Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
jlg21
Enthusiast - Level 3

I’m new to FIOS and to the G3100 router and am trying to configure a home local area network (LAN) that previously used Cox Communication.   If I put my Internet-of-Things (IoT) devices on the G3100 Wi-Fi guest subnet, will they be able to see each other?  And do they need to?

All I know now is that a computer connected to the default guest Wi-Fi subnet (192.168.200.x) can ping other devices on that subnet but cannot browse to the gateway.  So I know there are some barriers but not total isolation.  I don’t see anything in the G3100 management console that controls whether devices are isolated from each other, either on the primary or guest subnets.  If you know where those controls are, please tell me.  But the question here is where to put IoT devices.

I think the FBI is right to ask all of us to isolate our IoT devices on a separate subnet from our communication devices.  Even if I didn’t agree with the FBI, I would probably follow its advice since it’s not just my safety involved. 

But I don’t see anything on the Verizon support web site or in the G3100 manual about the best way to do that.  And I’m not a network expert.  It seems like a huge management chore involving individual MAC addresses to isolate a subnet within the primary G3100 default subnet.  I don’t even know if it’s possible.  But it would be easy to put them into the G3100 guest Wi-Fi subnet.

The problem is that it's a lot of work reconnecting each device just to find out they won't work together.  IoT devices like Amazon Alexa smart speakers, Home Life SmartPlugs and Google Nest smart thermostats and smoke detectors need to communicate with one another to work properly.  I think that communication has to be within the LAN subnet, but I’m not sure.

I don’t think regular FIOS support or even priority support has people who can answer simple network questions like this. At least not people you can easily reach.  Luckily, I think the Repair Department does have a lot of people who understand networks.  But if someone here can answer my questions, it will save me having to fight my way through the crazy Verizon call routing gauntlet.

I know it takes some time and concentration to read and understand this post.  So thanks in advance for considering my question.


Correct answers
Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
Seeker1437
Community Leader

@jlg2 wrote:
If I put my Internet-of-Things (IoT) devices on the G3100 Wi-Fi guest subnet, will they be able to see each other?

The Guest Wi-Fi is designed as a way to allow guests to visit you and connect to and use your internet without having to give them full access to the entirety of your home network.

It will isolate the non-guest network traffic from guest network traffic. Devices within the same subnet will still be able to talk to each other unless the individual devices are configured not to allow this.

-- TL;DR --

Yes.

@jlg2 wrote:
And do they need to?

It really depends on the device, on a case-by-case basis. From the things I read, IoT traffic just needs to be isolated from normal home traffic, but the rules on whether each IoT device should be isolated from other IoT devices are not described. I am pretty confident it is not needed.

-- TL;DR --

Yes.


Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
gs0b
Community Leader

These aren't simple questions.

By design, guest networks isolate devices from each other and the main network.  This is true on Verizon routers and non-Verizon consumer routers.  Devices on guest networks are allowed to reach the public internet, but nothing else.

Whether a particular IoT device needs to access other devices on the local network depends on the design of the device, not the router.  I suspect you're correct that many devices do want to talk over the LAN to a hub device, but I haven't done any work with home IoT networks.  You'll need to refer to the device's documentation or ask in the appropriate forums to be sure.  Or maybe another person will comment here.

If you really want to create a completely separate LAN, you'll need to add another router.  Depending on how it's connected into the main router, you'll need to adjust settings to keep it from having access to the main LAN.  A commercial grade router may be required here.

Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
Cang_Household
Community Leader

You want to separate wireless devices and access control them. I guess the solution for you would be a managed access point. For example, Cisco 140/145AC, not cheap, and you need a PoE switch or injector to power them.

You can set up multiple WLANs and create custom Access Control Lists. You can allow them to communicate with each other while denying inter-VLAN routing to your main network and the Internet. You need some technical skills and budget to achieve this.

Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
jlg21
Enthusiast - Level 3

Thanks, gs0b and Cang-Household, for taking time to reply.  I don’t understand some things about each reply and don’t agree with everything posted.

Gs0b’s reply sounds contradictory.  I probably don’t understand it correctly.  But it sounds like he says the G3100 completely isolates devices on a guest Wi-Fi subnet and that if you want to completely isolate devices you need a second router.

Also, I think he’s wrong about complete isolation on the G3100 guest Wi-Fi subnet.  I was able to ping other devices on the guest subnet.  I realize pings are different from packets that contain information, but if the nodes were completely isolated, I couldn't even ping other devices.

I respect gs0b’s opinion that my question is complicated, but we disagree.  I am not a network expert.  I’ve never worked in IT.  I’ve read a few user manuals.  That’s all.  But I think anyone with networking experience and familiarity with the G3100 could answer my two questions reflexively.  So I pray gs0b is wrong about the need to read dozens of IoT device manuals.  Getting a credible answer to my two questions would be a lot easier.  Especially if all I have to do is put the IoT devices on the guest subnet.

I also don’t think my questions were esoteric.  There have been hundreds of non-technical articles written about the danger IoT devices pose for American security, and about actual cases where the devices have been used to access communication devices on home networks.  The FBI has published numerous press releases and interviews urging people to separate their IoT devices from their communication devices.  I know Verizon must be concerned about this at some level, but I don’t see any information available to its customers on the support web site.  This is especially weird if all you have to do is click the enable box on the guest network to comply with the FBI's request.

I don’t understand Cang_Household’s advice about a managed access point.  I don’t know much about access points, but I think an access point, managed or otherwise, would lie on the same subnet as the G3100 router and would just relay Internet Protocol addresses from the G3100 to the AP’s connected devices.  Isn’t that what it means to be an “access point”?  Wouldn’t the AP have to be on the same subnet with the G3100 just to reach the FIOS gateway?  If the AP were managed, that might enable you to isolate devices on that AP from each other but wouldn’t they still have access to everything else on the subnet?

I also don’t understand what Cang_Household means by setting up multiple WLANs.  I believe Verizon only assigns one public IP to a home customer.    I already use the G3100 and a dynamic DNS host to port-forward certain packets to my desktop computer so I can access it from campus.  But I don’t think that’s the kind of WLAN Cang_Household is referring to.

Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
Cang_Household
Community Leader

@jlg2 wrote:
I was able to ping other devices on the guest subnet.

Thank you for this observation. Many of us don't have a G3100 router, so we can only give thoughts based on G1100 routers, or worse, from reading user manuals.


@jlg2 wrote:
I know Verizon must be concerned about this at some level, but I don’t see any information available to its customers on the support web site.

BHR 3 (Actiontec MI424WR) used to support VLANs. The VLAN support was dropped in BHR 4 (also known as the Quantum Gateway Router or Fios-G1100). The VLAN support was not added back in BHR 5 either (commonly known as Fios Router or Fios-G3100). The reason is twofold. 1) Average consumers do not use VLANs at home. 2) Correctly setting up VLANs requires intermediate networking knowledge.


@jlg2 wrote:
I think an access point, managed or otherwise, would lie on the same subnet as the G3100 router

Unmanaged access points are layer 2 devices, so they would lie on the same subnet as the G3100. Managed access points, on the other hand, can have layer 2+ or layer 3 features. They can route traffic between multiple broadcast domains and "be" on multiple subnets at the same time. G3100, for example, is a layer 3 device. It is on your home subnet and the WAN subnet at the same time.


@jlg2 wrote:
Wouldn’t the AP have to be on the same subnet with the G3100 just to reach the FIOS gateway?

G3100 is the gateway in your home to reach the public Internet. A managed AP can have one network interface on the G3100's subnet, while having other interfaces on other subnets. It can route, not only switch within the same subnet.


@jlg2 wrote:
If the AP were managed, that might enable you to isolate devices on that AP from each other but wouldn’t they still have access to everything else on the subnet?

This is where access control comes into play. If you place all your personal devices on one subnet, while the IoTs on the other subnet, and deny access between these two subnets while allowing access to the WAN subnet, they can have Internet connection while remaining isolated from your personal devices.


@jlg2 wrote:
I believe Verizon only assigns one public IP to a home customer.

This is true, but how does this render you unable to create multiple WLANs? WLAN stands for Wireless Local Area Network. While you can only have one public IP address, nothing prevents you from creating multiple network segments inside your house. This is probably too complex to explain to you at once here.


@jlg2 wrote:

I can access it from campus.


Maybe you can consult your school's IT department for more clarifications.
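The access-control idea in the reply above (IoT devices may reach each other and the Internet, with nothing routed between the IoT and personal subnets) can be modelled as an ordered rule list. This is an added example, not part of the original reply and not any vendor's ACL syntax: it assumes a simplified stateless, first-match ACL with an implicit deny, uses the two default subnets quoted in the thread, and the host addresses are constructed. It also shows why rule order matters.

```python
import ipaddress
from dataclasses import dataclass

# The two default subnets quoted in the thread; the second is treated as the IoT segment.
PRIMARY = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.200.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def decide(rules, src, dst):
    """First matching rule wins; no match falls through to an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


# Policy from the reply: IoT devices may talk to each other and to the
# Internet, but nothing is routed between the IoT and personal subnets.
SEGMENTED = [
    Rule("permit", IOT, IOT),
    Rule("deny", IOT, PRIMARY),
    Rule("deny", PRIMARY, IOT),
    Rule("permit", IOT, ANY),
    Rule("permit", PRIMARY, ANY),
]

# Same intent with the broad permit moved first: the deny below it is never reached.
MISORDERED = [
    Rule("permit", IOT, ANY),
    Rule("deny", IOT, PRIMARY),
    Rule("deny", PRIMARY, IOT),
    Rule("permit", PRIMARY, ANY),
]

# Constructed sample flows (hosts are hypothetical; 203.0.113.10 is a documentation address).
FLOWS = {
    "smart plug -> thermostat": ("192.168.200.21", "192.168.200.22"),
    "smart plug -> desktop": ("192.168.200.21", "192.168.1.50"),
    "desktop -> smart plug": ("192.168.1.50", "192.168.200.21"),
    "smart plug -> cloud": ("192.168.200.21", "203.0.113.10"),
    "desktop -> internet": ("192.168.1.50", "203.0.113.10"),
}


def audit(rules):
    """Decision for every sample flow under the given rule list."""
    return {name: decide(rules, src, dst) for name, (src, dst) in FLOWS.items()}


def leaks(rules):
    """Flows that cross between the IoT and personal subnets yet are permitted."""
    out = []
    for name, (src, dst) in FLOWS.items():
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        crosses = (s in IOT and d in PRIMARY) or (s in PRIMARY and d in IOT)
        if crosses and decide(rules, src, dst) == "permit":
            out.append(name)
    return out


if __name__ == "__main__":
    for label, rules in (("segmented", SEGMENTED), ("misordered", MISORDERED)):
        print(label, audit(rules), "leaks:", leaks(rules))
```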


Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
gs0b
Community Leader

This is a complicated subject, as shown by your questions after reading multiple sources and getting detailed responses here.

The information I posted is not contradictory.  Guest networks are designed to allow devices to only access the internet.  That's the point - prevent devices from having access to ANY internal resources, even other devices on the guest network.

On a G1100, guest network devices can't even ping each other.  I've not tested a G3100, as I don't have one.  It is interesting that it's allowing pings to go through; that may have been done to enable network management, but it's a security risk.

If you want to create a network that is completely separate from the main network AND allows devices on that network to communicate with each other, that's not a guest network.  That's a separate network.  VLANs or separate WLANs are ways to do this.  Most consumer routers don't support creating these.  So, if you want to create one of these behind a consumer router such as the G3100, you've got to buy some more gear and learn how to configure it.  You'll also need to configure the G3100 to keep the network behind the additional router separate from the main network.  Doable, but it takes networking knowledge and an understanding of the security risks of various settings.  Like I said, complex.

Should consumer router manufacturers make it easier to set up IoT LANs separate from the main LAN?  Probably, for all the reasons you cite.  However, that won't happen until router vendors see it as a way to charge more for their devices or it becomes an expected feature.  Right now the business case is weak for most consumer routers to add these features.

As for your questions, here are the specific answers:

Q) Can devices on a guest network see each other?

A) No.  A true guest network should block communications between devices.

Q) Do IoT devices need to see each other?
A) It depends on the IoT device.  Some work exclusively through an associated cloud service, some talk only to a local hub, some talk to each other, and some use a variety of these methods.  There is no general answer.  Consult the documentation for a specific IoT system to learn how it works.

Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
jlg21
Enthusiast - Level 3

Will IoT devices work on a G3100 home network?  The answer is yes, definitely.  This post tells you how to put all your Internet of Things (IoT) devices like Alexa, Nest, smart plugs, televisions, refrigerators, etc. on a separate subnet isolated from your communication devices.

It’s easy.  You don’t need any network knowledge.  If you have 10 or 15 IoT devices in your home it will take about 30 to 40 minutes.  All your IoT devices will work just fine.  You’ll still have all the same controls you had before.  You won’t have to learn anything new.

If you’re reading this thread, you probably already know why this is important.  If you don't, I’ll explain later.  First, here’s how to do it:

Step 1: Ignore the previous postings on this thread that say it's impossible.  Those folks don’t know what they’re talking about.  Their jargon about WANs, routes, commercial access points, etc., etc. is pure pretense.

Step 2: Ignore Verizon tech support when the agent tells you it cannot be done.  Most of the folks providing tier 1 tech support there know less than the folks mentioned in step 1.

Step 3: Browse into your G3100 router management web page from a browser on any computer connected to the network.  The address is HTTP://192.168.1.1.  Your browser will warn you that the link is not secure.  If you're connecting locally (from a computer connected to your home LAN), security is not an issue.

Step 4: Log into the management web page.  The account name is "admin."  If you haven’t set your own password, the default password is written on the back of your router.  (If it is still set to the default password, you should seriously change it, in my opinion, but that’s a different issue.)

Step 5: From the Router’s management home web page, you’ll see six alternatives, Wan Status, Wi-Fi, Network, Parental Controls, Firewall and Advanced.  Click on Wi-Fi.

Step 6: You’ll see five tabs at the top of the Wi-Fi page.  Click on the one that says “Guest Network.”

Step 7: If you haven’t already done this, enable the guest network and give it an SSID name and password, both different from your primary network name and password.  And remember both the name and password.

Step 8: This is the hardest step of all and the one that will take the most time.  Go to each of your IoT devices, remove it from the primary network and join it to the guest network.

You’re done.  Now I’ll explain the effect of what you just did.  Then I’ll explain why it’s important that you did it.

By creating a guest network in the G3100 router, you created a new subnet.  Unless some geek who will never need to read this thread has changed the subnet around, your primary subnet by default is 192.168.1.xxx, where xxx is some number between 1 and 254.  Each device on your network will have a different value for xxx.

The new guest network will be on a subnet 192.178.200.xxx.   Notice the 200 instead of a 1 in the third group.  The G3100 router will isolate the two from each other.  Both will use the same gateway (the path to Verizon and the Internet), but once a packet of information comes to your home the router will separate and send it to whichever of the two subnets it belongs to.

If you use the guest network for guests, they will not be able to use your printer if it is on your primary subnet where you can use it.  There are some easy ways around that, but that’s a different issue.  It has nothing to do with which subnet your IoT devices are connected to.

Now, why should you do this? The first reason that should satisfy most people is that the FBI considers this a matter of national security.  It has given numerous speeches around the country and issued lots of press releases urging people to do it. You can browse to www.fbi.gov and search for “router” or “subnet” to read them.   Why isn't Verizon warning its customers to do this?  I wish I knew.  

For annoying nerds like me who need a more detailed explanation, here it is: It’s pretty easy for hackers from anywhere in the world to come through the Internet to the Verizon network, from there to your unique public IP address.  There is nothing to stop them.  Anyone can do it.  I can do it, and I’m not a hacker.  From there they need only a little skill to connect to your IoT devices.  I don’t know how to do that, but they do.  IoT devices are notoriously insecure.  Once they connect to one of your IoT devices, I’m told they can probe your home network looking for vulnerabilities and sniff for passwords.  Again, that's above my pay grade.  But that's what the experts say they can do.

But if you put your IoT devices on a separate network, the hacker is **bleep** (out of luck).  He can still mess with your IoT devices.  He could do that regardless of the subnet the IoT devices were on.  But what the hacker wants is to see if he can get to all the credit card and personal information on your computer and smartphone.  If they're on the primary subnet and the IoT device is on the guest subnet, the hacker is at a dead end.  You win.  He loses.

And that’s why the FBI wants you to put your IoT devices on a separate subnet.

I did this earlier today (1/3/20).  All the devices work fine.  They communicate with each other just fine.  If you’re checking this right after that date, you might want to come back in a week.  If I discover a problem, I’ll come back and edit this post.  And I’ll say at the start of the post that it has been edited.  The devices I have connected to my home network include three Amazon Alexa Dots, one Amazon Alexa Show, one Samsung smart television, one Google Nest thermostat, three Google Nest Protect (smoke detectors), four HomeLife Wi-Fi smartplugs.

IoT devices are fairly standardized.  So if you have other devices, they’ll probably work just fine too.  But I can personally guarantee you won’t have any problem with devices I’m using.  Alexa can still turn my smartplugs on and off and change the thermostat setting or run a test on the smoke detectors.  (For the Amazon Alexa Show, I had to tell it to forget the primary Wi-Fi subnet after I connected it to the guest Wi-Fi subnet.)

There are two important reasons that the devices continue to work okay.  And one of those reasons directly contradicts what you may have wasted your time reading in the posts prior to this one in this thread.

The first reason is that within the new guest Wi-Fi subnet all the devices can see each other.  Just like the devices in your primary subnet can see each other.  So if the devices need to talk back and forth within the subnet, they will have no problem.

The other reason is that most of the devices I mentioned in my home communicate with each other through a central server in the cloud.  In other words, they don’t even need to see each other on the same subnet.  In fact you could put one Alexa dot on the primary subnet and another on the guest subnet and they would still be able to talk to each other, assuming a falling tree didn’t rip the FIOS loose from your house.

That’s all there is to say.
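A check that could be run from a computer joined to the guest Wi-Fi to confirm the isolation this post describes, rather than assuming it. This is an added example, not part of the original post: the subnets are the defaults quoted in the thread, while the host addresses other than 192.168.1.1 and the port choices are constructed placeholders to replace with your own devices.

```python
import ipaddress
import socket
import sys

PRIMARY = ipaddress.ip_network("192.168.1.0/24")   # default primary subnet named in the thread
GUEST = ipaddress.ip_network("192.168.200.0/24")   # default guest subnet named in the thread

# (address, TCP port, label): constructed targets; replace with your own devices.
TARGETS = [
    ("192.168.1.1", 80, "router management page"),
    ("192.168.1.50", 445, "desktop file sharing (hypothetical host)"),
    ("192.168.200.20", 80, "another guest device (hypothetical host)"),
]


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'no-response' for one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # something answered with a reset, so packets got through
    except OSError:
        return "no-response"  # timeout or unreachable: consistent with isolation


def assess(local_ip, targets, probe=tcp_probe):
    """Classify each target as seen from a machine on the guest subnet."""
    local = ipaddress.ip_address(local_ip)
    if local not in GUEST:
        raise ValueError(f"{local_ip} is not on the guest subnet {GUEST}")
    findings = []
    for host, port, label in targets:
        # A refusal still counts as an answer: the packet crossed the boundary.
        answered = probe(host, port) != "no-response"
        addr = ipaddress.ip_address(host)
        if addr in PRIMARY:
            verdict = "LEAK" if answered else "isolated"
        elif addr in GUEST:
            verdict = "peer-visible" if answered else "peer-blocked"
        else:
            verdict = "out-of-scope"
        findings.append((label, verdict))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python3 check_guest.py <this machine's guest-subnet IP>")
    for label, verdict in assess(sys.argv[1], TARGETS):
        print(f"{verdict:13} {label}")
```

Any "LEAK" line means a primary-subnet address answered a guest-subnet machine; rerunning the check after a router firmware update shows whether guest behaviour has changed.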

Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
jlg21
Enthusiast - Level 3

The green solution I posted a couple of days ago needs a correction.  The G3100 will only allow 10 connections on the guest network according to the December 2019 post on this forum at https://forums.verizon.com/t5/Fios-Internet/Number-of-devices-on-guest-network/m-p/890676#M78681.  I found it because I could not make an 11th connection either.

I can only speculate on why Verizon put this limitation on the firmware.  I don't imagine it was because Verizon wanted its customers to be at greater risk from hackers.  In any case, you will not be able to secure your home network by using the guest network if you have more than 10 IoT (Internet of Things) devices.

Other than that, I know of no other problem with using the guest network to make your computer devices safe from hackers reaching them through your IoT devices.

Re: Will IoT devices work properly in the G3100 guest Wi-Fi subnet?
Cang_Household
Community Leader

Thank you for the clarification. I was wondering how you connect more than 10 devices. The limitation is to ensure quality of service. Only the 2.4GHz band will be created with another SSID and a wireless network. Since the 2.4GHz only has a 2 x 2 (is this right? others please confirm) antenna configuration, you want to save resources for the host's wireless network.

Another thought: your solution is quite contingent on the fact that G3100's Guest Network operates differently from G1100's Guest Network. G1100 not only separates Guest devices from the main networks, but also isolates each Guest device from each other. The latter feature is not supported by G3100. G3100 seems to allow access between devices on the Guest network. Since this may constitute a security risk between Guest devices, Arcadyan may push a future firmware update that isolates each device from each other on the Guest Network. At that time, devices on the Guest network cannot communicate between each other.


@jlg2 wrote:

IoT devices like Amazon Alexa smart speakers, Home Life SmartPlugs and Google Nest smart thermostats and smoke detectors need to communicate with one another to work properly.


So, your situation may not work in the future. I would still recommend a commercial-grade managed access point or commercial-grade router for creating multiple subnets.