RESET Forums (homeservershow.com)

IoT WiFi VLAN and Ubiquiti

Jason

Have any other Ubiquiti users gone about setting up a Ubiquiti WiFi VLAN for the purposes of isolating all of their IoT devices?

Would appreciate if anyone can share best practice here.

All of my Ubiquiti APs are currently running off of a Ubiquiti managed switch. However, that switch is not currently connected to a dedicated NIC on my Untangle appliance.

oj88

We live in a compound with 4 families (parents and my sibling with their own families). I have set up VLANs for each home so that our IoT devices don't see each other. We predominantly use Echo devices.

That said, I did not dedicate the IoTs to specific VLANs. Hindsight is 20/20, so it would probably have been a good idea to do so. But I'm now too deep into my setup and frankly, I'm just too lazy to move them into their own VLAN. Besides, there are situations where the IoT must be within the same SSID or VLAN as your mobile phone for management purposes. As an example, you won't be able to manage Google Home devices when you're not within the same VLAN.

Jason

Great info! Right now I have my IP Cams on a VLAN, but otherwise my IoT devices are simply on their own WiFi network on my LAN. Not separated from the rest of my LAN.

pcdoc

I am doing that exact thing. I did do a short generic video on my YouTube channel. Not sure if this will help you.

ShadowPeo

Yes, I have an IoT VLAN, and depending on the device, what the T stands for varies. I have basically anything I can on the IoT VLAN where there is no need for it to access anything else. I can enable "local" use over the router if needed (allowing multicast to route between VLANs, for example); if it needs local access and that cannot be done across VLANs, then I will put it on the main network instead.

I have also got a separate network for the security cameras, another one for guests, etc. This design is changing with me moving to a new (larger) property in a few weeks, and the design is in the process of being documented and shared.

Jason
pcdoc said:

I am doing that exact thing. I did do a short generic video on my YouTube channel. Not sure if this will help you.

Great video. Hadn't seen it before. I have 6 Ubiquiti APs currently for my WiFi network. On the Ubiquiti WiFi network, I currently have set up 3 wireless networks: home, guest (w/ guest isolation) and IoT. All Ubiquiti APs are plugged into a Ubiquiti managed switch. Would this mean that I still assign all 6 APs the same VLAN ID (in your case 200)? Since I have wireless IoT devices scattered throughout the area, they each use the nearest AP and connect to the appropriate SSID for my IoT network.

pcdoc
36 minutes ago, Jason said:

Great video. Hadn't seen it before. I have 6 Ubiquiti APs currently for my WiFi network. On the Ubiquiti WiFi network, I currently have set up 3 wireless networks: home, guest (w/ guest isolation) and IoT. All Ubiquiti APs are plugged into a Ubiquiti managed switch. Would this mean that I still assign all 6 APs the same VLAN ID (in your case 200)? Since I have wireless IoT devices scattered throughout the area, they each use the nearest AP and connect to the appropriate SSID for my IoT network.

If I understand, then yes, you can have the VLAN on all your access points, which will allow you to distribute IoT devices anywhere you want.

Jason

It’s going to take me some time to digest this. I noticed your physical NIC Port 3 in Sophos is a LAN with static IP 10.0.0.1 with NM 255.255.255.0 (/24). And that’s also the port to which you’re binding the VLAN ID 200.

Are you able to show the settings for NIC Port 3 within Sophos? Am trying to connect dots between a 10.0.0.1 / 255.255.255.0 LAN port (is DHCP enabled?) and a VLAN ID 200 mapped to Port 3 with a 192.168.200.1 /24 address.

For example, how does LAN port 3 get access to the internet (or your WAN Port)? How does it get access to your actual LAN for WiFi devices on Ubiquiti AC Pro that aren’t IoT?

Thanks for your knowledge and patience.

 
If I understand, then yes, you can have the VLAN on all your access points which will allow you to distribute IOT devices anywhere you want.


OK. I’m just trying to have 3 WiFi networks broadcast in the area. Call them SSIDs home, guest and IoT. Only devices connected to the IoT SSID should be isolated to VLAN ID 200 for example.

Devices connected to Home SSID would be my personal devices (trusted).

Am using Ubiquiti guest isolation on the guest SSID for now. Seems alright. Only have a couple users on it. Perhaps once I’m tracking this IoT VLAN config, I’ll then create a VLAN 300 Guest, etc.

pcdoc
22 minutes ago, Jason said:

It's going to take me some time to digest this. I noticed your physical NIC Port 3 in Sophos is a LAN with static IP 10.0.0.1 with NM 255.255.255.0 (/24). And that's also the port to which you're binding the VLAN ID 200.

Are you able to show the settings for NIC Port 3 within Sophos? Am trying to connect dots between a 10.0.0.1 / 255.255.255.0 LAN port (is DHCP enabled?) and a VLAN ID 200 mapped to Port 3 with a 192.168.200.1 /24 address.

For example, how does LAN port 3 get access to the internet (or your WAN Port)? How does it get access to your actual LAN for WiFi devices on Ubiquiti AC Pro that aren't IoT?

Thanks for your knowledge and patience.

OK. I'm just trying to have 3 WiFi networks broadcast in the area. Call them SSIDs home, guest and IoT. Only devices connected to the IoT SSID should be isolated to VLAN ID 200, for example.

Devices connected to Home SSID would be my personal devices (trusted).

Am using Ubiquiti guest isolation on the guest SSID for now. Seems alright. Only have a couple users on it. Perhaps once I'm tracking this IoT VLAN config, I'll then create a VLAN 300 Guest, etc.

Good observation, and sorry about the confusion, but the video was done from the test environment. Port 3 on my Sophos router is 192.168.20.xxx, not the 10.0.0.1 on my actual system. The VLAN is on 192.168.200.xxx. I used different ranges on the video as my test environment is set up a bit differently. Every NIC, physical or VLAN, is on a different IP range. I hope that makes more sense.

Jason
 
Good observation and sorry about the confusion but the video was done from the test environment.  Port 3 on my Sophos router is 192.168.20.xxx not the 10.0.0.1 on my actual system.  The VLAN is on 192.168.200.xxx.  I used different ranges on the video as my test enviorment is setup a bit different.  Every NIC physical or VLAN is on a different IP range.  I hope that makes more sense.


No worries. That helps. So your actual system has a single WAN and LAN ports (physical), but each VLAN is bound to that same physical LAN port, correct?

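The segmentation the thread converges on (trusted LAN may reach IoT devices for management, IoT VLAN 200 reaches only the internet, guests reach only the internet, and multicast such as mDNS never leaves its VLAN, which is why Google Home devices cannot be managed from another VLAN), written out as a small forwarding-policy model. This is an added example, not pcdoc's Sophos or Ubiquiti configuration; the LAN (192.168.20.0/24) and IoT (192.168.200.0/24) ranges follow the thread, while the guest VLAN 300 range and the zone-to-zone policy table are assumptions.

```python
import ipaddress

# Constructed zones: the LAN and IoT VLAN 200 ranges follow the thread; the guest
# VLAN 300 range is an assumption. Every VLAN sits on its own subnet, as pcdoc notes.
ZONES = {
    "lan":   ipaddress.ip_network("192.168.20.0/24"),   # trusted phones/laptops
    "iot":   ipaddress.ip_network("192.168.200.0/24"),  # VLAN 200, IoT SSID
    "guest": ipaddress.ip_network("192.168.30.0/24"),   # VLAN 300, assumed range
}

# Which zone may INITIATE a connection into which (assumed policy). Only the initiating
# direction is listed: replies are matched by connection tracking, so IoT needs no
# rule toward LAN to answer a phone that opened the session.
POLICY = {
    "lan":   {"lan", "iot", "guest", "wan"},  # trusted side can manage IoT devices
    "iot":   {"iot", "wan"},                  # IoT gets the internet and nothing else
    "guest": {"wan"},                         # guests get the internet only
}

def zone_of(ip: str) -> str:
    """Map an address to a zone name; multicast/link-local are never routed."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_link_local:
        return "link"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan" if addr.is_global else "other"

def allowed(src: str, dst: str, established: bool = False) -> bool:
    """Would the router forward a packet from src to dst under the policy above?"""
    s, d = zone_of(src), zone_of(dst)
    if d == "link":
        # mDNS (224.0.0.251) stays inside its VLAN, so cross-VLAN discovery of
        # e.g. Google Home fails unless the router reflects multicast (oj88's point).
        return False
    if s == d and s in ZONES:
        return True    # same VLAN is switched at layer 2 and never hits the firewall
    if established:
        return True    # return traffic of a flow the initiator was allowed to open
    return d in POLICY.get(s, set())
```

A packet from IoT toward the trusted LAN is dropped unless it is the reply half of a flow the LAN side opened, which is the property the dedicated IoT VLAN is meant to give you.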