Advice for setting up home network with connected devices (security)

Topic Author
Nearly A Moose
Posts: 1015
Joined: Fri Apr 22, 2016 5:28 pm

Post by Nearly A Moose » Fri Apr 26, 2019 8:40 pm

A couple posts this past week about mesh routers and network security got me thinking about my own setup. I currently have an old router, recently moved, and seem to have some patches of poor connectivity in the new house. Over the years we've slowly accumulated an increasing number of connected devices, but we haven't been adding them in a disciplined way. I'm considering moving to a mesh network setup (maybe an Orbi), but I'm not in a hurry. If I make a change, I'd like to do it once and set up things in a better manner. Everything I've read says to put all connected devices on an isolated guest network, leave only your personal computing devices on the main network, and I guess have an additional guest network for actual guests.

So, a couple questions:
1. Is that right for the setup? And can an Orbi do that? From what I've read, an Orbi only has one primary and one guest network. If one network is my main network and the guest is for my devices, where do my human guests connect to? (typically it's just our parents)
2. I've read about some devices not working on a guest network, and I've experienced this with my Sonos. What's the recommendation for handling that?
3. Stupid question, but are there any operability issues with putting connected devices on a different network than my phone and computer? I assume that if the device communicates with my phone via the cloud, it doesn't matter, but if it's truly talking across the network, it does?
4. I have a couple devices (e.g., Lutron Caseta, Sonos) that connect to my router via an ethernet cable. Can you isolate those types of connections onto a guest network? How?

Here's my rough setup in case helpful. These are mostly on my main network SSID, but I've commented on what I'd propose doing and left some questions in case others have experience:
-laptops, phones, tablets --> would go on main network
-wifi printers --> main network
-Network attached storage --> main network via ethernet
-Lutron Caseta hub --> hub has to connect to router via ethernet, and Lutron light switches connect to the hub. Can this be isolated from main network?
-Sonos speakers --> one speaker connected to router via ethernet, which turns that speaker into a wireless hub for the other Sonos devices. I tried a wireless connection and could not get this to function on a wireless guest network. Can the ethernet be isolated?
-Amazon Echos and Fire TVs --> would go on guest network, provided I can still control other devices with them
-Nest Thermostat - Would go on guest network
-Ecobee Thermostat - Would go on guest network
-Nest Camera - Would go on guest network
-Nest Protect Smoke Detectors - Would go on guest network
-Arlo Cameras and hub - Hub has to connect to router via ethernet. Can it be isolated? A couple of the cameras connect directly to the network. Any problems with them being on the guest network?
-Frontpoint Security System - Connected to router by ethernet to supplement cellular connection to security company. Can this be isolated onto a guest network?
Pardon typos, I'm probably using my fat thumbs on a tiny phone.

mav12
Posts: 67
Joined: Tue Nov 07, 2017 5:36 pm

Re: Advice for setting up home network with connected devices (security)

Post by mav12 » Fri Apr 26, 2019 8:50 pm

Personally, I have a router and a couple of switches, all connected by Ethernet cables. You can't beat the security of a hard-wired setup, and there are health concerns with EMFs from WiFi. This is my personal opinion.

gtd98765
Posts: 454
Joined: Sun Jan 08, 2017 4:15 am

Re: Advice for setting up home network with connected devices (security)

Post by gtd98765 » Sat Apr 27, 2019 7:13 am

You could just buy a second cheap router and use it only for your IoT devices. Hook it up to your main router via ethernet. You can call the network anything you want. I don't know how to isolate this second router from your main network's devices though.

flyingcows
Posts: 36
Joined: Sat Apr 20, 2019 8:13 am

Re: Advice for setting up home network with connected devices (security)

Post by flyingcows » Sat Apr 27, 2019 7:26 am

Not sure what the options are on off-the-shelf options like Orbi; however, I do know that you could reflash one of these devices with an open source firmware project like OpenWrt to give the ability to configure VLANs.

https://openwrt.org/about

To accomplish something like this:

https://www.routersecurity.org/vlan.php

That said, only go down this rabbit hole if it's something you are personally interested in exploring. If you don't run any services on your network and the things on your network are just devices and computers that do not expose/share anything, IMO I wouldn't recommend you invest your time here.

Instead, my recommendation would be to just use whatever off the shelf router offering you are comfortable with. Next, add a DNS blackhole like pi-hole to your network:

https://pi-hole.net/

You can just purchase a Raspberry Pi, load this software, and connect it to your network via ethernet. You would configure the DNS in your router's DHCP configuration to use this device, so that all devices on your network will hit the pi-hole to resolve names. It can be configured to auto-update lists of known malware sites, and then any device on your network that attempts to resolve the IP for these names will get "blackholed" by the pi-hole, and the malware will not be able to "phone home". Another benefit is that you can use the pi-hole as an ad filter, which works in the same way: when your browser tries to retrieve ads, the pi-hole will resolve all DNS lookups for ads to a local HTTP server run on the pi-hole, which instantly returns a 404 error. The end result is that a page full of ads will load much faster than it would even with a browser-based ad blocker. This is because with the ad blocker your computer is still fetching the ads over the internet, and the extension then hides them. With pi-hole, you avoid the need to download the ads altogether, because your browser is told that the ad server is your pi-hole, which instantly returns "not found" for all the ads. The pi-hole has a nice Web UI, and you can see metrics, graphs, and reports for the activity as well.

After you get a pi-hole on your network, you could consider running a packet inspector package on your router as a next step, but that is going to require you to run custom router firmware.

Anyway, HTH.
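To make the blackhole mechanism described above concrete, here is an added example (not code from this post or from the Pi-hole project) of the decision a list-based blocking resolver makes: it parses a hosts-format blocklist, answers blocked names with its own local address (the sinkhole the post describes, where a local web server serves the "not found"), and forwards everything else upstream. The blocklist, wildcard entries, sinkhole address and query log are all constructed for the example, and the wildcard handling is a simplified stand-in for the wildcard/regex lists such tools offer.

```python
import ipaddress
from collections import Counter

# Constructed sample blocklist in the hosts-file format that Pi-hole-style lists
# use (made-up names, not from any real list).
BLOCKLIST_TEXT = """
# comment lines and blanks are ignored
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 localhost
"""
# Wildcard entries block a domain and everything beneath it (also constructed).
WILDCARD_BLOCKS = {"telemetry.smarttv.example"}
SINKHOLE_IP = "192.168.1.10"  # assumed LAN address of the filtering resolver's web server
UPSTREAM_DNS = "9.9.9.9"      # Quad9, one of the public resolvers named in the thread

def parse_hosts_blocklist(text):
    """Return the set of domains a hosts-format list wants sinkholed."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, then split fields
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])      # first field must be an IP address
        except ValueError:
            continue
        for name in parts[1:]:
            if name.lower() != "localhost":     # hosts files always carry localhost
                blocked.add(name.lower().rstrip("."))
    return blocked

def is_blocked(name, exact, wildcard):
    name = name.lower().rstrip(".")             # normalise case and trailing dot
    if name in exact:
        return True
    labels = name.split(".")                    # wildcard matches the name or any parent
    return any(".".join(labels[i:]) in wildcard for i in range(len(labels)))

def resolve(name, exact, wildcard):
    """What a blocking resolver answers: its own sinkhole address, or an upstream lookup."""
    if is_blocked(name, exact, wildcard):
        return ("sinkhole", SINKHOLE_IP)
    return ("forward", UPSTREAM_DNS)

def process_query_log(queries, exact, wildcard):
    # Tally decisions the way a dashboard's blocked/forwarded counters would.
    return dict(Counter(resolve(q, exact, wildcard)[0] for q in queries))

# Constructed query log: what a TV, a phone and a laptop might ask for.
SAMPLE_QUERIES = ["netflix.com", "ads.example.net", "update.telemetry.smarttv.example",
                  "TRACKER.example.org.", "weather.example.com"]
```

Note that an exact hosts-file entry such as `ads.example.net` does not cover `sub.ads.example.net`; only the wildcard set does, which is why such lists need many entries or a wildcard/regex option.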

Topic Author
Nearly A Moose
Posts: 1015
Joined: Fri Apr 22, 2016 5:28 pm

Re: Advice for setting up home network with connected devices (security)

Post by Nearly A Moose » Sun Apr 28, 2019 7:38 pm

flyingcows wrote:
Sat Apr 27, 2019 7:26 am
Thanks, I'm going to check out the pi-hole doohicky. How much effort does it take to get it up and running, and does it require much ongoing maintenance? Do things tend to break when there are updates to it or my router firmware (or something else)?

I'm technically inclined enough to run something like OpenWRT with a lot of reviewing forums and guides, but I don't want the hassle at this stage. I want something that works, that I can set up once and generally be done with it.
Pardon typos, I'm probably using my fat thumbs on a tiny phone.

Cunobelinus
Posts: 217
Joined: Tue Dec 04, 2012 5:31 pm

Re: Advice for setting up home network with connected devices (security)

Post by Cunobelinus » Mon Apr 29, 2019 4:39 am

Pi-hole is super easy. If you have a very basic familiarity with the terminal/command line, it's just a copy/paste of a bash command that they have listed on their website. If you don't have a basic familiarity, then it's just "regular easy." If you're afraid of the command line, then I'm certain there's an image file you could download that has pihole pre-installed.

Buying the RasPi, plus micro-SD card, plus power supply runs maybe $35? It's been a few years. It's all configurable after it's up and running (10-15 minutes after booting up the RasPi) via any browser.

I have several up and running. I made some for friends and family.

Regarding the network setup, running non-critical devices on a guest network is a good idea because IoT security is usually lacking. If you try to do that while redirecting all DNS queries via your router to the pihole, then you'll run into issues though. The guest network is a separate subnet which is how it stays isolated from your regular network. Because you'll have your pihole on your regular network, that means anything connected to your guest network won't be able to resolve DNS queries (aka, won't work). There are workarounds, like trying to manually set the DNS settings in each of your devices (not always an option), or buying a second raspberry pi (it's a slippery slope when you start buying more), or just having an external DNS server like Cloudflare (1.1.1.1), Quad9 (9.9.9.9) or Google (8.8.8.8) listed in your router's DNS settings, but then your regular network might use one of those resolvers preferentially over the pihole (not the end of the world, but not the intent of having a pihole in the first place).

A separate network entirely is the easiest option, IMHO. Plus a second pihole for that network. I'm apparently not savvy enough to get a raspberry pi to reliably act as a wireless AP, despite the plethora of tutorials online that purport to work. That's my endgame though -- a dedicated RasPi/pihole/Wireless AP for the non-critical network devices.

A few years back, my so-called Smart TV would be rendered useless for 20-30 minutes every day while it tried to install updates. I'm all for keeping software updated, but the TV couldn't be used, and it would typically wait till you were halfway through a show before it would lock you out while trying (unsuccessfully) to install updates. Using a pihole, I blocked its attempts to contact its servers and we've never had that issue again. It actually only ever successfully resolves DNS queries for Netflix and Amazon now, which is good enough for me.

(edit) I've used dd-wrt on an old WRT54G in the past and it was entirely reliable as a router, but I haven't used it in years now. It's been relegated to just a switch in my network now. I was trying to use that as a separate subnet for the non-critical network devices, but I haven't gotten around to making it work just yet.
