Trusted and untrusted devices

i'm trying to properly setup my network to have a minimum level of security :slight_smile:
but there are some devices i do not know how to properly limit, so i'm looking for some ideas and experiences :slight_smile:
My zones:

  • lan (with "official" wifi): can do all and connect to all other zones. My notebooks, nas, pc, phones, xbox, sky and smart tvs are connected here
  • guest wifi: access to wan, nothing else (apart from local dhcp and dns)
  • iot wifi: my sensors and other "stupid" iot devices are connected here

Question 1: should i remove multimedia devices from lan? but in this case i'd loose the dlna service, isn't it?
question 2: where should i connect the "smart" iot devices? for example, alexa devices, or the philips hue bridge..i could add them to iot zone and allow specific wan connections or to guest zone, what should be the better solution?
for wired devices i should create a dedicated vlan, right?

how do you manage your lan?

for me the minimum level of security is nothing in my house has a camera or microphone and also access to the internet. I've got a VLAN for several cameras but it doesn't route to the internet.

since Alexa is useless without an internet connection there won't be any Alexa here... but I think Philips hue does not require internet. I think id put Philips on its own VLAN personally.

I am considering kicking my phones and tablets off my lan, where only desktop and laptop machines would remain. but not putting them on guest, instead providing a phones and tablets wifi. guest would remain as just for guests.

1 Like

I believe that conceptually one should stop thinking of one's inner network as effectively more secure than the rest of the internet. Either completely disable access for some subnet to the rest of the network/internet (ideally by a air-gapped set of separate wiring, or by proper and strict VLAN usage if the first is not an option, but at that point you already relay on the quality of the VLAN isolation), or simply assume that everything is terrible and require strong encryption even for all internal traffic.
If that is not an option (or to inconvenient) then, as @dlakelan hints at, it might make sense to separate all devices by some sort of classification, based on requirement to reach the internet and the assumed individual level of security (all devices being used on public networks, like laptops and smartphones need to be fully secure even with out your router's firewall, but then again might be more likely to be compromised, so separating these from the rest makes a ton of sense).
And finally remember that the S in IOT stands for security...

1 Like


I run Kerberos auth and encryption on my nfs4 server, and have turned on Kerberos and encrypted smb3 on samba. each of my desktop machines has its own firewall.

my biggest concern these days is malicious phone apps, which is why I may separate phones and tablets. if you need dlna type stuff you have to put things in the same broadcast domain, so phones would go with smart TVs and things... though I wouldn't let a smart TV on my network, they explicitly have a business model of spying on your viewing. fuck em. they'll be connected by HDMI only to a trusted Linux machine.

also I run a proxy on my LAN so http and https only goes through the proxy at speed, you can connect without but you get 1Mbps