this post was submitted on 24 Nov 2023
5 points (85.7% liked)

Homelab

371 readers
9 users here now

Rules

founded 1 year ago
MODERATORS
 

So I fall pretty heavy on the paranoid side when it comes to all the Chinesium home automation and IoT devices. However, my wife wants me to put up some security cameras and if I’m going to do that then I might as well add all the other life conveniences that I want. I would love to keep everything 100% air gapped, but I know that would defeat the purpose of most stuff.

Here is a rough linear diagram of what I think I can do: Internet > pfSense > home network > IoT hub > IoT network

The important thing to note is that I want no traffic to make it from the ‘IoT network’ to the Internet. And the only traffic I want going from the ‘IoT hub’ to the ‘home network’ is a browser interface for the software I’m planning on using.

If I understand correctly, this is pretty easy to do with a firewall on the ‘IoT hub’. I should be able use separate NICs, completely lock down the ‘home network’ NIC, and just allow one application access to one port so that I can open my browser interface.

Is this about as secure as it gets? Or is there a better way?

top 6 comments
sorted by: hot top controversial new old
[–] whodatdair@lemm.ee 5 points 1 year ago* (last edited 1 year ago)

Home Assistant on a pi with a zigbee / zwave stick imho, no 802.11 devices.

Zigbee is an RF standard and I don’t think there’s licensing so the devices tend to be cheaper but more wild west-y, while zwave is a controlled standard and has the cost overhead associated with that. Both standards support nodes being repeaters on the network so a chain of devices can pass instructions to devices not necessarily in range of the base. Also because they’re established standards, zigbee/zwave devices will still be useful after the company that makes them goes under, unlike fly by night wifi crap.

If you insist on having it wifi based, look into ESP custom firmware flash-able devices - there are open source firmwares that you can know won’t be trying to make any shady calls home.

My solution to “iot devices be shady” is to run my own network connected base and then everything else is a dumb device that takes commands.

Oh and if you do go ha on a pi, buy a usb hdd adapter and boot from that - I’ve found sd cards to be unreliable.

[–] nickjjj@alien.top 4 points 1 year ago

I think you might be making this more complicated than it needs to be.

Your pfSense firewall has multiple ports, put them to good use. You probably already have pfSense interfaces labeled as WAN and LAN, create another pfSense interface named IoT and hang all your IoT devices off that (dedicated switch or just a VLAN on existing switch, doesn’t really matter)

For bonus points,if you still have another free port on the pfSense firewall, this might be a good time for a DMZ interface as well.

This option does consume a few more Ethernet ports than the “firewall on a stick” method that uses VLAN trunking, but is a bit simpler to manage for homelabbers that are not networking experts.

Now you have “just another interface” on your existing pfSense firewall, so you can assign firewall rules to the IoT network, doing stuff like blocking outgoing connections to the internet, while still allowing connections initiated from the LAN to reach the IoT network.

[–] XOIIO@alien.top 1 points 1 year ago

Hell, you can just get a second dumb switch, have a dedicated ethernet port on a boat computer running blue iris or something else and have absolutely zero overlap on your networks.

Only way to access the camera then is from that machine. Of course that means you need POE cams but those are better than wireless anyhow.

[–] flossraptor@alien.top 1 points 1 year ago

Even if you just make an alias in pfSense and block its traffic, you're fine.

[–] Least_Hospital_2428@alien.top 0 points 1 year ago (1 children)

I probably am making it more complicated than necessary. I’m pretty green to the network side of this and admittedly over concerned about IoT devices tunneling out and becoming spyware.

That being said, I like this approach. I have WAN & LAN, I’ll probably just add DMZ and IoT. I may add another physical layer between the pfSense IoT NIC and the IoT switch. It probably doesn’t add any security, but it should relieve some if the routing load from my current pfSense box. And it gives me a warm fuzzy feeling.

[–] evilspark21@alien.top 0 points 1 year ago

Just curious, what do you need a "DMZ" for?

Do you have a managed switch (one that you can use for VLANs)? I'd highly recommend using VLANs instead of another physical NIC, as you'll need to double up on switches and APs if you use a separate NIC