blog-howest/content/blog/post-10.md
2025-05-31 18:29:56 +02:00


---
title: "The Smart Home Trap: Isolate or Be Owned"
image: images/blog/blog-10.jpg
date: 2025-01-30
description: "Your smart lightbulb doesn't need to talk to your NAS. Here's how and why to isolate IoT devices using VLANs, even in a small home network."
categories:
  - networking
  - iot
  - cybersecurity
draft: false
---

Smart homes are convenient. But with convenience comes risk. If your doorbell runs Linux, talks to Chinese cloud servers, and sits on the same network as your work laptop, you've got a problem. The fix? Segmentation. This post explores how to use VLANs and firewall rules to quarantine IoT devices and minimize lateral movement, even on a home budget.


Why Segmentation Matters

Most people treat their home network as a single trust zone: every device is trusted equally. They are not equal. You wouldn't let your robot vacuum log into your online banking, yet it lives on the same flat LAN as the laptop that does. That is the fundamental issue.

IoT vendors prioritize cost and features, not security. Devices often ship with:

  • Default credentials
  • No software updates
  • Open ports and broadcast protocols
  • Aggressive telemetry to unknown hosts

Assume that at least one of these devices will be compromised eventually. The only question is whether that compromise stays local or becomes a pivot deeper into your network.


VLANs 101

A VLAN (Virtual Local Area Network) logically segments traffic on the same physical infrastructure. Think of it as creating isolated “subnet bubbles” where traffic can be controlled and filtered.

VLANs let you:

  • Group devices by function (IoT, work, guest)
  • Apply granular rules between segments
  • Limit broadcast traffic and discovery protocols
  • Deny unnecessary cross-talk

And you don't need enterprise gear to do this. Many consumer-grade routers and access points already support VLANs, especially once you replace the stock firmware with OpenWrt, or put an OPNsense or plain Linux box in front of a VLAN-capable switch. Even some ISP-provided devices have basic VLAN tagging features tucked away in their advanced menus. You might not need new hardware at all, just better firmware.


Sample Home Setup

Let's say you have a smart home with:

  • A Nest thermostat
  • A Samsung smart TV
  • A couple of Tuya smart plugs
  • A doorbell camera
  • Your personal laptop and NAS

Step 1: Define VLANs

| VLAN ID | Purpose       | Example Devices                        |
|---------|---------------|----------------------------------------|
| 10      | LAN (trusted) | Laptop, NAS                            |
| 20      | IoT           | Thermostat, smart TV, plugs, doorbell  |
| 30      | Guest WiFi    | Friends' phones                        |

Step 2: Assign Interfaces

Most routers allow you to map VLANs to interfaces or SSIDs. Use one SSID per VLAN for WiFi. For wired devices, set the switch port to untagged on the device's VLAN (an IoT device won't tag its own frames) and carry all VLANs tagged on the single trunk port that goes to the router.

Step 3: Firewall Rules

On VLAN 20 (IoT), evaluated top to bottom with first match winning, so the deny rules must sit above the Internet allow:

  • Allow → DNS to your own resolver only (router or Pi-hole), and NTP
  • Block → LAN (VLAN 10) and Guest (VLAN 30), on any port
  • Allow → Internet (443), plus the specific cloud endpoints a device demonstrably needs, where "Internet" means any address outside the RFC 1918 private ranges, otherwise "allow 443" also reaches the NAS web UI
  • Log → Any other destination, then drop

Intra-IoT traffic (VLAN 20 → VLAN 20) cannot be blocked by the router's firewall: devices on the same VLAN talk to each other at layer 2 and never pass the router. Use the access point's client isolation setting on the IoT SSID and port isolation on the switch instead.

Optional: Use static DHCP leases so every device keeps a known address (rules and log lines then map to a device), and hand out a Pi-hole as DNS server via DHCP for logging and filtering. Devices that hardcode a public resolver such as 8.8.8.8 ignore that DHCP option, so add a NAT rule redirecting all port 53 traffic leaving VLAN 20 to the Pi-hole.
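The three steps above, worked through for the "just Linux" router option. This is an added example and not configuration from the original post: it assumes a trunk port named lan0 carrying VLANs 10/20/30 as lan0.10, lan0.20 and lan0.30, the subnets 192.168.10/20/30.0/24, a Pi-hole at 192.168.10.2, and an uplink named wan0. It defines the VLAN sub-interfaces with iproute2 and loads an nftables ruleset that implements the rule order from Step 3: DNS only to the Pi-hole, IoT never into VLAN 10 or 30, HTTPS and NTP only to non-private addresses, everything else logged and dropped, with hardcoded resolvers redirected by DNAT.

```shell
#!/bin/sh
# Added example (not from the original post): an nftables ruleset for the
# three-VLAN layout above on a plain Linux router. Assumed names and addresses:
#   lan0        trunk port to the managed switch (tagged 10/20/30)
#   lan0.10     VLAN 10, trusted LAN, 192.168.10.0/24, Pi-hole at 192.168.10.2
#   lan0.20     VLAN 20, IoT,         192.168.20.0/24
#   lan0.30     VLAN 30, guest,       192.168.30.0/24
#   wan0        uplink to the ISP
set -eu

# Emit the ruleset. Kept in a function so it can be reviewed ("./iot-vlan.sh")
# before it is loaded ("./iot-vlan.sh apply", as root on the router).
iot_ruleset() {
cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define PIHOLE  = 192.168.10.2
define RFC1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "lan0.10" accept                               # trusted LAN manages the router
        iifname { "lan0.20", "lan0.30" } udp dport 67 accept   # DHCP for IoT and guest
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may initiate anywhere; replies return via the established rule
        iifname "lan0.10" accept

        # IoT resolves names only at the Pi-hole (ordered above the LAN drop on purpose)
        iifname "lan0.20" ip daddr $PIHOLE udp dport 53 accept
        iifname "lan0.20" ip daddr $PIHOLE tcp dport 53 accept

        # IoT never initiates into the trusted LAN or the guest VLAN, on any port
        iifname "lan0.20" oifname "lan0.10" drop
        iifname "lan0.20" oifname "lan0.30" drop

        # Weak form, do not use:  iifname "lan0.20" tcp dport 443 accept
        # It matches the NAS web UI on 443 as soon as it is ordered above the drops.
        # Hardened form: Internet only, never a private range, for HTTPS and NTP.
        iifname "lan0.20" ip daddr != $RFC1918 tcp dport 443 accept
        iifname "lan0.20" ip daddr != $RFC1918 udp dport 123 accept

        # Guest: Internet only
        iifname "lan0.30" ip daddr != $RFC1918 accept

        # Anything else leaving IoT: log (rate limited), then fall through to policy drop.
        # IPv6 from IoT is not matched by the ip rules above and also ends here.
        iifname "lan0.20" limit rate 10/minute log prefix "iot-unknown: "
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Devices with a hardcoded resolver (the TV's 8.8.8.8) are redirected to the Pi-hole
        iifname "lan0.20" ip daddr != $PIHOLE udp dport 53 dnat to $PIHOLE
        iifname "lan0.20" ip daddr != $PIHOLE tcp dport 53 dnat to $PIHOLE
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
EOF
}

# Create the VLAN sub-interfaces on the trunk and load the ruleset (root on the router).
apply_config() {
    for pair in 10:192.168.10.1 20:192.168.20.1 30:192.168.30.1; do
        vid=${pair%%:*}; addr=${pair#*:}
        ip link add link lan0 name "lan0.$vid" type vlan id "$vid"
        ip addr add "$addr/24" dev "lan0.$vid"
        ip link set "lan0.$vid" up
    done
    sysctl -w net.ipv4.ip_forward=1
    iot_ruleset | nft -f -
}

case "${1:-print}" in
    apply) apply_config ;;
    *)     iot_ruleset ;;   # default: print the ruleset for review
esac
```

The forward chain relies on connection tracking in one direction only: the trusted VLAN may open connections into VLAN 20 (to cast, or to watch the camera), and the replies come back through the established rule, but nothing on VLAN 20 can open a connection into VLAN 10. Tail the kernel log for the "iot-unknown:" prefix for a week after deploying; whatever shows up there is the list of cloud endpoints a device actually needs, and nothing else gets an allow rule.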


Real-World Examples

Case 1: Smart TV

Blocked LAN access. Within 5 minutes of boot, it tried to contact:

  • Samsung cloud
  • Akamai CDN
  • Google DNS
  • DoubleClick
  • Random advertising domains

Video streaming still worked fine. Everything else was noise.

Case 2: IP Camera

On the LAN, it had access to the NAS and router UI. After VLAN isolation, its access was limited to outbound 443 and NTP. Still worked. Couldn't snoop.


Caveats & Limitations

  • Some IoT devices rely on mDNS or SSDP for pairing/setup. Both are link-local multicast protocols, so they do not cross VLANs at all: either join the IoT SSID with your phone during setup, or run an mDNS reflector (avahi-daemon with enable-reflector=yes) and allow it only while pairing.
  • Chromecast-style devices need mDNS reflected across VLANs plus a rule letting the trusted VLAN initiate connections into the IoT VLAN; the stateful firewall admits the replies without opening IoT → LAN.
  • VLANs require a managed (802.1Q-capable) switch and VLAN-aware access points that can map an SSID to a tag.
  • Guest VLANs may need bandwidth limits and client isolation so that guests cannot see each other's devices.

Still, the benefits far outweigh the complexity.


Final Thoughts

If you've ever installed a smart plug and noticed it phones home every few minutes, you're not alone. And if you haven't noticed, maybe you should.

Security in small networks doesn't need to be complex. VLANs are one of the most powerful tools you can deploy for minimal cost. Set it up once. Sleep better forever.

Your lightbulb shouldn't have access to your tax documents.

{{< notice tip >}}Looking for OpenWrt-compatible routers? Check the OpenWrt Table of Hardware for supported devices and, specifically, for switch chips with working 802.1Q VLAN support.{{< /notice >}}