How to isolate IoT Devices in a red/green/blue/orange setup?

I turn to the experienced ipfire users with the following problem: I have some Shelly devices for switching different power consumers. These are currently still integrated in my blue network (any access to RED is prevented). Since these IoT devices are not very secure when it comes to security, I would like to banish them to their own network segment (again without access to RED). At first I thought of ORANGE, but in the meantime the need has arisen to operate a Nextcloud installation there, whereby I am thinking of only allowing access here via OpenVPN. My question now: how can I implement a setup in which all network areas are in use and all IoT devices are to be isolated (and not allowed to phone home)?
Hardware is an APU4D4 with red/green/blue/orange with a WLAN AP in blue.

I am very grateful for food for thought, thanks for any input.

How about a static address pool in OpenVPN in which you assign client specific policies? A book on OpenVPN, e.g. “OpenVPN cookbook” covers this kind of settings in a more compact way than searching the documentation.

My understanding is that from the certificate you get an identifier which receives a static IP address from a static pool, and then you can set up the firewall with policies specific for the subnet or even individual IPs.

The IoT devices can be added to a firewall group: WUI → Firewall → Firewall Groups. Once added to the group, you can make a single firewall rule to block access in any direction you like to/from those devices.

3 Likes

For IoT devices I got myself a 7€ Mi Router 4A 100M with OpenWRT and kept it as a router with an SSID for IoT devices only. I put it into BLUE.

1 Like

@cfusco But any IP address in OpenVPN will be assigned to the client which establishes the connection, won't it? To my understanding it's not possible to restrict the access to a specific target IP through the OpenVPN client configuration?

@disturbeddragon I have already defined a group for those devices to make it easier to restrict the access to other networks. But if I have other devices, like my Nextcloud server, in the same network segment too, I thought that the network traffic within this network segment, in this case orange, will never pass the firewall rules? Or am I completely wrong?

@xperimental That's an interesting idea. But wouldn't the same apply as in my reply to @disturbeddragon regarding network traffic within the same network? Or do you mean to have an extra network segment for this extra SSID as well (by running a DHCP server on this additional router)?

Then how do you plan to control them?
A hub in the IoT zone?
If that is the case, an old router not connected at the WAN works.

WAN of the router connected to IPFire. Add a few firewall rules, done.

1 Like

When you create the firewall group, don’t add an entire subnet. Add your IoT devices by IP so only those are affected by the block rules.
The devices can even be on different subnets and added to one group. That’s the beauty of adding by IP.

2 Likes

I think you can, on the server side by using their certificate common name (CN) and the CCDs configuration files.

Excerpt From: Keijser, Jan Just. “OpenVPN Cookbook - Second Edition”

When a client connects to the server with its certificate and with the certificate’s common name client1, the OpenVPN server checks whether there is a corresponding client configuration file (also known as a CCD file) in the client-config-dir directory. If it exists, it is read in as an extra set of options for that particular client.
[…]
The client configuration file contains a single line, ifconfig-push 10.200.0.7 10.200.0.7, which instructs the OpenVPN server to push the client IP address 10.200.0.7 to this particular client.

Therefore, you can do what is described here, meaning setting different policies for different clients. You could create CCDs for each IoT machine based on the common name in its certificate and give them a specific set of IP addresses. Then, you just write firewall rules specific for those IP addresses.

For example, if my client certificate is iOS.p12, with this command I can find the common name (CN) field

openssl x509 -subject -noout -in iOS.p12
Enter pass phrase for PKCS12 import pass phrase:
[...]
CN = iOS

then, I can create a file ccd/iOS which contains the following line:

ifconfig-push 10.1.4.37 10.1.4.37

and the iOS appliance will get 10.1.4.37 as an IP address. You do that for all of your IoT machines. Then, as suggested by @disturbeddragon, you enter all those addresses in a group. That group becomes the Source field of a rule, or set of rules, in your IPFire web user interface firewall.

Assigning a specific IP address to a client can also be done simply from the IPFire Web User Interface when creating a client certificate, by taking advantage of a pool of static IPs.

The use of CCDs is also documented in the wiki.

1 Like
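As an added example (not code from this thread, from IPFire or from OpenVPN), the following Python script automates the CCD approach from the post above for a whole set of IoT clients: it takes the common names you extracted with openssl, gives each one a stable address from a reserved slice of the VPN network, writes one ccd/<CN> file per client, and prints the host addresses to enter into the IPFire firewall group. The VPN network 10.1.4.0/24, the IoT slice 10.1.4.32/27, the client names and the pre-existing lease are all constructed assumptions for the demo. Two checks a practitioner wants are included: the CN must be a safe file name, because OpenVPN looks the CCD file up by CN, and the second argument of ifconfig-push must match the server's topology (netmask for "topology subnet", the server-side endpoint of the client's /30 for the legacy "topology net30").

```python
"""Generate OpenVPN client-config-dir (CCD) files that pin each IoT client to a
fixed VPN address, and list those addresses for an IPFire firewall group.

Assumed (not taken from the thread): the server runs 'topology subnet' on
10.1.4.0/24 and 10.1.4.32/27 is the slice reserved for IoT clients.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

VPN_NET = ipaddress.ip_network("10.1.4.0/24")    # assumed OpenVPN server network
IOT_POOL = ipaddress.ip_network("10.1.4.32/27")  # assumed IoT slice inside it
# CCD files are named after the CN; OpenVPN remaps characters it does not accept to
# '_', so we refuse anything that would make file name and CN differ.
CN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_cn(cn):
    return bool(CN_RE.match(cn))


def ifconfig_push_line(ip, topology="subnet"):
    """Build the ifconfig-push line; the 2nd argument depends on the topology."""
    ip = ipaddress.ip_address(ip)
    if ip not in VPN_NET:
        raise ValueError(f"{ip} is outside {VPN_NET}")
    if topology == "subnet":
        return f"ifconfig-push {ip} {VPN_NET.netmask}"
    if topology == "net30":
        # every client owns a /30: x.x.x.(4n+1) is the server end, (4n+2) the client
        if int(ip) & 3 != 2:
            raise ValueError(f"{ip}: net30 client addresses must end in 4n+2")
        return f"ifconfig-push {ip} {ip - 1}"
    raise ValueError(f"unsupported topology {topology!r}")


def assign_addresses(common_names, existing=None):
    """Give each CN a stable address from IOT_POOL.

    `existing` maps CN -> address already handed out; a client keeps its address
    across re-runs so that the firewall rules keyed on it keep matching."""
    leases = {cn: ipaddress.ip_address(a) for cn, a in (existing or {}).items()}
    for cn, ip in leases.items():
        if ip not in IOT_POOL:
            raise ValueError(f"{cn}: lease {ip} is not inside {IOT_POOL}")
    used = set(leases.values())
    # hosts() skips .32 and .63 of the slice; conservative but simple
    free = (h for h in IOT_POOL.hosts() if h not in used)
    for cn in common_names:
        if not is_safe_cn(cn):
            raise ValueError(f"refusing CN {cn!r}: not a safe CCD file name")
        if cn in leases:
            continue
        try:
            leases[cn] = next(free)
        except StopIteration:
            raise RuntimeError(f"{IOT_POOL} exhausted; no address left for {cn}")
    # two clients sharing an address would share one firewall identity
    if len(set(leases.values())) != len(leases):
        raise RuntimeError("duplicate address in lease table")
    return leases


def write_ccd(ccd_dir, leases, topology="subnet"):
    """Write ccd/<CN> files; returns {CN: line written} for inspection."""
    ccd_dir = Path(ccd_dir)
    ccd_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for cn, ip in sorted(leases.items()):
        line = ifconfig_push_line(ip, topology)
        (ccd_dir / cn).write_text(line + "\n")
        written[cn] = line
    return written


def firewall_group_hosts(leases):
    """Addresses to add, one host each, under WUI -> Firewall -> Firewall Groups."""
    return sorted(str(ip) for ip in leases.values())


def demo():
    """Constructed sample: three Shelly-style clients, one with a prior lease."""
    names = ["shelly-kitchen", "shelly-garage", "shelly-garden"]
    existing = {"shelly-garage": "10.1.4.40"}  # constructed earlier assignment
    leases = assign_addresses(names, existing)
    ccd_dir = Path(tempfile.mkdtemp(prefix="ccd-"))  # use the real CCD dir in production
    written = write_ccd(ccd_dir, leases)
    return written, firewall_group_hosts(leases)


if __name__ == "__main__":
    written, hosts = demo()
    for cn, line in written.items():
        print(f"ccd/{cn}: {line}")
    print("firewall group hosts:", ", ".join(hosts))
```

Run it once per change to the client list and keep the lease table (the `existing` mapping) in version control; a client that is re-issued a certificate with the same CN then lands on the same address, and the IPFire group rule built from the printed host list keeps applying to it. Point it at your real client-config-dir instead of the temporary directory the demo uses.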

@hvacguy, @disturbeddragon, @cfusco thanks for your replies. I knew one never gets too old to learn… hmm, you gave me something to do over the weekend :)

My idea is to put one of my RPi’s with OpenHAB into that zone

1 Like