IoT SSID on G3100
Observer1
Enthusiast - Level 3

When I associate devices with my Guest SSID on the G3100 (and extender), they are assigned IP addresses on a separate guest subnet (192.168.200.x, router is 192.168.200.1) and are isolated from my primary subnet.

When I associate devices with the newly supported IoT SSID on the G3100 (and extender), they are still assigned IP addresses on the primary subnet (192.168.1.x, router is 192.168.1.1) and are not isolated from my primary subnet.

If one of the objectives of an IoT "network" is to isolate IoT devices from my devices containing sensitive information, then associating IoT devices with my Guest SSID would appear to be a better choice, although this is counter-intuitive and exposes my guests to misbehavior by my IoT devices.

Also, I did enjoy being able to review all my devices by SSID (Primary, Guest, and IoT).  And collapsing IoT and Guest loses something.

I'd appreciate hearing from others more experienced in networking.  I appreciate Verizon attempting to bring some network isolation features to the masses, but perhaps someone could explain why they would make this deliberate choice, since the newly supported IoT "network" reasonably suggested it would include some form of isolation.  (Going above my pay grade...  Why not create another subnet for the IoT SSID?  If IoT devices must directly communicate with one another, they should be able to, residing on their own subnet.  If an IoT device simply must be able to access a primary subnet device, then could a special route be created to accomplish that?)

16 Replies
Cang_Household
Community Leader

As stated in the updated G3100 user manual:

The IoT Network is designed to provide an easier setup experience for your Internet of Things (IoT) devices which benefit from connecting to the 2.4 GHz band while keeping your Primary Network settings unchanged. IoT devices and Primary devices can communicate with no firewall restrictions separating them.

The addition of the IoT SSID is for allowing legacy IoT devices to connect to the 2.4GHz band without interference from the Self-Organizing Network mechanism on the normal 2.4GHz and two 5GHz radios. Before the creation of the IoT SSID, legacy IoT devices frequently disconnected when connected to the main wireless radios with SON enabled.

The Guest network, on the other hand, is created for isolation. The newest firmware not only separates the Guest SSID into a separate subnet, but also separates guest devices from one another (to align with the G1100's Guest Network feature).

If you need isolation, simply put your IoT devices onto the Guest Network.

Observer1
Enthusiast - Level 3

...The addition of the IoT SSID is for allowing legacy IoT devices to connect to the 2.4GHz band without interference from the Self-Organizing Network mechanism on the normal 2.4GHz and two 5GHz radios. Before the creation of the IoT SSID, legacy IoT devices frequently disconnected when connected to the main wireless radios with SON enabled...


While moving IoT devices to a separate SSID may remove undesirable side-effects on SON-enabled networks, the security isolation objective is not met:

FBI Warning regarding IoT 

It seems to me that, until Verizon organizes the IoT SSID devices as a separate subnet (as it does in the case of the guest network), any user wishing to heed the FBI's advice should associate their IoT devices with their Guest SSID, disable SON, and disable the IoT SSID (because it is insecure).

The point I was trying to make is this:  Verizon may be misleading consumers into thinking they are addressing security recommendations by offering an IoT SSID.  If they have created a false sense of security, they have done consumers a serious disservice.

I was hoping someone would pick up on this concern and comment. 

Finally:

The Guest network, on the other hand, is created for isolation. The newest firmware not only separates the Guest SSID into a separate subnet, but also separates guest devices from one another (to align with the G1100's Guest Network feature).

I read elsewhere in the forums that the G3100 Guest isolation does not isolate devices from one another (as had been the case in earlier routers supplied by Verizon).  The guest subnet is simply isolated from the primary subnet.

Cang_Household
Community Leader

@Observer wrote:
While moving IoT devices to a separate SSID may remove undesirable side-effects on SON-enabled networks, the security isolation objective is not met.

In your FCC citation, they apparently simplify the definition of IoT to "everything else in your home that connects to the world wide web." Users have had the ability to disconnect any device on the network from the Internet through Firewall Access Control since long before the Guest wireless network and IoT network became features. Again, the Guest network is there for isolation. In fact, previous G3100 firmware and current G1100 firmware allow all wireless networks to be isolated through unbridging. In summary, there are at least 3 or more remedies available at customers' disposal to address the FCC's concerns.


@Observer wrote:

Verizon may be misleading consumers into thinking they are addressing security recommendation by offering an IoT SSID.  If they have created a false sense of security, they have done consumers a serious disservice.


Verizon never advertised that the creation of IoT is for the purpose of enhancing wireless network security. Customers should take a deeper look rather than just making assumptions based on a new SSID name. Furthermore, the updated G3100 manual clearly states the IoT wireless network is not isolated from the primary network. How do you secure your home network without understanding the operating mechanisms of your networking devices? The same argument would go for: how do you secure your home without understanding the operating mechanisms of your alarm system?


@Observer wrote:

I read elsewhere in the forums that the G3100 Guest isolation does not isolate devices from one another (as had been the case in earlier routers supplied by Verizon).  The guest subnet is simply isolated from the primary subnet.


I believe the user who made that statement is jlg2. As our CLs pointed out over there, jlg2 pivots his point on the G3100's guest network operating differently from that of the G1100. Now that the G3100's guest network is very similar in mechanism to the G1100's, the scenario suggested by jlg2 will not work.

Observer1
Enthusiast - Level 3
While moving IoT devices to a separate SSID may remove undesirable side-effects on SON-enabled networks, the security isolation objective is not met.

In your FCC citation, they apparently simplify the definition of IoT to "everything else in your home that connects to the world wide web." Users have had the ability to disconnect any device on the network from the Internet through Firewall Access Control since long before the Guest wireless network and IoT network became features. Again, the Guest network is there for isolation. In fact, previous G3100 firmware and current G1100 firmware allow all wireless networks to be isolated through unbridging. In summary, there are at least 3 or more remedies available at customers' disposal to address the FCC's concerns.

In that citation the FBI, not the FCC, recommended isolating IoT devices from sensitive data in our home networks.  They did not recommend disconnecting the devices from the network as a solution, which you appear to be suggesting could have worked long before Verizon decided to support an isolated Guest subnet and its new IoT SSID.  I'm not sure how you envisioned the IoT devices would have worked though, disconnected from the Internet (the "I" in "IoT").

When someone writes "in summary", it usually follows detailed information that is then summarized.  Please share with the forum the "at least 3 or more remedies available" to G3100 users that may be used to isolate their IoT devices.

Since you present yourself as an expert w.r.t. the G3100, would you mind also explaining how we users can configure the G3100 ethernet ports, such that all devices connected to those ports would be on the isolated subnet(s)?  (Using an earlier Verizon-supplied router that did not support 1Gb/s speeds, I was able to do this using VLANs and my own access points connected via ethernet.)

Thank you.

Observer1
Enthusiast - Level 3


@Observer wrote:

Verizon may be misleading consumers into thinking they are addressing security recommendation by offering an IoT SSID.  If they have created a false sense of security, they have done consumers a serious disservice.


Verizon never advertised that the creation of IoT is for the purpose of enhancing wireless network security. Customers should take a deeper look rather than just making assumptions based on a new SSID name. Furthermore, the updated G3100 manual clearly states the IoT wireless network is not isolated from the primary network. How do you secure your home network without understanding the operating mechanisms of your networking devices? The same argument would go for: how do you secure your home without understanding the operating mechanisms of your alarm system?


If you carefully read my original post, you will realize that you are restating things that I have either already stated, or posing a straw man argument. While I appreciate you taking the time to respond to my queries, your desire to "explain" (in this thread and another) appears to sometimes cloud comprehension of the underlying issue raised.

When we get into a discussion of human factors, and how consumers behave, we should think through the inferences of design and product decisions.  I doubt as many as 1% of G3100 users read the manual.  Instead, they use the UI and infer and assume.  If they have ever heard -- somewhere -- of the need to isolate IoT devices, and discover that the G3100 offers a dedicated IoT SSID, it would be quite reasonable to assume it was for the purpose of isolation (and not to address some geeky, SON-related radio inefficiencies).  I jumped to that conclusion myself.  However, after some experimentation, I realized that no isolation was included.  That is why I posted my note.  I wanted to alert those who read forums to beware, and perhaps (long shot) entice Verizon to consider including isolation as a feature of a separate SSID for IoT devices.
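An added check, not from any post in this thread, for repeating the experiment Observer1 describes: join the Guest or IoT SSID with a laptop and run it. The subnets and the primary gateway are the ones reported in the thread; 192.168.1.10 is an assumed placeholder for a primary-subnet device you own.

```python
"""Isolation check: join the Guest or IoT SSID, then run this script.
It classifies the DHCP-assigned address against the subnets reported in the
thread and then tries TCP connects into the primary subnet. Any reply at all
(open port or connection refused) means the primary subnet is reachable."""
import ipaddress
import socket

PRIMARY_NET = ipaddress.ip_network("192.168.1.0/24")   # primary, router .1
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")   # guest, router .1
PRIMARY_GATEWAY = "192.168.1.1"
PRIMARY_HOST = "192.168.1.10"   # assumed placeholder for a primary-subnet device you own

def classify(addr: str) -> str:
    """Name the thread's subnet that an address falls in, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip in PRIMARY_NET:
        return "primary"
    if ip in GUEST_NET:
        return "guest"
    return "unknown"

def local_address() -> str:
    """Source address the OS would use toward the primary gateway (no packet sent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((PRIMARY_GATEWAY, 53))
        return s.getsockname()[0]

def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """'open', 'refused' (host answered, port closed) or 'filtered' (no reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except OSError:            # timeout, no route, host unreachable
            return "filtered"

def isolated(results: dict) -> bool:
    """Isolation holds only when nothing on the primary subnet answered."""
    return bool(results) and all(r == "filtered" for r in results.values())

if __name__ == "__main__":
    me = local_address()
    print(f"this device: {me} ({classify(me)} subnet)")
    targets = [(PRIMARY_GATEWAY, 80), (PRIMARY_GATEWAY, 443), (PRIMARY_HOST, 22)]
    results = {(h, p): probe(h, p) for h, p in targets}
    for (h, p), r in results.items():
        print(f"  {h}:{p} -> {r}")
    print("isolated from primary subnet" if isolated(results) else "NOT isolated")
```

On the IoT SSID the gateway's web port answers and the script reports NOT isolated; on the Guest SSID every probe should time out.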

gs0b
Community Leader

Creating a dedicated "IoT" network and expecting users to know it's just a separate 2.4 GHz radio is like calling ADAS features "Auto Pilot" and expecting drivers to know they have to keep their hands on the wheel at all times.

Bottom line is folk who want to create a truly isolated network for IoT devices can't do it with Verizon hardware.

Observer1
Enthusiast - Level 3

@gs0b wrote:

Creating a dedicated "IoT" network and expecting users to know it's just a separate 2.4 GHz radio is like calling ADAS features "Auto Pilot" and expecting drivers to know they have to keep their hands on the wheel at all times.

Bottom line is folk who want to create a truly isolated network for IoT devices can't do it with Verizon hardware.


I agree that it's misleading and confusing.  But we should expect awareness to slowly improve that IoT devices should be isolated, and Verizon dangling that new IoT SSID (that doesn't isolate) in front of naive users will make things worse.

Simply putting it on a separate subnet would provide some isolation, at least, and would presumably be trivial to implement, with side-effects that could be mitigated.  And then Verizon could have trumpeted it as part of their new routers, thereby influencing and educating the public to do more than the "nothing" they are in the process of cementing under the guise of "use this special IoT SSID" for your IoT devices.

I created an isolated VLAN with earlier Verizon gear and a managed switch, but frankly it's a bit fiddly for home use.  And my old gear didn't handle the new 1Gb/s speeds I now enjoy.  I'd accept the limitations of merely isolating the traffic on a separate subnet in exchange for the ease of trivial and "standard" config.  For now, I guess I'll stick my IoT devices on the guest network and disable SON (and the misleading IoT SSID).

Cang_Household
Community Leader

Our CLs proposed long ago to bring back the VLAN feature included in the BHR3. The VLAN feature did not make it to the BHR4 (Quantum Gateway Router, or G1100), and is still missing on the BHR5 (G3100).

Speaking as a customer myself, bringing back VLANs and expanding the Firewall features will solve the IoT issue/dilemma once and for all. Let's see whether our customers can influence the engineering team to embark on this tough VLAN upgrade journey.

jlg21
Enthusiast - Level 3

In the disagreement between Observer and Cang_Household, I agree with Observer.  His use of "misleading" may be vague in that Verizon is not technically lying.  But in my opinion, when a user sees a special SSID is designed for IoT devices, it's reasonable to assume that it meets FBI security standards for home users.  Sure, Cang_Household is right that for sketchy equipment makers, the user should dig deeper.  But a lot of folks don't expect Verizon to be that sketchy.  So it's probably fair for Observer to use the word misleading.

jlg21
Enthusiast - Level 3

Is the Guest network still limited to 10 connections?  If so, using it to comply with FBI security guidelines is only useful for users who don't have many IoT devices and guests.

Observer1
Enthusiast - Level 3

No.  I posted several months ago that I did not observe this limitation (it must have been removed in a firmware update before my first usage).

This made the guest network the preferred choice for associating IoT devices, since they are on a separate subnet and VLAN, and thereby isolated from devices on the main network.  (Your real guests will have to coexist with IoT devices, but that's the best the product will do until it has been fixed to properly isolate the IoT network.)

IMO, the IoT network is useless because it does not provide the FBI-recommended isolation.

I also posted information about the hardcoded guest network VLAN ID (undocumented), which can be used to connect wired IoT devices to this router/extender (same VLAN/subnet isolation).

jlg21
Enthusiast - Level 3

About Observer's post on the connection limitation to the "Guest" subnet 192.168.200.xxx.  Did I understand correctly that there is no longer a 10-connection limit on the Guest subnet?  If so, then most folks should disregard my recommendation about getting a separate Wi-Fi router and, as Observer posted, just use the guest subnet for IoT devices that should not have access to your communication devices.

A separate router would still be an advantage in a situation like mine where I occasionally have multiple guests with multiple devices who need a separate subnet that does not isolate all their devices from one another.  This is a separate issue from IoT security. 

In my opinion, Verizon could solve all these problems by modifying the firmware so that users could create their own subnets to suit their situations.
 
NewtoFiOSBB
Enthusiast - Level 3

I've so lost my IT expertise as I've aged. Can someone just tell me straight up what I should do? I've always kept the guest wifi disabled. When the IoT option arrived and 5 GHz became two, and your original 2.4 still there obvi, I just started dividing all my wifi connected devices (and just my Hue Bridge connected by Ethernet wire) amongst all four of them 😜, leaving guest mode disabled. Never really used SON; I compete with one competent neighbor for the two worlds of 5 GHz channels and have DFS enabled. Ended up here because I realized my stupid you were Roku can't see my 5 GHz SSIDs... read it's because I have DFS enabled but should be able to see if your higher channels connection is above channel 149.

I'm now just one person in a three story 1500 sq ft house. I stupidly put a few things on the IoT after naming and enabling it. Could one of you much savvier IT people just tell me what to do? Lol, sounds like disable IoT and just put my bulbs and dumb Alexas (that never answer me right but I've had too long to get rid of) back across the 2.4 and two 5's? Is there any real benefit or point to enabling the Guest network I've never used and loading it up with my IoTs, which btw I'm not even sure everything that is applicable in that category, and I only have freaking 16-18 devices connected in total in the first place lol, just for reference! My Roku is on 2.4 and I want it on 5 as I use it a lot and it gives me some issues sometimes.

Thanks so much for direction in advance guys!!! Take care!

anderson30
Newbie

I can confirm it's possible to connect more than 10 devices wirelessly to the Guest network; I'm currently using that as a workaround to isolate network traffic to IoT devices.

jlg21
Enthusiast - Level 3

Regarding Observer's original post, I think given the low cost of Wi-Fi routers, the easiest way to follow FBI recommendations for security of home networks is to buy an inexpensive separate Wi-Fi router. 

You can set it up as your IoT network and connect it to the G3100 by wired ethernet.  You should take care that the separate Wi-Fi router is set up as a router, as opposed to an access point, since many inexpensive devices give the user a choice.   To avoid confusion, you should make sure it's not on the default 192.168.1.xxx subnet that the G3100 uses for Primary and IoT.  Since I don't know much about radio interference, I'd put some distance between the two Wi-Fi stations just to be safe.

Observer1
Enthusiast - Level 3

@jlg2 wrote:

Regarding Observer's original post, I think given the low cost of Wi-Fi routers, the easiest way to follow FBI recommendations for security of home networks is to buy an inexpensive separate Wi-Fi router.


Yes, you can do that.  However, you could more easily just use the Guest network, which is isolated on its own VLAN (and its own subnet).  There is no 10 device limit (contrary to earlier reports).  The only downside is that your visitors (guests) will have to temporarily be on the same network as the IoT devices.  I'm OK with that compromise because I don't have to go through the hassle of setting up multiple parallel Access Points for the IoT devices.  I let the G3100 plus extender handle all the household WiFi needs (>500Mb/s speeds) on two networks:  Main and Guest.  I disabled SON and the IoT SSID.  I can then enjoy a single dashboard to view/manage all my devices using my FIOS connection, whether hardwired or via WiFi, and whether on Guest or Main network. 

Also, for those willing to handle some "fiddle factor", you can also connect properly isolated IoT devices on the G3100 Guest network via Ethernet if you have a smart switch that supports VLANs.