IoT Network Segmentation Guide – Part 1: Design

The next logical step in the Homelab journey is to learn about networking and network security. Coincidentally, this is one of the topics that translates really well to the world of OT security, and therefore it makes sense to dedicate a post of its own to it.

If we look at Robert M. Lee's "Sliding Scale of Cybersecurity", we can see that architecture is generally portrayed as one of the most cost-effective passive security measures.


Sliding Scale – Robert M. Lee

While I agree with that statement in general, I think it is only applicable to new setups: the cost of analyzing communication flows in an existing environment, changing the network infrastructure, and applying proper segmentation is quite expensive in terms of planning effort, factory downtime, and general implementation costs. Therefore I strongly recommend not falling into the temptation of postponing this step (however tempting it may be), and designing a proper layout in the early stages of a project (industrial or otherwise).

With this in mind, I used the Purdue architecture as a starting point for the segmentation design, but took a lot of "artistic license" for the sake of operational simplicity and in order to accommodate certain hardware limitations (a very realistic situation in real projects). You will see later that the final setup looks nothing like Purdue. However, having high standards as a reference usually results in a better product than otherwise. The game plan is as follows:

  1. Identify assets
  2. Identify physical connectivity capabilities
    1. Wireless type
      1. 5GHz: more speed for the endpoints
      2. 2.4GHz: more penetration and coverage
    2. Ethernet type
  3. Identify communication flows
    1. To internal resources
    2. To the Internet
  4. Identify additional requirements, in my case:
    1. Use my own local DNS server with filtering capabilities (privacy and security)
    2. Route traffic from as many networks as possible through a VPN (privacy)
  5. Group assets into functionally similar families, for me:
    1. Internal resources: NAS, hypervisor, networking equipment
    2. Trusted wireless devices that require access to internal resources: PCs, phone, tablets, etc.
    3. Devices that require clean Internet connectivity and do not need to access internal resources: work laptop, work phone, Fire TV Stick, etc.
    4. IoT devices that require Internet connectivity
    5. IoT devices that do not require Internet connectivity

After all those considerations, we would end with something like this:

| VLAN | Description | Connectivity | Characteristics | DNS Filtering | VPN Routing |
|---|---|---|---|---|---|
| 192.168.10.0/24 | Internal resources | Wired, Wi-Fi: SSID 1 | 1Gb | Yes | No |
| 192.168.20.0/24 | Trusted devices | Wired, Wi-Fi: SSID 2 | 5GHz (preferred), 2.4GHz | Yes | Yes |
| 192.168.30.0/24 | Clean Internet access | Wi-Fi: SSID 3 | 5GHz (preferred), 2.4GHz | No | No |
| 192.168.40.0/24 | Local IoT | Wi-Fi: SSID 4 | 2.4GHz | Yes | Not Applicable |
| 192.168.50.0/24 | Cloud IoT | Wi-Fi: SSID 5 | 2.4GHz | Yes | Yes |


However, at this point, the real world kicks in because:

  • I do not want to have 5 different SSIDs and passwords at home and, even if I wanted to, my router/AP (Unifi Dream Machine) only supports a maximum of 4 SSIDs
  • I will limit internal resources to wired connectivity for performance
  • All IoT devices will be assigned to the same subnet, but devices that do not need Internet connectivity will have that capacity disabled via firewall rules later on

With all those considerations, this is the final setup:

| VLAN | Description | Connectivity | Characteristics | DNS Filtering | VPN Routing |
|---|---|---|---|---|---|
| 192.168.10.0/24 | Internal resources | Wired | 1Gb | Yes | No |
| 192.168.20.0/24 | Trusted devices | Wired, Wi-Fi: SSID 1 | 5GHz (preferred), 2.4GHz | Yes | Yes |
| 192.168.30.0/24 | Clean Internet access | Wi-Fi: SSID 2 | 5GHz (preferred), 2.4GHz | No | No |
| 192.168.40.0/24 | Local IoT | Wi-Fi: SSID 3 | 2.4GHz | Yes | Not Applicable |
| 192.168.40.0/24 | Cloud IoT | Wi-Fi: SSID 3 | 2.4GHz | Yes | |


With the design finished, it is time to implement it in the UDR:

(Top) Available SSIDs – (Bottom) Available VLANs

Once all devices are connected to their assigned networks, the basis for segmentation is in place, but it is very important to realize that at this point there is no real segmentation going on, as Unifi equipment sets the default firewall rule for inter-VLAN communication to Allow.
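To make that point concrete, the following is an added example (not the author's Unifi configuration) that models the final table above as a set of permitted flows and compares it with the default Allow-everything state; the intended flow set is my reading of the asset families in the design and is an assumption.

```python
"""Flow-policy model of the post's final VLAN table. Added example, not the
author's configuration; INTENDED_ALLOW is an assumption read from the design."""
import ipaddress
from itertools import product

INTERNET = "Internet"
# VLANs from the final table in the post.
VLANS = {
    "Internal": "192.168.10.0/24",  # NAS, hypervisor, network gear
    "Trusted": "192.168.20.0/24",   # PCs, phones, tablets
    "Clean": "192.168.30.0/24",     # work devices, Fire TV Stick
    "IoT": "192.168.40.0/24",       # local and cloud IoT
}

# Assumed intent: only trusted devices reach internal resources; clean-Internet
# and IoT devices see nothing internal. Local IoT's Internet block is per host.
INTENDED_ALLOW = {
    ("Trusted", "Internal"),
    ("Internal", INTERNET),
    ("Trusted", INTERNET),
    ("Clean", INTERNET),
    ("IoT", INTERNET),
}

def default_unifi_policy():
    """Unifi ships inter-VLAN traffic set to Allow: every VLAN pair and every
    VLAN-to-Internet flow passes until explicit rules are added."""
    pairs = {(s, d) for s, d in product(VLANS, VLANS) if s != d}
    return pairs | {(v, INTERNET) for v in VLANS}

def segmentation_gaps(active_policy, intended=INTENDED_ALLOW):
    """Flows the active rule set permits but the design forbids."""
    return sorted(active_policy - intended)

def vlan_of(ip):
    """VLAN name for an address, 'Internet' for global ones, None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return INTERNET if addr.is_global else None

def flow_allowed(src_ip, dst_ip, policy=INTENDED_ALLOW):
    """Intra-VLAN traffic is allowed; unknown networks and flows originating
    from the Internet are denied; everything else consults the policy."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None or src == INTERNET:
        return False
    return src == dst or (src, dst) in policy
```

Running `segmentation_gaps(default_unifi_policy())` lists every inter-VLAN path (IoT to Internal, Clean to Trusted, and so on) that the default rule set still leaves open and that the firewall rules in the next part have to close.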

Therefore, in the following posts, I will discuss how to:

Stay tuned for further updates!