
Define Subnet(s) for Scanning to increase IT Security (IoT devices should be in a firewalled, separated subnet) #39

Closed
at24106 opened this issue Jan 22, 2019 · 4 comments

Comments


at24106 commented Jan 22, 2019

Dear,

I'd like to put the devices in a separated IoT network segment (IP range/VLAN) to prevent any negative impact of these. The challenge is that the iobroker is in another network segment than the devices and so it scans only its own subnet, which means the devices will not be found.

I'd like to raise the feature request to be able to define the subnet(s) where Broadlink devices can be, so that the scanning is extended to all defined subnets. This will increase IT security dramatically because I can put the Broadlink devices in a separated network with limited firewall access.

Thanks a lot!

Rainer

@frankjoke (Collaborator)

I will keep an eye on how to change the subnet when I work on some other changes to the broadlink2 and radar adapters.


at24106 commented Jan 22, 2019

Thanks a lot!

@frankjoke (Collaborator)

By the way, I tested a bit on my networks and there is one outcome: the device which manages the Broadlink devices needs to be on the same subnet as the devices themselves.

For that I found two possibilities on my FritzBox with one of my test Raspis:
I put the wireless Broadlink devices on the Guest network and have one Raspi which is connected to the normal network via LAN and to the Guest network on wireless.

If you run broadlink2 there you will get devices on the guest network and on the normal network.

You can make the guest network handle no UDP traffic, which way you can prevent the devices talking to their servers in China.

In any case, I can program broadlink only to use certain interfaces, which need to be wireless or wired IPv4 networks. So however you want to generate the virtual network, make sure that the iobroker instance where broadlink2 runs on is also included.

p.s.: Made myself my own router with an old Raspi and a USB LAN adapter as well as a USB WLAN stick (this Raspi did not have WLAN).

I can now test (and capture network with wireshark) in my specific environment and no data goes out to normal network.


at24106 commented Mar 18, 2019

Hello frankjoke,

thanks for your comprehensive solution description - and yes, this is a valid solution. I thought it might be routable ... which would allow to keep iobroker in the DMZ ... and open only a firewall hole for this port which is then in another subnet <DMZ ... with iobroker> <firewall with pinhole for udp/port to iobroker ip>. For that approach it requires to define another subnet to scan (instead of the local one which is used now).

Again, thanks for trying.

Best wishes, Rainer
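As an added illustration of the feature requested in this thread (not code from the broadlink2 adapter or from either participant), the sketch below scans only explicitly configured subnets by sending the discovery probe to each subnet's directed-broadcast address and dropping any reply whose source is outside those subnets. The config values, `DISCOVERY_PORT` and the probe payload are constructed placeholders; substitute the adapter's real discovery port and packet, and note that directed broadcast must be permitted by the firewall pinhole described above for replies to arrive.

```python
import ipaddress
import socket

# Constructed example config: subnets where Broadlink devices are allowed to live.
# The scanning host itself is assumed to sit in a different (DMZ) subnet.
SCAN_SUBNETS = ["192.168.50.0/24", "10.10.20.0/24"]
DISCOVERY_PORT = 80            # placeholder; use the adapter's real discovery port
PROBE_PAYLOAD = b"\x00" * 48   # placeholder; use the adapter's real discovery packet


def discovery_targets(subnets):
    """Return one directed-broadcast address per configured IPv4 subnet.

    Strict parsing rejects host bits and single-host entries, so a typo in the
    config cannot silently widen the scan beyond the ranges the admin intended.
    """
    targets = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or net.prefixlen == 32:
            raise ValueError(f"expected an IPv4 subnet, got {cidr}")
        targets.append(str(net.broadcast_address))
    return targets


def accept_response(src_ip, subnets):
    """Treat a reply as a device only if its source lies in a configured subnet.

    Replies from anywhere else (e.g. the DMZ or WAN side) are ignored rather
    than registered as devices.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c) for c in subnets)


def scan(subnets, payload=PROBE_PAYLOAD, port=DISCOVERY_PORT, timeout=1.0):
    """Probe every configured subnet and return [(ip, reply_bytes), ...]."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        for bcast in discovery_targets(subnets):
            sock.sendto(payload, (bcast, port))
        try:
            while True:
                data, (ip, _) = sock.recvfrom(2048)
                if accept_response(ip, subnets):
                    found.append((ip, data))
        except socket.timeout:
            pass
    return found
```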
