To mitigate the risks of IoT devices on your home network, Steve Gibson, the creator of ShieldsUP!, proposed a “Three Dumb Router” configuration that isolates the insecure IoT devices from your normal LAN, where the more valuable and better-secured devices such as PCs and NAS storage reside. Because the IoT devices stay in their own isolated network, an attacker who compromises one of them still cannot reach your home PC or NAS.
The setup was discussed at length in episode 545 of Security Now, and is well documented on PC Perspective.
That is the best way to go if you happen to have some dumb routers lying around and don’t want to invest in more expensive smart routers.
However, if you use the pcWRT router, we show below how to achieve the same network isolation, and put more granular controls on IoT devices, without additional hardware.
You can optionally check the “Enable WiFi client isolation” checkbox, which blocks communication between devices connected to the guest network. This brings the additional benefit that a compromised IoT device cannot infect another IoT device connected to the guest network.
If your IoT device connects by wire, you can put one of the Ethernet ports on the back of the router on a VLAN and connect the IoT device to that port.
You can choose the Guest VLAN or X1, X2, or X3. However, if you want to isolate the IoT devices from each other (i.e., you checked “Enable WiFi client isolation” in Wireless Settings), you need to choose X1, X2, or X3.
Or you may intentionally omit some vendor domains if you suspect that the vendor is spying on you. For example, if you want to watch Netflix on your Samsung smart TV but don’t want Samsung and its third parties to hear your conversations, you can white list the Netflix domains only.
An additional advantage of using a white list is that even if your IoT device gets hacked, it cannot communicate back to the hacker’s C&C server, because that server’s domain is not on the list.
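To make the per-device white list concrete, here is an added example (not pcWRT’s own code or configuration) that applies a device-to-domain allow list to a constructed log of outbound name lookups and reports what each device was blocked from reaching. The device MACs, the log format, and the vendor domains (including the Netflix domains used for the smart-TV entry) are assumptions chosen for illustration; the point it demonstrates is default-deny for unknown devices, suffix matching that stops a look-alike such as `evilnetflix.com` from passing as `netflix.com`, and the fact that a lookup for an unlisted C&C-style domain is simply denied.

```python
"""Per-device outbound domain allow list (added example, not pcWRT code)."""
from collections import defaultdict
import re

# Hypothetical allow list: device MAC -> set of allowed domain suffixes.
# MACs are constructed; the domains are assumptions for illustration only.
ALLOWLIST = {
    "aa:bb:cc:dd:ee:01": {"netflix.com", "nflxvideo.net"},      # smart TV: video service only
    "aa:bb:cc:dd:ee:02": {"cloud.thermostat-vendor.example"},  # thermostat: its vendor cloud only
}


def domain_allowed(mac: str, fqdn: str, allowlist=ALLOWLIST) -> bool:
    """True only if fqdn equals, or is a subdomain of, a suffix allowed for this device.

    Unknown devices are denied by default. Requiring the '.' boundary means
    'evilnetflix.com' does not match the 'netflix.com' entry.
    """
    allowed = allowlist.get(mac.lower())
    if not allowed:
        return False
    host = fqdn.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed)


# Constructed log lines in a simple "timestamp mac queried-name" format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 AA:BB:CC:DD:EE:01 api-global.netflix.com
2024-01-01T10:00:02 AA:BB:CC:DD:EE:01 ipv4-c001-xyz.1.nflxvideo.net
2024-01-01T10:00:03 AA:BB:CC:DD:EE:01 voice.tv-vendor.example
2024-01-01T10:00:04 AA:BB:CC:DD:EE:01 evilnetflix.com
2024-01-01T10:00:05 AA:BB:CC:DD:EE:02 cloud.thermostat-vendor.example
2024-01-01T10:00:06 AA:BB:CC:DD:EE:02 update.cnc-lookalike.example
2024-01-01T10:00:07 AA:BB:CC:DD:EE:99 netflix.com
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f:]{17})\s+(\S+)$")


def evaluate_log(text: str, allowlist=ALLOWLIST):
    """Return (allowed_count, blocked) where blocked maps MAC -> sorted denied names."""
    allowed_count = 0
    blocked = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        _, mac, fqdn = m.groups()
        if domain_allowed(mac, fqdn, allowlist):
            allowed_count += 1
        else:
            blocked[mac.lower()].add(fqdn.lower())
    return allowed_count, {k: sorted(v) for k, v in blocked.items()}


if __name__ == "__main__":
    ok, denied = evaluate_log(SAMPLE_LOG)
    print(f"allowed lookups: {ok}")
    for mac, names in denied.items():
        print(f"{mac}: blocked {', '.join(names)}")
```

Reviewing the blocked list per device is the useful part in practice: the smart TV’s voice-service lookup and the thermostat’s unexpected update domain both show up as denied, which is exactly the behaviour the white list is meant to give you, and a device with no entry at all (the `…:99` MAC) gets nothing until you decide what it may talk to.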