
I segmented my home network into two separate subnets (LAN and IoT) so that IoT devices cannot attack my PCs and smartphones if compromised.

Personal devices get assigned IPs in the range 10.1.1.1 - 10.1.1.254

IoT devices get assigned IPs in the range 10.2.2.1 - 10.2.2.254

Some mobile apps (for instance "Daikin Online Controller") discover the IoT devices by scanning the subnet they're in, looking for IPs that answer on specific ports to specific messages. In this example, a specific HTTP GET on port 80.

It is now obvious that such a method won't work if my personal device is not in the same subnet as the IoT devices it's looking for. It will only scan from 10.1.1.1 to 10.1.1.254 and will never interrogate a device whose address is (for instance) 10.2.2.50.

What's the smartest way of implementing a "proxy" that when interrogated by the app on port 80 through the "LAN" subnet routes the packet to the "IoT" subnet?

My setup uses a VMware ESXi environment running pfSense and a FreshTomato home router that acts as managed switch and access point, so I have plenty of options. I can set up a dedicated virtual machine if need be, or set up a script in the Tomato router or in pfSense.

Is this even a good idea? How else could I solve this?

1 Answer

This sounds like regular DNAT that pfSense already has in the Port Forwards section. The only difference is that the "Interface" field should not be set to 'WAN' in your case – it's the 10.1.1.0/24 LAN interface.

However, if the app needs port 80 or 443 (which are already occupied by the pfSense web UI) you will probably want to add a second IP address on that interface, and make sure that the DNAT rule matches only that address as the "Destination".

You could either add a real secondary address (aka "IP alias"), or you could use Proxy ARP – I think either would work, and pfSense has both options under Virtual IP Addresses.


Note that this will only work with apps which make unicast connections – it won't help with forwarding multicast or broadcast discovery packets.

  • Yes, this might work... I have 5 air conditioners, I could manually add 5 virtual IPs in the LAN network with rules that port translate to the IoT network (if I understood your answer correctly)
    – mfloris
    Commented Dec 31, 2020 at 20:42
  • I made it work using an unused port. I was able to connect a TCP client through the IP Alias in network "LAN" and reach the TCP server in the other network. I am, however, unable to do that with port 80; it's like every IP in the subnet points back to the pfSense interface.
    – mfloris
    Commented Jan 1, 2021 at 10:30
  • That's a bit odd; firewall rules should take priority over regular listens. Unless maybe there is a hidden "webConfigurator" rule that's even higher priority? Commented Jan 2, 2021 at 7:29
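As an added illustration of what the answer describes (not code from the answer, and not pfSense's own rule generator), the script below emits the raw pf(4) configuration that pfSense's "IP Alias" virtual IP plus a LAN-side port forward amount to: one alias address on the LAN interface per IoT device, an `rdr` that matches only that alias as destination, and the matching `pass` rule. The interface name `em0`, the alias/target pairs (five air conditioners, as in the comments) and the restriction of the source to the LAN subnet are assumptions chosen for the example. pfSense writes its generated ruleset to /tmp/rules.debug, so the output here can be compared line by line against what the GUI actually produced.

```shell
#!/bin/sh
# Added example, not pfSense's own code: the pf rules equivalent to
# "IP Alias virtual IP" + "Port Forward on LAN, Destination = alias".
# Interface name and addresses below are assumptions for the example.

LAN_IF="em0"             # assumption: name of the pfSense LAN interface
LAN_NET="10.1.1.0/24"    # personal-device subnet from the question

# Constructed mapping "alias_ip target_ip": one LAN-side alias per IoT device.
MAPPINGS="10.1.1.201 10.2.2.51
10.1.1.202 10.2.2.52
10.1.1.203 10.2.2.53
10.1.1.204 10.2.2.54
10.1.1.205 10.2.2.55"

# ifconfig(8) commands that put each alias on the LAN interface
# (this is what an "IP Alias" virtual IP does under the hood).
alias_cmds() {
    printf '%s\n' "$MAPPINGS" | while read -r alias_ip target_ip; do
        printf 'ifconfig %s inet %s netmask 255.255.255.255 alias\n' \
            "$LAN_IF" "$alias_ip"
    done
}

# pf rules for one TCP port (default 80).
# The rdr matches only the alias as destination, so the LAN's primary
# address, and therefore the pfSense web UI on :80/:443, is never touched.
# pf translates before it filters, so the pass rule must name the
# post-translation destination (the IoT address), not the alias.
pf_rules() {
    port="${1:-80}"
    printf '%s\n' "$MAPPINGS" | while read -r alias_ip target_ip; do
        printf 'rdr on %s proto tcp from %s to %s port %s -> %s port %s\n' \
            "$LAN_IF" "$LAN_NET" "$alias_ip" "$port" "$target_ip" "$port"
    done
    printf '%s\n' "$MAPPINGS" | while read -r alias_ip target_ip; do
        printf 'pass in quick on %s proto tcp from %s to %s port %s\n' \
            "$LAN_IF" "$LAN_NET" "$target_ip" "$port"
    done
}

# Sanity check before loading anything: an alias must not be the LAN's
# primary address (that is the web UI), and a target must not sit on the
# LAN side (that would forward traffic back into the subnet it came from).
# Returns non-zero on the first violation.
check_mappings() {
    lan_addr="$1"
    printf '%s\n' "$MAPPINGS" | while read -r alias_ip target_ip; do
        if [ "$alias_ip" = "$lan_addr" ]; then
            echo "alias $alias_ip is the LAN primary address" >&2
            exit 1
        fi
        case "$target_ip" in
            10.1.1.*) echo "target $target_ip is on the LAN side" >&2; exit 1 ;;
        esac
    done
}

check_mappings 10.1.1.1 && alias_cmds && pf_rules 80
```

On the "every IP points back to pfSense on port 80" symptom from the comments, the two things to check are `pfctl -sn` (is the `rdr` present and is its destination the alias rather than the interface address?) and `pfctl -sr` (does a `pass` for the LAN address on the web UI port, such as the anti-lockout rule, appear before the port forward's pass rule?); the rdr output above is what should appear in the first listing.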
