#Michael Posted February 2, 2015 Share Posted February 2, 2015 Here is what I am attempting to do...I still don't know if it will work: 1. Setup my house for automation 1a. wifi enabled thermostats and bluetooth enabled lights 1b. future devices 2. Home automation devices need to be completely segmented from the rest of my home network and never be able to touch or communicate with my computer equipment 3. I have 1 switch that the moto SB 6120 connects to to provide the IP address to both of the routers. 4. An apple airport extreme basestation provides internet access and ip addresses to all of my computer equipment using the 192.168.1.x range 5. A netgear N750 provides internet access and ip address to the home automation equipment using the 10.0.1.x range I thought this would be pretty straight forward but it doesn't seem to be working. Neither router can get the IP address from the modem. On top of that when I connect to the apple AP, I get an IP from the netgear. I am not sure what I am doing wrong. Will this setup just not work? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 2, 2015 MVC Share Posted February 2, 2015 Well does your isp give you 2 IPs? That is not going to work unless both your routers got public IP from your isp. Why does your home stuff need to be isolated? My nest is just on my wifi network, now wifi is isolated from other segment in my case because I run pfsense as router/firewall and have multiple segments. lan, wlan, wlanguest, dmz.. But why do you think you need to isolate them? Simple easy way to do it is like this.. Not completely full proof, but automation systems are normally dumb and would have to know your other network to be able to talk to it.. So with nat nothing on 192.168.1.0/24 would be able to start a conversation with anything on 192.168.2.0/24, if on 192.168.2.0/24 you could talk to 192.168.1.0/24 since router would nat it and look like can from your 192.168.1.0/24 IP that router has on that network. If you disable nat, and didn't setup routing - 192.168.2.0/24 would not know how to get to 192.168.1.0/24 nor would 192.168.1.0/24 know how to get to 192.168.2.0/24 But the no brainer way to do this is just use a router that supports guest wifi. You put your stuff on the guest wifi, it can only talk to internet, you have your normal stuff on your normal wifi.. But your way yeah never going to work.. Unless you put another router in front to get your 1 IP from your isp and then nat it.. Like this There are lots of ways to skin this cat.. But to be honest why do you think it is such a requirement.. You worried about your automation equipment being hacked? But here airport has guest feature http://support.apple.com/en-us/HT3477 Just use that and put your home automation on that network - unless you need wired access as well to this isolated network? Link to comment Share on other sites More sharing options...
#Michael Posted February 2, 2015 Author Share Posted February 2, 2015 Well does your isp give you 2 IPs? That is not going to work unless both your routers got public IP from your isp. Why does your home stuff need to be isolated? My nest is just on my wifi network, now wifi is isolated from other segment in my case because I run pfsense as router/firewall and have multiple segments. lan, wlan, wlanguest, dmz.. But why do you think you need to isolate them? Simple easy way to do it is like this.. Not completely full proof, but automation systems are normally dumb and would have to know your other network to be able to talk to it.. wifiisolated.png So with nat nothing on 192.168.1.0/24 would be able to start a conversation with anything on 192.168.2.0/24, if on 192.168.2.0/24 you could talk to 192.168.1.0/24 since router would nat it and look like can from your 192.168.1.0/24 IP that router has on that network. If you disable nat, and didn't setup routing - 192.168.2.0/24 would not know how to get to 192.168.1.0/24 nor would 192.168.1.0/24 know how to get to 192.168.2.0/24 But the no brainer way to do this is just use a router that supports guest wifi. You put your stuff on the guest wifi, it can only talk to internet, you have your normal stuff on your normal wifi.. But your way yeah never going to work.. Unless you put another router in front to get your 1 IP from your isp and then nat it.. Like this 2diffrentnetworks.png There are lots of ways to skin this cat.. But to be honest why do you think it is such a requirement.. You worried about your automation equipment being hacked? But here airport has guest feature http://support.apple.com/en-us/HT3477 Just use that and put your home automation on that network - unless you need wired access as well to this isolated network? You sir gave me a lot to think about and helped solve this quite quickly. Am I worried about the home automation equipment being hacked...no but this is really just to keep everything segmented and organized. Now that you have given all of this to think about...the guest wifi seems like the most logical and the easiest way to go. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 2, 2015 MVC Share Posted February 2, 2015 Depends on how far you want to take it What is your switch does it support vlans? You can get really fancy if you so desire. But in general yes guest network is simple solution.. Depends on how anal you want to get with org To me if its wifi and its on the wifi segment its organized enough heheheeh I have nest thermostat and harmony hub (remote control) that are both on my wifi network. Oh and while I wouldn't consider it automation my chromecast as well on that wifi segment 192.168.2.0/24 in my case. For keeping it simple I also put my printer on that segment so that wifi devices can use the airprint easy. While segmentation has lots of advantages, and can allow for greater security there are many aspects to doing it that can break things users are not aware of.. For example your chromecast needs to be on same broadcast domain, if you segment that out on guest for example you wouldn't be able to use it - unless you were also on the guest. Airprint makes it very easy to print something from your iphone or ipad - but if printer is on another segment, good luck.. I put my dvrs also o that segment even though they are wired, but if want to control them with ipad software its easier if they can broadcast for them.. You can setup manual IP, etc. But wifi to me is isolation network anyway. While I applaud you in wanting to segment, keep in mind you might run into stuff not working because it uses broadcast or multicast that you were not aware of, etc. Link to comment Share on other sites More sharing options...
#Michael Posted February 2, 2015 Author Share Posted February 2, 2015 Depends on how far you want to take it What is your switch does it support vlans? You can get really fancy if you so desire. But in general yes guest network is simple solution.. Depends on how anal you want to get with org To me if its wifi and its on the wifi segment its organized enough heheheeh I have nest thermostat and harmony hub (remote control) that are both on my wifi network. Oh and while I wouldn't consider it automation my chromecast as well on that wifi segment 192.168.2.0/24 in my case. For keeping it simple I also put my printer on that segment so that wifi devices can use the airprint easy. While segmentation has lots of advantages, and can allow for greater security there are many aspects to doing it that can break things users are not aware of.. For example your chromecast needs to be on same broadcast domain, if you segment that out on guest for example you wouldn't be able to use it - unless you were also on the guest. Airprint makes it very easy to print something from your iphone or ipad - but if printer is on another segment, good luck.. I put my dvrs also o that segment even though they are wired, but if want to control them with ipad software its easier if they can broadcast for them.. You can setup manual IP, etc. But wifi to me is isolation network anyway. While I applaud you in wanting to segment, keep in mind you might run into stuff not working because it uses broadcast or multicast that you were not aware of, etc. Definitely a lot to go over and re-think. My switch is a basic netgear gs108 unmanaged switch, so no vlans. Do I like being anal and organized...yes. Do I like being anal and organized to the point where it hinders productivity...no I may remove the 2nd router entirely and just use the apple airport for my needs...I do love that thing. I could use the guest network as the segmentation and put all of the home automation on that. It would greatly simplify everything. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted February 2, 2015 MVC Share Posted February 2, 2015 Yup simple easy = done.. KISS is always the best choice Link to comment Share on other sites More sharing options...
Recommended Posts