Securing WiFi / LAN IoT Network & Devices

Hi there,
I'm a bit of a stickler for network security and enjoy coming up with novel approaches to having a functional and secured LAN.

I've listed a few thoughts below on creating a secure environment and am looking for input and feedback from others on methods to secure a home network.

  • Segment IoT network to its own subnet
  • Create rules that block traffic from the IoT subnet to any other nets, only allowing hubitat(src)->device(dst)
  • Enable a MAC Address whitelist for all devices on the network, denying access from any other devices.
  • Chromecasting or similar? Google is your friend
  • Don't trust your smart TV wireless drivers? Consider buying a WiFi bridge with an Ethernet port to act as a network adapter.
  • Don't trust your smart TV ... at all? Consider buying a Roku / Apple TV / Android TV box that gets frequent updates.

Open to more!


Watch where your devices "phone home" and block it if there is not a very good reason for it (e.g., "Why do my Chinese built IP cameras keep connecting to a site in China?").

Make sure your devices are not bypassing your firewall rules by using IPV6.

Put a hat over your TV's and your PC's cameras when you are not using them.

Keep ALL your software up-to-date (this is vastly easier to say than it is to do).


I have a untangled router with ubiquity access points and Vlan managed switches. I have created network segments for the following:

Appliances (TV's, Xboxes, Roku's and if ever washer /dryer /refrigerator)
IoT (Smarthings, Hubitat, Ecobee, Dashboard Tablets, etc)
Network devices-core (NAS, Time Server, DNS, others )
Personal Devices (Phones, Tablets, and computers)
Guest Devices (Wifi only)

Each of these segments have their own firewall rules and I block as much of the IoT traffic to the internet since tablets that run dashboards don't need to be talking to amazon or google if they are just displaying my dashboards.

Untangle router has provided a good method of creating rules that allows very granular rules based on the host and the vlan they are on.