Network Segmentation with eero?


battleborn
Member
Jan 6, 2021
I've heard Steve mention on several occasions how important it is to segment your network in order to at least get the most vulnerable IoT devices off of the segment that contains your critical devices (PCs/phones/etc.). Does anyone know how that can be accomplished if you're using the eero mesh router? I've attached a diagram of my home network, and since everything is essentially being fed by the eero there is no isolation between devices. I love the performance of the eero but I think their security support is lacking; for example, I can't even create VLANs for the different devices. Any ideas? Curious how folks are implementing cybersecurity in the home network environment.

[Attachment: NetworkDiagramv2.JPG]
 
I think if you changed the DGS-2208 switch at the top left to a router you should be able to separate the networks. That would leave all the IoT devices in the top right on the Eero Wi-Fi, and put all the devices in Home Office and Family Room into a different subnet. You would then need a Wi-Fi access point on either the router or the other DGS-2208 to allow connections from the Wi-Fi printer in the office, plus the two PCs shown top right.
 
Hi Alan, thanks for the quick reply. So I think if I connect a router in place of the switch I need to place the eero into bridge mode, and supposedly that breaks the security features of the eero; however, that's still a good possibility that I will look into. I was also thinking, would it be a good idea to create a guest network for the publicly accessible IoT devices like the Ring doorbell, Nest cams, etc.? I think the whole point of the guest network is that it's isolated from the rest of the network?
 
Thanks, yes, that helped a lot. Another thing I was wondering, and perhaps it's more of a question for Cox Communications, but I just noticed that my cable modem (SB8200) has 2 Ethernet ports. I was wondering if I could connect my wired IoT devices (smart TV, thermostat gateway, etc.) directly to it, assuming Cox will provide another IP address.

Regarding the router I need to purchase, I've heard Steve recommend the UI EdgeRouter X, which I can buy for $49; any reason to get anything better?
 
Using the second Ethernet port is definitely a question for Cox (check for any extra charges as well).

Regarding routers, I am UK based, so the choices here may be different. It also depends on whether you want to run the supplier's software or install something like DD-WRT which you can manage yourself.
 
You have a mismatch of expectations. Eero is meant for consumers and thus hides technical complexity and config options. It is not the right platform for network segmentation.

That said, a cheap and easy way to isolate important devices is to use a second router, as I discuss here. No need for Bridge Mode on the Eero.
https://www.michaelhorowitz.com/second.router.for.wfh.php

Guest Wi-Fi is indeed a good thing. However, all Guest networks are not created the same. Some are very isolated, others not so much, and some have configurable isolation. You will need to research just how isolated an Eero Guest network really is.

And there are two aspects to network isolation, not just one. Within an isolated network segment, can the devices see each other? Sometimes you want this, sometimes you do not.

For real segmentation with VLANs consider Peplink, pfSense or OPNsense. That is, make one of those systems your primary router and use the Eero just as an AP. As for the EdgeRouter X, try to see the user interface. Some routers are meant to be used by computer experts, others are for consumers. Make sure you have the techie background to deal with the EdgeRouter X. Also, it may not have the horsepower you need.
 
Thanks Michael. So I was able to set up the EdgeRouter as described with an IoT network (10.0.0.1 on eth1) that can't communicate with any of the other network segments and a private network for my critical PC/NAS/etc. (172.16.0.1 on eth2), with the Eero providing the internet connectivity (192.168.0.1). Everything seems to be working OK except for the fact that if I connect a laptop to eth1, I'm able to ping the eero at 192.168.0.1, which according to my firewall rules I should not be able to do. I'm going to go through all the settings again; I'll reach out to Ubiquiti tomorrow if I can't find anything. So long as I can get that resolved, this does seem like a really cheap way to isolate the networks.
 
> I connect a laptop to eth1, I'm able to ping the eero at 192.168.0.1 which according to my firewall rules I should not be able to do.

You set up your IoT network so that it could access the Internet, and the Eero "is" its internet, so I'm not surprised you can ping a device on your path to the Internet. You may configure your firewall to reject unsolicited incoming ICMP, but I suspect it will allow back a response that originated inside your network.
 
Looks like it was my firewall rules. My eero was actually at 192.168.4.1, not .0.1, so my firewall rule for 192.168.0.0/24 was excluding that range; when I switched to /16 it's now properly blocked.
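The two previous posts describe a common segmentation mistake: the "drop traffic to the other segments" rules were written for 192.168.0.0/24 while the upstream router actually sat at 192.168.4.1, so the address was never matched. The script below is an added example (it is not from any poster in this thread and is not EdgeOS code) that models a first-match, destination-based rule set, checks whether every address the policy says must be unreachable is actually dropped, and shows why return traffic for an established connection is still accepted, as Alan noted. The subnets are the ones named in the thread; the `Rule` model with an `established` flag standing in for a stateful match is an assumption made for illustration.

```python
"""Sanity-check that an "isolate the IoT segment" rule set covers the addresses it
is supposed to block. Constructed example; the rule evaluation is a simplified
first-match model, not an implementation of any vendor's firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    dst: Optional[str] = None    # destination network in CIDR notation; None matches any
    state: Optional[str] = None  # "established": matches only replies to flows the segment started


def evaluate(rules: List[Rule], dst_ip: str, established: bool = False,
             default: str = "accept") -> str:
    """Return the action of the first rule matching a packet to dst_ip.

    A stateful firewall treats replies to outbound flows differently from new
    inbound connections, so `established` selects which case we are simulating.
    """
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.state == "established" and not established:
            continue  # this rule only applies to return traffic
        if rule.dst is not None and ip not in ipaddress.ip_network(rule.dst, strict=False):
            continue  # destination not inside this rule's network
        return rule.action
    return default  # no rule matched: the segment's default policy applies


def coverage_report(rules: List[Rule], must_block: List[str]) -> Dict[str, str]:
    """Map each address the policy requires to be unreachable to the action actually taken.

    Any value other than "drop" is a gap in the segmentation.
    """
    return {ip: evaluate(rules, ip) for ip in must_block}


def gaps(rules: List[Rule], must_block: List[str]) -> List[str]:
    """List the addresses that the rule set fails to drop for new connections."""
    return [ip for ip, action in coverage_report(rules, must_block).items() if action != "drop"]


# Rule set as first written in the thread: the upstream (Eero) side is assumed to be
# 192.168.0.0/24, which does not contain the Eero's real address 192.168.4.1.
IOT_RULES_V1 = [
    Rule("accept", state="established"),   # allow replies to flows the IoT segment opened
    Rule("drop", dst="172.16.0.0/24"),     # private PC/NAS segment on eth2
    Rule("drop", dst="192.168.0.0/24"),    # too narrow: misses 192.168.4.x
]

# Corrected rule set: widen the upstream network to the whole 192.168.0.0/16 block.
IOT_RULES_V2 = [
    Rule("accept", state="established"),
    Rule("drop", dst="172.16.0.0/24"),
    Rule("drop", dst="192.168.0.0/16"),
]

# Addresses on other segments that an IoT device must never be able to reach (constructed).
MUST_BLOCK = ["172.16.0.1", "172.16.0.50", "192.168.0.1", "192.168.4.1"]


if __name__ == "__main__":
    for name, rules in (("v1 (/24)", IOT_RULES_V1), ("v2 (/16)", IOT_RULES_V2)):
        print(f"{name}: gaps = {gaps(rules, MUST_BLOCK)}")
    # Internet traffic is still allowed, and replies to it come back through the
    # established rule even though their source sits on a "blocked" network.
    print("8.8.8.8 new:", evaluate(IOT_RULES_V2, "8.8.8.8"))
    print("192.168.4.1 reply to an IoT-initiated flow:",
          evaluate(IOT_RULES_V2, "192.168.4.1", established=True))
```

Running it prints a non-empty gap list for the /24 rule set (192.168.4.1 slips through) and an empty one after the change to /16, which is exactly the fix described above. The last line shows why a ping from the IoT side can still succeed once the flow is established: the reply is accepted by the stateful rule, so blocking pings requires dropping the new outbound ICMP as well, not only unsolicited inbound traffic.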