Network Segmentation with eero?


battleborn

Member
Jan 6, 2021
I've heard Steve mention on several occasions how important it is to segment your network in order to at least get the most vulnerable IoT devices off of the segment that contains your critical devices (PCs/phones/etc.). Does anyone know how that can be accomplished if you're using the eero mesh router? I've attached a diagram of my home network, and since everything is essentially being fed by the eero there is no isolation between devices. I love the performance of the eero but I think their security support is lacking; for example, I can't even create VLANs for the different devices. Any ideas? Curious how folks are implementing cybersecurity in the home network environment.


[Attached image: NetworkDiagramv2.JPG]

AlanD

Well-known member
Sep 18, 2020
Rutland UK
I think if you changed the DGS-2208 switch at the top left to a router you should be able to separate the networks. That would leave all the IoT devices in the top right on the Eero wifi, and put all the devices in Home Office and Family Room into a different subnet. You would then need a wifi access point on either the router or the other DGS-2208 to allow connections from the wifi printer in the office, plus the two PCs shown top right.

battleborn

Member
Jan 6, 2021
Hi Alan, thanks for the quick reply. So I think if I connect a router in place of the switch I need to place the eero into bridge mode, and supposedly that breaks the security features of the eero; however, that's still a good possibility that I will look into. I was also thinking, would it be a good idea to create a guest network for the publicly accessible IoT devices like the Ring doorbell, Nest cams, etc.? I think the whole point of the guest network is that it's isolated from the rest of the network?

battleborn

Member
Jan 6, 2021
Thanks, yes that helped a lot. Another thing I was wondering (and perhaps it's more of a question for Cox Communications): I just noticed that my cable modem (SB8200) has 2 ethernet ports, and I was wondering if I could connect my wired IoT devices (smart TV, thermostat gateway, etc.) directly; this is assuming Cox will provide another IP address.

Regarding the router I need to purchase, I've heard Steve recommend the UI EdgeRouter X, which I can buy for $49. Any reason to get anything better?

AlanD

Well-known member
Sep 18, 2020
Rutland UK
Using the second ethernet port is definitely a question for Cox (check for any extra charges as well).

Regarding routers, I am UK based, so the choices here may be different. It also depends on whether you want to run the supplier's software, or install something like DD-WRT which you can manage yourself.

MichaelRSorg

Well-known member
Nov 1, 2020
RouterSecurity.org
You have a mis-match of expectations. Eero is meant for consumers and thus hides technical complexity and config options. It is not the right platform for network segmentation.

That said, a cheap and easy way to isolate important devices is to use a second router as I discuss here. No need for Bridge Mode on the Eero.
https://www.michaelhorowitz.com/second.router.for.wfh.php

Guest Wifi is indeed a good thing. However, all Guest networks are not created the same. Some are very isolated, others not-so-much and some have configurable isolation. You will need to research just how isolated an Eero Guest network really is.

And there are two aspects to network isolation, not just one. Within an isolated network segment, can the devices see each other? Sometimes you want this, sometimes you do not.

For real segmentation with VLANs consider Peplink, pfSense or OPNsense. That is, make one of those systems your primary router and use the Eero just as an AP. As for the EdgeRouter X, try to see the user interface. Some routers are meant to be used by computer experts, others are for consumers. Make sure you have the techie background to deal with the EdgeRouter X. Also, it may not have the horsepower you need.

battleborn

Member
Jan 6, 2021
Thanks Michael. So I was able to set up the EdgeRouter as described, with an IoT network (10.0.0.1 on eth1) that can't communicate with any of the other network segments and a private network for my critical PC/NAS/etc. (172.16.0.1 on eth2), with the Eero providing the internet connectivity (192.168.0.1). Everything seems to be working OK except for the fact that if I connect a laptop to eth1, I'm able to ping the eero at 192.168.0.1, which according to my firewall rules I should not be able to do. I'm going to go through all the settings again; I'll reach out to Ubiquiti tomorrow if I can't find anything. So long as I can get that resolved, this does seem like a really cheap way to isolate the networks.

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
> I connect a laptop to eth1, I'm able to ping the eero at 192.168.0.1 which according to my firewall rules I should not be able to do.
You set up your IoT network so that it could access the Internet, and the Eero "is" its internet, so I'm not surprised you can ping a device on your path to the Internet. You may configure your firewall to reject unsolicited incoming ICMP, but I suspect it will allow back a response that originated inside your network.

battleborn

Member
Jan 6, 2021
Looks like it was my firewall rules. My eero was actually at 192.168.4.1, not .0.1, so my firewall rule 192.168.0.0/24 was excluding that address; when I switched to /16 it's now properly blocked.
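An added example (not from the thread, and not Ubiquiti's code) that models the IoT-segment rule set battleborn describes as an ordered, stateful first-match list and evaluates it the way the router would. The /24 sizes of the two LAN segments are assumptions; it shows why a rule covering 192.168.0.0/24 lets a ping to the eero at 192.168.4.1 through while 192.168.0.0/16 blocks it, and also checks the IoT-to-private block from the earlier post.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's layout. The /24 sizes are assumed;
# the posts only give the gateway addresses (10.0.0.1, 172.16.0.1, 192.168.4.1).
IOT_NET = ip_network("10.0.0.0/24")        # eth1: IoT devices
PRIVATE_NET = ip_network("172.16.0.0/24")  # eth2: critical PCs / NAS
EERO_ADDR = "192.168.4.1"                  # the eero, upstream of the EdgeRouter

def first_match(rules, src, dst, state="new", default="accept"):
    """Evaluate an ordered rule list the way a stateful, first-match
    firewall does. A rule is (action, src_net, dst_net, state); a None
    field matches anything. The default action applies if nothing matches."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst, rule_state in rules:
        if rule_src is not None and src not in rule_src:
            continue
        if rule_dst is not None and dst not in rule_dst:
            continue
        if rule_state is not None and rule_state != state:
            continue
        return action
    return default

def iot_inbound_rules(upstream_block):
    """Rules for traffic entering the router from the IoT segment: let
    return traffic through, drop anything aimed at the private LAN or at
    the upstream (eero) range, and let everything else out to the Internet."""
    return [
        ("accept", None, None, "established"),
        ("drop", IOT_NET, PRIVATE_NET, None),
        ("drop", IOT_NET, ip_network(upstream_block), None),
    ]

def iot_can_reach(dst, upstream_block="192.168.0.0/16"):
    """True if a new connection from an IoT device (10.0.0.50, constructed)
    to dst is accepted by the rule set."""
    rules = iot_inbound_rules(upstream_block)
    return first_match(rules, "10.0.0.50", dst) == "accept"

if __name__ == "__main__":
    # The /24 rule misses the eero at .4.1; the /16 rule covers it.
    for block in ("192.168.0.0/24", "192.168.0.0/16"):
        print(f"upstream block {block}: IoT can ping eero = {iot_can_reach(EERO_ADDR, block)}")
```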

battleborn

Member
Jan 6, 2021