top | item 35042738


soebbing | 3 years ago

I actually thought about that for a minute when I set up my home network a while ago, but that seems to be a pretty hard (or at least inconvenient) problem.

Often I need to access a device from my local network (think: use my phone to control Wi-Fi LED strips, Sonos speakers, etc.), which makes it impossible (I guess?) to separate these devices into their own network completely (if they aren't controlled by an online service in general). Or is it possible to allow access from my trusted network INTO the restricted network, but not the other way around?

Total network noob here, in case you haven't figured that out yet. :)

wyager | 3 years ago

> Or is it possible to allow access from my trusted network INTO the restricted network

Yes, my home network works exactly like this. I have a vlan called "trusted" which can connect to any other vlan. One line in pf.conf.

My VLANs are something like: trusted, guest, media, cameras, printer, etc.

Many of these aren't allowed inbound or outbound connections (e.g. cameras and printer can only talk to things on their subnet).

Only downside is that stuff that works off broadcast packets (like bonjour) does not work across subnets.

kube-system | 3 years ago

There are mDNS repeaters that can in some cases make bonjour work across different networks. In my experience I spend more time fighting with mDNS than I do enjoying it.

labcomputer | 3 years ago

Each of the VLANs is (or can be) just another network from the router's and firewall's perspective. So you just have to set up appropriate firewall rules to allow traffic between the networks that you want to communicate.

You could, for example, allow only TCP traffic initiated by hosts in the "normal" VLAN to hosts in the IoT VLAN. So IoT stuff can't initiate outgoing connections to any other network, and can only receive TCP connections from one network.

You can also set up an mDNS reflector on your router if your IoT devices use that (e.g. HomeKit) to send data proactively back to "normal network" hosts.
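The "one line in pf.conf" that wyager describes and the stricter TCP-only variant labcomputer describes, written out as an added example of an OpenBSD pf.conf. This is not any commenter's actual configuration: the interface names (em0, vlan10/20/30), the subnets and the segment names are assumptions, and it assumes a router that terminates one 802.1Q sub-interface per VLAN.

```pf
# Added example, not from the thread: one VLAN sub-interface per segment.
# Interface names and address ranges are assumed.
wan     = "em0"
trusted = "vlan10"     # laptops, phones (the "trusted" / "normal" VLAN)
iot     = "vlan20"     # LED strips, speakers, HomeKit gear
cameras = "vlan30"     # cameras and printer: no routed access at all

# Private ranges, used so IoT can reach the Internet but no other segment.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo

# Source NAT for anything leaving toward the Internet.
match out on $wan inet from ! ($wan:network) to any nat-to ($wan)

# Default deny on every interface in both directions. pf states are floating
# by default, so a flow passed in on one VLAN also passes out on another.
block log all

# wyager's "one line": the trusted VLAN may start connections to any other
# VLAN and to the Internet. "pass" keeps state, so replies return on their own
# and nothing else needs a rule.
pass in on $trusted from $trusted:network to any

# labcomputer's stricter variant: only TCP, only toward the IoT VLAN.
# Use this instead of the line above if the "normal" VLAN should not reach
# other segments at all.
# pass in on $trusted proto tcp from $trusted:network to $iot:network

# IoT devices may reach the Internet (cloud-controlled gadgets) but not any
# private range, so they cannot initiate toward trusted or cameras.
pass in on $iot from $iot:network to ! <rfc1918>

# The cameras VLAN has no "pass in" rule at all: devices there can only talk
# to each other at layer 2, which never crosses the router (the downside
# wyager mentions: broadcast/mDNS discovery from trusted does not reach them).
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `block log all` line means every dropped IoT-to-trusted attempt shows up on `pflog0`, which is the easiest way to confirm the isolation actually holds before relying on it.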

throwaway742 | 3 years ago

> Or is it possible to allow access from my trusted network INTO the restricted network, but not the other way around?

Yes