So I fall pretty heavy on the paranoid side when it comes to all the Chinesium home automation and IoT devices. However, my wife wants me to put up some security cameras and if I’m going to do that then I might as well add all the other life conveniences that I want. I would love to keep everything 100% air gapped, but I know that would defeat the purpose of most stuff.

Here is a rough linear diagram of what I think I can do: Internet > pfSense > home network > IoT hub > IoT network

The important thing to note is that I want no traffic to make it from the ‘IoT network’ to the Internet. And the only traffic I want going from the ‘IoT hub’ to the ‘home network’ is a browser interface for the software I’m planning on using.

If I understand correctly, this is pretty easy to do with a firewall on the ‘IoT hub’. I should be able to use separate NICs, completely lock down the ‘home network’ NIC, and just allow one application access to one port so that I can open my browser interface.

Is this about as secure as it gets? Or is there a better way?
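One way to write down the two-NIC hub firewall the post describes, as an added example that is not from the original thread or from any particular hub software: an nftables ruleset for a Linux IoT hub. The interface names home0/iot0, the subnets and the web UI port 8123 are assumptions; the same rules apply to VLAN sub-interfaces if VLANs are used instead of a second NIC.

```nft
# Added example, not from the original post. Assumed layout:
#   home0    = NIC on the home network (192.168.1.0/24)
#   iot0     = NIC on the IoT network  (10.10.0.0/24)
#   8123/tcp = the hub software's browser interface (assumed port)
# With VLANs, replace home0/iot0 by the sub-interfaces (e.g. eth0.10, eth0.20).
flush ruleset

table inet iot_hub {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Home network may open exactly one thing on the hub: the web UI.
        iifname "home0" tcp dport 8123 ct state new accept

        # IoT devices may talk to the hub itself (device APIs, MQTT, mDNS).
        # Narrow this to specific ports once the device set is known.
        iifname "iot0" accept
    }

    chain forward {
        # The hub never routes between the two sides, so nothing on the IoT
        # network can reach the home LAN or the Internet through it.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept

        # The hub may initiate connections toward IoT devices...
        oifname "iot0" accept

        # ...but toward the home network it only answers the web UI
        # (established,related above). No new connections leave via home0,
        # so the hub itself cannot reach the Internet either.
    }
}
```

Load it with `nft -f hub.nft` and confirm with `nft list ruleset`; from a home-network host, a connection to port 8123 on the hub should succeed while every other port times out, and from an IoT device a ping to any Internet address should fail.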

  • evilspark21@alien.topB · 10 months ago

    Just curious, what do you need a “DMZ” for?

    Do you have a managed switch (one that you can use for VLANs)? I’d highly recommend using VLANs instead of another physical NIC, as you’ll need to double up on switches and APs if you use a separate NIC.