IoT networks configured and mostly working as I'd like. The issue is trying to figure out how to correctly work my ESXi server and VMs into the equation. As it stands, I have my Windows Server 2019 VM running DHCP and file storage, and 2 Ubuntu servers: 1 for Pi-hole and the other for the Ubiquiti controller. With the current setup, my home network gets IP addresses just fine. The thing I'm trying to figure out is how to get my Server 2019 to handle DHCP for the IoT network. I'm currently using the USG router as a DHCP server for that network, but my goal is to have the Server VM serve IPs for both my home and IoT network.
    If I recall from the couple of Cisco classes I took a few years ago, I need to have trunk ports on my switches in order for my VLANs to work correctly. I don't think Ubiquiti uses the term "trunk" in this use-case and I believe I have that configured correctly on my equipment. The problem I'm having is figuring out how to get my ESXi host and Windows Server VM to work across VLANs. If anyone has any suggestions or pointers, I'd greatly appreciate it.

  • @notguiltystyle 3 years ago +1

    Thanks, works great for wireless devices. How would I allocate one of the EdgeRouter ports for wired devices?

  • @staaldak 3 years ago

    Hey Chris! Thanks for the guide. Much appreciated. I followed the guide to the letter, including setting up an mdns repeater on my EdgeRouter 6P, but I still could not see my Chromecasts (on the IoT vlan) from devices running on my trusted vlan. I solved this by adding the following third rule to the IDIoT_LOCAL ruleset:
    rule 3 {
        action accept
        description "Allow MDNS"
        destination {
            port 5353
        }
        log disable
        protocol udp
    }
    I can now stream to my Chromecasts and TV's on the IoT vlan from devices on the trusted vlan. I hope this helps someone!
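
The pieces from this thread assembled into one complete EdgeOS ruleset pair: packetguy42's default-drop-and-log discovery loop with an egress allow-list, and the UDP 5353 rule that staaldak, M4l3k0 and johnraahauge4552 each had to add. This is an added example, not the configuration from the video. It also answers the recurring question about what "local" means: EdgeOS evaluates the ruleset attached as `in` for traffic that enters an interface and is forwarded elsewhere (another VLAN or the Internet), and the ruleset attached as `local` for traffic addressed to the router itself, which is why DHCP, DNS served by the router and the multicast packets the mDNS repeater listens for all need `local` rules. Assumed, not from the video: trusted LAN 10.0.0.0/24 on eth1, IoT VLAN 107 on eth1.107 as 10.0.107.0/24 with the router at 10.0.107.1 serving DHCP and DNS to that VLAN, and the documentation-range address 203.0.113.10 standing in for a vendor endpoint.

```edgeos
# Added example (not the video's configuration). Assumed addressing: trusted LAN
# 10.0.0.0/24 on eth1; IoT VLAN 107 on eth1.107 as 10.0.107.0/24 with the router
# at 10.0.107.1 serving DHCP and DNS to that VLAN. Entered in `configure` mode.

# Groups: what the IoT VLAN must never reach, and the short list of vendor
# endpoints it may reach. 203.0.113.10 is a placeholder; fill the group from
# the drop log (see the note after the block).
set firewall group network-group PRIVATE_NETS description 'Trusted networks'
set firewall group network-group PRIVATE_NETS network 10.0.0.0/24
set firewall group address-group IOT_CLOUD description 'Vendor endpoints learned from drop log'
set firewall group address-group IOT_CLOUD address 203.0.113.10

# IDIoT_IN: forwarded traffic arriving from the IoT VLAN. Default drop + log is
# the discovery loop: every unknown destination a device tries is logged as
# [IDIoT_IN-default-D].
set firewall name IDIoT_IN description 'IoT VLAN -> everywhere else'
set firewall name IDIoT_IN default-action drop
set firewall name IDIoT_IN enable-default-log
set firewall name IDIoT_IN rule 10 description 'Replies to sessions opened from the trusted side'
set firewall name IDIoT_IN rule 10 action accept
set firewall name IDIoT_IN rule 10 state established enable
set firewall name IDIoT_IN rule 10 state related enable
set firewall name IDIoT_IN rule 20 description 'Never initiate toward trusted networks'
set firewall name IDIoT_IN rule 20 action drop
set firewall name IDIoT_IN rule 20 destination group network-group PRIVATE_NETS
set firewall name IDIoT_IN rule 20 log enable
set firewall name IDIoT_IN rule 30 description 'Allow-listed vendor endpoints only'
set firewall name IDIoT_IN rule 30 action accept
set firewall name IDIoT_IN rule 30 destination group address-group IOT_CLOUD

# IDIoT_LOCAL: traffic addressed to the router itself from the IoT VLAN.
set firewall name IDIoT_LOCAL description 'IoT VLAN -> router'
set firewall name IDIoT_LOCAL default-action drop
set firewall name IDIoT_LOCAL enable-default-log
set firewall name IDIoT_LOCAL rule 10 description 'Established/related'
set firewall name IDIoT_LOCAL rule 10 action accept
set firewall name IDIoT_LOCAL rule 10 state established enable
set firewall name IDIoT_LOCAL rule 10 state related enable
set firewall name IDIoT_LOCAL rule 20 description 'DHCP from IoT devices'
set firewall name IDIoT_LOCAL rule 20 action accept
set firewall name IDIoT_LOCAL rule 20 protocol udp
set firewall name IDIoT_LOCAL rule 20 destination port 67
set firewall name IDIoT_LOCAL rule 30 description 'DNS served by the router'
set firewall name IDIoT_LOCAL rule 30 action accept
set firewall name IDIoT_LOCAL rule 30 protocol tcp_udp
set firewall name IDIoT_LOCAL rule 30 destination port 53
# The rule the thread keeps rediscovering: IoT devices answer mDNS queries by
# multicasting to 224.0.0.251:5353. The repeater on the router receives those
# as local traffic, so without this rule it never sees a Chromecast to relay.
set firewall name IDIoT_LOCAL rule 40 description 'mDNS multicast to the repeater'
set firewall name IDIoT_LOCAL rule 40 action accept
set firewall name IDIoT_LOCAL rule 40 protocol udp
set firewall name IDIoT_LOCAL rule 40 destination address 224.0.0.251
set firewall name IDIoT_LOCAL rule 40 destination port 5353
# Everything else aimed at the router (SSH, HTTPS GUI, SNMP) falls to drop.

# Attach both rulesets to the VLAN sub-interface and run the mDNS repeater
# between the trusted LAN and the IoT VLAN.
set interfaces ethernet eth1 vif 107 description IDIoT
set interfaces ethernet eth1 vif 107 address 10.0.107.1/24
set interfaces ethernet eth1 vif 107 firewall in name IDIoT_IN
set interfaces ethernet eth1 vif 107 firewall local name IDIoT_LOCAL
set service mdns repeater interface eth1
set service mdns repeater interface eth1.107

commit ; save
```

Discovery loop: leave IOT_CLOUD nearly empty, power-cycle a device, then run `show log | match IDIoT_IN` and add the destinations it tried to the group. `[IDIoT_IN-default-D]` entries are unknown Internet endpoints; `[IDIoT_IN-20-D]` entries are the device probing the trusted LAN, which is exactly the behaviour the segmentation exists to contain. A phone on the trusted LAN reaches a Chromecast because the repeater re-announces it on eth1, the phone opens a unicast session into the IoT VLAN (nothing restricts that unless an `in` ruleset is attached to eth1), and rule 10 of IDIoT_IN lets the replies back; nothing here lets the IoT side open a session the other way. Vendor endpoints are often CDN ranges that move, so expect the address group to need periodic updating.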

  • @XorgBot 5 years ago +2

    Great video! ... Talking about IoT, have you heard anything about the Ubiquiti 802.11ax (WiFi 6) roadmap, rumors or other?

  • @mechanix6191 4 years ago +1

    Great video. Having a hard time translating the EdgeRouter firewall to the UniFi controller firewall. For example, I don't see an Interface option and I'm also unsure about setting the source versus destination.

  • @CodySuders 3 years ago +1

    I'd love to see an updated version of this, and using a separate security VLAN for Protect. +1 more for wanting to see this with UBNT gear, maybe a new Dream Machine Pro.

  • @kevin973 4 years ago

    Would be great to have a video for the Secure VLAN and firewall rules!

  • @quezad01 2 years ago

    Great video explanation!!! One suggestion: you should do a video on how to connect to a Sonos speaker in the IoT VLAN from another VLAN.

  • @Akbar_Friendly_in_Cherno 4 years ago +12

    Chris, I thought that "Local" was traffic destined for the router itself. (router services etc) You are saying here that it's on the VLAN itself. And inter-VLAN. Can you elaborate on this please?

    • @MarkFern90 3 years ago

      That's my understanding as well. Was about to comment that and saw your post. Any intra-VLAN communication wouldn't necessarily hit the firewall (i.e. it could just be directed by the switch), so firewall rules wouldn't apply. I'm no expert but I've used the local rule only to limit access to the management interface to the router itself from the unsecure network.

  • @cue03 4 years ago

    Great video. Do all your smart devices still have accessibility from your smartphone or tablet while outside of your house coverage area? If you have a camera that has both a direct connection while on your network and a web connection while not on your network, is that also possible and able to be secured like you have isolated everything else? I don't want to lose functionality or accessibility from anywhere of the "smart" items I am buying or have. Thanks

  • @jimnichols5584 2 years ago

    Great video. Would like to see this done with the UniFi controller instead of the EdgeRouter. Similar concept but nice to see the exact screens.

  • @baldknobby 5 years ago +3

    Would like to see a similar video with USG instead of EdgeRouter. Thanks.

  • @DaniloFusco 2 years ago

    For anyone struggling with VLANs and the dual-WAN feature: you want to add the modify balance profile to the VIF as per the parent eth interface.

  • @timon0x31 4 years ago

    OpenDNS is a very good backup for your IoT network. I also have my USG relay through it, as I don't have a Pi-hole.

  • @richarddinges 3 years ago

    Hi Chris, thanks for this clear tutorial! I'm taking my first steps with the EdgeRouter and to increase my knowledge I set this configuration up... But when I connect to the IoT WiFi and go to the Internet, I get no response. Looking at the statistics of the firewall, it is all blocked by the local default action... drop. For Internet access on the IoT network, do you need to add a firewall rule to allow new traffic? Or am I doing something wrong elsewhere?

  • @jean-lucward6587 4 years ago +1

    Hi Chris
    Please make a video for IoT devices again with the USG router. Please please please. BTW thanks for everything, my UniFi network rocks because of your guidance. You da man

  • @tylerfb1 2 years ago

    I love how he says, "eye dee eye oh tee" network with a straight face, lol.

  • @SheldonMahase 2 years ago

    Great job. Clear, clean instructions.
    I used it on a USG-Pro-4, Cloud Key and a UniFi Switch 16 POE-150W.
    I have successfully blocked all inter-VLAN communication and so on.
    I don't have any Ubiquiti access points.
    I have 2 questions.
    1. I wish to block internal communication between devices inside the guest network?
    2. Is there a way to limit speeds via MAC address or IP without using a Ubiquiti AP?
    I know this can be handled on the Ubiquiti APs.
    I am looking for a firewall rule or a setting without using Ubiquiti APs.

  • @Martin-ot7xj 4 years ago

    Hi there, I have a question. As far as I can understand, we have to make 2 VLANs, 2 DHCP servers and 2 wireless access points, for our private network and IoT, to isolate everything, right? I'm waiting for your answer. Thnx

  • @kbates666 4 years ago

    Ludicrous speed, GO!

  • @igitrust6481 1 year ago

    Thank you for all your videos - I'm new to the home network world and set up my own thanks to you. Any place I can get this detailed info for the TP-Link short stack?

  • @Lee-qy3bc 5 years ago

    Were you able to use the Roku remote app from your phone on the trusted VLAN to the Roku on the IoT VLAN? I could not get it to work; I think it had something to do with SSDP as well as mDNS. But I couldn't narrow it down with Wireshark. I installed Avahi for pfSense.

  • @MajoBeats 3 years ago

    Amazing video

  • @heywood62 5 years ago

    Thanks for this video, I am moving toward Ubiquiti as I can afford it. I would like to add that Chris did a video on why he does not recommend the USG; it's definitely worth looking up. From watching that video I have decided on the EdgeRouter instead. Look it up and you'll see why.

    • @tornadotj2059 5 years ago

      He prefers using the EdgeRouter. He does also sell and support the USG; it depends on what the right tool is for the job. If this were done using a USG, he'd be using all one interface and setting up the VLANs would have gone a bit quicker.

    • @TheRicosauve 5 years ago

      You could also go with a pfSense box... a much more robust and comprehensive FW/RTR. If you stay the Ubiquiti route, get an EdgeRouter and leave the USG alone.

    • @tornadotj2059 5 years ago

      @@TheRicosauve USG can be the right tool for the job. It just depends. I've been running a USG here at my house for over a year and had zero issues. Even the failover feature works great for me.

  • @MShadowZero1 5 years ago +1

    Hello,
    I want to ask how I can cast a file, like YouTube, from one VLAN to another VLAN?
    Thank you

  • @DLong-wp8su 7 months ago

    I have an RT-AC88U main router and an old RT-68U as AiMesh. My thought is for security stuff (PC, phone, iPad, etc.) to be on the main router and IoT (doorbell camera, lights, TV, etc.) to be on the RT-AC68U. I can also set IoT on the main router under "Guest". Which option is best and safe to protect the main router access?

  • @ivanstefko 3 years ago +1

    Hi Chris,
    how did you associate the IDIoT network with the IoT SSID? Is it done automatically by setting the VLAN ID?
    Another thing: why is it necessary to create a new network for IoT? Is it not enough to use the default one? I'm able to obtain the correct IP for VLAN 107 if I have the correct setup on the EdgeRouter and EdgeSwitch for that VLAN (without any other network on the UAP).

  • @marito158 1 year ago

    Thank you for the video. Should I still be able to ping from the IoT network to the protected network?

  • @fredriklundberg4161 4 years ago +1

    I followed the great video, thanks, but have a question. The rule to drop all local traffic on the IDIoT network: does that not mean they cannot talk to each other if needed? Love your videos!

  • @invictuslegend4405 3 years ago

    Great video. I tried this, but from my main LAN I am unable to get to the AP connected to the IoT port. To access the AP, I had to be on the IoT network. What firewall rule should I add or reconfigure so that I can get to the AP @10.0.0.40? I can ping 10.0.0.1 from the main LAN, but no other leases.

  • @myatix1 4 years ago

    Great video Chris... Thanks! :) How do the EdgeRouter VLANs work with a UniFi switch? Do you have to duplicate the same VLANs on the UniFi switch? I.e. configure a VLAN on the EdgeRouter and then the same VLAN in UniFi?

  • @islandsnow 4 years ago

    Is the EdgeRouter required? Can I do all this with a USG, Cloud Key, Ubiquiti switch and Ubiquiti AP?

  • @Eric-vw6kb 3 years ago

    Superb video, and great channel. You should make us a video of the same configuration but in UniFi. It would be much appreciated.

  • @HaouasLeDocteur 3 years ago +1

    It is necessary to add an 'allow' rule for address 224.0.0.251 and UDP port 5353 in IDIoT_LOCAL, otherwise mDNS will not work (devices inside the IoT VLAN will not be able to broadcast). This gave me problems with HomeKit accessories being unresponsive without adding this rule.
    HomeKit accessories will also fail to set up with these rules and I'm still trying to figure out how to overcome this.

  • @erikmarschang2245 5 years ago

    Trying to follow along but with a USG; I think I got most of it figured out. When it comes to your IDIoT_Local, would this be the same as LAN_Local on the USG?

  • @it.gayndah 4 years ago

    Hi, I'm Brad from outback rural QLD, Australia.
    I strongly believe that all IoT must be on its own separate VLAN. I have gone a little further by creating 2 IoT VLANs - IoT & NoT. The second has basically the same rules as IoT as you showed, with a few more including "preferred DNS" and blocking all other DNS servers (I have a standard DNS drop rule on Google IPv4 & 6). Unlike IoT, which can get out to the Internet under a special ruleset, NoT can't get out and can't get to other VLANs either; however the Management VLAN can access the IoT, NoT and Cameras VLANs one way using "New/Est/Related". My Camera VLAN is a bit like the NoT network too, but with the NVR also residing in this VLAN.
    I have gone a little further by giving my Management VLAN (primary Corporate LAN) its own VLAN number. I have a separate TRUNK VLAN that interconnects from the USG-PRO-4 to all my 4 switches and 8 APs etc., for some extra security. I feel this network design gives a little more security. Yes, the security is only as good as the firewall rules!
    I'm just learning all this stuff, and taking it slowly and building my IoT devices which will basically connect to everything in the home and farm.
    Any constructive comments most welcome.

  • @genericcommenter2676
    @genericcommenter2676 3 years ago

    Hi, how does it affect the auto-discovery features, i.e. Apple Bonjour, between mobile devices on the secure LAN and the IoT devices on a separate broadcast domain?

  • @coolcatdom
    @coolcatdom 4 years ago

    Hi Chris, thanks for this video. I'm trying to do a similar setup using the OPNsense firewall. I don't see a similar setting in OPNsense for the advanced rule configuration (20:38). A few posts I read around the Internet suggest that those two options are the default for OPNsense. Is my understanding correct?

  • @johnraahauge4552
    @johnraahauge4552 4 years ago

    Chris, how do I clear the routing tables? I have an EdgeRouter with VLANs set up following your guide. I have some cameras that, after a power surge, can't be accessed across VLANs. Only if I give them new IPs are they accessible again. This has happened a couple of times and I'm getting tired of changing IPs.

  • @gbye007
    @gbye007 4 years ago +1

    This is a bit confusing when you are mixing the Edge Router OS with the Unifi OS. Could you do the same thing for a UDM/UDM Pro? For instance, do I need to block all IoT traffic from LAN Local? At the moment I can still ping 192.168.1.1. Do I need a rule to allow time server requests on port 123 for IoT network?

  • @tedbeckwith2997
    @tedbeckwith2997 4 years ago

    I know it is asked a lot in the comments for a separate USG video but how about just a side by side comparison of the settings you use in the video for the ER with what/where/who they are in USG in a tabular form or graphically shown with screen grabs?

  • @bumgarb42
    @bumgarb42 4 years ago +1

    Is it possible to do this same level of configuration on a UniFi USG Pro 4? If so, could you do a video showing that? I get lost trying to translate the Edge interface to UniFi for DHCP and DNS configuration you do around the 9 minute mark.

  • @anthony..23
    @anthony..23 5 months ago

    Thanks

  • @gp5173
    @gp5173 5 years ago

    Great video and very timely with IoT growing in popularity. One question: will this still allow for HomeKit traffic / control from the outside? For example, controlling an iDevices switch using Apple HomeKit while on the road? My understanding is that mDNS responder 'should' allow that, but if not, can you mention here how you can enable that kind of remote access to control things from outside the home? Thanks

  • @vinstantmsnger
    @vinstantmsnger 1 year ago

    “IDIoT” 😂😂😂 nice!

  • @danbrown586
    @danbrown586 5 years ago +1

    Thanks for this video; it's been something I've been wondering/concerned about for a while. I'm pretty sure I can translate the EdgeRouter setup to my pfSense box, and the Unifi controller instructions will transfer directly to my WLAN, but my main switch is a Dell PowerConnect 5524P. I don't suppose you'd have any suggestions on setting up the "untagged port" there? I'll look through the docs, of course, but the manual is 700+ pages and poorly organized. Thanks again for this one.
    Edit: OK, I think I have it sorted on the switch. First, the ports which feed your AP(s) and your router have the Port VLAN Mode set to "General". PVID is set to your default VLAN ID, VLAN list includes that ID as untagged, and 107 (or whichever ID you choose for the IoT net) as tagged. The port that feeds my Roku has Port VLAN Mode set to "Access" (which is the default mode), with the VLAN List containing only 107. I think my firewall rules still need a little work, but I'm getting there.

  • @BillRiess
    @BillRiess 3 years ago

    Chris, any chance you could do an updated version of this video using a UDM Pro?

  • @chrispistocco
    @chrispistocco 5 years ago

    Great Video!!!!!!

  • @markdeejay7
    @markdeejay7 5 years ago

    Hi Chris.... At 20:40 you explain that the "Allow Established/Related" rule is tied to the network group. This differs from the same stage in Willie Howe's video on the same topic. Can you confirm that both the "Allow" and "Drop" rules on the "IN" ruleset are tied to the network group please? Thanks in advance.

  • @SouthwestComm
    @SouthwestComm 5 years ago

    Great video tho, thank you!

  • @seyioshingooglemailcom
    @seyioshingooglemailcom 3 years ago

    Hi, is it possible to achieve the same result using the EdgeRouter and a different switch? I have a 24-port TP-Link switch already. I have a Raspberry Pi 3B+ at present with the cloud controller installed on it, with 2 UniFi AC Lites. I would need the EdgeRouter to set up VLANs. I'm not confident of the RPi's durability regarding power failures, possibly.
    Thanks

  • @antoniomanuelfidalgo7565
    @antoniomanuelfidalgo7565 5 years ago

    Great video....tks

  • @PaulReedy
    @PaulReedy 4 years ago

    If you were using, say, an EdgeSwitch, how would you configure the ports going to the EdgeRouter and your access point? I've gone through everything, but I'm getting DHCP timeout errors reported from my APs on the IoT Wi-Fi. Devices on the IoT Wi-Fi can't get DHCP. I set both ports on my switch as trunk ports, thinking they would pass all the tag info for the APs to pick up the VLAN tag, but something is still not quite right.

  • @stevenmorris5546
    @stevenmorris5546 2 years ago

    Great videos, nicely explained. I'm getting my Dream Machine Pro in a few days, so I will be using your videos to help me set it up, me being a network novice. I have one question: Siri needs to be on the same network as your iPhone, or so it keeps telling me 🙂 so if you put your iPhone on the main network and Siri on the IoT network, would this work? Thanks again for the great content 👍🏻

  • @therandomking1265
    @therandomking1265 4 years ago

    Where do you get all the Ubiquiti Visio stencils from that you use in all of these videos?

  • @johnemerson3674
    @johnemerson3674 3 years ago

    Your diagram shows an AP for the secure network and a 2nd AP for the IoT network. Are there two APs for security reasons? If not, would it be a good idea to configure one UAP-AC-PRO to broadcast SSIDs for the secure network, the IoT network and a guest network?