this post was submitted on 19 Nov 2023
Home Networking
With all those "smart" devices (including Internet of Crap), the rule of thumb is to put them on their own VLAN. Then put network filtering in place, such that nothing can talk out of this VLAN. And all your client devices that need Internet access can then talk to them in the other VLAN.
You could allow specific destinations for them, but even for DNS, it is better to just have a service exposed to them that only uses a hosts file, to avoid VPN or exfiltration over DNS.
That is best practice. If you want to run a software update, you can open up, and update, and close down again.
Security is about being paranoid.
I had to do this with an NVR security camera system I got off Amazon. The NVR ~~is~~ was constantly sending data to servers in China. Using pfSense I put it on its own VLAN and used firewall rules to stop it from reaching the internet. I also set up an OpenVPN server so I can access it remotely when away from home.
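
The isolation described in this thread, written out as an added example that is not part of either comment. It assumes a Linux router using nftables rather than the pfSense setup mentioned above; the interface names, the table and set names, and the 192.168.20.0/24 addresses are constructed for illustration, and the router is assumed to run a DNS service for the IoT VLAN that answers only from a hosts file.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interface names: "lan" (client devices),
# "iot" (IoT VLAN), "wan" (Internet uplink). All names are hypothetical.

define IF_LAN = "lan"
define IF_IOT = "iot"
define IF_WAN = "wan"

table inet home_fw {
    # Devices temporarily allowed out for a software update.
    # Entries carry a timeout, so the hole closes by itself.
    # Open a window (constructed address):
    #   nft add element inet home_fw iot_update '{ 192.168.20.50 timeout 30m }'
    set iot_update {
        type ipv4_addr
        flags timeout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections opened from an allowed side.
        ct state established,related accept
        ct state invalid drop

        # Client devices may reach the IoT VLAN and the Internet.
        iifname $IF_LAN oifname { $IF_IOT, $IF_WAN } accept

        # Update window: only listed IoT devices, only towards the uplink.
        iifname $IF_IOT oifname $IF_WAN ip saddr @iot_update accept

        # Anything else an IoT device initiates is counted, logged, dropped.
        iifname $IF_IOT counter log prefix "iot-egress-drop: " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept
        iifname $IF_LAN accept

        # IoT devices reach the router only for DHCP and the local,
        # hosts-file-only DNS service; no management ports.
        iifname $IF_IOT udp dport { 53, 67 } accept
        iifname $IF_IOT tcp dport 53 accept
        iifname $IF_IOT counter drop
    }
}
```

Because established connections are accepted first, a download that started inside the update window can finish after the set entry expires, while new outbound connections from that device are dropped again. The `iot-egress-drop` log prefix and counters show which devices keep trying to reach outside destinations.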