
I was wondering how well this would work out


G+_Brandon M

I was wondering how well this would work out. I was considering setting up a separate router for all of my IoTs inside an existing network. I wanted to put them on their own subnet to prevent devices from the parent network from touching them.

 

Later on I also want to build a firewall on the IoT network to monitor exactly what the IoTs are sending (probably will have issues with TLS, but we'll see).

 

So the question is: if I set up routerA (192.168.1.x) with routerB (192.168.2.x) on the network, then unless I set up specific route paths, devices on routerA can't talk to routerB and vice versa?

 

And will placing these devices on their own network screw up their functionality? (I know it will probably break apps that require being on the same network.)


Q1 yes. You would need to set up static routes. Not a bad idea since you can limit which devices can talk to who. (works best with static IPs/DHCP reservations)

 

#2 is somewhat answered by #1. Your cell, tablet, PC, etc. won't be able to control them without the added routes, or without going out to the internet and back in (kludgey), or jumping over to the IoT LAN.

 

This is why I think IoT needs a central server/gateway to handle requests, firewall, etc. of these IoT items. The devices shouldn't talk to the internet, but to the server. Keeps the security and segmentation centralized and consistent. (My setup is basically that way on a flat LAN, but it's older devices, 1/2 of which I rolled my own.)
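
Added example, not written by anyone in this thread: a small model of the "limit which devices can talk to who" idea from the reply above, as a default-deny allowlist keyed on DHCP reservations. The /24 masks, device names, addresses and ports are constructed assumptions, and only new connections between the two subnets are modelled (return traffic is assumed to be handled by the router's connection tracking).

```python
import ipaddress

# Subnets from the thread; the /24 prefix length is an assumption.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
IOT_LAN = ipaddress.ip_network("192.168.2.0/24")

# Constructed DHCP reservations (hypothetical device names and addresses).
RESERVED = {
    "192.168.1.10": "admin-pc",
    "192.168.1.20": "phone",
    "192.168.2.50": "smart-plug",
    "192.168.2.51": "camera",
}

# Constructed allowlist of new connections permitted across the boundary:
# (source device, destination device, protocol, destination port).
ALLOW = {
    ("admin-pc", "smart-plug", "tcp", 80),
    ("admin-pc", "camera", "tcp", 554),
    ("phone", "smart-plug", "tcp", 80),
}


def side(ip):
    """Name the subnet an address belongs to, or None if it is in neither."""
    addr = ipaddress.ip_address(ip)
    if addr in MAIN_LAN:
        return "main"
    if addr in IOT_LAN:
        return "iot"
    return None


def decide(src, dst, proto, dport):
    """Classify a new connection as 'local', 'allow', 'deny' or 'out-of-scope'."""
    s, d = side(src), side(dst)
    if s is None or d is None:
        return "out-of-scope"   # Internet-bound traffic is not modelled here
    if s == d:
        return "local"          # same subnet: switched, never crosses the router
    rule = (RESERVED.get(src), RESERVED.get(dst), proto, dport)
    return "allow" if rule in ALLOW else "deny"   # default deny


if __name__ == "__main__":
    for flow in [("192.168.1.10", "192.168.2.50", "tcp", 80),
                 ("192.168.2.50", "192.168.1.10", "tcp", 80),
                 ("192.168.1.77", "192.168.2.50", "tcp", 80)]:
        print(flow, "->", decide(*flow))
```

A host without a reservation never matches a rule and falls through to deny, and the "local" result shows what the subnet boundary does not cover: devices on the same subnet still reach each other without passing the router.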


I figured I wouldn't have to make a whole lot (if any) static routes since I'm hoping to control IoT devices through something like Alexa. But yeah, I do agree IoT needs a third-party gateway, but the ones that I've seen from a security setting are horrible. One service, I forget which, allowed a user to send a command to a device (an outlet, I think) over the internet with only knowledge of the MAC addr. Talk about RCE haha


Also, if you have cheap power and an unused PC or two, you could install pfSense on it as the router/firewall. Granted, I'm an unashamed pfS apologist, but it has great granular control and traffic monitoring capabilities, and the community in the forums is amazing. It can handle multiple subnets, and is what I use at home and work. It doesn't take much on the hardware side, so if cost is an issue and/or you have unused hardware lying around, you may want to try.
