Hey guys,
I have some clients that I want to effectively air gap from the WAN. I use PFSense, and I have tried editing the firewall rules to achieve this, but it didn’t work. I’ve been building out a Home Assistant ecosystem in my apartment, and basically I want to ensure that none of the IoT devices can access the internet outside of my local network.
- Make an alias that contains all the IP addresses of your IoT devices (I named mine iot_crap). This likely means configuring static IPs on your devices, or perhaps DHCP reservations.
- Add an alias for your local network that you want to permit traffic to. I use all RFC1918 networks for simplicity.
- Add a rule on your LAN (or whatever network they are on) that blocks traffic originating from your iot_crap with any destination that is NOT an RFC1918 address. This means checking the invert match box. Mine looks like this
The advantage of an IoT network becomes clear here - you don’t have to manage the IPs of your IoT devices, as you can simply block all devices on the IoT network from accessing the WAN.
A troubleshooting issue I ran into - make sure that all your devices use a local time server, as they likely rely on a public (WAN) NTP server to keep time.
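The rule logic from the answer above, modelled as an added Python example (not code from the thread or from pfSense itself): the iot_crap alias, the RFC1918 alias, the block rule with and without the invert match box, and why the NTP caveat shows up. The alias addresses and the sample flows are constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed aliases standing in for the pfSense ones described in the answer.
IOT_CRAP = {ip_address("192.168.1.50"), ip_address("192.168.1.51")}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def in_alias(ip, networks):
    """True if ip falls inside any network of the alias."""
    return any(ip in net for net in networks)


def block_rule(src, dst, invert_dst=True):
    """Does the rule 'block from iot_crap to [NOT] RFC1918' match this flow?

    invert_dst=True is the 'invert match' checkbox: the destination matches
    when it is NOT in the RFC1918 alias, i.e. when it is a WAN address.
    """
    if ip_address(src) not in IOT_CRAP:
        return False          # rule only applies to IoT sources
    dst_is_private = in_alias(ip_address(dst), RFC1918)
    return (not dst_is_private) if invert_dst else dst_is_private


def evaluate(flows, invert_dst=True):
    """Return (src, dst, dport, verdict, note) for each flow.

    A blocked flow to UDP/123 gets a note, because that is the NTP symptom
    the answer warns about: the device keeps trying a public time server.
    """
    out = []
    for src, dst, dport in flows:
        verdict = "block" if block_rule(src, dst, invert_dst) else "pass"
        note = ""
        if verdict == "block" and dport == 123:
            note = "NTP to a public server blocked; point the device at a local time source"
        out.append((src, dst, dport, verdict, note))
    return out


# Constructed sample flows: IoT -> Home Assistant, IoT -> WAN HTTPS,
# IoT -> public NTP, and a non-IoT client -> WAN for comparison.
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.1.10", 8123),
    ("192.168.1.50", "203.0.113.7", 443),
    ("192.168.1.51", "203.0.113.9", 123),
    ("192.168.1.20", "203.0.113.7", 443),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print(row)
```

Running `evaluate(SAMPLE_FLOWS, invert_dst=False)` shows what happens when the invert match box is left unchecked: the IoT device's local traffic is blocked and its WAN traffic passes, the opposite of what is wanted.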