CR1000B - IoT Configuration questions

Question

Greetings All,

Going to try to make this quick and to the point.

I am trying to understand what the difference, from a strictly security standpoint, between the IoT network and the Primary or Guest network on the CR1000B.

- Reading the CR1000B owner manual it states that there is no firewall between the Primary and IoT networks

- The IP addressing range is the same on both the Primary and the IoT networks.

- I do not see a way to create a separate VLAN for the IoT network, is this possible to have this functionality on the CR1000B?  And if so, would it address my security concerns by placing IoT devices on 1 network and non IoT devices on another network?

So, my question, from a purely security point of view, what does enabling and attaching devices to the IoT network buy me?

If in fact, from a security point of view, there is no advantage of enabling and using the IoT network, would I be able to connect my Orbi router (RBR750)  and satellites (RBS750), and using the router function on the Orbi router, configure it in such a way that my  IoT device can go connect to  the "Orbi" network, with a different IP address subnet range and my other devices go on the CR1000B Primary or Guest network with a different IP address subnet range? So, for example, the CR1000B would have IP address range 192.168.1.0/25 and the Orbi network would have IP address Range 192.168.1.128/25?

Reason behind this whole concern is I just purchased a house that was equipped with a Ring doorbell, and though I do like the convivence, I want to ensure that I am not exposing my home computers to any additional "threats" just for the convince of the Ring doorbell.  In addition, I ordered a Wi-Fi enabled thermostat and garage door opener and I would also place them on my IoT network, but once again I would like to keep my home computers as free from "threats" as possible.

Also, what else should go on the IoT network, Smart TV's? Sonos Speakers? Pool automation?

Thanks in advance for any suggestions, directions, and insights that you can provide.

Kind regards,

Cang_Household · Accepted Answer

The IoT SSID was created for the sole purpose of accommodating devices that only have a 2.4GHz wireless controller, it does not intend to provide an isolated network. With the IoT SSID enabled, you could leave the Self-Organizing Network on the main wireless radios on.

To achieve network isolation, you need to use the Guest wireless network, which is also on 2.4GHz. Guest wireless network is on VLAN 10 and this VLAN is trunked to all ports of the router. This means you could extend this VLAN with a VLAN-aware switch to overcome the 10 device limitation. The 10 device limitation is not sure whether it comes from the dnsmasq DHCP server or the wireless radio's limited number of associations.