Looking for assistance with IOT segregation on Unifi APs and EdgeRouter-X

[Ri22o]

I am wanting to move away from my SmartThings mesh hubs for Wi-Fi and automation. The hubs are no longer available and I am wanting to increase my wireless coverage. They have also become a little less reliable for my automations since ST no longer supports WebCore.

This is my current network scheme:


One nice feature of the ST hubs was with one SSID I could assign different passwords for varying levels of access. If you entered PW1 when attempting to log on to My_Wifi it would give you full access, PW2 would treat you as a guest, and if you entered PW3 it would allow only internet access. Presently all of my IOT devices are on the main network, whether it be wired or wireless, with a few recently migrated to PW3 for only internet access. I also just started working from home and wanted my work PC to be segregated. I followed the steps in the video below to put rulesets in place to give the .10.XX subnet access to only the internet and nothing else on the network.

Going forward, and my question:

I am looking to go with Ubiquiti Unifi 6 Lite APs (no other Ubiquiti/Unifi equipment other than the ER-X) . During this change over process I am also wanting to segregate my IOT devices to internet only. For wired devices I plan to replace the desktop switch with a larger rack mount switch and patch the devices over to the .10.XX subnet. For the wireless devices, I am not sure how to accomplish what I am thinking. Ideally I would like to create an IOT SSID and point it to .10.XX and be done, but how possible is this with what I have already created/setup in the ER-X (from the video)? The APs would be on the Eth-2 and Eth-3 ports.

 

[The Automation Guy]

I didn't watch the video, but I think long story short you are going to have to learn about VLANs.

The Unify Wi-Fi APs (and comparable brands like the TP-Link EAP line) allow you to broadcast more than one SSID/network on the same wireless AP. You can also "tag" each unique wireless network/SSID with a unique VLAN tag so the traffic from that particular wireless network can be routed differently than traffic from the other wireless networks. It is quite easy to create an "IOT with Internet" wireless network and VLAN while also creating a different "IOT without Internet" and "Trusted Devices with Internet" wireless networks and VLANs as well. You'll need to create firewall rules in your firewall/router for each VLAN to ensure traffic is routed only where/how you want. All of the AP's VLANs will travel down the single wire from the AP to the switch. Your switch must at least be "VLAN aware" (if not a full "managed switch") so that it can forward that traffic with the VLAN tags intact to the router which reads the VLAN tag and routes the traffic appropriately. A regular "dumb" switch will drop the VLAN tag and all of the traffic will be mixed together breaking the VLAN segregation, so you can't use those in situations where the switch is going to see traffic from more than one VLAN. You can still use "dumb switches" if all of the devices connected to it are all in the same VLAN. You'll just need to setup the network port that the dumb switch is plugged into properly to assign the VLAN tag to all of the incoming traffic from that dumb switch because the switch itself will not tag the traffic as it leaves the switch.

In your specific case, if you want to be able to plug a basement AP into the basement switch, a first floor AP into the first floor switch, and a 2nd floor AP into the 2nd floor switch, then all three of those switches need to be VLAN aware or even better a fully managed switch. If you already have those network cables homerun back to the basement and can plug all three APs into the basement switch then only the basement switch needs to be VLAN aware. If you can plug them all directly into the EdgeRouter, then none of your switches have to be VLAN aware for the different wireless networks to route data correctly. However once you start learning about VLANs, you'll quickly realize how beneficial they are and will likely want to start using them on your wired devices as well. In that case, your switches will likely need to be VLAN aware except as noted above (where the devices plugged into a switch are all in the same VLAN).

Hopefully I answered your question (and not some tangent because I didn't understand your actual question)!

 

[kjinxx2]

Agreed w/ @The Automation Guy

I personally use PFSense paired w/ ubiquiti switches & access points.

I will say that for the most part having a separate IoT VLAN is very easy, but there are some steps you need to take w/ your firewall & router to ensure that your IoT devices are still permitted to broadcast their mDNS to your home lan subnet - otherwise you will not detect them while on a separate subnet. On PFSense I use Avahi to assist with that task. Some devices really don't play nice and I have to allow specific ports to communicate from my IoT VLAN to my Home VLAN. Sonos speakers are truly a pain and I plan on just moving them to my Home VLAN despite the security risks.