
Complete IOT security and access solution Orbi 6 Pro

Boatguy54
Guide


Skipping all the tech talk, I just want to know how to configure the system to achieve this using default Netgear VLANs:

10: Admin

20: Employee

30: IOT

40: Guest

 

1) Employee network can reach all devices on IOT VLAN.

2) No IOT device can initiate contact with any other VLAN.

3) No IOT device may communicate with any other device on the IOT VLAN.

4) The only access to the Admin network is through its login.

 

I want the IOT devices totally isolated so no hack of any IOT device, or its related cloud servers, can be used to access anything other than that IOT device, yet they are accessible to serve employees without having to go through their respective cloud servers. So if there was no internet connection, all IOT devices that support local access would be accessible and working to the extent they do not require a network connection to perform their function.

 

Bonus points if you can configure the system to enable VPN access to the Employee VLAN and thus to the IOT devices.

Message 1 of 10
ErwinL
NETGEAR Moderator

Re: Complete IOT security and access solution Orbi 6 Pro

Hello Boatguy54

 

And welcome to the NETGEAR Community! 🙂

 

Forgive me if I need to clarify the IOT VLAN part. So the IOT VLAN should be accessible by employees but the same IOT devices should not have communication between IOT devices themselves in the IOT VLAN? 

 

Have a lovely day,
Erwin
Netgear Team
 

Message 2 of 10
Boatguy54
Guide

Re: Complete IOT security and access solution Orbi 6 Pro

Correct 

Message 3 of 10
ErwinL
NETGEAR Moderator

Re: Complete IOT security and access solution Orbi 6 Pro

Hello Boatguy54

 

May I know how many are wired and how many are wireless for IOT devices?

 

Have a lovely day,
Erwin
Netgear Team

Message 4 of 10
Boatguy54
Guide

Re: Complete IOT security and access solution Orbi 6 Pro

All are wireless.

Message 5 of 10
ErwinL
NETGEAR Moderator

Re: Complete IOT security and access solution Orbi 6 Pro

Hello Boatguy54

 

Since all IOT devices are wireless, you can prevent them from reaching each other through the client isolation feature of our access point. For access between employee and IOT you will need to apply an access list (ACL) between the two VLANs. You may check the link below for an example of ACL configuration. How many ports do you need for wired devices for the employees VLAN?

 

https://kb.netgear.com/21714/How-do-I-set-up-an-IP-Access-Control-List-ACL-with-two-rules-using-the-...

 

Have a lovely day,
Erwin
Netgear Team

Message 6 of 10
Boatguy54
Guide

Re: Complete IOT security and access solution Orbi 6 Pro

Erwin - No wired access for employees is needed.

 

Thank you.

Message 7 of 10
Boatguy54
Guide

Re: Complete IOT security and access solution Orbi 6 Pro

My assumption is that network and client isolation will be enabled for the IOT VLAN, and that the ACL rules will override that setting. Is that correct?

 

I think I understand the ACL concept, but I'm confused by the example's use of the same subnet and mask for source and destination. I was thinking the source would be the employee VLAN and the destination the IOT VLAN.

 

Don't I need a rule that will allow broadcast of device availability (printers, etc.) from the IOT VLAN to reach the employee VLAN?

 

Thanks for the help.

Message 8 of 10
Boatguy54
Guide

Re: Complete IOT security and access solution Orbi 6 Pro

On the Orbi Pro 6 router (#SXR80), I do not see an IP ACL option. I see MAC ACL and device ACL, which seem like just more MAC. I don't see any way to create the rules you describe.

Message 9 of 10
ErwinL
NETGEAR Moderator

Re: Complete IOT security and access solution Orbi 6 Pro

Hello @Boatguy54


I apologize, I was referring to a switch that you might possibly have. That way you will be able to have dedicated access and restrictions for each subnet or broadcast domain.


Have a lovely day,
Erwin
Netgear Team

Message 10 of 10
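An added example, not part of the thread and not Netgear configuration syntax: a small Python model of the inter-VLAN rules discussed above, with the employee VLAN as source and the IOT VLAN as destination, and IOT-to-employee traffic allowed only as replies. The 192.168.x.0/24 subnets, the `established_only` flag and the `Gateway` class are assumptions made for illustration, and flows are tracked per IP pair as a simplification.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing (not from the thread): one /24 per VLAN ID.
VLANS = {name: ipaddress.ip_network(f"192.168.{vid}.0/24")
         for name, vid in (("admin", 10), ("employee", 20), ("iot", 30), ("guest", 40))}

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # source VLAN name
    dst: str                        # destination VLAN name
    established_only: bool = False  # match only replies to an already permitted flow

# Source and destination are different subnets; anything unmatched is denied.
RULES = [
    Rule("permit", "employee", "iot"),
    Rule("permit", "iot", "employee", established_only=True),
]

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

class Gateway:
    """Hypothetical inter-VLAN filter: first match wins, implicit deny at the end."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()          # (initiator, responder) IP pairs permitted so far

    def forward(self, src, dst):
        s, d = vlan_of(src), vlan_of(dst)
        if None in (s, d):
            raise ValueError("address outside the modelled VLANs")
        if s == d:
            return "not-routed"     # same subnet: switched at layer 2, the ACL never sees it
        is_reply = (dst, src) in self.flows
        for rule in self.rules:
            if (rule.src, rule.dst) == (s, d) and (is_reply or not rule.established_only):
                if rule.action == "permit" and not is_reply:
                    self.flows.add((src, dst))
                return rule.action
        return "deny"

if __name__ == "__main__":
    gw = Gateway(RULES)
    laptop, camera, printer = "192.168.20.15", "192.168.30.7", "192.168.30.8"  # constructed
    for s, d in ((camera, laptop), (laptop, camera), (camera, laptop), (printer, laptop),
                 (camera, "192.168.10.1"), (camera, printer)):
        print(f"{s} -> {d}: {gw.forward(s, d)}")
```

The `not-routed` result for two IOT addresses shows why device-to-device isolation inside the IOT VLAN is left to the access point's client isolation rather than to an ACL between VLANs.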