Separate IoT VLAN

I wanted to start a new topic to see what others experience has been with advanced network setups.

Recently I got a Unifi Gateway Cloud Max and am thinking about going down the path of separating a few of my device types into dedicated network segments (VLANs).

As of right now I have 3 VLANs: my default secure VLAN, a dedicated VLAN for IoT devices, and a Work VLAN mainly to isolate my work laptop from everything.

The IoT VLAN's current rule setup is as follows.

  1. It has access to the internet
  2. Access from the default (Home VLAN) can open connections to the IoT VLAN
  3. Any traffic coming from the IoT VLAN is dropped coming to the Default VLAN
  4. "IOT Auto Discovery" is enabled to allow mDNS to span both the default VLAN and IoT VLAN
  5. A rule has been added to enable access from streaming devices to my Plex server

My Wi-Fi based IoT devices are as follows:

  1. A bunch of Govee devices that use a mix of Cloud API, Lan API, and Matter
  2. Chromecast devices like a TV and a few Google Home Mini,
  3. A couple Eufy cameras until they are replaced,
  4. Ecobee Thermostat
  5. A few Air Gradient Devices
  6. Rokus, One TV and two streaming Sticks
  7. Nintendo Switch,
  8. 3d Printer
  9. Some Wiz Smartbulbs.

For the most part I have been able to get it to work so far. I have run into a few issues though.

Govee and Chromecast have been pleasantly easy. Govee just works with the default setup. The Matter issues have presented a slight issue for those types of devices, though.

Chromecast has worked as well, as long as the mDNS stuff is working; occasionally it seems to have a small delay.

I haven't tested the Eufy cameras yet, but I suspect it won't be too bad with them either.

The Air Gradient devices with the new drivers are polled from the Hubitat, so that will work because of the rule allowing all traffic from the internal network to the IoT network.

I don't expect Ecobee to be an issue since I use Ecobee Suite to manage it and that is all cloud based.

The Rokus are really the biggest issue, as they don't seem to have a good way to work well in an isolated VLAN. I have tried applying some rules I have found online that discuss what is needed, but none of it seems to work.

Matter also seems to kind of work. I was able to add a test switch to HA across VLANs once, but then it failed when trying to add with Hubitat. After that I couldn't get it to reset and add to anything again with Matter.

I haven't tried the Wiz bulbs yet, but I don't expect them to be too bad; I need to pick a bulb to test with.

Lastly, I am not worried about the Switch or the 3D printer. They should be easy to do and will probably work with the existing rules.

So I guess, after all that, do any of our network experts out there have any suggestions for Roku to get it fully working?

Now of course I don't have any rules to filter the IoT devices from talking to the internet. That could get messy fast I think, and would probably be part of Phase 2 if I take it that far.

What aren't the Rokus doing when you have them on the IoT VLAN? I have:

Rokus
Xboxes
Ecobee
Cell phones
Weather station
Amazon Echos
Govee
Harmony Hub
and others

For the PC network I just have my laptop, desktop, and printers.

For the Guest network I have my work PC and other devices from the kids when they are over.

For the Server network I have NAS, and other services via ProxMox virtualization.

I run my VLAN on an EdgeRouter 12 and have a couple of Unifi APs and managed switches. I have pretty much exactly the same IoT VLAN setup as you do below. On the Wi-Fi side I have a Google Home, a couple of HomePod minis, an Alexa, an Ecobee, Chromecast, Ring cams, HA on a Pi, a few Matter/Wi-Fi Tapo plugs, and a 3D printer (currently disconnected pending creating a new home for it) w/ a printer status integration. Everything "just works," which has been nice. Have, but don't use, a Roku.

I set the VLAN up originally only partly because I liked IoT being separated from my personal stuff, but also significantly because it was a fun project to learn how to set up/use a VLAN. Kind of an "I'd always wanted one" situation. :wink:

2 Likes

This is what has stopped me from actually implementing a few VLANs for my network at home.

I’m worried I will break some kind of connectivity that doesn’t bridge across VLANs well.

@ronv42 what kind of firewall rules do you use to block or allow traffic between VLANs?

1 Like

The Rokus themselves work fine from the remote. The loss of functionality is when you try to use your phone to interact with them, well, the one I am testing with. I honestly haven't even checked if Hubitat can talk to them. I haven't fully decided if I will move the Hubitat to the IoT network or not yet.

The loss would really be for apps that don't exist on the Roku but I want to cast from my phone. I just noticed you have phones on your list of devices on the IoT network, so that would certainly fix the concern I am having.

I am currently in the testing phase. As I think of new tech to test, I have moved non-essential devices to test. Got to keep the WAF up, you know.

I would be lying if I didn't say this was part of my motivation as well. Since I have the tech to do it, I figured I should try it out.

2 Likes

Ok, I see the issue. Are you putting your phones on a "Trusted" network vs. "Untrusted"? I use these terms in the strictest sense: the owner of the phone can't manage the phone like you can do with PCs, thus our cell phones are on the IoT network, and if you really wanted to use the app, it works.

If I was to put my phone on the PC network, even with firewall rules to open PC to IoT with the IP address of the Rokus, the app doesn't work as you stated. Roku for some reason doesn't use mDNS or any type of IP relay services. Your controlling device must be on the same subnet.

I use a full deny all on all my networks and then rules to get access to the device/port for the services. I am using pfSense as my firewall and rules are pretty simple to write. The rules look something like this:

From: IoT Network To: Server Network DNS port 53 allow
From: IoT Network To: Server Network Time port 123/udp allow
From: IoT Network To: Server Network NAS port 3800 allow (Emby Media Server)
From: IoT Network To: RFC'd private addresses BLOCK (covers every private address)
From: IoT Network To: non-RFC'd private addresses Allow to WAN
From: * To: * BLOCK (the last rule in the chain)

1 Like

As an aside, how do you like it so far? Given the age of my EdgeRouter 12 and updates few and far between, I'm always thinking about what my next "box" will be when it fails. The Cloud Max looks pretty cool...

FWIW I do have my hub (all my hubs, HE, Hue, Lutron, etc.) on my IoT network, should have mentioned that above.

So far I really like it. It was my first foray into Ubiquiti and their suite of products. It was a significant jump from my 3 puck Google Wifi(gen1) solution I had previously. Because I was replacing the Google Wifi,

I had been thinking about it for a while myself, as I was starting to hit the previous system's ceiling of abilities, but wasn't sure what would be the best solution to jump to. I had also taken a hard look at the Unifi Express and the Unifi Cloud Gateway Ultra previously. What finally got me was that the UCG-Max had 5x2.5GbE instead of just 1GbE, the full stack of Unifi applications instead of just Network, and some storage for Unifi Protect built in. The storage meant I didn't need another appliance for Protect. The Max also supports up to 30 Unifi devices, so I wouldn't be hamstrung like the Express. The 2.5GbE was a big thing for me as well, since all of Unifi's Wi-Fi 7 gear needed 2.5GbE as their uplink.

At this point I have the UCG-Max, U6+ AP, U7 Pro Inwall AP, G4 Instant camera, and a USW Flex Mini 2.5GB Switch.

My only complaint is I do think Unifi needs an affordable 2.5GB utility switch with PoE to supplement the UCG-MAX, but that is really my only complaint so far. Right now both of my APs are using injectors for power instead of a manageable switch. Right now the only switches that can do 2.5GbE and PoE are fairly pricey for a home user. The Enterprise 8 PoE is really the only utility type switch that doesn't go in a rack, and it is 479, which is over twice the cost of the UCG-MAX. I think the perfect option would be an upgraded Ultra switch with 2.5GbE. I would jump on that as soon as it was announced.

Update >>> The above paragraph is no longer valid. Unifi released the Flex 2.5 and Flex 2.5 PoE switches, which are 8 port 2.5GbE switches that also include a 10GbE multi-speed/combo port and an SFP+ port for uplink. I now have one of these between my UCG MAX and the rest of my network.

3 Likes

I have a similar configuration.
I use pfSense. pfSense also supplies NTP, DHCP and DNS.

I have a VLAN for IoT devices only. Things like motion sensors, lights, switches, plugs, amplifiers.
This VLAN has no access to the internet.
I also have AppleTVs and Apple HomePods on the IoT VLAN.
These have specific rules that allow them to the Apple network and a few other ports for streaming TV.

I have another VLAN for cameras only. I also block all traffic to the internet for these cameras.
I use Ubiquiti cameras and network devices.

I have another VLAN for household members to get to the internet and control the TVs, amplifiers.

I have another VLAN for guests. It's a guest VLAN portal with authentication to get on the network.

Household members are allowed to the internet on web ports and high ports. They are allowed access to the internal NTP, DNS.

Guest users are allowed to the internet on web ports only. They are allowed access to internal NTP, DNS.

IoT devices are blocked to the internet and allowed to internal NTP, DNS.

Cameras and network devices are blocked to the internet and allowed to internal NTP, DNS.

I have a scheduled rule that opens specific firewall ports for checking for updates of HE, IoT devices and Ubiquiti consoles.

To fix the issue of hard-coded products and users that try to evade controls, I have NAT rules that convert any NTP, DNS queries and redirect them to my internal NTP, DNS.

On top of everything, all endpoints use Pi-hole as DNS. The Pi-hole uses the pfSense to resolve everything. The Pi-hole sends all unwanted queries to the bit bucket.

When I leave the house I enable a rule that allows remote access into the cameras. This rule exists because Ubiquiti tries to force connections out to Amazon servers that sometimes cause laggy response before it fails over to local access. With no access to the internet it's always a quick response. I plan on creating a geofence rule that does this for me automatically; just haven't figured that part out yet.

1 Like
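The deny-all chain quoted above (IoT to DNS/NTP/NAS allowed, IoT to any other private address blocked, IoT to WAN allowed, block everything else) and the NAT redirect in the later post that forces hard-coded DNS/NTP to the internal server are modelled below as a first-match evaluator. This is an added example, not anyone's pfSense config; the subnets, the 10.0.30.2 resolver address and the 10.0.30.10 NAS address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addressing for the example (assumption, not the thread's real subnets).
IOT_NET = ipaddress.ip_network("10.0.20.0/24")
INTERNAL = ipaddress.ip_address("10.0.30.2")   # assumed internal DNS + NTP server
NAS = ipaddress.ip_address("10.0.30.10")       # assumed NAS running the media server
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def from_iot(p):
    return ipaddress.ip_address(p.src) in IOT_NET


def to_private(p):
    return any(ipaddress.ip_address(p.dst) in n for n in RFC1918)


def redirect(p):
    """NAT step: DNS/NTP from the IoT VLAN is rewritten to the internal server
    before filtering, so a device hard-coded to 8.8.8.8 still lands locally."""
    if from_iot(p) and (p.proto, p.dport) in {("udp", 53), ("tcp", 53), ("udp", 123)}:
        return replace(p, dst=str(INTERNAL))
    return p


# First-match filter chain mirroring the quoted rule list; order matters.
RULES = [
    ("iot->dns", lambda p: from_iot(p) and p.dst == str(INTERNAL) and p.dport == 53, "allow"),
    ("iot->ntp", lambda p: from_iot(p) and p.dst == str(INTERNAL) and (p.proto, p.dport) == ("udp", 123), "allow"),
    ("iot->nas", lambda p: from_iot(p) and p.dst == str(NAS) and (p.proto, p.dport) == ("tcp", 3800), "allow"),
    ("iot->rfc1918", lambda p: from_iot(p) and to_private(p), "block"),
    ("iot->wan", lambda p: from_iot(p) and not to_private(p), "allow"),
    ("default", lambda p: True, "block"),
]


def decide(p):
    """Return (matched rule, verdict, packet after NAT) for one flow."""
    p = redirect(p)
    for name, match, verdict in RULES:
        if match(p):
            return name, verdict, p
```

Swapping the rfc1918 and wan rules would let IoT reach every private subnet, which is the ordering mistake the evaluator makes visible.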

A separate IoT VLAN is the way to go, and how I run my network.

Any device (retail, commercial, etc.) that has internet access may be a threat: untrusted. I've seen all kinds of sloppy security from these devices. I will not freely allow them on my home default VLAN.

I have specific router firewall rules to allow me to reach/speak to the devices from my (trusted) LAN. They can speak when spoken to, but can't speak independently unless there's a specific rule for that (like sending entries to my syslog server, for example).

Which ports do you have to unblock for apple devices?

Same here. But I don't even treat my most trusted VLAN as fully trusted. My firewall rules only allow what's needed to function.

Maybe a little overkill, but why not! :slight_smile:

The IoT VLAN is DHCP, but I use DHCP reservations for writing firewall rules.

I've modified this a little since my last post, but right now I have:
HomePods/Apple TVs > anything not internal networks 80 and 443

So to the internet but not internal access.

So you don’t have any need to use Apple’s local protocols like AirPlay or mDNS?

Ugh, so I'm not an Apple device user... but I'm no fan of mDNS. It solves some discovery problems (that I don't really have), but for the most part it's a bunch of devices over-spewing traffic at ridiculous rates on the LAN.
I've got firewall rules for some devices as well that bang away.

1 Like

Don't forget that too many IoT device makers never fix problems with Avahi/mDNS. If you have both IPv4 and IPv6 on your network, many times they only use IPv4 and other times both. IPv6 was supposed to resolve discovery issues, but with such low adoption in the home it's the wild west out there.

I have the same problem with my UniFi setup and my Roku devices.

When my phone is connected to my main VLAN, I can't use the iOS Roku app to control the Roku that is on my IoT VLAN.

From a Hubitat perspective, what VLAN do you put your hub on?

My HE hub is on my IoT VLAN.

You need to configure a firewall rule to allow this.