| 18 Jan 2023 |
|  @thelosmos1010:matrix.org joined the room. | 04:10:38 |
| @thelosmos1010:matrix.org left the room. | 04:10:51 |
 @seanjohnstontips:matrix.org | Redacted or Malformed Event | 05:13:22 |
 Warped | Redacted or Malformed Event | 05:45:58 |
|  AtypicalKernel banned @seanjohnstontips:matrix.org (Spammer). | 05:51:26 |
|  drgif joined the room. | 13:22:49 |
 Hank | They must have been doing a true full spectrum operation on Matrix. That scammer showed up in some obscure meditation room I subscribe to lol | 15:30:11 |
|  hbarsquared joined the room. | 22:36:13 |
| 19 Jan 2023 |
|  DaveM joined the room. | 16:04:14 |
| DaveM changed their display name from David Massey to DaveM. | 16:07:10 |
| DaveM set a profile picture. | 16:15:41 |
| 20 Jan 2023 |
|  mrwacky joined the room. | 23:58:53 |
| 22 Jan 2023 |
|  chaz042 joined the room. | 21:31:46 |
|  morack19 joined the room. | 22:58:43 |
| 24 Jan 2023 |
|  datagoose joined the room. | 18:12:55 |
| 25 Jan 2023 |
|  defolos joined the room. | 07:14:30 |
 Andreas | Hey do,
I am considering to implement a smart home with all the different thingymajobs and alike. Since I don't really trust them with potential spyware and security issues, I want to run them on their own subnet. My current router is an Linksys 1900 ACS (v2) with DD-WRT.
I am considering two options.
- Acquire a 2nd router. Place the secure subnet as a leg on the insecure router, intended for personal devices, LAN, etc.
- Acquire a new with complete subnet support, such that I can achieve the same thing, but with one router instead of nesting two.
My terminology is as follows
insecure - smart devices, server, smart tv, phones and stuff
secure - LAN devices, PC's, trusted devices.
Any recommendations? Thanks!
| 08:15:12 |
 @pepin:globohomo.co | Why not just create a new vlan and setup second wireless SSID? | 08:18:43 |
| Andreas | Unsure if the smart stuff will work, since I am unsure if network isolation works, eg. the smart devices are allowed to connect to home assistant | 08:24:56 |
| @pepin:globohomo.co | Dd-wrt has a firewall | 08:26:12 |
| Andreas | A firewall for external to internal connections. Therefore, internal traffic can just run loose and connect to anything. That's why I'd want to isolate the networks for trusted and untrusted devices. | 08:32:03 |
| Warped | If you don't trust VLANs and firewalls to work, then the only solution is 2 internet lines. Otherwise, you need to trust something. Nothing is 100%. If someone wants to get in, they will. A provider modem/router with 2 routers plugged in, for secure and insecure, will give you all the isolation you need without much setup. Added benefits are that you can have 2 WiFi channels, so they can't interfere with each other. | 08:39:51 |
| Warped | (I always turn off the internet provider's WiFi, or get them to) | 08:41:43 |
| Andreas | In reply to @warped:linuxdelta.com
If you don't trust VLANs and firewalls to work, then the only solution is 2 internet lines. Otherwise, you need to trust something. Nothing is 100%. If someone wants to get in, they will. A provider modem/router with 2 routers plugged in, for secure and insecure, will give you all the isolation you need without much setup. Added benefits are that you can have 2 WiFi channels, so they can't interfere with each other. Thanks. This were the answer I were looking for. May have been unclear in my question.
As my ISP, I have the option of setting up my own router, and that is what I did. Therefore, I were looking for an option of separating the devices into trusted and untrusted categories by connecting them to different wireless networks.
As for my understanding of dd-wrt, yes, it has a firewall, but I don't know how it will work for wireless devices connected attempting to connect to a machine on my LAN.
And agreed, nothing is 100%, but I can still take my steps and isolate devices I trust versus those I don't (PCs versus IoT fluff)
| 09:05:47 |
| datagoose changed their profile picture. | 18:35:29 |
| 26 Jan 2023 |
 adevries | Andreas: Steve Gibson from the Security Now podcast has suggested in the past a 3 router setup. You've got one router for the WAN and then 2 routers downstream from that one where 1 is for the LAN and secure devices and the other is for all the IoT stuff. That way you have 2 completely separated LANs and they know nothing about each other | 14:55:38 |
| AtypicalKernel | In reply to @splintter:matrix.org
Hey do,
I am considering to implement a smart home with all the different thingymajobs and alike. Since I don't really trust them with potential spyware and security issues, I want to run them on their own subnet. My current router is an Linksys 1900 ACS (v2) with DD-WRT.
I am considering two options.
- Acquire a 2nd router. Place the secure subnet as a leg on the insecure router, intended for personal devices, LAN, etc.
- Acquire a new with complete subnet support, such that I can achieve the same thing, but with one router instead of nesting two.
My terminology is as follows
insecure - smart devices, server, smart tv, phones and stuff
secure - LAN devices, PC's, trusted devices.
Any recommendations? Thanks!
Personally I have always used vlans and firewalls, also I would separate slightly further into the following VLANs
-
Admin (router/switch config, IPMI/iDrac/etc, PAW)
-
Hostile - no internet access + restricted vlan3 access (IOT, Smart TV)
-
Server/Services
-
Trusted Devices - full internet access, full access to vlan 3, stateful access into vlan 2
-
Untrusted - Internet and as needed restricted access to vlan 2 and 3
-
Guest - Internet access only
| 15:35:06 |
| AtypicalKernel | * Personally I have always used vlans and firewalls, also I would separate slightly further into the following VLANs
1 Admin (router/switch config, IPMI/iDrac/etc, PAW)
2 Hostile - no internet access + restricted vlan3 access (IOT, Smart TV)
3 Server/Services
4 Trusted Devices - full internet access, full access to vlan 3, stateful access into vlan 2
5 Untrusted - Internet and as needed restricted access to vlan 2 and 3
6 Guest - Internet access only | 15:36:33 |
| AtypicalKernel | I follow the concept of least privilege, if something doesn't need to talk to something it doesn't.
Also I think in threat modeling terms, so not so much trusted/untrusted but more what bad behavior do I expect and gow to mitigate said bad behavior | 15:40:54 |
| AtypicalKernel | I also just realized I used an uncommon acronym
"PAW" stands for "privileged access workstation"
Also if you want to be technical there are supposed to be multiple PAWs (users/identity, network configuration, data storage/management, server admin) | 15:44:26 |
