Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
jlg21
Enthusiast - Level 3

I’m new to FIOS and to the G3100 router and am trying to configure a home local area network (LAN) that previously used Cox Communication.   If I put my Internet-of-Things (IoT) devices on the G3100 Wi-Fi guest subnet, will they be able to see each other?  And do they need to?

All I know now is that a computer connected to the default guest Wi-Fi subnet (192.168.200.x) can ping other devices on that subnet but cannot browse to the gateway.  So I know there are some barriers but not total isolation.  I don’t see anything in the G3100 management console that controls whether devices are isolated from each other, either on the primary or guest subnets.  If you know where those controls are, please tell me.  But the question here is where to put IoT devices.

I think the FBI is right to ask all of us to isolate our IoT devices on a separate subnet from our communication devices.  Even if I didn’t agree with the FBI, I would probably follow its advice since it’s not just my safety involved. 

But I don’t see anything on the Verizon support web site or in the G3100 manual about the best way to do that.  And I’m not a network expert.  It seems like a huge management chore involving individual MAC addresses to isolate a subnet within the primary G3100 default subnet.  I don’t even know if it’s possible.  But it would be easy to put them into the G3100 guest Wi-Fi subnet.

The problem is that it's a lot of work reconnecting each device just to find out they won't work together.  IoT devices like Amazon Alexa smart speakers, Home Life SmartPlugs and Google Nest smart thermostats and smoke detectors need to communicate with one another to work properly.  I think that communication has to be within the LAN subnet, but I’m not sure.

I don’t think regular FIOS support or even priority support has people who can answer simple network questions like this. At least not people you can easily reach.  Luckily, I think the Repair Department does have a lot of people who understand networks.  But if someone here can answer my questions, it will save me having to fight my way through the crazy Verizon call routing gauntlet.

I know it takes some time and concentration to read and understand this post.  So thanks in advance for considering my question.

1 Solution
Seeker1437
Community Leader

@jlg2 wrote:
If I put my Internet-of-Things (IoT) devices on the G3100 Wi-Fi guest subnet, will they be able to see each other?

The Guest Wi-Fi is designed as a way to allow guests to visit you and connect to and use your internet without having to give them full access to the entirety of your home network.


It will isolate the non-guest network traffic from guest network traffic. Devices within the same subnet will still be able to talk to each other unless the individual devices are configured not to allow this.


-- TL;DR --

Yes.



@jlg2 wrote:
And do they need to?

It really depends on the device on a case by case basis. From the things I read, IoT traffic just needs to be isolated from normal home traffic, but the rules on whether each IoT device should be isolated from other IoT devices are not described. I am pretty confident it is not needed.


-- TL;DR --

Yes.

jlg21
Enthusiast - Level 3

Will IoT devices work on a G3100 home network?  The answer is yes, definitely.  This post tells you how to put all your Internet of Things (IoT) devices like Alexa, Nest, smart plugs, televisions, refrigerators, etc. on a separate subnet isolated from your communication devices. 

It’s easy.  You don’t need any network knowledge.  If you have 10 or 15 IoT devices in your home it will take about 30 to 40 minutes.  All your IoT devices will work just fine.  You’ll still have all the same controls you had before.  You won’t have to learn anything new.

If you’re reading this thread, you probably already know why this is important.  If you don't, I’ll explain later.  First, here’s how to do it:

Step 1: Ignore the previous postings on this thread that say it's impossible.  Those folks don’t know what they’re talking about.  Their jargon about WANs, routes, commercial access points, etc., etc. is pure pretense.

Step 2: Ignore Verizon tech support when the agent tells you it cannot be done.  Most of the folks providing tier 1 tech support there know less than the folks mentioned in step 1.

Step 3: Browse into your G3100 router management web page from a browser on any computer connected to the network.  The address is HTTP://192.168.1.1.  Your browser will warn you that the link is not secure.  If you're connecting locally (from a computer connected to your home LAN), security is not an issue.

Step 4: Log into the management web page.  The account name is "admin."  If you haven’t set your own password, the default password is written on the back of your router.  (If it is still set to the default password, you should seriously change it, in my opinion, but that’s a different issue.)

Step 5: From the Router’s management home web page, you’ll see six alternatives, Wan Status, Wi-Fi, Network, Parental Controls, Firewall and Advanced.  Click on Wi-Fi.

Step 6: You’ll see five tabs at the top of the Wi-Fi page.  Click on the one that says “Guest Network.”

Step 7: If you haven’t already done this, enable the guest network and give it an SSID name and a password, both different from your primary network name and password.  And remember both the name and password.

Step 8: This is the hardest step of all and the one that will take the most time.  Go to each of your IoT devices, remove it from the primary network and join it to the guest network. 

You’re done.  Now I’ll explain the effect of what you just did.  Then I’ll explain why it’s important that you did it.

By creating a guest network in the G3100 router, you created a new subnet.  Unless some geek who will never need to read this thread has changed the subnet around, your primary subnet by default is 192.168.1.xxx,  where xxx is some number between 1 and 254.  Each device on your network will have a different value for xxx.

The new guest network will be on a subnet 192.168.200.xxx.   Notice the 200 instead of a 1 in the third group.  The G3100 router will isolate the two from each other.  Both will use the same gateway (the path to Verizon and the Internet), but once a packet of information comes to your home the router will separate it and send it to whichever of the two subnets it belongs to.

If you use the guest network for guests, they will not be able to use your printer if it is on your primary subnet where you can use it.  There are some easy ways around that, but that’s a different issue.  It has nothing to do with which subnet your IoT devices are connected to.

Now, why should you do this? The first reason that should satisfy most people is that the FBI considers this a matter of national security.  It has given numerous speeches around the country and issued lots of press releases urging people to do it. You can browse to www.fbi.gov and search for “router” or “subnet” to read them.   Why isn't Verizon warning its customers to do this?  I wish I knew.  

For annoying nerds like me who need a more detailed explanation, here it is: It’s pretty easy for hackers from anywhere in the world to come through the Internet to the Verizon network, from there to your unique public IP address.  There is nothing to stop them.  Anyone can do it.  I can do it, and I’m not a hacker.  From there they need only a little skill to connect to your IoT devices.  I don’t know how to do that, but they do.  IoT devices are notoriously insecure.  Once they connect to one of your IoT devices, I’m told they can probe your home network looking for vulnerabilities and sniff for passwords.  Again, that's above my pay grade.  But that's what the experts say they can do.

But if you put your IoT devices on a separate network, the hacker is **bleep** (out of luck).  He can still mess with your IoT devices.  He could do that regardless of the subnet the IoT devices were on.  But what the hacker wants is to see if he can get to all the credit card and personal information on your computer and smartphone.  If they're on the primary subnet and the IoT device is on the guest subnet, the hacker is at a dead end.  You win.  He loses.

And that’s why the FBI wants you to put your IoT devices on a separate subnet.

I did this earlier today (1/3/20).  All the devices work fine.  They communicate with each other just fine.  If you’re checking this right after that date, you might want to come back in a week.  If I discover a problem, I’ll come back and edit this post.  And I’ll say at the start of the post that it has been edited.  The devices I have connected to my home network include: three Amazon Alexa Dots, one Amazon Alexa Show, one Samsung smart television, one Google Nest thermostat, three Google Nest Protect (smoke detectors), four HomeLife Wi-Fi smartplugs. 

IoT devices are fairly standardized.  So if you have other devices, they’ll probably work just fine too.  But I can personally guarantee you won’t have any problem with devices I’m using.  Alexa can still turn my smartplugs on and off and change the thermostat setting or run a test on the smoke detectors.  (For the Amazon Alexa Show, I had to tell it to forget the primary Wi-Fi subnet after I connected it to the guest Wi-Fi subnet.)

There are two important reasons that the devices continue to work okay.  And one of those reasons directly contradicts what you may have wasted your time reading in the posts prior to this one in this thread.

The first reason is that within the new guest Wi-Fi subnet all the devices can see each other.  Just like the devices in your primary subnet can see each other.  So if the devices need to talk back and forth within the subnet, they will have no problem.

The other reason is that most of the devices I mentioned in my home communicate with each other through a central server in the cloud.  In other words, they don’t even need to see each other on the same subnet.  In fact you could put one Alexa dot on the primary subnet and another on the guest subnet and they would still be able to talk to each other, assuming a falling tree didn’t rip the FIOS loose from your house.

That’s all there is to say.
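Added example, not code from the thread or from Verizon: a small Python script that checks, from a laptop joined to the guest SSID, whether the isolation described above actually holds (guest devices can reach each other and the internet but not the primary LAN or the router's admin page). It assumes the G3100 defaults stated in the post (primary 192.168.1.0/24 with the router at 192.168.1.1, guest 192.168.200.0/24); the probe targets in the main block are constructed placeholders.

```python
"""Guest-network isolation audit (added example, not code from the thread).

Run it from a laptop joined to the G3100 guest SSID. Each probe records whether
a target answered; audit() compares that with the isolation the post describes:
guest devices may reach each other and the internet but not the primary LAN
(192.168.1.0/24, router admin page at 192.168.1.1). Subnets are the assumed
G3100 defaults; the probe targets under __main__ are constructed placeholders.
"""
import ipaddress
import socket
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIMARY_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed G3100 default
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")   # assumed G3100 default


@dataclass
class Probe:
    target: str           # IPv4 address probed
    port: Optional[int]   # None = ICMP ping, otherwise a TCP port
    reachable: bool       # what the probe observed


def expected_reachable(target: str, local_net: ipaddress.IPv4Network) -> bool:
    """Policy: a subnet may reach itself and the internet, never the other subnet."""
    ip = ipaddress.ip_address(target)
    other = PRIMARY_NET if local_net == GUEST_NET else GUEST_NET
    return ip not in other


def audit(probes: List[Probe],
          local_net: ipaddress.IPv4Network) -> List[Tuple[Probe, str]]:
    """Label each probe 'ok', 'LEAK' (reached a host the policy forbids) or
    'blocked' (an allowed target stayed silent: often a host firewall on the
    target, not the router)."""
    results = []
    for p in probes:
        want = expected_reachable(p.target, local_net)
        if p.reachable == want:
            verdict = "ok"
        elif p.reachable:
            verdict = "LEAK"
        else:
            verdict = "blocked"
        results.append((p, verdict))
    return results


def leaks(probes: List[Probe], local_net: ipaddress.IPv4Network) -> List[Probe]:
    """Only the probes that crossed the subnet boundary when they should not have."""
    return [p for p, v in audit(probes, local_net) if v == "LEAK"]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Probe:
    """A completed TCP handshake means the host is reachable on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return Probe(host, port, True)
    except OSError:
        return Probe(host, port, False)


def ping_probe(host: str, timeout_s: int = 2) -> Probe:
    """One ICMP echo through the system ping. Windows ping exits 0 even for
    'Destination host unreachable', so a reply only counts if the output
    carries a TTL, which every genuine echo reply does."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:  # Linux flags; macOS ping takes -W in milliseconds instead
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    out = subprocess.run(cmd, capture_output=True)
    return Probe(host, None, out.returncode == 0 and b"ttl=" in out.stdout.lower())


if __name__ == "__main__":
    # Constructed targets: router admin page, a primary-LAN PC, a guest peer,
    # and a public DNS resolver for internet reachability.
    probes = [
        tcp_probe("192.168.1.1", 80),
        ping_probe("192.168.1.20"),
        ping_probe("192.168.200.5"),
        tcp_probe("1.1.1.1", 443),
    ]
    for p, verdict in audit(probes, GUEST_NET):
        print(f"{verdict:8} {p.target}:{p.port or 'icmp'}")
    if leaks(probes, GUEST_NET):
        sys.exit("guest network is NOT isolated from the primary LAN")
```

Run the same script from a primary-LAN computer with `PRIMARY_NET` as the local network to confirm the boundary holds in the other direction as well.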

Seeker1437
Community Leader

If you have authoritative control over the DHCP server, you can create as many subnets as you'd like using it.

jlg21
Enthusiast - Level 3

I don't think you're right, Seeker1437.  But I hope I'm wrong.  If there's really a way for me to create a separate IoT subnet on the G3100, please tell me and everyone else how.  The DHCP management page has no option that I can see to create more than one non-guest subnet.

Cang_Household
Community Leader

Seeker1437 is right. Seeker1437 did not imply that this setting is available on G3100's DHCP server, but you do not need to use G3100's DHCP server. Any computer with Network Interface Cards can act as a DHCP server or even a router. You can disable G3100's DHCP server and set up your own DHCP server.

With your own DHCP server, you can create as many subnets as you want. G3100's Guest Network is not simply a subnet. It is like a VLAN. For security, you want your user devices and IoT on separate broadcast domains, not only on separate subnets.

jlg21
Enthusiast - Level 3

Thanks again, Cang_Household, for the 1/12/21 post about using Windows DHCP service.  I had not thought about that alternative.  Your post did not have enough info for me to understand how it would work though.

I understand how to provide DHCP service from Windows.  Or at least from the Pro and Education implementation of Windows.  But if you did that and disabled the router's DHCP service, how would the Windows computer rejoin the LAN?

In other words, you disable DHCP on the G3100 then you enable it on the Windows computer attached to the LAN.  I get that.  But then what?  What happens when the Windows computer restarts?  It seems like there's a step missing here. 

Cang_Household
Community Leader

DHCP stands for Dynamic Host Configuration Protocol. What is the opposite of dynamic? Static.


@jlg2 wrote:

But if you did that and disabled the router's DHCP service, how would the Windows computer rejoin the LAN?


Right now, the DHCP server on your Windows is disabled, and the G3100 is acting as a DHCP server. The same question would go to G3100. How does G3100 join the LAN in the first place? Who can G3100 ask to assign it a LAN IP address? G3100 asks itself? No, it does not have that authority. The answer is static configuration. You can assign any LAN IP address to any device you want, even multiple IPs on different subnets for the same device, as long as the IPs do not conflict with other devices. (G3100 does not create the LAN. Any two network cards can create a "LAN." LAN is only a name to designate a network). As long as a network interface can access other network interfaces, it is considered to be joined (no matter whether you want to route to there or switch to there.)

Again, a Windows DHCP server may not be your solution. Subnetting through a DHCP server only ensures layer 3 isolation. What you are looking for is layer 2 isolation. The Guest Network on G3100 is layer 2 isolated from the host network. Layer 2 isolation can be easily achieved using a commercial-grade access point or switch.

jlg21
Enthusiast - Level 3

The green solution I posted a couple of days ago needs a correction.  The G3100 will only allow 10 connections on the guest network according to the December 2019 post on this forum at https://forums.verizon.com/t5/Fios-Internet/Number-of-devices-on-guest-network/m-p/890676#M78681.  I found it because I could not make an 11th connection either.

I can only speculate on why Verizon put this limitation on the firmware.  I don't imagine it was because Verizon wanted its customers to be at greater risk from hackers.  In any case, you will not be able to secure your home network by using the guest network if you have more than 10 IoT (Internet of Things) devices.

Other than that, I know of no other problem with using the guest network to make your computer devices safe from hackers reaching them through your IoT devices.

Observer1
Enthusiast - Level 3

@jlg2 wrote:

The green solution I posted a couple of days ago needs a correction.  The G3100 will only allow 10 connections on the guest network according to the December 2019 post on this forum at https://forums.verizon.com/t5/Fios-Internet/Number-of-devices-on-guest-network/m-p/890676#M78681.  I found it because I could not make an 11th connection either.

I can only speculate on why Verizon put this limitation on the firmware.  I don't imagine it was because Verizon wanted its customers to be at greater risk from hackers.  In any case, you will not be able to secure your home network by using the guest network if you have more than 10 IoT (Internet of Things) devices.

See my latest post in the forum regarding "caps" on the Guest network.  I was able to add 11 devices with the latest firmware (August 2021).  Also, I offered a workaround if caps are still present in the latest firmware.

Observer1
Enthusiast - Level 3

@jlg2 wrote:

The green solution I posted a couple of days ago needs a correction.  The G3100 will only allow 10 connections on the guest network according to the December 2019 post on this forum at https://forums.verizon.com/t5/Fios-Internet/Number-of-devices-on-guest-network/m-p/890676#M78681.  I found it because I could not make an 11th connection either.

I can now report successfully seeing 20 devices on my Guest network (G3100+E3200), so the 10-device limitation (undocumented) appears to have been removed from a later firmware release.

Note that the Guest network traffic is isolated on its own VLAN with its own subnet addresses.  This makes it suitable for IoT devices.  

Unfortunately, the relatively new IoT network supported by the G3100/E3200 is NOT isolated from the primary network.  Therefore, hacked IoT devices on the IoT network will have access to all traffic/devices on the primary network (although, ironically, none of the traffic/devices on the Guest Network).  

Without the previously-reported 10-device limit on the Guest network, it appears to be the preferred network for IoT devices when using the G3100/E3200 until Verizon properly implements an isolated IoT network.  In the meantime, don't make the incorrect assumption that the G3100/E3200 IoT network is isolated and meets the FBI recommendation to isolate IoT devices from your primary network.

Observer1
Enthusiast - Level 3

...The G3100 will only allow 10 connections on the guest network according to the December 2019 post on this forum at https://forums.verizon.com/t5/Fios-Internet/Number-of-devices-on-guest-network/m-p/890676#M78681.  I found it because I could not make an 11th connection either.

I can only speculate on why Verizon put this limitation on the firmware.  I don't imagine it was because Verizon wanted its customers to be at greater risk from hackers.  In any case, you will not be able to secure your home network by using the guest network if you have more than 10 IoT (Internet of Things) devices.

I am a little late to this thread, having only recently installed a G3100/E3200 combo.  I was keen to try out the isolated guest network, and surprised to learn that the DHCP server is only handing out 10 addresses.  (I have also posted my opinion that the new IoT SSID, which is not isolated, is inappropriate for IoT devices.)

I have a couple of suggestions that might work.  If so, they would allow one to use dozens of IoT devices on the guest network:

  • manually configure static addresses in IoT devices where you can (xxx.xxx.200.y, where y>11)
  • configure a second DHCP server to hand out dynamic addresses above the range handled by the G3100's DHCP server.  I.e., the range xxx.xxx.200.y-254.  The second DHCP server could be connected:
    • via WiFi on the guest network, or
    • via ethernet once we know the VLAN ID of the guest network
Cang_Household
Community Leader

Thank you for the clarification. I was wondering how you connect more than 10 devices. The limitation is to ensure quality of service. Only the 2.4 GHz band will be created with another SSID and a wireless network. Since the 2.4 GHz only has a 2 x 2 (is this right? others please confirm) antenna configuration, you want to save resources for the host's wireless network.

Another thought: your solution is quite contingent on the fact that G3100's Guest Network operates differently from G1100's Guest Network. G1100 not only separates Guest devices from the main networks, but also isolates each Guest device from the others. The latter feature is not supported by G3100. G3100 seems to allow access between devices on the Guest network. Since this may constitute a security risk between Guest devices, Arcadyan may push a future firmware update that isolates each device from the others on the Guest Network. At that time, devices on the Guest network will not be able to communicate with each other.


@jlg2 wrote:

IoT devices like Amazon Alexa smart speakers, Home Life SmartPlugs and Google Nest smart thermostats and smoke detectors need to communicate with one another to work properly.


So, your situation may not work in the future. I would still recommend a commercial-grade managed access point or commercial-grade router for creating multiple subnets.

jlg21
Enthusiast - Level 3

Hi, Cang_Household.

I'm only familiar with Windows and iPhone, but I don't see a security benefit to isolating devices from each other.  Some guest users might very well need to communicate within their subnet.

What the firmware publisher really should do in my opinion is provide for three subnets in the router's management console -- a personal subnet, a guest subnet and an IoT subnet.   That would satisfy my needs.  But I don't see why it would be hard to update the firmware to allow users who need them to create as many subnets as they want within the last two octets.

The FBI's recommendation that IoT devices should be on their own separate subnet away from our computers and smartphones is noncontroversial, as far as I know.  The recommendations are not for the NSA and CIA.  They are for everyday folks like you and me.  Consumer router makers should make it easy instead of impossible for users to follow these noncontroversial best practices.

Along those same lines, IoT makers should also be more open about what security protocols their devices follow.  But that's an issue for another community.

Cang_Household
Community Leader

@jlg2 wrote:

I'm only familiar with Windows and iPhone, but I don't see a security benefit to isolating devices from each other.  Some guest users might very well need to communicate within their subnet.


You isolate your devices from guests' for security. Why would guests not want to isolate their devices from each other?

Regarding your IoT subnetting. I have answered you above. You actually want VLANs, not only subnetting.

BHR 3 (Actiontec MI424WR) used to support VLANs. The VLAN support was dropped in BHR 4 (also known as the Quantum Gateway Router or Fios-G1100). The VLAN support was not added back in BHR 5 either (commonly known as Fios Router or Fios-G3100). The reason is twofold. 1) Average consumers do not use VLANs at home. 2) Correctly setting up VLANs requires intermediate networking knowledge.


jlg21
Enthusiast - Level 3

Good point, Cang_Household, about isolating users on a guest network.  You're right, guests would be exposed to a less private network. 

On the other hand, most of my guests would prefer access to communicate across their private network.  You can usually increase security by decreasing capability.

I suppose the perfect solution would be for both older and newer versions of the Verizon router to be updated so that they provide an option for the router manager to choose whether he wants the addresses isolated from each other on the guest network.  Some people might even want that on their primary network.

I still think the perfect solution is for the firmware to be changed so that it easily provides three networks that are simply labeled primary, guest and IoT, so that any fool like me can configure a secure home LAN for himself and his guests.

Failing that, the easiest thing for Verizon to do is remove the 10-connection limit on the guest network.

Cang_Household
Community Leader

@jlg2 wrote:

You can usually increase security by decreasing capability.


Not necessarily. Commercial access points and switches can achieve selective access control. You can control how much network A can access network B. For instance, if you only want the media server on network A to be accessible on network B, you can configure that in seconds.


@jlg2 wrote:

I suppose the perfect solution would be for both older and newer versions of the Verizon router to be updated so that they provide an option for the router manager to choose whether he wants the addresses isolated from each other on the guest network.  Some people might even want that on their primary network.


Major revisions to the firmware are costly and technically difficult. Considering different parts of a Verizon home network comes from at least two different vendors, they must all work together to ensure a smooth implementation. Not to mention the associated cost and lengthy approval process.

darbeeny
Newbie

The latest g3100 firmware, 3.1.0.14, has a separate IoT subnet

Cang_Household
Community Leader

Thank you for the information.

Addendum: users should now be able to leave the SON on while connecting all IoTs to the separate SSID.

Cang_Household
Community Leader

You want to separate wireless devices and access control them. I guess the solution for you would be a managed access point. For example, Cisco 140/145AC, not cheap, and you need a PoE switch or injector to power them.

You can set up multiple WLANs and create custom Access Control Lists. You can allow them to communicate with each other while denying inter-VLAN routing to your main network and the Internet. You need some technical skills and budget to achieve this.

jlg21
Enthusiast - Level 3

Thanks, gs0b and Cang_Household, for taking time to reply.  I don’t understand some things about each reply and don’t agree with everything posted.

Gs0b’s reply sounds contradictory.  I probably don’t understand it correctly.  But it sounds like he says the G3100 completely isolates devices on a guest Wi-Fi subnet and that if you want to completely isolate devices you need a second router.

Also, I think he’s wrong about complete isolation on the G3100 guest Wi-Fi subnet.  I was able to ping other devices on the guest subnet.  I realize pings are different from packets that contain information, but if the nodes were completely isolated, I couldn't even ping other devices.

I respect gs0b’s opinion that my question is complicated, but we disagree.  I am not a network expert.  I’ve never worked in IT.  I’ve read a few user manuals.  That’s all.  But I think anyone with networking experience and familiarity with the G3100 could answer my two questions reflexively.  So I pray gs0b’s is wrong about the need to read dozens of IoT device manuals.  Getting a credible answer to my two questions would be a lot easier.  Especially if all I have to do is put the IoT devices on the guest subnet.

I also don’t think my questions were esoteric.  There have been hundreds of non-technical articles written about the danger IoT devices pose for American security and about actual cases where the devices have been used to access communication devices on home networks.  The FBI has published numerous press releases and interviews urging people to separate their IoT devices from their communication devices.  I know Verizon must be concerned about this at some level, but I don’t see any information available to its customers on the support web site.  This is especially weird if all you have to do is click the enable box on the guest network to comply with the FBI's request.

I don’t understand Cang_Household’s advice about a managed access point.  I don’t know much about access points, but I think an access point, managed or otherwise, would lie on the same subnet as the G3100 router and would just relay Internet Protocol addresses from the G3100 to the AP’s connected devices.  Isn’t that what it means to be an “access point”?  Wouldn’t the AP have to be on the same subnet with the G3100 just to reach the FIOS gateway?  If the AP were managed, that might enable you to isolate devices on that AP from each other but wouldn’t they still have access to everything else on the subnet?

I also don’t understand what Cang_Household means by setting up multiple WLANs.  I believe Verizon only assigns one public IP to a home customer.    I already use the G3100 and a dynamic DNS host to port-forward certain packets to my desktop computer so I can access it from campus.  But I don’t think that’s the kind of WLAN Cang_Household is referring to.

gs0b
Community Leader

This is a complicated subject, as shown by your questions after reading multiple sources and getting detailed responses here.

The information I posted is not contradictory.  Guest networks are designed to allow devices to only access the internet.  That's the point - prevent devices from having access to ANY internal resources, even other devices on the guest network.

On a G1100, guest network devices can't even ping each other.  I've not tested a G3100, as I don't have one.  It is interesting that it's allowing pings to go through; that may have been done to enable network management, but it's a security risk.

If you want to create a network that is completely separate from the main network AND allows devices on that network to communicate with each other, that's not a guest network.  That's a separate network.  VLANs or separate WLANs are ways to do this.  Most consumer routers don't support creating these.  So, if you want to create one of these behind a consumer router such as the G3100, you've got to buy some more gear and learn how to configure it.  You'll also need to configure the G3100 to keep the network behind the additional router separate from the main network.  Doable, but it takes networking knowledge and an understanding of the security risks of various settings.  Like I said, complex.

Should consumer router manufacturers make it easier to set up IoT LANs separate from the main LAN?  Probably, for all the reasons you cite.  However, that won't happen until router vendors see it as a way to charge more for their devices or it becomes an expected feature.  Right now the business case is weak for most consumer routers to add these features.

As for your questions, here are the specific answers:

Q) Can devices on a guest network see each other?

A) No.  A true guest network should block communications between devices.

Q) Do IoT devices need to see each other?
A) It depends on the IoT device.  Some work exclusively through an associated cloud service, some talk only to a local hub, some talk to each other, and some use a variety of these methods.  There is no general answer.  Consult the documentation for a specific IoT system to learn how it works.