Segmenting my IoT & Alexa Devices from my Main Network - How do you Test for Blocked Access?

After upgrading to 1.3 for my 2600 + 2200's, I have begun "Segmenting" by setting up a separate network and enacting Firewall rules per Synology's "Block Access Between two Networks" (How can I block access between two local networks while allowing communication among certain devices? - Synology Knowledge Center). See Attached grab.
I had been delaying this as I had thought if I place all my IoT devices on a separate network, I would need to switch networks on my Android Phone each time I wished to access the APP for the respective devices. If my phone is on my "Main" Network "1", then I should not have access to the devices if they (and the APP) are assigned to Network "2".... I thought it a small price to pay for Security and expected the need to switch Networks when needed on my mobile. But that does not seem to be the case. With 50+ Devices, I just changed an Alexa and two Power outlets so far over to the new network as a test. And I find they are accessible from Network 1 on my Mobile... This of course makes it easy to access the APPs, but I'm unsure why access is available while my mobile is on one network and the devices are on another. And does anyone know of a simple test to ensure that if access is gained through an IoT device here, they cannot penetrate to my main network?

Network Firewall Rule for IoT Network Denial.jpg
 
Have you disabled the default IPv4 and IPv6 inter-VLAN rules?

The firewall rules are written in the direction from initiating device to target device. So you can have a rule to allow a device on main VLAN accessing every and anything on IOT VLAN, and another rule to allow very specific access from IOT VLAN to a server on the main VLAN. If you wanted.

The test of the IOT VLAN would be to connect a device to it wirelessly and see if you can access out of the VLAN.
 
Hello fredbert...

I'm trying to follow along..... All I added was the two rules as suggested from Synology and is shown above. In the new Network I added, under "Edit Local Network".... IPv4 DHCP is "On"... while IPv6 is disabled.
"Enable Network Isolation" is ticked. I thought this alone was what prevented access.
I've now disabled IPv4..... And was happy to find everything still works.
Would you explain (my misunderstanding) as to why my Mobile can be on one network, and still control devices on another?
I assumed if each was network separated, I would need to toggle the networks back and forth..... Unless I still need more Rules to add other than the two Firewall rules now in place.

Your patience is as always appreciated.....
 
Do you have these rules that were added to support inter-VLAN communication? And if you do, are they enabled and above your own inter-VLAN rules?
1665067529345.png


These default rules, when enabled (which they are by default), were added by Synology. For VLANs that have the 'isolation' setting disabled they will allow inter-VLAN communication with other un-isolated VLANs.
1665067709169.png


If you want to ensure there is no communication to/from a particular VLAN then you enable the isolation setting, this takes precedence over any firewall rules.

If you want some communications between some VLANs then the isolation setting needs to be disabled on all these VLANs. You then create specific firewall rules from the devices in one VLAN that need to access devices in another VLAN (or VLANs). For example your Mac needs web portal access on IOT devices, Mac on 'IP' on main LAN (source) can access IOT VLAN for HTTPS. Here it's best to reserve IP addresses in DHCP for devices that you want to have specific access, or you create an admin VLAN for devices you use for managing others.

I would always end the firewall policy with an any/any/any/any Deny, but you would have to convert your automatically created port forwarding rules to manually created equivalents. If you don't then I would err on the side of caution and add firewall rules that deny IOT out and IOT in. Seeing as the four ending rules only say WAN-to-xyz, which excludes LAN-to-xyz.
 
Yes... These 2 Rules are at the top of the stack, and ticked as you listed.

And neither has ISOLATION enabled..... As mentioned, the sole purpose of this exercise is to limit entry to my Primary Network should a bad actor gain access from an IoT device. Since there is no one set of steps available to put this in place, semi-techies like myself do struggle to ensure it's done properly. I'll need to learn more about VLAN and better understand what needs access before proceeding to prevent backwards incompatibility.

Thanks for your advice....
 
How I tested all My Firewall rules:

Configured rule and saved it..
Removed device indicated in rule from LAN.
Configured laptop with IP indicated in firewall rule.
See if I could do what the Firewall rule blocks. Look for ‘Hits’. Success???
Change IP on laptop to what it was before; Return device in rule back to LAN…

SMILE😁
 
Yes... These 2 Rules are at the top of the stack, and ticked as you listed.

And neither has ISOLATION enabled.....
In which case you have the VLANs and firewall configured to permit any VLAN to VLAN communications. Those default firewall rules need to be disabled and you add the ones you need to ensure that IOT VLAN has the minimum access into your main VLAN (main LAN).

With isolation enabled on a VLAN then the router will not permit other VLANs to communicate with it, nor it to other VLANs. But it will permit Internet communications to/from the isolated VLAN. It's a hard block on inter-VLAN communications.

With isolation disabled you still need the firewall rules to specify what is allowed between the VLANs. The default rules allow any and all traffic between the different VLANs: it's a starting point but you have to then implement your own rules based on what you use the VLANs for and how risky they are to each other. Then disable or delete the default rules.
 
How I tested all My Firewall rules:

Configured rule and saved it..
Removed device indicated in rule from LAN.
Configured laptop with IP indicated in firewall rule.
See if I could do what the Firewall rule blocks. Look for ‘Hits’. Success???
Change IP on laptop to what it was before; Return device in rule back to LAN…

SMILE😁

Jan... Thank you for the test suggestion.... I opened a spare Laptop, connected to the isolated (hopefully) IoT Network, turned ALL Network discovery on and attempted to MAP the Network Drives. My thought here was that this would at least give some indication if I had basically provided some walls between. Interestingly the only device to appear is an old Samsung network camera.... which I've moved to this IoT Network. Nothing else is appearing. I'm still looking for some basic PEN Tests that I could run to see if I'm as Isolated as I can achieve. Additional Firewall rules are a bit challenging for me, and you know how easy it is to go too far with all the options available within the Synology OS.
 
Jan... I completed moving all my IoT devices over to the segmented Network, and reinstalled Threat Prevention and only ticked my "computer" devices... not any of the IoT at this point. Before this change, the Malicious Events were always incredibly busy, to the point I began ignoring all but the "severe" alerts.. otherwise I would drown. Thus far, no "Events" are showing.... though it's only been 15 minutes.
-- post merged: --

So how do you "MOVE" devices from the primary to the IOT Network??? I'm stumped. thx
 
When I test a firewall rule…. I take the device indicated off line, and assign that IP to a laptop…. And then try things with that laptop that the rule blocks.
Assuming it works…. Rules on Router show “Hits”, Remove and restore laptop IP, and re-connect device back on LAN. Yes it is a ‘home grown’ solution, but that’s what I do!
 
When I test a firewall rule…. I take the device indicated off line, and assign that IP to a laptop…. And then try things with that laptop that the rule blocks.
Practical way to ensure basic protection is in place. Kudos!
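
The test suggested in this thread (join a laptop to the IoT network and see whether it can reach out of that network) can be scripted; the following is an added example, not code from any poster or from Synology. The addresses and ports are constructed placeholders for main-LAN devices, and the function names are hypothetical.

```python
import errno
import socket

# Constructed sample targets: placeholders for devices on the main LAN.
# Replace them with your own, then run this from a laptop that is
# joined to the IoT network.
MAIN_LAN_TARGETS = [
    ("192.168.1.1", 443),    # hypothetical: router admin page
    ("192.168.1.10", 5001),  # hypothetical: NAS web interface
    ("192.168.1.10", 445),   # hypothetical: NAS file sharing (SMB)
]

def classify(error):
    """Map the outcome of one TCP connect attempt to a verdict."""
    if error is None:
        return "open"      # handshake completed: traffic crossed networks
    if isinstance(error, ConnectionRefusedError):
        return "refused"   # the target replied with a reset, so the packet
                           # still crossed, even though the port is closed
    if isinstance(error, socket.timeout):
        return "blocked"   # silently dropped, which is what a deny rule does
    if isinstance(error, OSError) and error.errno in (
            errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "blocked"   # rejected, or no route between the networks
    return "error"

def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and return its verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def audit(targets, timeout=2.0):
    """Return every target that traffic from this network could reach."""
    leaks = []
    for host, port in targets:
        verdict = probe(host, port, timeout)
        print(f"{host}:{port} -> {verdict}")
        if verdict in ("open", "refused"):
            leaks.append((host, port, verdict))
    return leaks

if __name__ == "__main__":
    found = audit(MAIN_LAN_TARGETS)
    print("no path into the main LAN found" if not found
          else f"{len(found)} path(s) cross into the main LAN")
```

A "blocked" verdict is also what a powered-off target produces, so confirm from the main network that each target answers before trusting the result.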
 
