I have a roommate situation, so I just put all her stuff on one and all mine on the other. She doesn't need access to my files, ever. I don't need access to her stuff, ever. My Fire Stick requires access to my Plex, locally; my phone requires access to my FreeNAS for backup, locally. Putting those on IoT is just more of a hassle. I'm also running a Meraki network, so I'm not too worried about someone getting into my firewall. The crazy thing is, I work in the MSP world and a lot of companies look at you like you're an idiot when you talk about segmenting for VoIP, let alone an IoT network. This is a very good explanation of how and why, Tom. Keep up the good content.
Why? Is it because he's using a firewall to separate trusted vs untrusted devices?
Network Video Recorder Recorder!
Redundant initialism is redundant!
Thanks for the great in-depth explanation and thought process, Tom. Not enough people do that "thinking" thing these days.
At last check Untangle never supported multicast DNS/DNS-SD service discovery, so I stayed clear of it and went back to pfSense from USG. Would be good to see a video of setting up Untangle for an IoT VLAN with mDNS if it is possible. Keep up the great videos, cheers.
^^^^ This. IMO, I just created block rules so IoT devices can't talk to my servers and other important devices.
I use Untangle !
@@JasonLeaman Hey. It's generally whatever works for the end user. mDNS is a crucial part of my network design, much like @Scott T mentions in his comment. I have a Guest VLAN as well as an IoT VLAN, so without mDNS the "Guests" cannot use Sonos, Chromecast etc... Similar with my main LAN, where we cannot control various IoT devices across the VLAN.
Going full-fledged tin foil hat mode, using the above method may still allow access to your "protected" nodes using a proxy node which has access to both devices. Once you are in the LAN things get a lot easier. But hey, we are talking about a home setup here and I doubt anyone will be specifically targeting any one of us individually at that level of detail; I just like to always assume they may.
The S in IoT is for security
There is no S....Oh! :-)
How do we troubleshoot a rule we set up? Like a printer not being able to update itself? How do you track a rule that's being blocked?
What about a NAS, used for both backups of data and for movie storage?
Firewall, my friend. You'll need more than the basic home router. Get an SG-1100.
NAS is good for NVR and data storage, but it is like any other computing client on your network. It's critical to afford it the same firewall protection. At issue is that most retail firewalls protect inbound communication. Do you trust that the NAS or IoT is communicating outbound from your network in a secure way? An Intrusion Protection System (IPS) implemented by Unifi or pfSense goes way farther in auditing that outbound traffic. It's all about trust.
NAS should be on a "secure" VLAN. The main issue with the IoT devices is that once they are through your internet-facing firewall, and hence in your network, they are in, and there is very little a firewall can do once they are on the LAN. IP blocking doesn't do a great deal, as it is Layer 2 traffic, plus you can spoof an IP or use a zombie node. Moving IoT on to a different VLAN means they have to go back through the firewall, as it is Layer 3 traffic. A good setup is to block all traffic from the IoT VLAN to any other VLAN and only allow access to the internet. For internal traffic you should only allow communication to be initiated with the IoT devices from another network, and use mDNS to keep all the same functionality you would have if you were on the same VLAN. Just my view though.
At the end of the video you talked about the Amazon Dot being a privacy issue. Is there anything we can be doing to protect privacy (via pfSense or other), or is it just the reality of using devices like that?
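The policy in the comment above (IoT VLAN blocked from every other VLAN, internet only, connections initiated from the trusted side, mDNS kept alive) and the earlier question of how to tell which rule is blocking something can be checked together from the firewall's own block log. Below is an added example, not code from the video or any commenter, that parses pfSense filterlog lines in their CSV layout and labels each block as the policy working or as something to investigate; the VLAN addressing, interface names and log lines are constructed for illustration.

```python
import ipaddress
import re
# Assumed VLAN layout, constructed for this example; adjust to your own addressing.
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24"),   # main LAN
                 ipaddress.ip_network("192.168.30.0/24")]   # "secure" VLAN holding the NAS
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
CSV_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")

def parse_filterlog(line):
    """Parse one IPv4 pfSense filterlog line into a dict (None if unparseable)."""
    m = CSV_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Common fields: rulenr, subrulenr, anchor, tracker, interface, reason, action, dir, ipver
    if len(f) < 20 or f[8] != "4":
        return None
    # IPv4 fields follow: tos, ecn, ttl, id, offset, flags, protoid, proto, length, src, dst
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
           "src": ipaddress.ip_address(f[18]), "dst": ipaddress.ip_address(f[19])}
    if f[16] in ("tcp", "udp") and len(f) >= 22:   # then srcport, dstport, ...
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec

def classify(rec):
    """Label a block entry: the policy working as intended, or something to investigate."""
    if rec["action"] != "block":
        return "pass"
    src_iot, dst_iot = rec["src"] in IOT_NET, rec["dst"] in IOT_NET
    src_int = any(rec["src"] in n for n in INTERNAL_NETS)
    dst_int = any(rec["dst"] in n for n in INTERNAL_NETS)
    if src_iot and dst_int:
        return "expected"      # IoT -> other VLAN is exactly what the policy blocks
    if src_iot and rec["dst"] == MDNS_GROUP:
        return "mdns-blocked"  # discovery breaks until UDP 5353 to this group is allowed
    if src_int and dst_iot:
        return "unexpected"    # LAN-initiated traffic to IoT should pass; check rule order
    return "other"

def triage(lines):
    """Return (tracker id, classification) for every parseable block entry."""
    return [(r["tracker"], classify(r)) for r in map(parse_filterlog, lines) if r]

SAMPLE_LOG = [  # constructed lines in filterlog's CSV layout, not real captures
 "Mar  3 10:15:01 pfSense filterlog[23589]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.20.50,192.168.30.10,49152,445,0,S,1,,65535,,mss",
 "Mar  3 10:15:02 pfSense filterlog[23589]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,255,2,0,none,17,udp,128,192.168.20.50,224.0.0.251,5353,5353,108",
 "Mar  3 10:15:03 pfSense filterlog[23589]: 7,,,1000000207,igb1.10,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.10.20,192.168.20.50,50000,8080,0,S,2,,65535,,mss",
]
```

The tracker id in each result is the value pfSense shows next to the rule in its GUI, which is how you find the rule that produced the block.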
Just a case where printers have access to the web: printers supporting Google Cloud Print are sometimes useful in our offices to print administrative stuff from a remote office to our main site.
We don't care about bigG having our data, because we store all our documents on Drive :D :D :D
Nice content as usual! Keep it up with the great work! Love it
VPN !
Google cloud print service will be shut down, no?
Hi Tom, luv the show.. :p What about the HP printers with the Instant Ink subscription? They reach out often to the mother ship at HP.
How would you handle that situ? Rules, or put it on the IoT side (my choice)? Thnx
I think most people watching your videos have their own cloud, so what will you do if my IoT must talk to the rest of the network?
Thanks, great video
You have a typo in the description:
Google Fi Service Referla Code
"Referla"
thanks
Tks for this video....
Good video !
I think IoT is rubbish: the more stuff you have with IoT, the more firmware you will have to update. By the time you are old you will be unable (mentally unable) to keep up to date with all the firmware around your house. Like Ring/security cameras, computers, tablets, phones, cars, televisions, media players etc.
Lossy Lossnitzer you sound like John C Dvorak 🤣