Isolating IoT devices on Ubiquiti UniFi

calendar April 9, 2022 nav_categories Tech nav_categories Hardware nav_categories Networking nav_tags iot nav_tags wireless nav_tags vlan nav_tags ssid nav_tags firewall nav_tags unifi nav_tags ubiquity nav_tags udm nav_tags udm pro

These instructions/screenshots were from an UDM Pro running:

UniFi OS UDM Pro 1.11.0 UniFi Network Application 7.0.23

Why

From the FBI field office in Portland:

Your fridge and your laptop should not be on the same network.1

If those cheap "smart" lightbulbs you bought off Amazon get compromised because of an unpatched security flaw, the private information on other network devices could be at risk.

Keeping "smart" IoT devices segmented from the rest of your network is a good idea.

IoT

At some point today, you have most likely used something that would be considered an IoT.

What is IoT?

The Internet of Things (IoT) describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.2

What are IoT devices?

What I consider an IoT, or "smart" device:

  • Device is configured with an IP address
  • Runs something other than Windows, Linux, macOS, iOS, or Android
  • Caveat on Android devices, as Android seems to becoming more popular for IoT devices:
    • They don't store personal data (for example a TV)
    • They don't need access to any storage media (for example a Chromecast)

Use cases

You want to be able to use your mobile phone to adjust the temperature of your "smart" thermostat, but you want to prevent that thermostat from ever being able to access your mobile phone.

Desired behavior

Any device on the Trusted Network will be able to connect to any device on either the IoT.

However, devices on the IoT network can only respond to traffic sent from the Trusted Network, and can't initiate traffic to devices on the Trusted Network.

In a perfect world, we would have our network configured into micro-segments, so even devices on the Trusted Network would be further segments, such as mobile phones on one segment, Windows/Linux/macOS computers on another, etc. For the home network, this is overkill.

Create a network/SSID for the IoT devices

Create the IoT network

In the Classic UI:

UniFi OS --> Network --> Settings --> Networks --> + CREATE NEW NETWORK

  • Name: IoT
  • VLAN: 20 *
  • Gateway IP/Subnet: 192.168.10.1/24 *
    • Click UPDATE DHCP RANGE
  • IGMP Snooping: Enable, by checking the box
  • mDns: Enable, by checking the box

Creating the IoT network

Create the IoT wireless network

In the Classic UI:

UniFi OS --> Network --> Settings --> Wireless Networks --> + CREATE NEW NETWORK

  • Name: IoT
  • Security: WPA Personal
  • Security Key: SomeRandomString (use something else obviously)
  • Network: IoT (the one we created above)

Creating the IoT wireless network

Move IoT devices to use the new IoT wireless network

As most IoT devices are wireless, configure the IoT devices to use the new IoT SSID.

Test to make sure everything works ok, before we start locking anything down.

FYI, your Sonos speakers, Chromecast, and Apple AirPlay won't work, or work 100%...more on those in another posts. Well, except the Apple AirPlay, as I don't have/use anything that uses Apple AirPlay...

Create firewall rules to allow/block traffic

At this point, devices on the Trusted Network can communicate with devices on the IoT network, and the reverse is also true.

We need to create some firewall rules so devices on the IoT network can only reply to traffic from devices on the Trusted Network, and not initiate traffic to devices on the Trusted Network.

Create allow firewall rule for the Trusted Network --> IoT network

In the Classic UI:

UniFi OS --> Network --> Settings --> Routing & Firewall --> Firewall --> LAN IN --> + CREATE NEW RULE

  • Name: Allow Trusted Network --> IoT network
  • Rule Applied: Before predefined rules
  • Action: Accept
  • IPv4 Protocol: All
  • Advanced
    • Logging: Enable, by checking the box (turn this off later)
    • States: New, Established, Invalid, Related
  • Source
    • Source Type: Network
    • Network: Trusted Network
  • Destination
    • Destination Type: Network
    • Network: IoT

Creating the firewall rule to allow Trusted Network to IoT network

Create block firewall rules for the IoT --> Trusted Network

In the Classic UI:

UniFi OS --> Network --> Settings --> Routing & Firewall --> Firewall --> LAN IN --> + CREATE NEW RULE

  • Name: Block IoT network --> Trusted Network
  • Rule Applied: Before predefined rules
  • Action: Drop
  • IPv4 Protocol: All
  • Advanced
    • Logging: Enable, by checking the box
    • States: New, Invalid
  • Source
    • Source Type: Network
    • Network: IoT
  • Destination
    • Destination Type: Network
    • Network: Trusted Network

Creating the firewall rule to drop IoT to Trusted Network traffic

At this point, any device on your Trusted Network can send traffic with any device on the IoT, but devices on the IoT network are prevented from initiating traffic to devices on the Trusted Network.

Just make sure the Allow firewall rule is above the Block rule:

Correct order of firewall rules

Reference

Rob Pickering - Ubiquiti - Configure micro-segmentation for IoT devices https://robpickering.com/ubiquiti-configure-micro-segmentation-for-iot-devices/

Guide: Creating an Isolated Ubiquiti Unifi IoT Network https://vninja.net/2019/08/12/unifi-iot-networks/

  1. Tech Tuesday: Internet of Things (IoT) https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/tech-tuesday-internet-of-things-iot ↩︎

  2. Oracle - What is IoT? https://www.oracle.com/internet-of-things/what-is-iot/ ↩︎