Subnets and Routing


One of the biggest reasons to set up your own home network is to manage the security and privacy of all the devices on the network. One big factor is to isolate risky devices from sensitive clients. Examples of risky devices include cheap IoT devices such as smart lights and switches that have poor or questionable programming, or game consoles that want to open lots of ports to the internet. The easiest method is to put all the risky clients on their own network where they can’t reach your computer, laptop or phones.

I have previously experimented with this by borrowing a WiFi range extender and setting it up as a WiFi access point to create a separate WiFi network from my home network that was just for a couple of cheap smart switches. The switches had been bought online from China and were very cheap, so I had some doubts about the quality of their security programming. The WiFi access point had its own DHCP server and the smart switches were assigned IP addresses on a different subnet than my home network.

As a quick example, my home network is 192.168.0.1/24 (subnet mask 255.255.255.0). This means clients on the network can have an IP address from 192.168.0.2 to 192.168.0.254, and the address 192.168.0.1 is reserved for the router. If a client on the network wants to talk to a client with an IP address outside the range of IPs in the 192.168.0.1/24 subnet, that traffic is referred to the gateway for routing to a different network.

The IoT smart switches were connected to their own WiFi network that had the network 192.168.10.1/24. So the smart switches would be assigned an IP address between 192.168.10.2 and 192.168.10.254. If one of these switches was trying something naughty like scanning the network to see what other clients are there, it would only see the other IoT devices and nothing else. This isn’t perfect because I had the WiFi access point connected to my router, and it would be possible for a device on the IoT network to probe devices on my home network, but the device would need to know the subnet of my home network.

A question I had is whether devices on my home network would be able to control the IoT devices. If the lights are on a different network than my phone, could I operate the lights from my phone? The answer is that since the lights are designed so they can be operated from anywhere, they don’t directly communicate with my phone. Instead they communicate with their manufacturer’s own server, and my phone sends commands to the lights via the server. This means that the light switches only need access to the internet to work. It also concerns me that there is something on my network constantly pinging a server overseas. So there is another reason to isolate these devices and keep them in the dark as to what else I own.

To set up the IoT devices I am required to use an app on my phone. A smart switch has one button and one indicator light, so entering a WiFi password would be difficult to do on the device. When setting up the device from the phone, the app generally uses the details of the WiFi network that the phone is connected to. This means I need to switch my phone’s WiFi to the IoT network before setting up the device and then switch back after the device is set up.

After upgrading my WiFi to the Ubiquiti Unifi access points I could set up multiple WiFi networks on the one access point. This means I didn’t need a separate access point for each network. This keeps the cost down and also allows me to manage all the different networks from the one interface. I now have two different networks, each with its own SSID: my home network and an IoT network.

Since both networks are running on the same router, I am able to set up routing rules that prevent the two networks from communicating with each other. In fact I have set up rules that prevent devices on the IoT network from communicating with each other. As far as each IoT device is concerned, it is alone on the network and only has access to the internet. Of course this only works with layer 3 IP traffic, and the devices could still use layer 2 Ethernet protocols to ping other devices on both networks. The Ubiquiti access points can limit inter-network Ethernet traffic, but my cheap switch that connects the access points to the router doesn’t have any such features. When I upgrade the switch to a managed switch I can enable VLANs for each network and lock down the layer 2 traffic as well.
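The subnet arithmetic from the home and IoT network examples above, and the layer 3 isolation policy just described, modelled as an added example (not code from the original post). It assumes the router holds the .1 address on each subnet and that "internet" means any non-private destination.

```python
import ipaddress

# The post writes the networks as 192.168.0.1/24 and 192.168.10.1/24;
# strict=False lets ipaddress normalise those to their network addresses.
HOME = ipaddress.ip_network("192.168.0.1/24", strict=False)
IOT = ipaddress.ip_network("192.168.10.1/24", strict=False)
# Assumption: .1 on each subnet is the router, as the post says for the home LAN.
GATEWAY = {HOME: HOME[1], IOT: IOT[1]}


def host_range(net):
    """First and last address a DHCP client may receive (.1 is the router)."""
    return str(net[2]), str(net[-2])


def next_hop(src, dst):
    """Where a client sends a packet: directly on its subnet, or to the gateway."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net in (HOME, IOT):
        if src in net:
            return "direct" if dst in net else str(GATEWAY[net])
    raise ValueError(f"{src} is not on a known subnet")


def allowed(src, dst):
    """Layer 3 policy from the post: IoT clients may only reach the internet.

    Home clients talk to each other and to the internet but not to IoT;
    IoT clients are isolated from the home LAN and from each other. Only
    routed IP traffic is judged here: layer 2 traffic on a shared unmanaged
    switch never passes these rules, which is why the post wants VLANs.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in IOT:
        return not dst.is_private      # internet only, never LAN or other IoT
    if src in HOME:
        return dst not in IOT          # home LAN and internet, never IoT
    return False                       # unknown source subnet: deny


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    flows = [("192.168.10.7", "192.168.10.8"),   # IoT -> IoT
             ("192.168.10.7", "192.168.0.20"),   # IoT -> home
             ("192.168.10.7", "93.184.216.34"),  # IoT -> internet
             ("192.168.0.20", "192.168.10.7"),   # home -> IoT
             ("192.168.0.20", "192.168.0.30")]   # home -> home
    for s, d in flows:
        print(f"{s} -> {d}: via {next_hop(s, d)}, allowed={allowed(s, d)}")
```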
