Are VLANS incompatible for Home IOT media devices?

Before getting to my problem, I wanted to do a summary of my system.

My Unifi network consists of:

  1. 16 port and 8 port POE layer2 switch
  2. (3) AP-AC-PROs
  3. 24 port layer2 switch
  4. USG3P router (considering Netgate with Pfsense if it can help)

I have 4 VLANs (LAN, Iot, Camera and Guest). Camera and Guest are working great (thanks Tom for the videos) so this is limited to the LAN and IotVLAN.
My devices are:

  1. Roku Ultra (hardwired on IotVLAN)
  2. Sonos player\speakers (hardwired on IotVLAN)
  3. Phones and tablets that need to connect to Sonos and Roku (Wireless on IotVLAN)
  4. Alexa Echo dots (Wireless on IotVLAN)
  5. Synology NAS for storing personal files and media for DLNA server (hardwired on VLAN1)
  6. Notebooks and automation PC (hardwired on VLAN1)

After reading multiple posts and searches, the suggestion was to place all high risk devices in a separate IotVLAN while keeping the low risk devices in a management VLAN1. So that is what I did. Where I started running into problems is when the VLAN1 devices (items 1-4) need to connect or provide services like DLNA across the two VLANs. As far as I can determine, the problem is with the broadcast data being blocked. This is no surprise since VLANs are made to provide isolation, but to get around this you have to look for workarounds.

I have done the normal things like:
• Turned on mDNS
• Enable IGMP snooping
• Turned on UPnP (yuk)
• Enabled igmp-proxy through a JSON file.
• Through firewall rules, opened up the ports that Roku, DLNA and Sonos uses
Still, after all this, I cannot get the DLNA to work.
Firewall ports opened

I know there are posts out there with people having limited success, but it still makes me ask the question, “Are IOT VLANS incompatible for Home media devices?” Or am I missing something?
Would Pfsense be better at allowing media devices across VLANs?

Phones are IoT devices, so if you want your phone to control the Sonos they should be on the same network.

I had the phones and tablets on the management VLAN1 at the beginning before I was able to connect to the Sonos. I could easily move them over to VLAN1 now that that is fixed.

My real issue is my streaming devices (Roku, Sonos) connecting to the DLNA servers. I have had very limited success with those.

With the USG not really supporting igmp-proxy, I was wondering if Netgate running Pfsense implements this better. I also have read that the pimd may help.
Just have not seen much feedback on this combination relating to DLNA.

If your media is on your NAS, why don’t you use Samba or FTP? They seem to have fewer issues with streaming. Personally I don’t bother with DLNA; it doesn’t seem very secure.

It might work using Netgate and IGMP, but I would recommend putting things that want to stream on the same network.

Let me take a stab at this from a general network engineering perspective.

“After reading multiple posts and searches, the suggestion was to place all high risk devices in a separate IotVLAN while keeping the low risk devices in a management VLAN1. So that is what I did. Where I started running into problems is when the VLAN1 devices (items 1-4) need to connect or provide services like DLNA across the two VLANs. As far as I can determine, the problem is with the broadcast data being blocked. This is no surprise since VLANs are made to provide isolation, but to get around this you have to look for workarounds.”

My guess is that you configured the VLANs on your Layer 2 switch, which is totally fine! A Layer 2 VLAN simply means that whatever ports and devices you add to that VLAN will only be able to talk to other devices within that VLAN. Broadcast traffic stays within the VLAN, period. When you need to communicate from one VLAN to another, this is where you need to use your router. If your L2 switch has an uplink port, my guess is you have that port in VLAN 1, your management VLAN, as untagged. Add your IoT VLAN number to the uplink port as tagged, and configure whatever the uplink connects to with the same VLAN ID, tagged, all the way up to the router itself, which will also have that VLAN configured on its downlink port.

We’re not done yet. You’ll want to configure the router such that traffic can route from VLAN 1 to your IoT VLAN and back, so you’ll want to add an IP address and gateway to both VLANs (in the appropriate subnets; for example, if your IoT VLAN is VLAN 20, you can use 192.168.20.0/24, and your management VLAN can be in 192.168.1.0/24) so that they can talk to each other. If an IoT device needs to talk to your DLNA server (however that works), and it’s in another network, the device should send the traffic to its default gateway, an IP owned by your router, and the router will decide based on its routing table and firewall policies/ACLs/policy-based routing whether to drop or forward the traffic, and do so.

Then you need to configure firewall rules (ACLs in enterprise gear) to allow the traffic you need, and prohibit the traffic you don’t want.
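To make the three steps above concrete, here is a small added model (not code from the thread or from any participant) of what the router does with a packet once the trunk and the two gateways are in place. It uses the VLAN numbers and subnets suggested in the reply (VLAN 1 = 192.168.1.0/24, VLAN 20 = 192.168.20.0/24); the NAS address 192.168.1.5, the device addresses and the media-server port 8200 are constructed assumptions, so substitute your own. The point it shows is the one the reply makes: unicast traffic between VLANs is routed if a firewall rule allows it, while broadcast and multicast (including the SSDP discovery that DLNA, Roku and Sonos rely on) never reach the router at all, so opening ports alone cannot make cross-VLAN discovery work.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (assumed, not from the thread):
# VLAN 1 = management (NAS running the DLNA server, PCs)
# VLAN 20 = IoT (Roku, Sonos, phones)
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}
# Router-owned gateway address in each VLAN.
GATEWAYS = {
    1: ipaddress.ip_address("192.168.1.1"),
    20: ipaddress.ip_address("192.168.20.1"),
}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One inter-VLAN firewall rule; dport 0 means any port."""
    src_vlan: int
    dst_vlan: int
    proto: str
    dport: int


# Assumed rule set: IoT clients may reach the NAS media server on TCP 8200
# (hypothetical port, check what your own server listens on); nothing else
# from IoT into management. A real firewall is stateful, so replies to an
# allowed flow are passed without a separate rule.
ACL = [
    Rule(src_vlan=20, dst_vlan=1, proto="tcp", dport=8200),
]


def vlan_of(ip: ipaddress.IPv4Address) -> Optional[int]:
    """Return the VLAN whose subnet contains ip, or None if unknown."""
    for vid, net in VLANS.items():
        if ip in net:
            return vid
    return None


def classify(pkt: Packet) -> Tuple[str, str]:
    """Decide what happens to pkt: (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    src_vlan = vlan_of(src)
    if src_vlan is None:
        return ("dropped", "source is not in any configured VLAN")
    # Broadcast and multicast never leave the VLAN: the switch floods them
    # to member ports only and the router does not route them. This is why
    # SSDP discovery fails across VLANs even when the service ports are open.
    if (dst.is_multicast or dst == LIMITED_BROADCAST
            or dst == VLANS[src_vlan].broadcast_address):
        return ("not-routed", f"broadcast/multicast stays inside VLAN {src_vlan}")
    dst_vlan = vlan_of(dst)
    if dst_vlan is None:
        return ("dropped", "no route to destination")
    if dst_vlan == src_vlan:
        return ("switched", f"same VLAN {src_vlan}, router not involved")
    # Inter-VLAN unicast: the device sends to its gateway and the router
    # consults the firewall rules before forwarding.
    for rule in ACL:
        if ((rule.src_vlan, rule.dst_vlan, rule.proto) == (src_vlan, dst_vlan, pkt.proto)
                and rule.dport in (0, pkt.dport)):
            return ("routed", f"VLAN {src_vlan} -> VLAN {dst_vlan} via {GATEWAYS[src_vlan]}")
    return ("dropped", f"no rule allows VLAN {src_vlan} -> VLAN {dst_vlan} {pkt.proto}/{pkt.dport}")


if __name__ == "__main__":
    samples = [
        Packet("192.168.20.10", "239.255.255.250", "udp", 1900),  # SSDP M-SEARCH from a Roku
        Packet("192.168.20.10", "192.168.1.5", "tcp", 8200),      # Roku -> NAS media server
        Packet("192.168.20.10", "192.168.1.5", "tcp", 445),       # Roku -> NAS SMB, not allowed
        Packet("192.168.20.10", "192.168.20.11", "tcp", 1400),    # phone -> Sonos, same VLAN (constructed port)
    ]
    for p in samples:
        verdict, why = classify(p)
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {verdict} ({why})")
```

Running it prints the SSDP packet as "not-routed" and the SMB packet as "dropped", while the media-server connection is "routed". That matches the advice in the thread: either put the client and the DLNA server in the same VLAN, or accept that discovery must be relayed by something else (mDNS/SSDP reflection, igmp-proxy) since the router's firewall rules only ever see the unicast traffic.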

Now, if you had infinite budget, you could replace your main L2 switch with an L3 switch. Your router config would be very simple while your L3 switch config would be more complicated. But you’d likely get better throughput, depending on your hardware, coupled with some network simplification.

Ideally though, as someone else said, it’s best to put the server and client in the same VLAN.