Securing Your Smart Home

This is a great video by the YouTube channel The Hookup.

In this video he explains how to set up VLANs and firewall rules for a Ubiquiti UniFi setup.

I have a similar setup in my house, and this has been on my back burner for a while. His video has inspired me to just get it done.

Here is my plan going forward:

#1 Set up different VLANs for different types of devices (done)

I split my network up into the following VLANs (I am lazy, so I matched each VLAN ID to its subnet number).

LAN (all normal PCs / tablets and cameras)

VLAN 1 (default) – 192.168.1.0/24

Note: I have my cameras on this VLAN because I don’t want the streaming traffic

Guest (all guest devices)

VLAN 2 – 192.168.2.0/24

This is set up to use UniFi's built-in guest mode for networks.

NoT (devices that do not need internet access)

VLAN 4 – 192.168.4.0/24

These are devices like my ESPHome sensors that will never need internet access.

IoT (devices that need cloud access but no LAN access**)

VLAN 5 – 192.168.5.0/24

These are the cloud devices, the things you are concerned might get a bad update and allow someone access to your LAN.

These devices are:

  • Google Homes and Hubs
  • Chromecasts**
  • WeMo Switches**
  • Roku**
  • Smart TVs**
  • Rachio
  • Ring Doorbells / Cameras / Chimes
  • MyQ Garage Doors
  • Nest

** note: some devices like Chromecasts need access to my Plex server, so there are firewall exceptions for those.

#2 Set up Wireless Network for each device type (done)

I already had different SSIDs set up for different reasons, but I reassigned them to the following roles:

  • LAN (default VLAN)
  • Guest
  • NoT
  • IoT

If you run into an issue where you need more than 4 SSIDs per AP, you can split the 2.4 GHz and 5 GHz bands into separate WLAN groups. Because my NoT devices are 2.4 GHz only, I can move my Guest network to 5 GHz only and have an extra SSID.

#3 Move Devices to Appropriate Networks

This will take longer than expected. I have to go device by device to move them to the new SSID, or set up other managed switches with the new VLANs.

#4 Activate Firewall Rules and Test

Finally, I will need to isolate the subnets and then make sure everything still works. The trouble spots are the items marked ** above; they will need extra firewall rules.
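Those extra rules only work if they sit above the block rules they carve a hole in. As an added example (not from this post or The Hookup's video), here is a small first-match rule evaluator over the subnets above that shows the Chromecast-to-Plex exception working in the intended order and being shadowed when it is placed below the IoT block; the Plex server address, the Plex port (32400 is Plex's default) and the sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets are the ones from the post. The Plex server address, the Plex port
# (32400 is Plex's default) and the sample flows are constructed for this example.
NOT, IOT = "192.168.4.0/24", "192.168.5.0/24"
ALL_LOCAL = "192.168.0.0/16"   # every subnet in this house sits under 192.168/16
ANY = "0.0.0.0/0"
PLEX_HOST = "192.168.1.10/32"  # assumed address of the Plex server on the LAN
PLEX_PORT = 32400

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

def decide(rules, src_ip, dst_ip, dport=None):
    """First matching rule wins (ordered LAN IN list); no match falls through to accept."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action
    return "accept"

# Intended order: the Plex exception for the Chromecasts sits above the IoT block rule.
INTENDED = [
    Rule("accept", IOT, PLEX_HOST, PLEX_PORT),  # ** exception: Chromecast -> Plex only
    Rule("drop", IOT, ALL_LOCAL),               # IoT: cloud access, no LAN access
    Rule("accept", NOT, ALL_LOCAL),             # NoT: may talk to hosts on the LAN...
    Rule("drop", NOT, ANY),                     # ...but never to the internet
]

# Same rules with the exception moved below the block: the block now shadows it.
SHADOWED = [INTENDED[1], INTENDED[0]] + INTENDED[2:]

FLOWS = [  # (name, src, dst, dport); 203.0.113.10 is a documentation-range stand-in for a cloud host
    ("chromecast_to_plex", "192.168.5.20", "192.168.1.10", PLEX_PORT),
    ("chromecast_to_lan_share", "192.168.5.20", "192.168.1.10", 445),
    ("chromecast_to_cloud", "192.168.5.20", "203.0.113.10", 443),
    ("sensor_to_lan_host", "192.168.4.7", "192.168.1.10", 8123),
    ("sensor_to_internet", "192.168.4.7", "203.0.113.10", 443),
]

def evaluate(rules):
    """Return the verdict each sample flow receives under the given rule order."""
    return {name: decide(rules, s, d, p) for name, s, d, p in FLOWS}
```

Running `evaluate(INTENDED)` and `evaluate(SHADOWED)` side by side makes the ordering mistake visible before it is applied to the controller.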

Bonus – Cameras

As stated in the video, cameras are a different beast. I want my cameras to be accessible internally only, but I don't want all of that traffic passing through the firewall. So instead of placing them in the NoT network, I will keep them on the main LAN with firewall rules blocking WAN traffic to and from them (with an exception for GitHub for updates).

I will update this post with my thoughts as I finish the next few steps.