Isolating IOT devices in their own VLAN

I’ve put this off long enough and finally today I decided to move my IOT devices (speaker, camera, lock) to their own VLAN.

What made me procrastinate wasn’t creating the VLAN or moving the devices to it; that’s easy enough with my Meraki network stack. All it takes is creating a new VLAN, creating a new SSID tagged with that VLAN, and writing firewall rules to block it from accessing the rest of the network. What made me procrastinate was the thought that quite often the phone needs to be on the same network to access the IOT device, and I wasn’t about to switch my phone to the IOT SSID every time I needed to use an IOT device.

Turns out that’s not true at all. The camera was happy in its own VLAN with no access to my phone; the app just treated it like a remote device, as if I were connecting to it from outside the house.

The lock was a little more finicky. I recall there was a setting for Auto Unlock to recognize that you were home based on your phone connecting to the home wifi. Turns out it now lets you pick a different wifi network than the SSID the lock is connected to.

Finally, the speaker was what made me hesitate the most, and rightly so. Once I moved all the IOT devices to their own subnet/VLAN, Spotify wasn’t able to detect or connect to the speaker unless I switched to the IOT SSID or allowed the IOT VLAN access to the rest of my LAN.

First I tried to write firewall rules to allow/deny traffic on the SSID. This had limited success. Then I took a step backwards and tried writing allow/deny rules in the ACL of the switch, because that’s what the internet said. But that made no sense, and I finally came to my senses and wrote the firewall rules in the… firewall.

I had three goals so I wrote three rules:

  1. I wanted every device, IOT or not, to use my DNS servers (for now anyway; this may change when I add a guest network).
  2. I wanted devices outside of the IOT network to be able to reach IOT devices (like Spotify on my phone detecting the speaker).
  3. I wanted IOT devices to not be able to reach anything outside of their VLAN.

I may need to tighten this down a bit more as I add more VLANs, but for now this works as I intended. IOT is banished to its own VLAN. I can still access IOT devices, but they can’t initiate any traffic outside of their VLAN.
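To make the three goals concrete, here is a small added example of my own (not code from the post or from Meraki) that models them as an ordered, stateful L3 rule list: LAN-initiated flows to IOT get their replies back through connection tracking, while IOT-initiated flows to the LAN are dropped. The addresses, and the assumption that the deny rule only covers other local VLANs while internet-bound IOT traffic falls through to the default allow, are mine.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not the post's real networks):
LAN = ip_network("10.0.10.0/24")   # trusted LAN: phones, laptops
IOT = ip_network("10.0.20.0/24")   # IOT VLAN: speaker, camera, lock
DNS = ip_network("10.0.10.53/32")  # internal DNS server on the LAN
ANY = ip_network("0.0.0.0/0")

# Ordered L3 rules, first match wins, mirroring the three goals in the post.
# (action, source network, destination network, destination port or None for any)
RULES = [
    ("allow", ANY, DNS, 53),    # 1. every VLAN may reach the DNS server
    ("allow", LAN, IOT, None),  # 2. LAN may initiate to IOT (phone -> speaker)
    ("deny",  IOT, LAN, None),  # 3. IOT may not initiate to the LAN
]
DEFAULT = "allow"  # implicit final rule; internet-bound IOT traffic lands here


class StatefulFirewall:
    """Minimal model of a stateful L3 firewall sitting between VLANs."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()  # (src_ip, sport, dst_ip, dport) of allowed flows

    def _match(self, src, dst, dport):
        for action, s_net, d_net, port in self.rules:
            if src in s_net and dst in d_net and (port is None or port == dport):
                return action
        return DEFAULT

    def packet(self, src, sport, dst, dport):
        """Return 'allow' or 'deny' for one packet, tracking connection state."""
        src, dst = ip_address(src), ip_address(dst)
        # Replies belonging to an already allowed session pass without a rule lookup,
        # which is what lets the speaker answer the phone without rule 3 blocking it.
        if (dst, dport, src, sport) in self.sessions:
            return "allow"
        verdict = self._match(src, dst, dport)
        if verdict == "allow":
            self.sessions.add((src, sport, dst, dport))
        return verdict
```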
