IoT device segregation on EdgeOS
Sep 14, 2020
Having a good firewall in place when building a home network is now more important than ever. Traditionally, home firewalls were built to protect the internal local network from connections originating from the internet (that's what you get from an ISP-provided modem/router combo). In this day and age, thanks to the fast rise of smart home gadgets, our home networks are increasingly populated by little computers running firmware that we cannot inspect or manage. A firewall can help us mitigate the potential issues that come with using these kinds of devices.
The intent of this article is to provide a sensible baseline configuration that you can expand to suit your own needs. These concepts can be applied to a variety of SOHO routers (check your router for VLAN tagging support and firewall capabilities between different networks).
The router I've chosen to use for this post is the small and mighty Ubiquiti EdgeRouter X, a five-port router that's plenty capable of handling a medium-to-large home network without breaking the bank. This router runs EdgeOS, a fork of Vyatta, as its stock operating system. I've paired this device with a UniFi Access Point to satisfy all my Wi-Fi needs.
High-level overview
The steps you need to take care of are the following:
- Create a new virtual interface and assign it an IP address;
- Attach the virtual interface to an ethernet port;
- Set up a firewall to isolate this new interface from the rest of your network.
EdgeOS specific configuration
To configure the EdgeRouter we are going to use the CLI. We start a configuration session by typing "configure" into the shell.
1. Create a network group that targets the RFC1918 networks.
2. Set up the firewall to block traffic to RFC1918 networks but allow DNS and DHCP:
   2.1 We are going to allow established and related traffic so that we can access the IoT devices from our other networks.
   2.2 We can't forget to allow DHCP requests so that our devices can get an IP address. It might be useful to allow DNS requests originating from our IoT VLAN too.
   2.3 The last firewall rule we are going to set up is the one that blocks traffic going to our other private network(s).
3. Create a new virtual interface for the VLAN intended to be used by our IoT devices.
4. Assign the firewall ruleset to the in and local sides of the new interface.
5. Set up the DHCP server to listen to the requests coming from the new VLAN.
6. Set up the DNS forwarder to listen on this virtual interface.
7. Configure the mDNS repeater to enable mDNS resolution from our other networks (useful for devices like the Chromecast).
8. Save your configuration with "commit" and then "save".
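The whole procedure as one EdgeOS configuration session is shown below. This is an added example written for this article, not the author's own configuration; it assumes VLAN id 30, the subnet 192.168.30.0/24, a ruleset named IOT, that the access point hangs off eth1 and that the main LAN lives on switch0.

```vyatta
configure
# 1. Network group covering the three RFC1918 ranges
set firewall group network-group RFC1918 description 'Private networks'
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16
# 2. Ruleset: default accept so internet traffic works; rules match in number order
set firewall name IOT default-action accept
set firewall name IOT description 'IoT VLAN towards other networks'
# 2.1 Replies to sessions opened from our other networks
set firewall name IOT rule 10 action accept
set firewall name IOT rule 10 state established enable
set firewall name IOT rule 10 state related enable
# 2.2 DHCP and DNS to the router itself must come before the drop rule
set firewall name IOT rule 20 action accept
set firewall name IOT rule 20 protocol udp
set firewall name IOT rule 20 destination port 67
set firewall name IOT rule 30 action accept
set firewall name IOT rule 30 protocol tcp_udp
set firewall name IOT rule 30 destination port 53
# 2.3 Anything else towards private space (the router included) is dropped
set firewall name IOT rule 40 action drop
set firewall name IOT rule 40 destination group network-group RFC1918
# 3. VLAN 30 sub-interface on the ER-X switch (assumed id and addressing)
set interfaces switch switch0 vif 30 description IOT
set interfaces switch switch0 vif 30 address 192.168.30.1/24
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth1 vlan vid 30
# 4. Same ruleset on the in (forwarded) and local (to the router) sides
set interfaces switch switch0 vif 30 firewall in name IOT
set interfaces switch switch0 vif 30 firewall local name IOT
# 5. DHCP scope for the new VLAN
set service dhcp-server shared-network-name IOT subnet 192.168.30.0/24 start 192.168.30.100 stop 192.168.30.200
set service dhcp-server shared-network-name IOT subnet 192.168.30.0/24 default-router 192.168.30.1
set service dhcp-server shared-network-name IOT subnet 192.168.30.0/24 dns-server 192.168.30.1
# 6. DNS forwarder answers on the VLAN
set service dns forwarding listen-on switch0.30
# 7. mDNS repeater between the main LAN (switch0, assumed) and the IoT VLAN
set service mdns repeater interface switch0
set service mdns repeater interface switch0.30
# 8. Apply and persist
commit
save
```

Rule order is what makes this work: EdgeOS stops at the first matching rule, so if the RFC1918 drop were numbered below the DHCP and DNS accepts, renewals and lookups aimed at 192.168.30.1 would be dropped; `show firewall name IOT statistics` shows which rules are actually being hit.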
At this point you should now have a new VLAN that cannot see your other networks but can still access the internet.
Disclosure: this post contains one or more affiliate links. If you buy something through one of those links you won't pay anything more, but I'll get a small commission that helps me maintain this blog.