Recommendation on a way to isolate "unsafe" IoT devices

I have some bulbs which I want to isolate from my network.
Any recommendations on a tool or method to do that?
Thanks!

I usually use the “guest” network, but my router died, and I’m using the ISP router for now, which has no “guest” mode.

Normally people use VLANs to segregate potentially unsafe IoT devices from your trusted devices.

Typically there are three VLANs people set up: a private VLAN, a guest VLAN, and an IoT VLAN.

For example, you have a private VLAN with trusted devices, and another for IoT.

How you configure VLANs differs slightly depending on the hardware you are doing the VLAN management on. For example, Netgear, Ubiquiti, pfSense and MikroTik are all configured slightly differently in their VLAN management UIs, but the general rules for VLANs are constant; it’s just that the way they are configured in the UI may differ from one vendor to the next. So it’s best to follow guides specific to the hardware you are trying to configure VLANs on.

Just be aware that improperly configured VLANs are susceptible to what’s called VLAN hopping.

It’s possible to allow devices on the private VLAN to communicate with the IoT VLAN, but not the other way around.

Why do that? It’s so you can, say, turn off an IoT light, but the IoT device won’t be able to reach you to do stuff in the event it gets compromised. I think Lawrence used Avahi mDNS in pfSense to do this.

There are a lot of IoT devices where security updates are very lax. They just want to sell you the hardware but don’t spend much on patching these devices to keep them secure. And this is the primary reason why IoT devices should be put on an untrusted VLAN.

Even smart TVs are at risk. It was only later that they added a malware scanner, though I’m doubtful it was ever enough. So even your UHD TV you should add to the IoT VLAN as well, I’m afraid :sweat_smile:

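An added example, not from this thread and not any vendor's own configuration: the three-VLAN policy the post above describes (private may reach IoT and the internet, IoT may never initiate toward private, guest and IoT get internet only) written as an nftables ruleset for a Linux router. The interface names, VLAN IDs, subnets and the `--apply` flag are assumptions for illustration; vendor UIs such as pfSense or UniFi express the same rules in their own forms.

```shell
#!/bin/sh
# Added example (not from the forum thread): a three-VLAN "default drop,
# explicit allow" policy as an nftables ruleset for a Linux router.
# Interface names, VLAN IDs and subnets below are assumptions; the VLAN
# sub-interfaces would be created beforehand with e.g.
#   ip link add link eth1 name vlan10 type vlan id 10
#
#   vlan10  private  (trusted)    10.0.10.0/24
#   vlan20  iot      (untrusted)  10.0.20.0/24
#   vlan30  guest                 10.0.30.0/24
#   eth0    WAN

PRIV=vlan10
IOT=vlan20
GUEST=vlan30
WAN=eth0

# Emit the ruleset. Everything not explicitly accepted is dropped.
ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to connections a trusted device opened (e.g. to an IoT bulb)
    # are allowed back. This is what makes the private->iot rule usable
    # without letting the IoT side open connections of its own.
    ct state established,related accept
    ct state invalid drop

    # Trusted side may reach IoT devices and the internet.
    iifname "$PRIV" oifname { "$IOT", "$WAN" } accept

    # IoT and guest devices may reach the internet only. They cannot reach
    # the private VLAN or each other. The policy already drops this, but the
    # explicit counter rules make attempts visible in "nft list ruleset".
    iifname "$IOT"   oifname "$WAN" accept
    iifname "$GUEST" oifname "$WAN" accept
    iifname "$IOT"   oifname "$PRIV" counter drop
    iifname "$GUEST" oifname { "$PRIV", "$IOT" } counter drop
  }
}
EOF
}

# Sanity check run before applying: the IoT -> private direction must be an
# explicit drop and must not appear in any accept rule.
policy_is_one_way() {
  rs="$(ruleset)"
  printf '%s\n' "$rs" | grep -q "iifname \"$IOT\" *oifname \"$PRIV\" counter drop" || return 1
  if printf '%s\n' "$rs" | grep "^ *iifname \"$IOT\"" | grep accept | grep -q "\"$PRIV\""; then
    return 1
  fi
  return 0
}

# Apply only when explicitly asked (needs root and the nft binary).
if [ "${1:-}" = "--apply" ]; then
  policy_is_one_way || { echo "refusing: policy is not one-way" >&2; exit 1; }
  ruleset | nft -f -
fi
```

The stateful `ct state established,related` line is what makes the one-way rule work: the bulb can answer a request that came from the private VLAN, but nothing lets it open a connection toward that VLAN itself. On the switch side, keep the VLAN-hopping point above in mind: the trunk port to the router should carry only tagged VLANs, with the native/untagged VLAN set to an ID nothing else uses.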

This really isn’t a TrueNAS question; it’s a network setup question. And you’ll likely need a somewhat more advanced router than your ISP gave you to implement it.


VLANs are an obvious answer, especially if the IoT devices are using the cloud for storage. Apple took this to a higher level in its guest network, where guest devices could not “see” or communicate with other “guest” network devices (i.e. full isolation). Some vendors like Ubiquiti allow admins to enable isolation on their APs as well.

Another option is to put fences around certain devices at the router level. For example, my Sonos devices cannot communicate with Sonos.com or any of its sub-domains because they would be bricked by a firmware update. It’s simply a matter of blocking certain device ranges (all my Sonos devices use DHCP to be assigned a specific IP address) from being able to access certain domain names (i.e. black-holing with a regex in Pi-hole).

Then there are devices on my LAN that despite being told to be good little kids try repeatedly to contact the mothership (i.e. Dahua cameras). Those are simply completely cut off from the internet. I could put them on a VLAN, I suppose.

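An added example, not the poster's own configuration: a way to check a Pi-hole style regex block rule of the kind described above before relying on it. Pi-hole evaluates regex filters as POSIX extended regular expressions, so `grep -E` gives the same match verdict; the client addresses are assumptions standing in for the fixed DHCP reservations mentioned in the post.

```shell
#!/bin/sh
# Added example (not from the forum thread): checking a Pi-hole style regex
# block rule and the client list it applies to. Addresses are assumptions.

# Matches sonos.com and every subdomain of it, but NOT e.g. "notsonos.com".
# The leading group means "start of name" OR "preceded by a dot".
SONOS_REGEX='(\.|^)sonos\.com$'

# Devices the rule applies to (fixed DHCP reservations; assumed addresses).
SONOS_CLIENTS="192.168.1.201 192.168.1.202 192.168.1.203"

# Is this source address one of the fenced-off devices?
is_sonos_client() {
  for c in $SONOS_CLIENTS; do
    [ "$1" = "$c" ] && return 0
  done
  return 1
}

# Does the anchored regex match the queried name? (same ERE semantics as Pi-hole)
regex_blocks() {
  printf '%s\n' "$1" | grep -Eq "$SONOS_REGEX"
}

# The naive pattern most people write first. Unanchored and with an unescaped
# dot, it also matches "notsonos.com" or "sonosXcom"; kept here to show why
# the anchored form above is the one to use.
naive_blocks() {
  printf '%s\n' "$1" | grep -Eq 'sonos.com'
}

# What the resolver would answer for (client, domain): BLOCK (black-holed)
# only when the query comes from a listed device AND the name matches.
query_decision() {
  client="$1"; domain="$2"
  if is_sonos_client "$client" && regex_blocks "$domain"; then
    echo BLOCK
  else
    echo ALLOW
  fi
}

# Stand-alone demonstration.
query_decision 192.168.1.201 update.sonos.com   # BLOCK
query_decision 192.168.1.50  update.sonos.com   # ALLOW (not a Sonos device)
query_decision 192.168.1.201 notsonos.com       # ALLOW (regex is anchored)
```

The point of the `(\.|^)` prefix and the trailing `$` is that the rule covers the apex domain and all of its subdomains and nothing else; a bare `sonos.com` pattern would also black-hole unrelated names for those clients.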

Probably the easiest way to do this, and one that doesn’t involve a new router (but may involve new WiFi access points[1]), would be using UniFi APs and their controller to set up a guest network. That doesn’t have anything to do with your router, but UniFi’s defaults will isolate devices on guest networks from each other and from your LAN. I don’t know, but I suspect TP-Link’s Omada system can do the same thing. Both UniFi and Omada require controller software, and both of those are available as apps on TrueNAS SCALE.

A better way would be to put them on a separate VLAN–better because this gives you more control over what those devices can access. But this is going to need a better router than your ISP gives you.


  1. And having the access points as separate devices from your router is a good idea anyway.


I totally agree (BTW, isn’t Ubiquiti the maker of UniFi?). Xfinity “sharing” bandwidth with any Tom, Dick, and Harry Xfinity customer coming along is bad enough given the ongoing issues in my neighborhood re: constricted bandwidth.

Worse, call me totally unconvinced that if some miscreant uses your router to do something illegal it won’t be traced back to your home, even if Comcast can later exonerate you by certifying it was an external Xfinity customer, not the customer inside the home, that did something illegal. Nope, no thank you. I have enough excitement in my life with multiple tweens / teenagers, I don’t need any more.

Yes–I was just wanting to make clear that you don’t need to use their router in order to do this.

I have that shut off completely in my modem, but maybe I can do that because I’m on a business plan with them.

It can be done with the residential customers also. Just as the built-in gateway and WiFi can be shut off. I renamed the built-in network WiFi name to alert me to whenever Comcast may have reset the router WiFi settings.