This entry is an expansion of topics I covered back in April - "Internet of Things" Isolated Networks and Guest Wireless Access Point Security. More specifically, I will be describing my home network configuration under pfSense; the same methodology can be applied to a Ubiquiti EdgeRouter X like the one I have in my office at work. I currently don't have any "IoT" devices at my workplace, so I welcome offers to buy me an Internet-enabled fridge for further testing.
My pfSense firewall at home has four "interfaces" - network connections to it: WAN (Wide Area Network), which reaches the Internet through a bridged modem; my LAN (Local Area Network), which has most of the systems and devices for me and my family; an "Administrative" network with no Wireless Access Point (WAP), used only for administering the network infrastructure and the firewall itself; and a "DMZ" (Demilitarized Zone, the same concept as in wartime) for devices and systems that should not be in contact with those on my LAN, which is locked down by filtering outbound ports and limited in bandwidth.
In particular, I am going to describe my DMZ interface and the Wireless Access Points I use for "guest wireless" and IoT devices. Each WAP authenticates through its own "WAN" interface, with a "PPPoE" username and password, to the PPPoE server running on the DMZ interface of my pfSense firewall. Management through their "LAN" interfaces (including wirelessly) is turned off, wireless clients are isolated from each other, UPnP is turned off (as it also is for the DMZ and "ADMIN" interfaces on my pfSense firewall), and on the IoT WAP the "SSID" (wireless network name) is not broadcast. Hiding the SSID only keeps the network out of casual scan lists (it is still visible to anyone sniffing the association frames), so the real protection for the IoT devices is the isolation described next.
When a Wireless Access Point authenticates to the pfSense PPPoE server (I recommend allowing more than one session per username and password to be active at a time) it is assigned an IP address from the pool on the DMZ interface. Because the firewall rules on that interface do not allow traffic to any other network (with the exception of the "WAN" Internet, and even that is heavily port filtered), an IoT device can't be used to attack systems on the LANs or even the "guest" network. One check worth making: each PPPoE session is a separate point-to-point link, so traffic between two WAPs (and therefore between a guest client and an IoT device) is routed through pfSense, and the DMZ rules must block traffic to the DMZ's own address pool as well as to the LAN and ADMIN networks for that isolation to hold. The devices are "isolated" so that they can only send their data out to the Internet, where you retrieve it.
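As an added illustration (not the author's rule set, and not configured through the pfSense GUI as the author did it), here is the same policy written as a pf rule set, the packet-filter language pfSense compiles its GUI rules into. Every interface name, address range, port list and bandwidth figure below is an assumed value, and the interface group name "pppoe" for the PPPoE server sessions is an assumption as well; pfSense applies the rules on its "PPPoE Server" tab to every session interface, which is what this group stands in for.

```pf
# Illustrative pf rule set for an isolated DMZ/PPPoE segment (assumed values
# throughout; not the author's configuration).

# Interfaces (assumed names)
wan_if   = "em0"
lan_if   = "em1"
admin_if = "em2"
dmz_if   = "pppoe"     # assumed: group holding every PPPoE server session

# Address ranges (assumed)
lan_net   = "192.168.1.0/24"
admin_net = "192.168.2.0/24"
dmz_pool  = "10.99.0.0/24"   # PPPoE client IP pool handed to the WAPs
dmz_gw    = "10.99.0.1"      # firewall's own address on the PPPoE links

# Every private range; this also covers the DMZ pool itself, so one rule
# stops DMZ clients reaching the LANs, the ADMIN net and each other
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Ports IoT/guest clients may reach on the Internet (assumed list)
dmz_tcp_out = "{ 80, 443 }"
dmz_udp_out = "{ 123 }"

set skip on lo0
set block-policy drop

# Bandwidth limit: DMZ traffic leaving the WAN is capped at 5 Mbit/s
# (assumed figure; pfSense exposes this as a Traffic Shaper queue)
altq on $wan_if cbq bandwidth 100Mb queue { q_default, q_dmz }
queue q_default bandwidth 95Mb cbq(default)
queue q_dmz     bandwidth 5Mb

# Outbound NAT for all internal networks
nat on $wan_if from { $lan_net, $admin_net, $dmz_pool } to any -> ($wan_if)

# Default deny; everything below is an explicit exception
block log all

# --- DMZ / PPPoE session interfaces ---------------------------------------
# The firewall itself answers DNS for the DMZ; allow that before the
# private-range block below, which would otherwise catch it
pass in quick on $dmz_if proto udp from $dmz_pool to $dmz_gw port 53
pass in quick on $dmz_if proto tcp from $dmz_pool to $dmz_gw port 53

# Each PPPoE session is a point-to-point link, so client-to-client traffic
# is routed through the firewall and this rule is what isolates guest
# clients from IoT devices, as well as both from the LAN and ADMIN networks
block in quick log on $dmz_if from $dmz_pool to <private>

# Whatever remains is Internet-bound: allow only the listed ports and put
# the flows in the capped queue on the way out
pass in quick on $dmz_if proto tcp from $dmz_pool to any port $dmz_tcp_out \
    flags S/SA keep state queue q_dmz
pass in quick on $dmz_if proto udp from $dmz_pool to any port $dmz_udp_out \
    keep state queue q_dmz
# anything else from the DMZ (SMTP, SSH, random high ports) hits "block log all"

# --- LAN and ADMIN: unrestricted outbound, stateful ------------------------
pass in on $lan_if   from $lan_net   to any keep state
pass in on $admin_if from $admin_net to any keep state
pass out on $wan_if keep state
```

A useful check after loading rules like these is to test from a client behind the IoT WAP: a connection to a LAN address, to the other WAP's PPPoE address, or to an unlisted Internet port (for example TCP/25) should be dropped and show up in the firewall log, while HTTPS to the vendor's servers should still succeed.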
In my home network, I have a Honeywell thermostat (offers to buy me Nest thermostats and security/smoke detectors are also appreciated) that "phones home" to Honeywell's servers to report its current conditions. I then use an app on my cell phone that connects to those servers (whether I am actually at home or elsewhere) to retrieve that data. There is never a direct link from the thermostat to my phone, so it is an excellent IoT device to isolate.
The Ubiquiti EdgeRouter X also has a PPPoE server that can be bound to any LAN interface, so the same concept could be used there as well. I re-purpose DSL modems (specifically VisionNet wireless units, although other brands have the same functionality) as WAPs, so their "LAN" side is just as isolated from my networks as it would be from another customer's modem on the same ISP. That is my solution; comment below and stay tuned for other topics!