Fantastic video Mike! Great step-by-step tutorial. Don't think I could have figured out those steps myself. Couple of questions - (1) at 24:42 in the video, the diagram shows the IOT DHCP as 10.10.10.x .. should that be 10.0.0.x? (2) I'm going to use existing routers in place of your 'main switch' and 'IOT switch'. Can I just change the addresses of my two routers to 192.168.5.1 and 10.0.0.1 respectively and expect it to work without other modifications? Thank you
Yes, you are correct, it should be 10.0.0.X. Your existing routers can be set to a static IP or left to get DHCP from the EdgeRouter, which will be in the correct range. Thanks for the feedback; it is appreciated.
@MikeFaucher Tks Mike .. yes, everything came up and appears to be working fine. On the 'Crown Jewels' router, I used a new SSID and put the old one on the IOT router and that way I didn't have to re-add any IOT devices; they never saw a change. I had the impression that with your config, I should be able to connect to any of the three routers from a computer on the 'Crown Jewels' network in order to make config changes; do backups; load new firmware; etc but I don't seem to be able to log into the IOT router or the 'Y' router .. maybe I'm just not using the right addresses. I should be able to do that right?
@NSX2398 The reason is that you are using a router instead of a switch, and its "Internet" port is connecting to the ER-X LAN side. So you are being blocked by the IoT router, because to it, it appears you are connecting from the "untrusted" internet. There is also NAT, so you would have to have port-forwarding on the routers connected to the "LAN side" of the ER-X. In my opinion, you would be better off using switches instead of another router, if you want to be able to connect to your "IoT LAN" from the "Home LAN".
Hi there. Very nice video, it did help me very much. But I want to ask you if it is possible to add my TP-Link C1200 router in bridge mode to all my IOT, to the 10.0.0.1 network, so all the wifi will run on the IOT network. I have an EdgeRouter X-SFP. 🙂
I have not used the C1200 but I believe it can. Doing a bit of searching I found this (th-cam.com/video/Cg_gGECGLiY/w-d-xo.html). The mode you want is called access point mode. Hope this helps.
Mike Faucher is it okay to connect the guests to my iOT 10.0.0.1/24? All my devices are connected to this, except my game console and my laptop, which I control everything from on 192.168.5.1. Thank you
@LBUK The best is to have your guest network on a separate VLAN or put it on the network that has your IOT, but I would not put it on the network that has your main devices on it. I hope that helps.
Mike Faucher I forgot to mention this is for a home network. I don't mind my friends' (guest) devices connected to my iOT 10.0.0.1/24 with my devices, mobiles/tablets/etc, as long as they can't get into my router GUI and connect to my devices, if that makes sense.
@LBUK That will work for now but I would still look into a separate VLAN for your guests in the future. The other option depends on what type of access point you are using, as ones like the Unifi have great isolation for the guest network built into the access point. Thanks for the discussion.
If I were buying something today, I would buy one of the Ubiquiti Unifi gateways. Much easier and more flexible. As for ADSL, I assume you can but I have not used ADSL in many years so I would need the modem model number.
@MikeFaucher Thank you very much for your quick feedback. I am currently using a D-Link DIR-650IN N300 300 Mbps wifi router to connect my two laptops, a Synology NAS and a Raspberry Pi 5. Could you suggest a Ubiquiti Unifi gateway model that is not expensive? Cordially.
Greetings Mike; as someone who never owned EdgeRouter, but wishes to learn on as many network gear brands, I would like to ask you a question as you sure seem to know a lot. If I understand correctly first two "rulesets" basically block all inbound traffic into eth1 (into main network) from other networks that are in "protected group" that you created in the beginning of the video (so IoT network) AND ALSO allows all inbound traffic from other networks (WAN). Second two "rulesets" force network isolation between IoT and Main; AND ALSO mean DNS, DHCP passthrough. The thing I am not sure is, if the devices on IoT can talk to each other locally (so example: could motion sensor on 10.0.0.15 talk to light on 10.0.0.20) so the only locally blocked traffic is through the router (address 10.0.0.1 and beyond into MAIN network)? As I do not own ER-X (or any other EdgeRouter) hardware, I cannot test it myself; but would really like to check. I am more used to Netgear and Cisco workflow, that would only block traffic through router. Anyhow, thank you in advance and best regards!
Good question. Anything on the same subnet (10.0.0.XXX) would be able to communicate with each other and that is typically what you want. It would not be able to talk to another subnet such as 192.168.5.XXX. Hope that helps.
Great video. I tried this, but from my main LAN, I am unable to get to the AP connected to the IOT port. To access the AP, I had to be on the IOT network. What firewall rule should I add or reconfigure so that I can get to the AP @10.0.0.40? I can ping 10.0.0.1 from Main LAN, but no other leases.
One of the tradeoffs with isolation. I set this up for someone; they actually attach to the IOT LAN through the AP, do their maintenance and then connect back to their main network. Inconvenient but the safest way. You can create a firewall rule that has one-way communication to the IOT network or a specific IP but if I recall it is tricky. I have moved this setup to my daughter's house so unfortunately I can't give you step by step. As you are doing this for isolation, I would ask yourself if you really need to. Thanks and let me know what you end up with.
Now, I want to block guest client accessing the AP connected in the guest network. Say, clients in 10.1.1.1/24 cannot access 10.1.1.2:80 which is the Access point. Any tips on this?
I have a couple of simple questions: 1) I assume at 13:25 where you were working on the firewall rules and said you were "adding your lab network because that's your default network" - the 192.168.0.0/24 is equivalent to the default ISP IP address range if the ER-X was put directly behind the ISP cable modem acting as the DMZ into the rest of your network? 2) There are places where defining IP ranges - ER-X requires an "x.x.x.1/24" definition and others where it wants a more typical CIDR block - "x.x.x.0/24". It's not clear to me why that is. It seems the Router OS wants some IP definitions as a bounded range and others as a normal CIDR block. That address ("192.168.0.0/24") came out of the blue for me (it wasn't part of your nice physical architecture explanation in the beginning). I ask because I'm at that step and making an educated guess how to translate my setup into yours. I started days ago and did a couple of things differently because I have the SFP model and used that 6th port as another switch port vs a fiber uplink and that's my Internet port (eth5), plus my LAN is 10.x vs 192.x like your example. Really well done, including the write-up (it would be good to put that link in the write-up below the video - although it made me go fishing on your blog and I snagged some info for later on upgrading my home lab servers to 10GB network).
To clarify at 13:25, that network is what the other two are feeding into, not the ISP. This router was set up to connect to an existing LAN and not directly to the internet. I am not sure why it is looking for two structures. I would think it should be consistent. The 192.168.0.0/24 actually is part of my physical network because of the two LANs into one LAN, which most people will not do. Hope that helps and thanks for the question.
Hi Ian: I’m wanting to setup 3 maybe 4 VLANs. Here is the issue I’m not sure about. I have a Cisco Router SV260W default gateway of 192.168.123.254. I have an Ubuntu Webserver static on 192.168.123.104. I am forwarding ports 8083 and 8080 to that address as well for the Server. So would like to leave that setup alone if possible. I have the following Ubiquiti equipment. 24 port POE switch, an 8 port 60 watt switch, 4 of the 5 port mini flex switches. I’m wanting the following VLANs. One for IoT, one for guest wifi access and one for my main LAN like doing my video editing. I also have a cloud key gen. 2. Do I have to set the VLANs in the Cisco router and the 24 port switch? I even thought of changing over to an Edgerouter X even. So looking for some ideas on implementing.
Doing it without adding another jump such as the edge router is the simplest way so based on the equipment you have I would set up the VLANs using that. The main process will be to create the VLAN interfaces in your router, then assign the ports or your managed switch to use it. I am not familiar with that equipment so I can't really help much more but maybe someone else could inject some advice.
Mike Faucher I guess my main wonder is do I have to set the VLANs up in the Cisco router first? Or do I not worry about the router and set them up in the switch? If I set the address for the VLANs in the 172.*.*.* or 10.*.*.* range will having the router on 192.168.123.254 keep those ranges from coming through? I’ve always been told the only stupid question is the one you don’t ask.
@dr.mikehughes9874 You have to setup the interface and DHCP in the router and then configure the switch. Although this is a different firewall, check out this video as it may help. th-cam.com/video/fjLQsXFm93M/w-d-xo.html
Excellent presentation. I have a couple of questions though. 99% of IoT devices are wifi only so we need access points to connect them to the Internet. So if we are to isolate them through a separate switch/cable/network, then we effectively dedicate access point(s) to servicing IoT devices only. I'll have to install double the number of APs at home to create a mesh to support both IoT and normal devices. Also the method we see here assumes we will be controlling these IoT devices through Internet Cloud only. But if we lose connection to the Internet, then we can no longer control our IoT's which is a pity, because nowadays a good number of them will fall back to control via the local network if they sense they have no Cloud connection. I think using VLANs and switches/APs that can support VLANs is a more efficient way to isolate IoT stuff. Most likely cheaper too in some cases.
VLANs are a much better way if you want to isolate and not duplicate APs. This is just a low cost way of doing it. Using a system (firewall, APs, switches) is easier but more expensive. Thanks for the feedback.
Mike, Thanks for this video, it was really a help in trying to manage the Edgerouter. I'm pretty new to networking but have built a server etc but cannot get "eth 1" to come live. Eth 2/3/4 are fine. I have checked and checked. The only thing I can think of is that my service provider uses PPPoE with a VLAN of 835. Could this be affecting something I'm not aware of? I realise, of course, that PPPoE is a pretty limited service in the US but here in Europe it's very popular. Any assistance would be helpful. Thanks in advance
I was not aware of that. I am assuming that eth1 is your WAN? Is it set to DHCP or static? The issue is probably in the firewall rule that allows traffic but I am not sure what the solution would be without seeing the entire configuration. One thing that may be worth a try is posting it on Reddit or reaching out to Ubiquiti for some things to try.
Hi, this setup worked really well until my ISP reset my modem. Now I'm not able to connect to the internet via the router at all. I see the IP address provided by the ISP on eth0, but no internet connection from my browser. Any advice would be greatly appreciated.
You are right and you can use either way. It is mostly personal preference and situation. Using this method may be easier for some and eliminate the need for managed switches. In the end, it is a personal choice. I use both in my network. Thanks for the feedback.
The primary advantage of not using vlans is that it is simpler. There are advantages of vlans and using the vlan-aware switch0 mode, especially if you are using a wifi access point that is vlan aware, and you want to have multiple SSIDs e.g. IoT and Home, and each of these SSIDs would be associated with a vlan. Then you can have dumb switches attached to a vlan access port for IoT and another for Home, and another trunk port connected to the vlan-aware access point. Under the hood, the ER-X uses high vlan ids to "remove a port from switch0". If you have an ER-X you can see this from the CLI with the command /sbin/switch vlan dump and look at vlan ids 4088-4094. There is quite a bit of info on the Ubiquiti forums under EdgeMAX tag.
Hi Mike, great video, I want to ask, if I want to allow devices on the IoT network (10.0.0.x) to access a particular service on the Main network, (e.g. a MQTT broker 192.168.5.x:1883 or a PLEX server), how do I go about opening up that connection? Many thanks.
You will have to create a specific rule just for that device. The rules we create in the video are global and block everything. As the firewall reads rules from top to bottom, putting a unique rule above should take precedence. Good luck.
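Two of the questions in this thread can be illustrated in one small model: the ordering point just above (a narrow accept for the MQTT broker must sit above the blanket drop into the protected networks, because the first matching rule decides), and the earlier question about why the router asks for "x.x.x.1/24" in some places and "x.x.x.0/24" in others (the first is an interface address, the second is the network that address belongs to). The script below is an added example written for this page; it is not the video's configuration, the blog post's steps or EdgeOS code, and it models only forwarded traffic (an "in" ruleset). The subnets are the ones named in the thread; the MQTT broker address 192.168.5.10 and the device addresses are constructed for the demo.

```python
# Added example (not from the video, the blog post or EdgeOS itself): a
# first-match model of the "in" ruleset on the IoT interface, used to show
# why a specific accept rule must sit above the blanket drop, and how an
# interface address like 10.0.0.1/24 maps to the network 10.0.0.0/24.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional


def to_network(cidr: str):
    """Turn either form ('192.168.5.1/24' interface style, '192.168.5.0/24'
    network style) into the network object a network-group entry means."""
    return ip_interface(cidr).network


# Subnets from the video; the group holds networks, not host addresses.
IOT_NET = to_network("10.0.0.1/24")          # -> 10.0.0.0/24
MAIN_NET = to_network("192.168.5.1/24")      # -> 192.168.5.0/24
PROTECTED_NET = [MAIN_NET, IOT_NET]


@dataclass(frozen=True)
class Flow:
    """One packet entering the router on the IoT interface (constructed)."""
    src: str
    dst: str
    dport: int
    established: bool = False   # part of a session already accepted


@dataclass
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    dst_nets: Optional[list] = None      # destination network group; None = any
    dport: Optional[int] = None          # destination port; None = any
    state_established: bool = False      # match only established/related
    description: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.state_established and not flow.established:
            return False
        if self.dst_nets is not None and not any(
                ip_address(flow.dst) in net for net in self.dst_nets):
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


def evaluate(rules, flow: Flow, default_action: str = "accept"):
    """First-match evaluation: rules are walked in ascending number order and
    the first one that matches decides; otherwise the default action applies.
    Returns (action, matching rule number or None)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(flow):
            return rule.action, rule.number
    return default_action, None


def same_subnet(a: str, b: str, net) -> bool:
    """Traffic between two hosts in one subnet is switched locally and never
    reaches the router, so no ruleset on the router can see or block it."""
    return ip_address(a) in net and ip_address(b) in net


# Hypothetical MQTT broker on the main LAN (address constructed for the demo).
MQTT_BROKER = ip_network("192.168.5.10/32")

# Correct order: the narrow exception (rule 20) sits above the blanket drop.
BLOCKIN = [
    Rule(10, "accept", state_established=True,
         description="replies to sessions the main LAN opened"),
    Rule(20, "accept", dst_nets=[MQTT_BROKER], dport=1883,
         description="IoT devices may publish to the MQTT broker"),
    Rule(30, "drop", dst_nets=PROTECTED_NET,
         description="everything else from IoT to protected networks"),
]

# Same rules with the exception numbered below the drop: it never matches.
MISORDERED = [Rule(30, "drop", dst_nets=PROTECTED_NET),
              Rule(40, "accept", dst_nets=[MQTT_BROKER], dport=1883)]


if __name__ == "__main__":
    for flow in (Flow("10.0.0.15", "192.168.5.10", 1883),
                 Flow("10.0.0.15", "192.168.5.20", 443),
                 Flow("10.0.0.15", "203.0.113.7", 443),
                 Flow("10.0.0.15", "192.168.5.20", 443, established=True)):
        print(flow, "->", evaluate(BLOCKIN, flow))
    print("misordered:", evaluate(MISORDERED, Flow("10.0.0.15", "192.168.5.10", 1883)))
    print("sensor to bulb seen by router?", not same_subnet("10.0.0.15", "10.0.0.20", IOT_NET))
```

Two caveats the model makes visible. First, the router only ever evaluates traffic that crosses subnets: a sensor at 10.0.0.15 talking to a bulb at 10.0.0.20 is switched inside the IoT segment and no router rule applies, which is why devices on the same subnet can always reach each other. Second, a ruleset applied in the "in" direction governs traffic the router forwards; packets addressed to the router's own interface address (for example a ping to the gateway from the IoT side) are handled by the separate "local" direction, so a working "in" ruleset does not by itself stop those.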
Hi, I have an EdgeRouter X with firmware 2.09. I use WAN 1 and WAN 2. WAN 2 is Starlink. Normal speed on WAN 2 is 200 Mbit download and 20 upload. With my Ubiquiti router the speed is limited to 60/70 Mbit download, why? I have enabled/disabled IPsec and hwnat but the problem is always the same. Thanks a lot for the help.
This sounds like possibly a hardware configuration issue. There are a few things I can think of. First, the two WANs you configured may conflict. Have you tried with just one connected? As the Edge router is capable of 800+, you may have a device on either the LAN or WAN side that is slowing down your entire connection; it could even be a cable. I would start with a single device and WAN and start isolating the issue.
@MikeFaucher Yes, I have tried only WAN 2 without connecting any other device on the LAN but the problem persists. If I understand correctly, hwnat is a hardware acceleration setting but it does not work... I use a Cat 5e cable and if I use this cable directly from the Starlink router to my PC the speed test works well.
@88eleaffar Not sure what else can be wrong. I would try a factory reset with one WAN connection to see if it is the Edgerouter. Definitely should not perform that slow. I no longer have it to list my settings as I went to the UDM SE a while ago. Sorry I could not be more help.
I followed along but my IOT network is still able to ping my main router IP. Everything else is blocked though as expected. Any idea what might be wrong?
hi. this is very good and highly commendable tutorial. my only question is, with this configuration, would i be able to access my IoT devices from: within the home network: would my IoT apps (alexa/tuya/samsung/phillips) be able to discover my IoT devices on the IoT network? the phone or tablet where these apps are installed is supposed to connect to the home network and not to the IoT one. in that case, do i need to ask the apps to rediscover the devices (since they will have been moved from the home network to the IoT network)? outside: let's say i'm on travel and would need to check my IoT devices back home, would the aforementioned IoT apps be able to connect over the internet and establish connection with my IoT devices? thanks and keep safe.
Great question. The answer is mostly yes. You will most likely have to temporarily connect your phone or mobile device to the IOT network to perform the initial configuration but after that, it should work as most go through the internet as well as wifi. Some devices are more temperamental than others. The ones that might be an issue is something that pulls from another device locally such as a Roku pulling movies from a local Plex server, otherwise, you should be OK. I have my Alexa, google home, Rokus, and Samsung TVs on my IOT with no issues. Thanks for the question.
@@MikeFaucher thank you. come to think of it, i also have a plex server on my home network. what happens then to my roku/fire tv/apple tv devices if i move them to the IoT network? have you discovered a configuration with the edge-x router to maintain your plex server on the protected network while being accessible to streaming devices on the IoT network? moving the plex server to the IoT network isn't really advisable, because this will sever access by mobile devices (laptops/smartphones/tablets) on the protected network. my family will murder me if they'll lose access to plex. 😂
The document I was referring to was the blog post which goes through these steps. You can find it at thedocsworld.net/edgerouter-x-securing-yourself-from-iot-devices/. Sorry about the confusion; I have updated the video description to include it. Thanks for pointing it out.
Mostly no. Many iot devices do not communicate directly and bounce off a cloud service. There are always exceptions though. Alexa and google home work fine. Remember that this is the purpose of the isolation. If things can communicate directly they are not isolated. Great question.
Thank you so much for this video, this answers loads of questions. One or two still remain though... Is it possible to see which of the wizards have been run, or can I just re-run the wizard without destroying the settings that I have? I see that I can preserve my credentials if I run the "WAN + 2LAN2" option, but will it reset everything back to a clean install or will my sets of rules be there when it reboots?
I have not tried this when I was trying to preserve my settings but when I was experimenting I am pretty sure it reset everything. Great question and sorry I could not be more specific.
@MikeFaucher As long as I don't ask idiot questions I'm ok :) ... Thanks for your answer... I'll try to figure out how to create an IoT VLAN wirelessly somehow and that way I won't need to brick my Edgerouter. Creating the SSID with VLAN and DHCP isn't that hard, it's the firewall rules to get it to work I haven't figured out yet :) ... It is the communication over different VLANs (from PC and device network to IoT) where my talent ran out (haha). Just have to google it some more.
Thank you sir.. actually I am going to implement a UBNT system in our hotel so this will be very helpful at this time. If you can, please upload a video regarding UBNT controller setup and guest portal. Thank you
Excellent video Mike on Edge-Router setup and also your videos regarding the QNAP QGD-1600P (All-in-one) NAS-with-managed-switch device. Have subscribed and suggesting my tech friends do the same on your channel. QUESTION -- (which may help other subscribers who follow your QNAP QGD videos) --- Similar to your goal in this video of isolating IoT devices from the rest of your local LAN, my goal is to isolate Netflix's ethernet data stream received by our Samsung TV over a 1-gB CenturyLink FttH internet link - from the rest of our local LAN network which will be behind a pfSense firewall running on my QNAP QGD-1600P in VirtualStation and connected using physical ports on the QGD-1600P managed switch. I am worried about overloading the VM pfSense firewall with both a torrent of NetFlix data packets sent to the Samsung TV and regular internet packets addressed to the computer devices on our local LAN. I do not worry about the health of the Samsung TV, but certainly do about the other devices on our LAN and want the pfSense to focus on protecting our local LAN devices not the Samsung. Some users have concerns that Samsung TVs phone home with logged traffic and usage patterns and are not to be trusted on a local LAN similar to concerns regarding other IoT devices. Your video has me thinking I might be able to connect the CenturyLink internet ONT's ethernet port (WAN, login with PPPoE), with a port on the Edge-Router-X and then a second port of the Edge-Router-X feeding the Samsung TV with Netflix packets and a third port of the Edge-Router-X feeding a port on the QGD-1600P configured as a WAN input to pfSense ... which protects the rest of our local LAN connected to the managed switch half of the QGD-1600P.
SUMMARY: so the Edge-Router-X would perform the function of a splitter (switch with PPPoE login for the ONT) to feed a low security data stream to the Samsung TV ethernet port and a high security data stream thru the pfSense firewall running on the QGD-1600P safeguarding everything else on our local LAN. Does this sound reasonable-ish? Thanks
I can't tell you how many videos I have watched on how to segment an IoT network on my Ubiquiti PoE5 EdgeRouter and they all use VLANs and they are way overly complicated. This was a breeze and works flawlessly. Thank you sir.
Awesome feedback and I am glad it helped. Thank you for the comment.
Agreed! Spent half my day trying to do just what this video shows and left most previous videos more confused than when I started without anything working. Thank you for this video without the complications of programming switches I don't have and making trunks I don't need!!!!
Searching all over TH-cam for what you provided in a straightforward approach. None of the lengthy jabber-jaw with unnecessary theory talk or complicated VLANs etc. Hang one AP off port 1 for IOT stuff and a second AP off port 2 for private stuff. Still able to control or monitor IOT devices with cell phone IP on private LAN. The simple and cut to the chase video!!
Awesome and thanks for the feedback. Glad you found it useful.
Thank you very much Mike! Straight forward configuration that works.
Glad it was helpful.
Thanks for the video. This helped me set up EdgeRouter X and VLANs without spending on additional switches. Passed this video link on to a few of my friends. Excellent.
Great to hear and thank you for the comments as well as for sharing the video. Appreciate it.
Another great video. You described and showed things very clearly.
Thank you. Glad you liked it.
Hi Mike - excellent video!
If I want to isolate multiple networks (IOT Network like yours but also a 2nd and 3rd isolated networks), after detaching eth2 and eth3 from switch0 and creating their DHCP servers, do I need different firewall rules than those created for the IOT Network or I can simply click "Add Interface" under "Ruleset Configuration for BlockIN"?
You need a rule for each network to make sure that there is isolation and that you can reach your VLANs when you need to.
Thanks for the help with setting up an IOT secured network. At one point in setting up the Firewall/NAT Group you listed networks under the ProtectedNET group that this firewall would see that you are protecting. You included the two network IPs created plus you had a lab IP address that you included. I don't have a lab network, so I have just included the two networks created for the IoT and the non-IoT connections. Is there any other network I should include?
Sounds like you have it covered and should be ok. Good luck.
Mike, I have what is hopefully an easy question.
I have set up my ER-X per your video, and it is working how it should, thank you. I am wanting to add Unifi APs with an SSID for the main .0.XX (full access) subnet and another IOT SSID that points to the .10.XX subnet on Eth-1 (segregated). Is this as simple as assigning the IOT SSID to the .10.XX subnet? If the APs are on Eth-2 and Eth-3 (.0.XX) will the ER-X pass the traffic through to .10.XX on Eth-1? Thanks again.
If you are using the two LAN ports like in the video, you will need an AP on each port with the Wifi SSID of choice. Because your AP is connected to a specific port it will take the IP range and segregation of the port you are on. You can also research creating a VLAN on one port which will allow you to create two different SSIDs on one AP; otherwise you will need two APs.
Hi! Quick question. I have both LAN and wireless IoT devices. I have an EdgeRouter X and 2 Unifi APs. I don't want to use a separate AP for the IoT devices (and can't afford more APs at the moment). How do you advise me to connect both my LAN and wireless IoT devices to an isolated network?
If your APs support VLANS then I would look into that. More efficient.
Hi, I just want to say thanks again for your video. I did follow it, and everything works perfectly.😀😃
Excellent. Thanks for the feedback.
Thanks Mike. Glad I found your channel. How do I tell my wireless IoT items to connect through the IoT switches wireless AP, but not through the main network switches Wireless AP?
Attach your computer or laptop to each of the networks you set up, go to the command prompt and type ping and any address on the other network. It should time out and not return anything.
Hi, I have an EdgeRouter X. I am trying to use the basic wizard to set up one LAN internet connection on a VLAN. How do I get the internet on just one of my ports with the VLAN?
So I actually did not cover VLANs in this video but the process is mostly the same except that you assign one of the physical ports to a VLAN by first creating the VLAN and creating the interface first. As I no longer have this router, I can't give you the exact steps but I am sure you can find something out there on creating VLANs on the EdgeRouter. Sorry I could not be more help but I have not used this in a while. Thanks for the question.
Mike .. after implementing a version of your setup, everything appears to be working well but without some kind of traffic monitoring/reporting capability, it's tough to know for sure. Do you have any thoughts/comments on whether there is any value in adding something like a Firewalla Red (or similar) hardware box to provide some monitoring? I believe they just plug in on the LAN side of an existing router but if they were plugged into a port of the EdgeRouter, I presume I'd need to customize that port so it could see all traffic from each of the two isolated ports .. or does that create a 'fault' in the isolation scheme? What sort of traffic monitoring do you prefer/suggest when you implement these setups?
Tks ... Ian
Never tried a Firewalla so can't really comment but from what I read it should work. Sorry I could not add more.
@@MikeFaucher Tks Mike .. just thought I'd ask. The Red version is only $100 so I think I'll give it a try.
@@NSX2398 Good luck and let me know how it goes
Hi Mike, great video. I had a question. How would this concept work in a mesh network scenario? I have a mesh wifi network set up with 2 Asus Zenwifi XT8 units and one RT-AC68U. All of them are hardwired (ethernet backhaul) via MoCA adapters. I have attempted to isolate my IoT devices by creating a separate guest SSID and not allowing intranet access. This seems to do the job but isn't as elegant as what you show here.
Would appreciate your thoughts on how to marry up the two. 😁
Great question. The only option you would have using a mesh would be to dedicate an access point to the IOT side. What you did will work fine as long as the isolation is there but you are limited to wireless devices. Thanks for the feedback.
@@MikeFaucher 👍🏻Thank you!
In this specific firewall configuration, devices within the IoT network aren't able to communicate with others in the IoT network?
So when I want to set up, for example, an ioBroker station to connect everything, I need to allow communication between devices inside the IoT network, am I right? Or is communication between all devices inside the IoT network already allowed?
And if not, could you tell me the right setting to allow it?
Correct, they can't communicate. There are multiple ways to handle this. One is to just connect to the IoT temporarily and do your setup, or create a firewall rule that allows one-way access from a device on your main LAN to the IoT network.
Do the switches need VLAN support or will any normal switch fit for the setup? Not sure if you said anything about that.
Due to the firewall settings which separate those networks, any normal (non-VLAN-tagging) switch would fit for that, right?
Thank you in advance
@@ChrisSch258 These do not have to use VLAN, and the ports can be configured any way you want. Great question.
Mike, Do I need to use 2 separate switches?
Thanks for the video that is easy to follow and more importantly, makes sense to a newbie like me.
Great to hear. Yes, you should use two low cost switches.
Fantastic video Mike! Great step-by-step tutorial. Don't think I could have figured out those steps myself. Couple of questions - (1) at 24:42 in the video, the diagram shows the IOT DHCP as 10.10.10.x .. should that be 10.0.0.x? (2) I'm going to use existing routers in place of your 'main switch' and 'IOT switch'. Can I just change the addresses of my two routers to 192.168.5.1 and 10.0.0.1 respectively and expect it to work without other modifications? Thank you
Yes, you are correct, it should be 10.0.0.X. Your existing routers can be set to a static IP or let them get DHCP from the EdgeRouter, which will be in the correct range. Thanks for the feedback, it is appreciated.
@@MikeFaucher Tks Mike .. yes, everything came up and appears to be working fine. On the 'Crown Jewels' router, I used a new SSID and put the old one on the IOT router and that way I didn't have to re-add any IOT devices; they never saw a change. I had the impression that with your config, I should be able to connect to any of the three routers from a computer on the 'Crown Jewels' network in order to make config changes; do backups; load new firmware; etc but I don't seem to be able to log into the IOT router or the 'Y' router .. maybe I'm just not using the right addresses. I should be able to do that right?
@@NSX2398 The reason is that you are using a router instead of a switch, and its "Internet" port is connecting to the ER-X LAN side. So you are being blocked by the IoT router, because to it, it appears you are connecting from the "untrusted" internet. There is also NAT, so you would have to have port-forwarding on the routers connected to the "LAN side" of the ER-X. In my opinion, you would be better off using switches instead of another router, if you want to be able to connect to your "IoT LAN" from the "Home LAN".
Hi there. Very nice video, it did help me very much. But I want to ask you if it is possible to add my TP-Link C1200 router in bridge mode to all my IoT, on the 10.0.0.1 network, so all the wifi will run on the IoT network. I have an EdgeRouter X-SFP. 🙂
I have not used the C1200 but I believe it can. Doing a bit of searching I found this (th-cam.com/video/Cg_gGECGLiY/w-d-xo.html). The mode you want is called access point mode. Hope this helps.
Excellent Stuff, I have now separated networks! Keep up the good work 😃
Thank you and glad it worked out. I appreciate the feedback.
Mike Faucher, is it okay to connect the guests to my IoT 10.0.0.1/24? All my devices are connected to this, except my game console and my laptop, which I control everything from on 192.168.5.1? Thank you
@@LBUK. The best is to have your guest network on a separate VLAN, or put it on the network that has your IoT, but I would not put it on the network that has your main devices on it. I hope that helps.
Mike Faucher, I forgot to mention this is for a home network. I don't mind my friends' (guest) devices connected to my IoT 10.0.0.1/24 with my devices, mobiles/tablets/etc., as long as they can't get into my router GUI and connect to my devices, if that makes sense.
@@LBUK. That will work for now but I would still look into a separate VLAN for your guests in the future. The other option depends on what type of access point you are using, as ones like the UniFi have great isolation for the guest network built into the access point. Thanks for the discussion.
Are firewall rulesets needed when a VLAN is set up?
For everything to work correctly, yes.
Hello Sir, is it possible to connect an ADSL modem to an EdgeRouter X SFP? And which is better, EdgeRouter X or EdgeRouter X SFP? Thanks
If I were buying something today, I would buy one of the Ubiquiti UniFi gateways. Much easier and more flexible. As for ADSL, I assume you can, but I have not used ADSL in many years so I would need the modem model number.
@@MikeFaucher Thank you very much for your quick feedback. I am currently using a D-Link DIR-650IN N300 300Mbps wifi router to connect my two laptops, a Synology NAS and a Raspberry Pi 5.
Could you suggest a Ubiquiti UniFi gateway model that is not expensive? Cordially.
Great video. I would like to see you zoom in on what you are working on in the screen.
Thanks for the idea! Appreciate it.
Greetings Mike;
As someone who never owned an EdgeRouter, but wishes to learn on as many network gear brands as possible, I would like to ask you a question, as you sure seem to know a lot.
If I understand correctly, the first two "rulesets" basically block all inbound traffic into eth1 (into the main network) from other networks that are in the "protected group" that you created in the beginning of the video (so the IoT network) AND ALSO allow all inbound traffic from other networks (WAN).
The second two "rulesets" force network isolation between IoT and Main; AND ALSO mean DNS, DHCP passthrough.
The thing I am not sure about is whether the devices on IoT can talk to each other locally (so for example: could a motion sensor on 10.0.0.15 talk to a light on 10.0.0.20), so the only locally blocked traffic is through the router (address 10.0.0.1 and beyond into the MAIN network)?
As I do not own ER-X (or any other EdgeRouter) hardware, I cannot test it myself, but would really like to check.
I am more used to the Netgear and Cisco workflow, which would only block traffic through the router.
Anyhow, thank you in advance and best regards!
Good question. Anything on the same subnet (10.0.0.XXX) would be able to communicate with each other and that is typically what you want. It would not be able to talk to another subnet such as 192.168.5.XXX. Hope that helps.
Great video. I tried this, but from my main LAN, I am unable to get to the AP connected to the IOT port. To access the AP, I had to be on the IOT network. What firewall rule should I add or reconfigure so that I can get to the AP @10.0.0.40? I can ping 10.0.0.1 from Main LAN, but no other leases.
Help appreciated
One of the tradeoffs with isolation. I set this up for someone; they actually attach to the IoT LAN through the AP, do their maintenance and then connect back to their main network. Inconvenient but the safest way. You can create a firewall rule that has one-way communication to the IoT network or a specific IP, but if I recall it is tricky. I have moved this setup to my daughter's house so unfortunately I can't give you step by step. As you are doing this for isolation, I would ask yourself if you really need to. Thanks and let me know what you end up with.
Hey Mike, was able to resolve this by adding a small firewall rule addition in the guestIN.
Now, I want to block guest client accessing the AP connected in the guest network. Say, clients in 10.1.1.1/24 cannot access 10.1.1.2:80 which is the Access point. Any tips on this?
@@invictuslegend4405 Awesome. Thanks for letting me know.
I have a couple simple questions:
1) I assume at 13:25 where you were working on the firewall rules and said you were "adding your lab network because that's your default network" - the 192.168.0.0/24 is equivalent to the default ISP IP address range if the ER-X was put directly behind the ISP cable modem acting as the DMZ into the rest of your network?
2) There are places where defining IP ranges - ER-X requires an "x.x.x.1/24" definition and others where it wants a more typical CIDR block - "x.x.x.0/24". It's not clear to me why that is. It seems the Router OS wants some IP definitions as a bounded range and others as a normal CIDR block.
That address ("192.168.0.0/24") came out of the blue for me (it wasn't part of your nice physical architecture explanation in the beginning). I ask because I'm at that step and making an educated guess how to translate my setup into yours. I started days ago and did a couple of things differently because I have the SFP model and used that 6th port as another switch port vs a fiber uplink and that's my Internet port (eth5), plus my LAN is 10.x vs 192.x like your example.
Really well done, including the write-up (it would be good to put that link in the write-up below the video - although it made me go fishing on your blog and I snagged some info for later on upgrading my home lab servers to 10GB network).
To clarify at 13:25, that network is what the other two are feeding into not the ISP. This router was set up to connect to an existing LAN and not directly to the internet. I am not sure why it is looking for two structures. I would think it should be consistent.
The 192.168.0.0/24 actually is part of my physical network because of the two LANs into one LAN, which most people will not do. Hope that helps and thanks for the question.
Hi Ian: I'm wanting to set up 3, maybe 4 VLANs. Here is the issue I'm not sure about. I have a Cisco Router SV260W with a default gateway of 192.168.123.254. I have an Ubuntu web server static on 192.168.123.104. I am forwarding ports 8083 and 8080 to that address as well for the server. So I would like to leave that setup alone if possible. I have the following Ubiquiti equipment: 24 port PoE switch, an 8 port 60 watt switch, 4 of the 5 port mini Flex switches. I'm wanting the following VLANs: one for IoT, one for guest wifi access and one for my main LAN, like doing my video editing. I also have a Cloud Key Gen 2. Do I have to set the VLANs in the Cisco router and the 24 port switch? I even thought of changing over to an EdgeRouter X. So looking for some ideas on implementing.
Doing it without adding another jump such as the edge router is the simplest way so based on the equipment you have I would set up the VLANs using that. The main process will be to create the VLAN interfaces in your router, then assign the ports or your managed switch to use it. I am not familiar with that equipment so I can't really help much more but maybe someone else could inject some advice.
Mike Faucher, I guess my main wonder is do I have to set the VLANs up in the Cisco router first? Or do I not worry about the router and set them up in the switch? If I set the address for the VLANs in the 172.*.*.* or 10.*.*.* range, will having the router on 192.168.123.254 keep those ranges from coming through? I've always been told the only stupid question is the one you don't ask.
@@dr.mikehughes9874 You have to setup the interface and DHCP in the router and then configure the switch. Although this is a different firewall, check out this video as it may help. th-cam.com/video/fjLQsXFm93M/w-d-xo.html
You really helped me a lot
Glad to hear it. Thanks for the feedback.
Excellent presentation. I have a couple of questions though. 99% of IoT devices are wifi only so we need access points to connect them to the Internet. So if we are to isolate them through a separate switch/cable/network, then we effectively dedicate access point(s) to servicing IoT devices only. I'll have to install double the number of APs at home to create a mesh to support both IoT and normal devices.
Also the method we see here assumes we will be controlling these IoT devices through Internet Cloud only. But if we lose connection to the Internet, then we can no longer control our IoT's which is a pity, because nowadays a good number of them will fall back to control via the local network if they sense they have no Cloud connection.
I think using VLANs and switches/APs that can support VLANs is a more efficient way to isolate IoT stuff. Most likely cheaper too in some cases.
VLANs are a much better way if you want to isolate and not duplicate APs. This is just a low cost way of doing it. Using a system (firewall, APs, switches) is easier but more expensive. Thanks for the feedback.
Mike, thanks for this video, it was really a help in trying to manage the EdgeRouter. I'm pretty new to networking but have built a server etc. but cannot get "eth1" to come live. eth2/3/4 are fine. I have checked and checked. The only thing I can think of is that my service provider uses PPPoE with a VLAN of 835. Could this be affecting something I'm not aware of? I realise, of course, that PPPoE is a pretty limited service in the US but here in Europe it's very popular. Any assistance would be helpful. Thanks in advance
I was not aware of that. I am assuming that eth1 is your WAN? Is it set to DHCP or static? The issue is probably in the firewall rule that allows traffic, but I am not sure what the solution would be without seeing the entire configuration. One thing that may be worth a try is posting it on Reddit or reaching out to Ubiquiti for some things to try.
Hi, this setup worked really well until my ISP reset my modem. Now I'm not able to connect to the internet via the router at all. I see the IP address provided by the ISP on eth0, but no internet connection from my browser. Any advice would be greatly appreciated.
Normally it should not have affected it. Did you try to reboot the router?
Very strange. Not sure what advice to give you on this one without seeing your exact setup.
What's the advantage in doing it like this over using VLANs? I was thinking to do this with VLANs instead but now I'm not so sure.
You are right and you can use either way. It is mostly personal preference and situation. Using this method may be easier for some and eliminate the need for managed switches. In the end, it is a personal choice. I use both in my network. Thanks for the feedback.
@@MikeFaucher Thank you, your video and reply are very informative to me.
@@demasa Glad to hear and thanks for the feedback.
The primary advantage of not using vlans is that it is simpler. There are advantages of vlans and using the vlan-aware switch0 mode, especially if you are using a wifi access point that is vlan aware, and you want to have multiple SSIDs e.g. IoT and Home, and each of these SSIDs would be associated with a vlan. Then you can have dumb switches attached to a vlan access port for IoT and another for Home, and another trunk port connected to the vlan-aware access point. Under the hood, the ER-X uses high vlan ids to "remove a port from switch0". If you have an ER-X you can see this from the CLI with the command /sbin/switch vlan dump and look at vlan ids 4088-4094. There is quite a bit of info on the Ubiquiti forums under EdgeMAX tag.
Hi Mike, great video, I want to ask, if I want to allow devices on the IoT network (10.0.0.x) to access a particular service on the Main network, (e.g. a MQTT broker 192.168.5.x:1883 or a PLEX server), how do I go about opening up that connection? Many thanks.
You will have to create a specific rule just for that device. The rules we create in the video are global and block everything. As the firewall reads rules from top to bottom, putting a unique rule above should take precedence. Good luck.
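One way to write that one-way exception in EdgeOS CLI terms, as an added example that is not the video's own configuration: it keeps IoT-to-IoT traffic untouched, lets replies to sessions started from the main LAN back in, allows only the MQTT broker, and drops everything else toward the protected networks. Assumed: the IoT port is eth1 (10.0.0.0/24), the main LAN is 192.168.5.0/24, the broker address 192.168.5.20 is constructed, and the ruleset name IOT_IN is mine (ProtectedNET is the group name from the video).

```text
# Added example, not the video's configuration. Assumptions: eth1 = IoT port
# (10.0.0.0/24), main LAN = 192.168.5.0/24, MQTT broker 192.168.5.20 (constructed),
# ruleset name IOT_IN (assumed). ProtectedNET is the network-group from the video.
configure

# Every subnet the IoT devices must not reach goes in the group (add other LANs here).
set firewall group network-group ProtectedNET description 'Networks hidden from IoT'
set firewall group network-group ProtectedNET network 192.168.5.0/24

set firewall name IOT_IN description 'Traffic entering the router from the IoT port'
set firewall name IOT_IN default-action accept

# Rule 10: replies to sessions started from the main LAN are allowed back in.
# This is the "Accept Established" rule; it is what makes the access one-way.
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable

# Rule 20: the single exception. Its number is lower than the drop rule, so it is
# evaluated first (rules are read top to bottom and the first match wins).
set firewall name IOT_IN rule 20 action accept
set firewall name IOT_IN rule 20 description 'IoT -> MQTT broker only'
set firewall name IOT_IN rule 20 protocol tcp
set firewall name IOT_IN rule 20 destination address 192.168.5.20
set firewall name IOT_IN rule 20 destination port 1883

# Rule 30: everything else from IoT toward the protected networks is dropped.
# Traffic between two IoT devices (10.0.0.x to 10.0.0.y) never crosses the router,
# so it is unaffected by this ruleset.
set firewall name IOT_IN rule 30 action drop
set firewall name IOT_IN rule 30 description 'Block IoT to protected LANs'
set firewall name IOT_IN rule 30 destination group network-group ProtectedNET

# "in" filters traffic forwarded through the router. Packets addressed to the
# router's own IoT-side address (10.0.0.1) take the "local" direction instead and
# need their own ruleset if they are to be limited as well.
set interfaces ethernet eth1 firewall in name IOT_IN

commit
save
exit
```

After committing, the ping test from the IoT side should still fail for any main LAN host other than the broker, and only TCP 1883 should succeed there.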
What is the purpose of the "Accept Established" with "accept" action rule if it's already defined on BlockIN as a default accept action?
The BlockIN is just a grouping where the Accept Established is a specific rule. Thanks for the question.
Beautiful, Thank You Sir!
Thank you for the feedback. I appreciate it.
Hi, I have an EdgeRouter X with firmware 2.09. I use WAN 1 and WAN 2. WAN 2 is Starlink. Normal speed on WAN 2 is 200 Mbit download and 20 upload. With my Ubiquiti router the speed is limited to 60/70 Mbit download, why?
I have enabled/disabled ipsec and hwnat but the problem is always the same.
Thanks a lot for the help.
This sounds like possibly hardware configuration. There are a few things I can think of. First, the two WANs you configured may conflict. Have you tried with just one connected? As the EdgeRouter is capable of 800+, you may have a device on either the LAN or WAN side that is slowing up your entire connection; it could even be a cable. I would start with a single device and WAN and start isolating the issue.
@@MikeFaucher Yes, I have tried only WAN 2 without connecting other devices on the LAN but the problem persists. If I understand correctly, hwnat is a hardware acceleration setting but it does not work...
I use a Cat 5e cable and if I use this cable directly from the Starlink router to my PC the speed test works fine.
@@88eleaffar Not sure what else can be wrong. I would try a factory reset with one WAN connection to see if it is the EdgeRouter. It definitely should not perform that slow. I no longer have it to list my settings, as I went to the UDM SE a while ago. Sorry I could not be more help.
Thanks Mike
Thanks for the feedback!
I followed along but my IOT network is still able to ping my main router IP. Everything else is blocked though as expected. Any idea what might be wrong?
Without knowing your exact configuration it is hard to tell but the issue will most likely be in your firewall rules.
Hi. This is a very good and highly commendable tutorial. My only question is, with this configuration, would I be able to access my IoT devices from:
Within the home network:
Would my IoT apps (Alexa/Tuya/Samsung/Philips) be able to discover my IoT devices on the IoT network? The phone or tablet where these apps are installed is supposed to connect to the home network and not to the IoT one. In that case, do I need to ask the apps to rediscover the devices (since they will have been moved from the home network to the IoT network)?
Outside:
Let's say I'm travelling and would need to check my IoT devices back home. Would the aforementioned IoT apps be able to connect over the internet and establish a connection with my IoT devices?
Thanks and keep safe.
Great question. The answer is mostly yes. You will most likely have to temporarily connect your phone or mobile device to the IOT network to perform the initial configuration but after that, it should work as most go through the internet as well as wifi. Some devices are more temperamental than others. The ones that might be an issue is something that pulls from another device locally such as a Roku pulling movies from a local Plex server, otherwise, you should be OK. I have my Alexa, google home, Rokus, and Samsung TVs on my IOT with no issues. Thanks for the question.
@@MikeFaucher Thank you. Come to think of it, I also have a Plex server on my home network. What happens then to my Roku/Fire TV/Apple TV devices if I move them to the IoT network? Have you discovered a configuration with the Edge-X router to maintain your Plex server on the protected network while being accessible to streaming devices on the IoT network?
Moving the Plex server to the IoT network isn't really advisable, because this will sever access by mobile devices (laptops/smartphones/tablets) on the protected network. My family will murder me if they lose access to Plex. 😂
Great video! You stated that we could download the document on your website, but I can't find that website.
The document I was referring to was the blog post which goes through these steps. You can find it at thedocsworld.net/edgerouter-x-securing-yourself-from-iot-devices/. Sorry about the confusion; I have updated the video description to include it. Thanks for pointing it out.
Wouldn't this stop things like Google Home from being able to control other smart devices like a Philips Hue?
Mostly no. Many IoT devices do not communicate directly and bounce off a cloud service. There are always exceptions though. Alexa and Google Home work fine. Remember that this is the purpose of the isolation. If things can communicate directly they are not isolated. Great question.
Thank you so much for this video, this answers loads of questions. One or two still remain though... Is it possible to see which of the wizards have been run, or can I just re-run the wizard without destroying the settings that I have? I see that I can preserve my credentials if I run the "WAN + 2LAN2" option, but will it reset everything back to a clean install or will my sets of rules be there when it reboots?
I have not tried this when I was trying to preserve my settings but when I was experimenting I am pretty sure it reset everything. Great question and sorry I could not be more specific.
@@MikeFaucher As long as I don't ask idiot questions I'm ok :) ... Thanks for your answer... I'll try to figure out how to create an IoT VLAN wireless somehow and that way I won't need to brick my EdgeRouter. Creating the SSID with VLAN and DHCP isn't that hard, it's the firewall rules to get it to work I haven't figured out yet :) ... It is the communication over different VLANs (from PC and device network to IoT) where my talent ran out (haha). Just have to google it some more.
Thank you sir. Actually I am going to implement a UBNT system in our hotel, so this will be very helpful at this time. If you can, please upload a video regarding UBNT controller setup and guest portal. Thank you
The controller review is actually on my agenda to start soon. Thanks for the feedback.
Excellent video, I'll be hoping for the controller one soon :)
Angel Rocha Thank you for the feedback. Stay safe.
Excellent video Mike on the EdgeRouter setup and also your videos regarding the QNAP QGD-1600P (all-in-one) NAS-with-managed-switch device. Have subscribed and am suggesting my tech friends do the same on your channel.
QUESTION -- (which may help other subscribers who follow your QNAP QGD videos) --- Similar to your goal in this video of isolating IoT devices from the rest of your local LAN, my goal is to isolate Netflix's ethernet data stream received by our Samsung TV over a 1-gB CenturyLink FttH internet link - from the rest of our local LAN network which will be behind a pfSense firewall running on my QNAP QGD-1600P in VirtualStation and connected using physical ports on the QGD-1600P managed switch.
I am worried about overloading the VM pfSense firewall with both a torrent of NetFlix data packets sent to the Samsung TV and regular internet packets addressed to the computer devices on our local LAN. I do not worry about the health of the Samsung TV, but certainly do about the other devices on our LAN and want the pfSense to focus on protecting our local LAN devices not the Samsung. Some users have concerns that Samsung TV's phone home with logged traffic and usage patterns and are not to be trusted on a local LAN similar to concerns regarding other IoT devices.
Your video has me thinking I might be able to connect the CenturyLink internet ONT's ethernet port (WAN, login with PPPoE), with a port on the Edge-Router-X and then a second port of the Edge-Router-X feeding the Samsung TV with Netflix packets and a third port of the Edge-Router-X feeding a port on the QGD-1600P configured as a WAN input to pfSense ... which protects the rest of our local LAN connected to the managed switch half of the QGD-1600P.
SUMMARY: so the EdgeRouter X would perform the function of a splitter (switch with PPPoE login for the ONT) to feed a low security data stream to the Samsung TV ethernet port and a high security data stream through the pfSense firewall running on the QGD-1600P safeguarding everything else on our local LAN. Does this sound reasonable-ish?
Thanks
Wait till he hears about VLANS 😂
Thanks.