I want to separate all iot devices from other devices in home network

[curiousv]

Please advise what is the best way to separate all iot devices from other devices in home?
I have following

1. Docsis 3.0 Modem
2. tp link archer A7 router and another spare router which also have 2.5 and 5g bands
3. poe nvr
4. two poe ip camera
5. two non poe ip camera

If I need to buy other device(hardware) I dont mind but I would prefer to work with what I have
apart from poe nvr recording locally - at times I want to be able to view all iot devices remotely when I am away from home.

 

[TonyR]

A VLAN would probably be the most secure but you could "run what you brung" and use the Guest network feature in that TP-LINK Archer A7 router, un-check "Allow guests to access my local network", put all the IoT devices on that Guest network.

 

[TonyR]

The POE cams on the POE NVR are likely isolated from the Internet by the NVR's virtual server but not the non-POE cams....that could likely be worked out in the router as well.

 

[Ri22o]

As part of my moving from SmartThings to Hubitat for my home automations I needed to find a solution for my wireless devices (I was using SmartThings as my wireless mesh as well). I already had my Ubiquiti EdgeRouter-X set up with a segregated LAN for my work PC. I ended up patching this over to one of my rack mounted switches for anything that as wired but then I created a VLAN through the Ubiquiti APs (what I replaced the ST mesh with) and use this for any of my IoT devices. I used a VLAN tag to attached it to the ruleset that I already had in the ER-X and now anything on the IoT SSID or plugged into that specific switch can only see the internet and nothing else on the network.

 

[fenderman]

There are many ways to skin this cat. But I am assuming from the question itself that you want something easy. These 2 synology routers support vlan which will allow you to easily create isolated networks. Its as easy as clicking a check box to isolate the network. You can assign the 4 lan ports to specific networks and you can have isolated wifi networks. Plus they include various security measures like threat prevention (need to plug a usb drive in the back to store the definitions).

https://www.bhphotovideo.com/c/product/1705703-REG/synology_rt6600axtri_band_4x4_wi_fi_6.html/?ap=y&ap=y&smp=y&smp=y&lsft=BI%3A5451&gclid=CjwKCAjw7c2pBhAZEiwA88pOF0WtTGQNfl3xuWMdLxXJFTB9CPUE_g8f6IQ1k85JnmAkIiilZh5OLRoCfNcQAvD_BwE

https://www.bhphotovideo.com/c/product/1733036-REG/synology_wrx560_dual_band_wi_fi_6.html

 

[curiousv]

There are many ways to skin this cat. But I am assuming from the question itself that you want something easy. These 2 synology routers support vlan which will allow you to easily create isolated networks. Its as easy as clicking a check box to isolate the network. You can assign the 4 lan ports to specific networks and you can have isolated wifi networks. Plus they include various security measures like threat prevention (need to plug a usb drive in the back to store the definitions).

https://www.bhphotovideo.com/c/product/1705703-REG/synology_rt6600axtri_band_4x4_wi_fi_6.html/?ap=y&ap=y&smp=y&smp=y&lsft=BI%3A5451&gclid=CjwKCAjw7c2pBhAZEiwA88pOF0WtTGQNfl3xuWMdLxXJFTB9CPUE_g8f6IQ1k85JnmAkIiilZh5OLRoCfNcQAvD_BwE

https://www.bhphotovideo.com/c/product/1733036-REG/synology_wrx560_dual_band_wi_fi_6.html

Why do you suggest the routers you suggested ...my tplink openwrt flashed archer a7 is not good enough?

 

[fenderman]

Why do you suggest the routers you suggested ...my tplink openwrt flashed archer a7 is not good enough?

obviously not if you have to ask if it is.
open/ddwrt only supports vlan with certain processors...i dont think the archer supports that capability..spend a couple of bux your life will be easier and you will have a more secure setup all around.

 

[The Automation Guy]

TonyR has posted a very easy solution. I would suggest that you go down that road.

In an ideal setup, I would set up at least three different network subnets: main/trusted, IOT with internet access, and IOT without internet access. That is very hardware dependent however. Not only does your firewall/router need to support VLANs, but your wireless AP needs to be able to broadcast/support multiple wireless networks and VLAN tagging to ensure the traffic on each wireless network can be isolated via VLANs from the rest of the network traffic.

 

[OakleyFreak]

You can install a asus ax86u.
It allows for a guest network that is a vlan. I do this and have all iot devices on the vlan away from my main