Set up wifi & network for Hubitat & Other wifi devices that will connect to Hubitat

My knowledge about home networking is VERY limited.

My home network runs off an Asus router that is the first router I've ever owned that does not cause wifi issues so I'd like to keep that variable constant. This router offers
a. the default wifi that connects to both 2.4 and 5 GHz devices. I presume this is my "intranet"(?)
b. three guest wifi networks each for 2.4 and 5 GHz devices. Each of these six has a toggle to "access intranet" which is currently set to "Disable"
c. The devices connected to the router via ethernet. As far as I can tell these devices connect seamlessly with the devices on the main wifi, so they must be on my "intranet." My C7 is of course plugged in via ethernet.

The laptops, cell phones, e-reader and other "computer" devices used by the household are connected to the "main" wifi. They work fine with Hubitat as needed.

Items that don't interface with Hubitat, but must connect to the internet, such as Roku and security cameras, are on one of the "Guest" Networks on which "access intranet" is set to Disable, as several years ago I read that is somehow a safer way to connect them.

Now I'd like to be able to control the Roku from the Hubitat. It won't connect, which I presume is because it is on a different wifi than my "intranet." Seems I have two choices to connect it to Hubitat.

  1. Put the Roku (or any other such device I want to integrate with Hubitat) on my main "intranet" network
    or
  2. Change the toggle on the Guest network to which the Roku is connected to enable "Connect to Intranet"

Is one of these solutions inherently safer than the other and if so, which one?
For those who presume the Roku, as a mass-market consumer device, is safe from (??) and thus OK to put on my intranet, what if instead of Roku the question was about an internet-connected security camera?

I presume the risk is that the device has some sort of malware, and that if it is on my intranet, it can then get to personal data when a laptop or other device is connected to the intranet? Or maybe the risk is something else?

I did connect a few wifi ceiling fans to the main wifi intranet, but once they were set up and connected to Hubitat, I enabled "Block internet access" in the router settings.

Neither option is inherently safe, for the reason you’ve surmised:

Just because Roku is a household name doesn’t mean there isn’t a vulnerability that could make it subject to getting hijacked.

But in general, I would argue it’s probably less risky to choose option 1 that you described, rather than option 2.

The reason being that the first option gives only one device access to your other LAN devices, namely your Roku.

The second option gives every device on the guest network access to your LAN.

I don’t think you mentioned how many or which other devices are on that guest network. But just from a numbers perspective, multiple devices subject to being hijacked is a greater potential risk than only one device subject to being hijacked.

5 Likes

Thank you! The only things on that "Devices" guest network (it's a different guest network than the one I offer my real guests) are the Roku and the security cams.

So how do others handle this issue?

I presume (but am not sure) that the C7 and the other devices connected via ethernet (Airthings Hub, Honeywell Redlink Gateway) are connected to what the router refers to as the "Intranet". Thus, I presume (but am not sure) it would not work to put all the wifi devices that interface with Hubitat on a pair (2.4 + 5 GHz) of guest networks and not allow access to the intranet, because they could not communicate with the Hubitat and the other ethernet devices. Is this correct?

I further presume the goal is to somehow separate the data on the laptops from the group of devices connected to Hubitat. Should I put all things Hubitat on the main network (since that includes ethernet devices), and reserve one of my "Guest" networks for the household laptops, computers and cell phones (since those are 100% wifi) and prevent that guest network from accessing the intranet? Would I then need to change networks to access the Hubitat locally from my laptop or cellphone? Would the laptops and other devices connected to that guest network be able to connect to each other for file sharing & printing?

I am very interested in how others, who have a much better understanding of this stuff than I do, handle this issue...
Or is there just a decision point of either do cool stuff with Hubitat (connected to Roku, images from security cams on dashboards) and compromise security, or forgo cool stuff to maintain security?

BUMP

The way to minimize risk like this (you can’t eliminate it completely unless you stop using Roku and IP cameras) is to segment your LAN with VLANs and create firewall rules to prevent these devices from reaching most other things on your LAN, but still creating exceptions so that their basic and desirable functions aren’t broken.

You’re probably not going to want to do that. It’s too much work and requires a good deal of networking knowledge.

Your router is probably doing something like that for you in a more user friendly way with its UI that creates multiple WiFi networks, and includes options to block internet or local connectivity for each network. But it’ll never get as granular as possible.

There’s always potential trade offs between security and convenience with IoT devices.

1 Like

Devices that you use every day should typically not be on a "Guest" network. Most consumer router "Guest" networks are set up so that they do not have access to any other network. It sounds like your router creates a main/primary network it calls "Intranet" and an isolated network called "Guest".

Since you mention you are not network savvy, my suggestion would be to place all devices such as laptops, printers, Hubitat, etc. on the "Intranet" network. This can be hardwired via ethernet or via WiFi. This would allow all these devices to see and access each other. Other devices that may not need to speak to devices on the "Intranet" can be placed on a "Guest" network that does not have "Intranet" access. This allows them to connect to your network but simply have access to the outside Internet for what they need.

1 Like

@jkudave - Thank you. That is almost exactly how I currently have it set up, with the caveat that my router has three available guest networks, each with the toggle of "connect to Intranet" or not. I was using one of the guest networks for both the Rokus and the Internet-connected security cams, with "Connect to Intranet" toggled off, and everything else on the main intranet network.

However, if I want to be able to either control the Roku with Hubitat, or see the cams on a Hubitat dashboard, that won't work, and the only solutions I know of are either EVERY device gets connected to the main network or I allow the "Guest" network on which these devices are (it's not the one used by Guests) to access the Intranet. Neither solution is ideal.

So I'm wondering how others solve for this. I'm willing to do some reading to learn some networking basics, if someone will point me in the correct direction...

Can you point me to a link or something where I can begin to learn what the above even means? Is this something a non-IT professional can learn to do with some reading and research? Does it require expensive equipment or software?

Most users follow the KISS principle when it comes to their home networks. A few folks like to complicate their network design in the name of improved security. Many in the latter group, especially those with minimal network engineering experience, often 'shoot themselves in the foot' and cause a lot of problems. For example, Hubitat hubs are not extremely fond of having to navigate multiple VLANs to communicate with devices, especially those that use network broadcast protocols.

As you've already figured out, there is no one 'right answer' to your questions. Since you've indicated that you'd like to stick with your reliable Asus router, your choices are somewhat limited. "Guest" Networks are primarily designed to allow true guest users limited access - typically only Internet access with no ability to communicate with any other devices on your home network. This is a good best practice to make sure malware is not introduced into your home by these guest users. It also prevents tech-savvy guest users from messing around on your home network (as my two Electrical/Computer Engineering sons have been known to do when they come home for a visit. They are now relegated to a Guest WiFi network like everyone else! :wink: )

So, if you have devices that truly need nothing other than Internet (WAN) access, then placing them on one of your Guest WiFi networks with NO Intranet (LAN) access makes good sense. However, once you decide to have those devices communicate with other LAN devices, just move them over to the main LAN network with everything else. Just please do not enable port forwarding on your home router. That opens up your home to network attacks from very creative people, who have nothing to lose and tons of time and computer resources available to them.

In order to go to the next step (i.e. a complicated VLAN configuration), you will need to purchase much higher-end network equipment, like a full Ubiquiti UniFi network system. You will then need to learn a lot about how to set everything up in a way which provides security as well as proper functionality between the different VLANs.

I have a full UniFi network setup, however I have chosen to not overly complicate my home network design. I make sure I have no ports forwarded on my router whatsoever, which blocks all unsolicited incoming traffic from the Internet. I enable Intrusion Detection and Prevention security on my UDM SE, and I block traffic from specific countries. I do not create a bunch of VLANs that will require firewall rules to make things work in my home. It is just the two of us now, so the devices on the network are well controlled. I do have a Guest network set up for visitors. The only problem those users experience is the inability for them to cast/airplay media from their smartphones to our televisions. Small price to pay to keep my network secure.

3 Likes

It's already been mentioned. VLANs and firewall rules. However I believe, based on what you've mentioned, that the subject goes beyond your skill level. In addition, it seems that your router simplifies things for you (as many consumer grade routers do) by creating the "Intranet" and "Guest" networks.

In my case, I use UniFi by Ubiquiti. To simplify my explanation I am just covering basics. I have a primary network, where devices like my laptop, printers, etc. connect to. The primary network has access to everything. I also have an IoT network, which devices like AppleTV, Amazon Echo devices, Ecobee Thermostats, etc. connect to. The IoT network only has access to the Internet. Firewall rules prevent the IoT network from seeing my primary network. However, at the same time, my primary network can see all devices on the IoT network.

If you want to learn more about networking, etc. check out the following YouTube channels:

4 Likes
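The primary/IoT split described in the two posts above (IoT devices reach only the Internet, the primary LAN can initiate to IoT devices, firewall rules enforce it, with narrow exceptions so that wanted functions keep working), written out as an added example in the form of a Linux nftables ruleset. This is not from the thread or from UniFi; the interface names, subnets and the hub address/port placeholder are assumptions.

```nftables
# Added example, not from this thread. Assumed layout: primary LAN 192.168.10.0/24
# on interface vlan10, IoT LAN 192.168.20.0/24 on vlan20, Internet uplink on eth0.
# Policy: IoT reaches only the Internet; the primary LAN (where the hub lives) may
# initiate to IoT devices; IoT devices may never initiate towards the primary LAN.
define LAN_IF = "vlan10"
define IOT_IF = "vlan20"
define WAN_IF = "eth0"

table inet filter {
    chain input {
        # Traffic addressed to the router itself.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Primary LAN may manage the router; IoT only gets DHCP and DNS from it.
        iifname $LAN_IF accept
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to sessions already allowed below. This is what lets a hub on the
        # primary LAN poll a Roku or camera on the IoT LAN and receive the answers.
        ct state established,related accept
        ct state invalid drop

        # Primary LAN may initiate to anything: Internet and IoT.
        iifname $LAN_IF accept

        # IoT may initiate only towards the Internet.
        iifname $IOT_IF oifname $WAN_IF accept

        # Optional narrow exception (placeholders): an IoT device that must push
        # events to the hub gets exactly one destination and port, nothing more.
        # iifname $IOT_IF oifname $LAN_IF ip daddr <HUB_IP> tcp dport <HUB_PORT> accept

        # Everything else from IoT, i.e. anything aimed at the primary LAN, is
        # logged so it can be reviewed, then dropped.
        iifname $IOT_IF log prefix "iot-blocked: " drop
    }
}
```

Note that broadcast and mDNS/SSDP discovery does not cross the two subnets, so devices the hub finds by broadcast need a static address and manual configuration under this layout, which is the caveat about broadcast protocols raised later in the thread.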

I’m not an IT pro, and I’d say it’s been about 10 years since I started to learn more about IP networks in my spare time, largely as an offshoot of my interest in home automation (I got a smartthings V2 hub in 2015).

I’m at the point that I just barely feel confident I could set up a few VLANs and not break something in the process. I still haven’t enabled any other VLANs on my unifi network gear besides a guest network, other than to test things out for myself.

So while I’ve enjoyed learning about this stuff, I don’t put it all into practice because the risks/benefits/alternatives just don’t seem worth it to me.

While many people do set up VLANs with their unifi network gear at home, which can be expensive but more accessible/user friendly than alternatives, I’m comforted by the fact that there are others like @ogiewon who choose not to even though it’s within their capabilities.

If you do want to learn more about how IP networks function, as a hobby, and a necessary first step before you even try to segment your network at home, the YouTube channels @jkudave linked to have all taught me a lot as well.

2 Likes

Did you mention which IP cameras you’re using?

Personally, I wouldn’t worry much about Roku as a source of attack on my LAN.

For the cameras, it could matter a lot which ones they are exactly, and whether you can keep their firmwares updated.

2 Likes

100%

At work, we had a bunch of cameras that we found out were reporting home to China. Needless to say, they got decommissioned in a hurry.

@ogiewon: Under Advanced, Settings, WAN, Enable Port Forwarding = Off, so I hope I'm OK there.

@marktheknife and @jkudave
They are Abode Home Security Cameras - Cam2.
I also have one of the older Abode IP Cams that is connected via ethernet. I guess this is on my Intranet.
I would love to learn where on my router I can find what, if anything, the cams are doing, other than recording to the Abode cloud (such as reporting home to China).

On the surface, this sounds ideal. I guess the devil is in the details as to whether or not Hubitat can communicate with the devices on the IoT network. My router is an Asus GS-AX3000; I'm not sure whether or not it can do what you describe.
I will definitely invest some time checking out the links. VERY much appreciated. Thank you.

2 Likes

Every router is different. It seems that if you put your Hubitat on the Guest network, but allow that Guest network to access the Intranet network, then yes it can communicate. However, that defeats the true purpose of having an isolated guest network.

I’ve been out of the consumer grade router side of things for quite some time, so I do not know if your particular router allows for the creation of other networks.

My router allows up to three guest networks, so I can still have an isolated guest network for actual guests.
However, the Hubitat is connected via ethernet. Everything connected via ethernet goes on the "intranet" part of my network. I don't have the option (that I'm aware of) to put an ethernet connected device on any of the guest networks.

If that is indeed the case, then you need to see if your router will allow you to even create new VLANs if you ever decide to go that route.

Are you even allowed to create new WiFi networks?

For now, it seems you have one of 3 options for your wireless IoT type devices:

  1. Connect them to your Intranet network
  2. Connect them to a guest network and enable the allow Intranet access option, which seems to essentially be the same as joining them to the Intranet network.
  3. Connect them to a guest network without the allow Intranet access option.

The issue with most consumer grade routers' Guest Networks is that they isolate the devices on that guest network from one another, as well as from the main LAN (Intranet) network. @calinatl's Asus router might have an option to allow clients on the same guest network to communicate with one another, but I am pretty sure my old Asus routers did not.

1 Like

These are very likely manufactured by someone else and rebranded by Abode.

Are you able to find out more about the manufacturer and device model?

Do the cameras have a web server interface you can log into with a browser (similar to how you access Hubitat)?

If it’s possible to update each camera’s firmware, that’s almost certainly the lowest hanging fruit you can find with respect to decreasing your risk of a local device becoming compromised by a hacker (after avoiding/disabling port forwarding as @ogiewon mentioned, but you’re not doing that, so that doesn’t apply to you).

1 Like