Steve Gibson's Three Router Solution to IOT Insecurity

Subject: General Tech
Manufacturer: Various

More stuff to know about

Router Setup

Give the router power; plug the Ethernet cable into the blue uplink port and the other end into your cable modem. Basic stuff. Connect another Ethernet cable from your desktop or laptop to one of the available yellow LAN ports on the router. Directly to the left of the AC adapter port on the unit is a power button; give it a good push to power on the router. For those of us super-hardcore who like to use static IP addresses on our machines and/or devices, make SURE to disable this feature on the PC you are using to configure these routers. If your IP address isn’t in the “192.168.1.x” address space, you’ll be scratching your head trying to figure out why you can’t reach the web control panel of the router. Speaking of which! – point your browser to once you have everything connected.

Advance to the next screen (press GO) and choose a password for the border router. Don’t skimp on the password – set a good one and write it down or input it into your password manager of choice.

Advance to the next screen, set a wireless password and keep clicking next until you arrive at the Network Map.

Let’s do some basic due diligence by adjusting some security and network settings.

Disable WPS: Browse to the “Wireless” category on the left, select “WPS” from the sub-tabs in the right-hand pane and click the green ON/OFF slider to disable this feature.

Disable Wireless: This is a border router strictly designed to pipe traffic to and from our internal routers. There is NO reason to have wireless capabilities enabled here. Navigate to the “Professional” subtab located inside the same “Wireless” category we are currently in. Select the “No” radio box under the “Enable Radio” line item. Make sure to click “Apply” after making this change!

Disable UPnP: I realize that XBOX and a number of other devices use UPnP to enable forwarding of packets to and from the game system. I am erring on the side of caution and I want to lock this system down before opening things up. It’s up to you whether you are comfortable with devices opening ports using this protocol or not. I would rather manually configure things and not allow an automated process to control my routers. Select the “WAN” category on the left-hand pane. Then select “No” under the “Enable UPnP” line item. Click “Apply” to save your changes.

Configure Network Addressing: IMPORTANT! You can quickly run into an IP address conflict if you don’t manually adjust the default IP addresses used on the LAN for each of the routers you set up. A router is designed to route traffic from one subnet to another. If you configure two routers attached to each other with the same IP addressing scheme, you will quickly find yourself dealing with intermittent network problems. To avoid this we will design a simple addressing scheme and configure it. This is a LOT easier than it sounds. Here’s how we will design this.

“Border” – 10.10.1.x

“IOT” – 10.10.2.x

“Secure” – 10.10.3.x

Why 10.10.x? This paragraph discusses the thought process that was engaged to arrive at the IP subnet to be used in this article. Skip ahead to the next paragraph if you are simply interested in the setup of the system. A considerable amount of thought and consideration went into the final decision on which private subnet should be used in this guide. It might seem obvious to simply use the popular and more recognizable “192.168.x.x” that we are so accustomed to seeing. Let’s consider the three possible subnets we can use and why they should or shouldn’t be used.

1.    192.168.x.x – This is, of course, the most common default subnet and it’s by far the most recognizable – even to the beginner. However, this subnet has a number of drawbacks associated with its usage in this particular configuration.

      1.    Internet Service Providers who position their subscribers behind a private IP address generally will use this subnet on their Cable or DSL modems. Since you cannot guess which numeral will be used in the third octet (192.168.#), you have to hope that the number you choose will not conflict with your “border” router’s address.

      2.    Even if we were able to reliably determine the majority of what ISPs use as the third numeral, we are over-complicating the guide to set up this configuration because we need to explain how to determine if your ISP has given you a private IP address. This adds an unnecessary step to the guide.

      3.    It’s helpful to “reserve” or mentally label this subnet as the “this router isn’t set up yet or it has been reset by accident” subnet. This is purely a matter of opinion, but it is easy to identify a router that has not yet been configured when its web control panel is still using the 192.168.x subnet.

2.    172.16-31.x.x – Although it’s all but non-existent in home settings, this private subnet is also available for use. It might be a good choice, but I believe our third choice gives us much more flexibility in terms of using numbers for labeling purposes.

3.    10.x.x.x – This subnet gives us the most freedom in terms of how we choose to number our internal network. We have the full range of 0-255 on the second and third octet available to us.

What if you are not able to change your private IP address from 192.168.x to something different because your router does not give you this function? Many years ago, when router firmware was much more limited in its capability, this was much more commonplace. If you find yourself in this situation, feel free to use the 192.168.x subnet, with the caveats mentioned above taken into consideration of course. In the end, it’s strictly a matter of personal preference. The goal of this guide is to give you a few clear steps that you can easily follow, involving the fewest steps possible, so you can get up and running. With all of that out of the way, let’s configure the IP address of these routers.

Navigate to the “LAN” category on the left-hand pane. Type in the appropriate IP Address into the box labeled “IP Address”. To determine which address should be entered, refer to the list below. If you’re currently configuring the “Border” router, for example, use the address listed next to “Border” in the list below. Click “Apply” when done. Allow the router to reconfigure its IP address. You will be prompted to login again.

“Border” –

 “IOT” –

“Secure” –
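The addressing rule from this section, as an added example that is not part of the original article: a small checker that takes each router's LAN subnet and reports where two ranges collide. The /24 prefix length, the sample modem subnets and the function and variable names are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Wiring from the guide: the IOT and Secure WAN ports plug into Border LAN
# ports, and the Border WAN port plugs into the modem.
UPLINK = {"Border": "modem", "IOT": "Border", "Secure": "Border"}

# The guide's plan; the /24 prefix length is an assumption.
GUIDE_PLAN = {
    "Border": "10.10.1.0/24",
    "IOT": "10.10.2.0/24",
    "Secure": "10.10.3.0/24",
}

# Constructed bad case: every router left on the same default subnet.
ALL_DEFAULT = {name: "192.168.1.0/24" for name in GUIDE_PLAN}


def check_plan(lans, modem_subnet=None, uplink=UPLINK):
    """Return (severity, message) findings for a cascaded-router plan.

    lans         -- router name -> LAN subnet in CIDR form
    modem_subnet -- private subnet the ISP modem hands to the Border WAN
                    port, or None when Border receives a public address
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in lans.items()}
    findings = []

    # Every LAN must sit inside one of the three private blocks.
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(
                ("conflict", f"{name}: {net} is not RFC 1918 private space"))

    if modem_subnet is not None:
        nets["modem"] = ipaddress.ip_network(modem_subnet)

    for a, b in combinations(sorted(nets), 2):
        if not nets[a].overlaps(nets[b]):
            continue
        pair = f"{a} ({nets[a]}) and {b} ({nets[b]})"
        if uplink.get(a) == b or uplink.get(b) == a:
            # One router would see the same range on its WAN and LAN side,
            # which is the conflict the guide warns about.
            findings.append(
                ("conflict", f"{pair} are directly connected and overlap"))
        else:
            # Not directly connected: NAT still works, but the nearer range
            # hides the other one and the routers are easy to confuse.
            findings.append(("warning", f"{pair} reuse the same range"))
    return findings


if __name__ == "__main__":
    for label, plan, modem in (
        ("guide plan", GUIDE_PLAN, "192.168.0.0/24"),
        ("all defaults", ALL_DEFAULT, "192.168.1.0/24"),
    ):
        print(label)
        for severity, message in check_plan(plan, modem) or [("ok", "no overlap")]:
            print(f"  {severity}: {message}")
```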

Rename The Wireless Network: If you are currently setting up your “IOT” or “Secure” router, navigate to the “Wireless” category and change the “SSID” to something you will easily recognize. For example, I named my IOT router “Home – IOT” and my Secure router “Home – Secure”. This way you can determine which network does what when you try to connect a device for the first time to one of those wireless networks. In either case, make sure to click “Apply” when done.

At this juncture you have two options – you can continue to fiddle with the other advanced settings on the router or move on to the next router. I highly recommend you set up all three routers first before fixing something that isn’t broken (not yet anyway).

For those of you who program, it’s time to invoke the “while” loop. While you still have routers in line to be setup, scroll back up to the “Router Setup” section and repeat this process until all three routers are configured – with one VERY important exception! You definitely do NOT want to disable the wireless radio on the second and third routers!

Pro Tip: Each time you’re ready to begin setting up a new router, leave all your cables (both Ethernet cables and the power cord) in place! Simply power off the finished router, unplug each cable gently in preparation for the next router. Place the finished router aside in a “finished pile” and reattach the cables to your next router on deck.

Pro Tip: Print this guide or save it as a PDF while configuring your routers. It will allow you to work offline while you are plugging and unplugging things and interrupting your Internet connection. You could also use a separate device that takes advantage of a different wired or wireless network. It’s up to you!

Once you have successfully completed configuring all three routers, locate three Ethernet cables and unpack the three included power adapters. Connect the “IOT” and “Secure” routers to the “Border” router.

1.    Begin by plugging in an Ethernet cable into the WAN port (blue) of the IOT router.

2.    Repeat this process with a second cable with the Secure router.

3.    Connect both of the Ethernet cables into the LAN ports (yellow) of the Border router.

4.    Ensure each power button on each router is in the OFF position.

5.    Connect an AC adapter to each router and plug them into an open power outlet.

My personal anecdotal evidence suggests it is better to plug in your network equipment starting from the cable modem, waiting about 10-15 seconds and then gradually moving inward.

1.    Power cycle your cable or DSL modem by unplugging and re-plugging it into its power source. Wait until all the LED indicators return to their normal state.

2.    Power on your Border router. Wait until the network activity LED is blinking.

3.    Power on both the IOT and Secure routers.

You have successfully set up Steve’s three-router solution! You can now begin to connect all of your IOT or “Internet-Enabled” devices to the IOT router, and connect your “private” or most valuable electronic assets such as your main PCs, laptops, mobile devices and network storage devices to the Secure router.

Achievements: By forcing our network traffic through separate channels (IOT & Secure), we vastly improve the security of our local network devices. As mentioned above, we still have to deal with the threat of infected devices on the IOT router infecting or hijacking other IOT devices. In the future we might be able to address this issue by applying some sort of software layer of protection (i.e. VLAN per device), but at least we have a solid platform on which to build. Remember, the primary goal and/or achievement here is putting a theory into actual practice instead of just discussing how we can remedy this new and growing security threat. A side benefit of implementing this network topology is our change in behavior when it comes to connecting new devices to our network. Instead of passively blending everything in with our other devices and hoping everything will behave, we can now easily make an active decision about each device on its very first connection. We only have two choices: either the device is insecure and needs zero access to our secure network, or the device is of high value and should be protected inside our secure network. We all realize the decision may not be as binary as that with each and every device, but at least now we are actively engaged in the mental process of protecting our most valuable network devices.

Return On Investment: If you implement this router configuration by purchasing brand new units and if you use the same models listed in the walkthrough, you will end up spending approximately $120 (at the time of this writing). We could go over an infinite number of variations and adjustments to lower or raise that price. Obviously if you use units you already have, the total build cost will drop dramatically. Here’s an important factor to keep in mind if you intend to build out this configuration with used equipment. Most likely you don’t have two exactly identical router models or even the same brand of routers all at the same residence or place of business. The probability that you have three of the same router is smaller still. There isn’t anything inherently incorrect about using three completely different router models to accomplish this setup. However, I believe you will find that managing three completely different GUI interfaces, as well as the difference in available settings, can drive you to insanity. I would highly recommend using three identical router models to simplify the troubleshooting process – even if the total cost ends up being higher. All of this being said, the return on our investment of time and money manifests itself in an intangible way at first. In fact, at first blush, we have added more complexity to our home network, but the benefits we receive, in terms of lowering the total number of attack vectors, are well worth our investment.

Our main goal with this network design adjustment was to somehow address the IOT security threat in our local SOHO router environments by developing a proof-of-concept. It certainly isn’t the cheapest or most efficient way to set up a network, but it provides us with a platform on which to build and advance our approach to a secure home network.

Editor's Note: It should be mentioned that while this method is the most secure, if you have a router that can use DD-WRT there is a feature called "AP Isolation" that can perform a similar function.

The wireless bridge builds a bridging table consisting of "heard" (or sniffed) MAC addresses that appear on various ports. Think of the router as having just 3 available ports: Wireless, Ethernet switch, and router port. If the destination MAC address of a packet shows up in the MAC address table as sitting on a specific port, only that port gets the traffic. Broadcasts, which have no single destination MAC address, are sent to all ports.

When this feature is enabled the software builds a logical rule (or filter) for these MAC addresses and ports that says:

"If the packet originates on the wireless port, it can only send and receive packets that are destined or originate from the router port or ethernet switch port."

Not a very complex rule, but one which totally prevents wireless client to client traffic. Not even broadcasts will go from wireless client to client.

While there is always a chance that this firmware-based rule could be disabled or broken, it's a great option for those of you looking for a simpler security option.
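The bridging behaviour and the isolation rule described in this note, as an added example that is not part of the original article and is not DD-WRT code: a three-port learning bridge run over constructed traffic with the rule off and on. The MAC addresses, the host names and the modelling of client-to-client traffic as entering and leaving the single wireless port are assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
PORTS = ("wireless", "switch", "router")

# Constructed sample hosts (locally administered MAC addresses).
CAMERA = "02:00:00:00:00:01"   # wireless client
BULB = "02:00:00:00:00:02"     # wireless client
PC = "02:00:00:00:00:10"       # wired host on the Ethernet switch port


class Bridge:
    """Learning bridge with the three ports the note describes."""

    def __init__(self, ap_isolation=False):
        self.ap_isolation = ap_isolation
        self.table = {}  # MAC address -> port it was last heard on

    def forward(self, src, dst, in_port):
        """Learn src, then return the sorted ports the frame leaves on."""
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            out = set(PORTS)            # broadcast or unknown: all ports
        else:
            out = {self.table[dst]}     # known: only the port it sits on
        if in_port != "wireless":
            out.discard(in_port)        # wired frames never go back out
        elif self.ap_isolation:
            out.discard("wireless")     # the rule: no wireless-to-wireless
        return sorted(out)


def run(ap_isolation):
    """Replay the same constructed traffic and record where each frame goes."""
    bridge = Bridge(ap_isolation)
    # Each host announces itself once so the bridge can learn its port.
    bridge.forward(CAMERA, BROADCAST, "wireless")
    bridge.forward(BULB, BROADCAST, "wireless")
    bridge.forward(PC, BROADCAST, "switch")
    return {
        "camera -> bulb": bridge.forward(CAMERA, BULB, "wireless"),
        "camera -> broadcast": bridge.forward(CAMERA, BROADCAST, "wireless"),
        "camera -> pc": bridge.forward(CAMERA, PC, "wireless"),
        "pc -> camera": bridge.forward(PC, CAMERA, "switch"),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"AP isolation {'on' if enabled else 'off'}")
        for flow, ports in run(enabled).items():
            print(f"  {flow:20} {ports if ports else 'dropped'}")
```

In this model the rule leaves the camera-to-PC and PC-to-camera flows untouched, so AP isolation by itself does not separate wireless clients from wired hosts on the same router.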

August 15, 2016 | 12:02 PM - Posted by willmore

Guess you missed the SN570 podcast from Jul 26 where he revised this yet again. Do'ah!

August 17, 2016 | 11:28 AM - Posted by Anonymous (not verified)

I don't see anything about this subject in sn570 show notes.

August 15, 2016 | 01:33 PM - Posted by Anonymous (not verified)

It does seem bizarre to use three physically separate routers rather than just incorporating the rules into one slightly more advanced router, e.g. an ITX box with a low-power CPU and a handful of NICs. Or dual-NICs and a VLAN-aware switch. If you're worried about the router being compromised, then having three consumer routers just means you get three compromised routers.

August 15, 2016 | 03:58 PM - Posted by Anonymous (not verified)

I thought this sounded familiar. Doesn't Smoothwall have that capability? It has one NIC as the WAN side, then as many other NICs as you want, each one being its own separate LAN. People on their forums typically had a hardwired LAN subnet, a wireless subnet and a third for insecure stuff. I didn't keep up with it, but this article triggered the memory.

August 15, 2016 | 01:40 PM - Posted by Steve Gibson (not verified)

Great write-up! Thanks. I'll mention it on this week's podcast.

And I agree with the previous commenters: We now have a nice choice -- use "three dumb routers" or "one smart router" having multiple truly separate NIC interfaces which can be placed onto independent disjoint LAN subnets. :)

The podcast's current favorite "one smart router" is the Ubiquiti EdgeRouter X. An amazing value for $49! But I still think there's a great case to be made for the "three dumb router" configuration when a user on a tight budget already has some old "el cheapos" in the closet.


August 15, 2016 | 02:18 PM - Posted by Anonymous (not verified)

IOT should stand for the Intranet Of Things, and not the Internet of things, with the Intranet Of Things devices only communicating over a dedicated Intranet Of Things router and a dedicated Intranet Of Things server. The Intranet Of Things server should only be able to be accessed read only from outside the intranet layer and should only pass encrypted files to any computer/s connected to the outside internet. Any specialized processing should be done on the dedicated Intranet Of Things server and passed as encrypted files to any outside computers that may be connected to the internet.

Too much smarts inside of too many devices connected directly to the internet becomes an unmanageable security risk so put all the smarts inside the dedicated Intranet Of Things server to post process all the IOT(Intranet Of Things) devices output. So the IOT(Intranet Of Things) devices are only able to use a dedicated Intranet router with a protocol that is only compatible with the dedicated Intranet Of Things intermediary server’s hardware/firmware layers. Pass encrypted files to any outside computers and let the outside(the secure Intranet layer) computers connect/pass encrypted files to the internet. Keep those Intranet Of Things devices dumb as nails and only able to pass their input to the dedicated Intranet Of Things server, and let the dedicated Intranet Of Things server have the brains for any other tasks or features.

It’s a lot easier to keep on top of a single server than dozens of “Smart” devices that are themselves servers/processors in their own right. Too many different “Smart” devices have their own dumb firmware/software programming vulnerabilities and proprietary methods. It’s much better to go with an open source managed dedicated Intranet Of Things server with one set of open source firmware/software to manage. Really any command and control of any IOT devices should be isolated from and data acquisition functionality by using a dedicated command and control processor in its own hardware/software/firmware isolated environment run from the dedicated Intranet Of Things server over its own separate command and control link to any Intranet Of Things devices.

Who the hell would want all these “smart” devices with vulnerabilities all their own running cameras and other data acquisition tasks and blabbing all that information out over the internet. I’d only accept an Intranet Of Things server that I have full control over as opposed to many 10s of devices that I have very little control over, and never would I have these devices connect to the internet directly. Wireless is a big hell no also, with shielded cables/receptacles only!

August 15, 2016 | 06:14 PM - Posted by Anonymous (not verified)

Who wants IoT? People who like spying on you probably.

August 15, 2016 | 09:10 PM - Posted by BillDStrong

Don't the newest routers allow you to create multiple wireless networks that don't talk to each other? Why would we need more than that?

August 15, 2016 | 09:30 PM - Posted by HammerSandwich (not verified)

Editor: The stock Asus firmware allows AP isolation. You can see the setting in the "Wireless - Professional" screenshot.

August 16, 2016 | 12:37 AM - Posted by Havor (not verified)

Hmmm, I/we already have had the same setup for years, only I use my server as a root router for the different secure wifi/wired and insecure wifi networks.

September 17, 2016 | 10:37 AM - Posted by Charlie Tuna (not verified)

I not IT but I is EE and your JPG gave me a headache. ;^)

August 16, 2016 | 03:12 AM - Posted by DaVolfman (not verified)

If modern routers are built anything like the old WRT-54G then it should be possible to separate each port on the router's internal switch into its own VLAN and pseudo-interface (provided you're using something like OpenWrt). It's not perfect, and expansion might end up a little expensive or obtuse (either business-grade switches, or more hacked routers for additional switches). That makes it a little easier to isolate compromised wired devices.

August 16, 2016 | 03:39 AM - Posted by lott11

I have been running this for years; I use two PCs, low power and modest capacity.
On the first unit I run a Linux firewall server with 3 1000 Ethernet cards plus the built-in card.
The built-in is used for the second PC, which is the honey pot, in a virtual setup, where if it gets overloaded it reboots.
And this PC has a 3 way WIFI antenna that is extended with cables to the public areas of my home; the only use is for the home guest.
And before you jump all over my case, they are in a virtual net on the second PC with its own firewall.
What makes this simple: I change the password every 2 weeks, plus I print a bar-code to let them access the WIFI network.
They never look up the password, and since the password is 34 characters long they do not like it.
Now the other 3 cards the fast ones is the line in from the ISP, the first thing I tell them is to disable WIFI.
The next 2 cards go to the home networks; they are to 2 routers which both have DDWRT, one is a Linksys and the other is a TP-Link.
They both are on different networks and WIFI is also active with the same protocols for password.
Yes my kids think I am nuts, and because the passwords are so long and they all have fixed IP even the cellphones and tablets.
Windows is just like a Swiss cheese, if you think that you have plugged all the holes they just make new ones.
I have used things that I have purchased in my past, like for a time the honey pot was an AMD low power PC, I mean 15 watts.
Is it secured? For the most part yes; there is one more thing, in my one PC there is a piece of software.
That, if you persist in hacking your way in, warns you to back off; it has killed 12 PCs as a last resort.
So you can take it for what it is worth, that is my way of doing security.
There is only one more thing: every room has fixed Ethernet plugs, there are 2 per room or a switch to expand what is missing.
Oh, there is a total of 4 laptops, 3 tablets, 2 printers, 9 PCs and one is a FreeNAS server.
Hope this helps someone, and like I say, use what you have smartly.

August 16, 2016 | 12:23 PM - Posted by Anonymous (not verified)

This sounds really interesting. I'm interested in setting something like this up. Do you have any guide that you used? Which Linux distros are you using? What kind of components did you use for the low power? Would a Raspberry Pi work as the "honey pot"?

August 18, 2016 | 02:56 AM - Posted by lott11

Look at the other post at the bottom of the post.
Software and hardware are listed; the choice is yours what to use.
Good luck.

August 16, 2016 | 10:19 AM - Posted by Anonymous (not verified)

Good idea, very bad implementation. While you can Jerry-rig this topology with SOHO routers, you are just complicating things and opening a big can of worms called double NAT. Good luck getting reliable online gaming with that setup, especially on consoles or anything that needs a port forward.

If you want to implement a proper network isolation setup, get a router appliance or use something like pfSense with multiple NICs or VLAN support with a managed switch. Great opportunity to learn some good network concepts and maintain your sanity.

Just my 2 cents.

August 16, 2016 | 05:46 PM - Posted by Michael Horowitz (not verified)

The $180 Pepwave Surf SOHO from Peplink offers more security than you got with three routers.

ETHERNET: each of the 4 LAN ports can be put into its own VLAN. If that's not enough, you can connect a VLAN aware switch to a LAN port too (have not tried that myself).

WIFI: It offers total isolation of devices on a particular SSID. An SSID can be put into its own VLAN. Devices on that SSID can be prevented from seeing each other (they call this Layer 2 isolation). And, access to the router itself can also be controlled per SSID. Simply put, devices on a WiFi network can be *totally* isolated, so all they can do is communicate with the Internet. Period.

The choice referred to in this article, boils down to whether a WiFi device is connected to the isolated IoT WiFi network or a normal (aka untagged) WiFi network.

Plus, the Surf SOHO defends itself better than consumer routers. You can limit admin access to only HTTPS on a non-standard port and you can change the admin userid too. And, the firmware won't be abandoned by the vendor forcing you to buy new hardware to get bug fixes.

For more see

August 16, 2016 | 10:49 PM - Posted by lott11

While you may think that gaming is impossible, it is not.
To make the argument is ridiculous; yes, ps4 do not like long passwords for WIFI.
But why in the world would I send anything through WIFI unless it is text; that is, WIFI is for web and text, that is it.
You are not security savvy; all the PCs, ps4, anything that goes to the internet is hardwired; cell and tablets are by nature isolated.
What I mean by isolated: any WIFI has its own protocol of filters on both routers; have you ever used DDWRT?
Unlike the typical firmware, you can add your rules and packages to limit what goes in and out.
So yes, it is a long process, but then you only do this once in a blue moon.
The only thing is monitoring, that is 3 times every week; in the past 6 months, 2 attempts.
There are 3 servers in my home; that does not even count the firewall server.
There are no Nest devices or smart TVs, not even a car that can be accessed by any WIFI or remote system.
Yes the all way I do not need any more tracking, nor any monitoring I can fix my cars.
Do I live in the twenty first century, yes; do I have to do it their way, no.
Do I miss out on anything, not at all.
What can a smart TV do that I cannot do on Kodi? With Kodi I see news, TV, pay per view, 59 times more than on cable.
So what are the limits that you are talking of? There are 5 gamers at home; we all use Steam.
And some have ps4 and x-box or 360, whatever; the point is when my kids or myself want to host, we do.
We hosted up to 12 gamers at home and 27 online; do I do this all the time, no; can it be done, yes.
You are limited by your imagination, I am not; I am 54, we had to hack to make things work.
You kids just buy a piece of software, that is it; some of us still use our heads to work out problems.
And to the other anonymous user.
Would an (SBC) work? Well, they would, but most black hats will just LOL at how fast they got it down.
They just do not have the power to keep up; you need at least 2.0 GHz and 2 GB RAM and a Linux or BSD.
You would think that this is overkill; you can download Kali Linux and see how long it would take.
This is not the only way but it is well documented and fast to use, to test and penetrate any network.
Yes, there are 12 other ways plus at least 7 Linux that do the same and more; you have to start somewhere.
I have two ways of doing the first server: one is Slackware, the other that might be fast and just as useful is Zentyal server; there is also pfSense and ClearOS.
Now for simplest to use the last two distros.
If you want an SBC for anything go to Newegg or Amazon, and I do not mean pico boards.
I mean AMD and Intel N & M class or Kabini, Fusion or Ontario; most of these boards are $24 to $54 US.
And they all a 250 to 350 PSU some ram and a hard drive, use something that is used that you have small 10 up to 50 GB.
If you use Intel Atom quad core, a Celeron dual core the problem is the heat and manner of attacks nowadays.
They are brutal on the CPUs, so just because it is a honey pot it is still a PC, keep it in a cool place.
Hope this helps.

August 17, 2016 | 09:17 PM - Posted by drbaltazar (not verified)

If I understood Steve right (this week or last week), Steve Gibson found a box that could do it all: 5 separate ports (yes, literally separate but within the same box) (60$), so if I understood correctly, just adding this box and plugging wires in the correct order with your router etc. should technically T.N.O your network. Ask Steve or one of his allies. I am sure it's done already (sure sounded very done, unlike S.Q.R.L).

August 18, 2016 | 02:02 AM - Posted by David Beem (not verified)

Steve has been covering the Ubiquiti EdgeRouter X ($50 - $60 USD), I have one and also use pfSense. My solution has the IoT "routers" (in my case, re-purposed DSL modems) authenticate to the DMZ interface of my pfSense firewall through PPPoE (the EdgeRouter X can do the same thing):

August 18, 2016 | 02:38 AM - Posted by Anonymous (not verified)

How is this more secure than having 1 router running OpenWRT with a firewall that will only forward traffic from IoT MACs/IP range to the WAN?
The software configuration is a bit more complicated, but you don't have to buy and keep 2 extra routers in your home.

August 18, 2016 | 04:52 AM - Posted by Anonymous (not verified)

And if you're concerned about a compromised device listening in on your wireless traffic, use 802.1x authentication.

August 20, 2016 | 07:54 PM - Posted by arbiter

My Asus N66u router has an option in guest network to set up a wireless guest network and isolate it from the rest of the network. Devices using it can access the internet but can't access anything else connected to that router.

That is built in to stock Asus firmware.

August 26, 2016 | 12:33 PM - Posted by NoraaC (not verified)

I have set up the three dumb routers as described. The iot router is at the end of a long ethernet cable that was originally used to extend our office network into a distant part of a large warehouse/packinghouse building to connect a barcode printer needed in that location.

As time went on we added a FosCam ip camera to allow us to keep tabs on the packing operation from the office and then a Honeywell Internet connected thermostat. There are obvious benefits to being able to access the camera and thermostat from remote locations, at night etc.

This was done by setting up a second router with the ethernet plugged in to a LAN port with the router on the same subnet as the office and all devices connecting to the router - some wired some WiFi.

We live in an area where Internet access is not available (Other than Satellite) for many people so our employees appreciate having Internet access at work at least.

As a regular watcher of Steve's Podcast I was becoming increasingly nervous about the iot devices on our office network not to mention all the various cell phones and laptops brought in by employees and customers.

The problem now is having set up the isolated subnet in the packing house I still need to be able to print to the barcode printer which must be located where it is and I would like to be able to access the video from the camera.

My question after all this long winded explanation: Is there any way to print to the printer on the iot subnet from the office subnet without compromising the whole setup or am I forced to run another 100' of ethernet cable just to connect the printer?

August 26, 2016 | 12:43 PM - Posted by NoraaC (not verified)

I meant to post this here but posted to a different thread by mistake (too many open tabs) so sorry if it is redundant.

August 31, 2016 | 01:13 AM - Posted by David Beem (not verified)

When you have two wired devices (in your example a barcode printer and IP camera) that use the same uplink cable, but still need to be isolated from each other, the best solution is to set up VLANs. I strongly recommend replacing the Ethernet switch at the end of this long cable run with a Ubiquiti EdgeRouter X (between $50 and $60 USD, more pricey elsewhere). You would also need the network infrastructure where your main systems are in the facility, but getting a professional to set it up the right way will give you peace of mind.

I also recommend setting up a separate wireless network for employees bringing in their own systems into the office (called BYOD - "Bring Your Own Devices")...

August 31, 2016 | 01:23 AM - Posted by David Beem (not verified)

The Honeywell thermostat is more of the true "IoT" - I discuss in my blog ( how my Honeywell thermostat "phones home" to the Honeywell servers, then I access that data by connecting to them - not the thermostat directly. Your IP camera is more likely designed to be accessed directly on the other hand. Be aware that the Foscam brand is good - and typically has a setting in the interface for configuring an Access Control List.

There are security camera systems that feed that data to an Internet location or a server that you would run, but I think at this point you need a good network consultant to review everything for an ideal method...

August 27, 2016 | 01:53 PM - Posted by MeadDogMan (not verified)

I have the same issue as NoraaC, but it pertains to a Plex Media Server on the secured network and the Roku 4 on the IoT network - need to access the secured Plex Media Server and play the movies on the IoT Roku 4.

Any suggestions on doing this?

August 31, 2016 | 01:29 AM - Posted by David Beem (not verified)

A Roku interacts more within your network and is not an IoT device that should be isolated. I've got about eight Roku units of various levels around. Since you have a new model it needs the Internet connection for possible updates and any external streaming; if you were only playing Plex content there would be a chance of locking it down with an advanced hardware firewall like pfSense.

August 28, 2016 | 09:28 PM - Posted by Frank iot (not verified)

Great info, the pepwave surf soho mentioned by Michael is promising as one device that fits all purposes including wifi. We'll have to wait for the new model release that is able to do more such as concurrent dual band and 11ac.

Steve's ubiquiti edge router x does it too but it does not have wifi, which you need to buy separately (e.g. Unifi from the same company is a good choice).

October 14, 2016 | 05:38 PM - Posted by Anonymous (not verified)

I know that Ubiquiti just had some MAJOR hacks back in May. ALL of their devices were hacked and the username was set to mother password set to f****r. The hacker bypassed the security of the kernel and reset the credentials. It affected their radios and their routers as well. I don't know if I would trust the Ubiquiti option for security. I am a wireless provider and luckily, we have SSH and FTP blocked from outside of our network to our WISP.

I was personally looking at one of the Dell Sonic Walls for my home. I have several DVR's, Media Player and Apple TV on my LAN along w/ my computers. I have Ubiquiti unifi AP's in my home and my main desktop acts as the controller.

I came to this site because I am trying to figure the best way to set myself up w/ proper security for the future. At this time, I only have one router and a gigabit cisco 50 port POE switch. But am about to put in smart locks, garage door openers and IP cameras. Was wanting to segregate that traffic from the rest of the LAN for security reasons and for bandwidth reasons on my LAN and not make my other video suffer and start buffering.

I only have DSL speed to the Internet even tho I have a gigabit LAN.....

Am I on the right path?

December 6, 2016 | 12:31 AM - Posted by Joseph Kesselman (not verified)

Confused by one point: In discussion it was suggested that a single Ubiquiti box could provide solid enough isolation to avoid the three-router setup. But that doesn't seem to provide wifi, which is sorta sine qua non for many IoT devices and desirable for guests even if your secure net is hardwired. So it seems at least one additional router or AP is needed, possibly two. What am I missing?

I'm also wondering whether simply firewalling the IoT devices to communicate only with their official hosts/hubs and/or control sources wouldn't do the job more efficiently...?

December 16, 2016 | 08:40 PM - Posted by Joe (not verified)

So I tried to setup up this same exact configuration in my house, and I have a question.

I recently purchased a Ring Doorbell -- this is an IoT device (for those that don't know) that has a camera which allows you to see who is at your front door if you use the associated Ring iOS/android application. The Ring app will also allow you to view the camera feed when you are away from your house and outside of your local network. In my setup, I connected the Ring Doorbell to my "IoT network". Meanwhile, my iphone with the associated Ring phone app is connected to my "Secure network".

When all three routers (Border, Secure, and IoT) are on, I can access the live feed from the Ring doorbell no matter which network my iphone is connected to (from the "IoT network", from the "Secure network", and from my cell phone provider's internet). However, when I turn off the modem used for the "Secure network", I can only access the feed on the Ring app when my phone is connected to the "IoT network". In this scenario, I obviously can't access the video feed from the "Secure network" because that modem has been turned off. But what doesn't make sense to me is why I can't access the video feed while my phone is connected to my cell phone provider's internet.

Anyone have an explanation for this?

(Apologies if it's a dumb question -- I'm obviously not a networking expert)


December 26, 2016 | 04:58 AM - Posted by RH (not verified)

Nicolae Crisan, thank you for making SGibson's theory implementable by those not super technical!

The majority of the comments lean against this “3 dumb routers” configuration. It seems most consider it inefficient. There are comments suggesting the Ubiquiti EdgeRouter X, pfSense, or Pepwave Surf SOHO.

If my primary objective is to isolate IP cameras, specifically Foscam 8910s from sensitive devices, is the “3 dumb routers” config an easy to administer set up for a non-technical person that has zero interest in learning anything about networking?

Here is my scenario:
I am assisting my cousin and her two teenage daughters. She lives three states away, so my support will be remote with her acting as my eyes and hands. One device with complex rules will be too much for her to help me troubleshoot remotely. To date, the guys she has dated have not been technical. I plan to configure/test the network at my house, ship her the pieces and walk her through snapping in the cables. I know a little about networking, but very far from being an expert. By providing her a list of device types to connect to IOT or Secure, my hope is for her to easily be able to admin her network.

Primary objective: isolate 4 Foscam 8910s from her main network.
Secondary objective: Encrypt Foscam data streams, Foscam 8910s do not have https. Her current contract cell service has spotty service, so she uses free WiFi too much. When using free WiFi, she is giving her network login and password to anyone that is looking or capturing LAN data.

Her current home LAN set up is Time Warner Cable service, a cable modem she owns, connected to a Netgear 3400 v2 wireless router. Netgear has not released an update for v2 in 2-3 years. It is currently running its most recent firmware ( It supports a guest network, but it is not set up. Remote administration, WPS, and UPnP are turned off. Each of the four IP cameras has a port forwarded in the Netgear.

Her devices are (Netgear 3400 v2 seems to handle load well):
-4 wireless Foscam IPs (640x480 resolution viewed via cell phone),
-1 ring doorbell,
-2 iPhones (various models), [usually on carrier’s 4G network]
-2 iPads (various models),
-2 WiFi Printers,
-2 Android phones, [usually on carrier’s 4G network]
-2 Win 10 laptops,
-1 Chromebook,
-2 connected DVDs that can stream Netflix and Youtube,
-2 Rokus,
-AT&T/Direct TV home DVR system with 3 wireless Genie devices, I think they have their own network to communicate to main DVR unit that is separate from her home WiFi network,
-XBox (no online gaming),
-Wii U (does do online gaming),
-1 Fitbit type devices,
-Guest network (she is the neighborhood and Drill team mom, many different teen girls on and off network).

Her family: 50 year old mom. 17 & 14 year old daughters. Many, many friends and drill team members have the guest password saved in their devices.

Suggested Map of Devices to Router and SSIDs (not real name of SSIDs):
-Border Router: Secure Router & IOT Router
-IOT Router; Video SSID: Foscam 8910s; Ring Doorbell;
-IOT Router; Media SSID: Rokus, Connected DVDs, XBOX, Wii U, Fitbit
-Secure Router; Family SSID: Cellphones, Printers, Apple iPads, Windows laptops, Chromebook
-Secure Router; Friends SSID: Printer, many teenage friends of their parents. 5-9 friends at one time seems to be average.

1. NEED TO ISOLATE FOSCAMS. 8910s are using Foscam’s DDNS and port forwarding through the Netgear 3400 v2. They call home often but Foscam initially denied they did. Who knows what data is being sent to China. I have read creepy stories of how the Foscams have a full LINUX system inside with limited security or safeguards. A clever hacker can enter the home LAN through the Foscam and hop to other devices on the LAN. Once a laptop/tablet is found, the hacker has access to more RAM and CPU power to do bad stuff.

2. DO I NEED TO PORT FORWARD FOSCAMs ON BOTH BORDER AND IOT ROUTERS? If this is required, am I weakening my setup? That is, am I not setting up a potential M-I-M situation since I have granted outside internet access through the border router? What options are there to remedy this scenario? Can it be set up so that I get an email if changes are made to the router’s config? Can a log be set up that will keep its entries through a reboot?

3. HOW DO I ENCRYPT FOSCAM VIDEO STREAMS SINCE THEY DO NOT USE HTTPS? My first thought is to figure out free OpenVPN. But the N12 stock firmware does not support OpenVPN. Is there another router I should consider? I would consider using Merlin firmware, but a few searches suggest the N12 is not stable on Merlin.

4. ARE DATA ON DIFFERENT SSIDs KEPT SEPARATE? One of Nicolae’s images shows the Asus N12 D1 firmware can make 3 guest SSIDs. Are data isolated such that data on the MAIN Family SSID is completely separate from data on the Friends SSID? Can these separate SSIDs be viewed as a sort of Wifi VLAN? I want to make sure an ex-boyfriend of one of the teens cannot use the commonly accessed Friends SSID to get access to data on the Family SSID.

5. WHICH CONSUMER GRADE ROUTER BRAND HAS BEST REPUTATION FOR MAINTAINING THEIR FIRMWARE? The Netgear 3400 v2 has not been updated in years. I was in Micro Center and noticed the 3400 is still sold, but it is v3. Netgear’s website does not make it clear when the last update was provided for the 3400 v3.

I regret the long post. Please let me know if my requests do not make sense.

Thank you.


December 29, 2016 | 01:01 PM - Posted by Anonymous (not verified)

Back to basics

Yes, this is a very clever solution. But to what problem? What is really an IoT device??? How can a webcam, printer, Playstation, IP phone etc. be less 'dangerous' than a refrigerator (or another traditional IoT device)? Even a PC with the wrong software installed would not be more secure than a refrigerator.

March 24, 2017 | 12:21 PM - Posted by Fillmore (not verified)

My Netgear Nighthawk Router/WAP, like many devices, has a Guest WiFi Network (well, two: one for 2.5GHz and one for 5GHz).

Why would I not use this? Now my home automation requires an Ethernet connection so to solve this, I'm thinking I could purchase a WiFi extender with Ethernet port, plug that in to an outlet and connect it to the Guest WiFi. Then plug the home automation hub in to the Ethernet port on the extender.

Set up the guest WiFi for isolation and Bob's my uncle.

What am I missing here? The traffic is isolated, no?

October 28, 2017 | 01:34 PM - Posted by Sjhhas1 (not verified)

Yes, your traffic would be isolated. Guest Networks employ TWO levels of segregation.

1) AP Isolation. Which keeps devices from communicating with each other.
2) Guest Segregation. Which keeps devices on that Guest Network from being able to communicate to your internet network AND wired devices.

Both of these function as a sort of VLAN Segregation. There is literally no additional security required for devices segregated in such a way. Three Router is a nonsense solution.

April 5, 2017 | 02:30 PM - Posted by WC (not verified)

The issue I have run into when trying to implement this isolated type of setup is that with iOT devices needing hubs (HomeKit with Apple TV for example) it becomes harder to separate and firewall. For example if you use the Apple TV to watch movies from your NAS etc you would generally put that on the secure side of the network, however the Apple TV needs to be able to 'see' the iOT devices to control them therefore causes a problem with routing. I have tried this with some crazy firewall rules to block all but Bonjour style of traffic but a) that is not easily bounced around (Bonjour is not very re-direct friendly) and b) still leaves a bit of a security gap.

Would love to know if others have run into this and how they are resolving these issues with control of iOT devices from hubs that need access to secure side etc.



April 6, 2017 | 10:51 AM - Posted by james (not verified)

Make the second router for IOT devices a VPN router for extra security. You can make one yourself if you are pretty technical or buy a premade one, like or google around for others

April 14, 2017 | 10:21 PM - Posted by train_nerd

Please forgive nOOb questions but would like to try this with Ubiquiti edgerouter X as Border, then existing router as Secure, then add new IoT VPN router for IoT devices.

I'm getting impression from other sources that DHCP should be disabled on the IoT and Secure routers. Does that make sense?

Will devices on secure network be able to see and control IoT devices on IoT network?

(I have the existing router config backed up on NAS, I understand this approach is messier than Gibson advice)

Thank you.

July 16, 2017 | 04:05 PM - Posted by mark b (not verified)

Here is another configuration question

My situation is slightly more complicated.
I live in an RV, have 2 routers (both tied together, and both (sad-face) using a class A (10.70.x.x) address). We can call this (set) router A, as they are integrated together.

This is how I get my internet, either from a local wifi source (think McDonalds/Home Depot), or from a Verizon jetpack.

Sub-problem 1: Router A is not a Gig-Ethernet, but only 100mb/s.


First problem:
My border router has Class A addresses.
My next router (Router-B) is used for my internal wifi, and is tied via ethernet to RouterA (border). It is a Gb consumer switch.

Next , my "dumb" tv has a chrome-cast. I'd guess this is my first IoT device.

My second "dumb tv, has a ROKU model 1 ( because of the old connectors on it!) This would seem to be IOT device 2.

My first question is WHICH router should provide the DHCP addresses?

is there an easy way to integrate this easily?

I would guess that:
A) my slow (class A) border router would STILL be the interface to the outside world, since it knows how to get my wifi signals.

B) the Ubiquiti EdgeRouter x would be next in line, accepting all signals, and forwarding them to the devices.
b.1) I'd guess this would be my DHCP controller.
b.2) I would connect my second (commercial) router to the secure port, and use this one's wifi signal as my primary device) wifi.
and my next question: where will my secure devices get their DHCP address, from borderA (doubtful), or edge-router(b), or secure (c).

And what ip addresses can I use that would be compatible with the class A 10.70 addresses? (I can't change the addresses, because the system is monitored, and phones home)

thanks in advance!

October 28, 2017 | 01:31 PM - Posted by Sjhhas1 (not verified)

This has to be the stupidest network setup I have ever seen. Clearly done by a networking neophyte and definitely not done by a networking engineer that knows network security. Apparently VLANs, Policy Segregation and DHCP Pool isolation are new concepts to some people? All of this can be done in 2 minutes on any SOHO router and/or switch without need for all of this crappage gear. Please people, stop giving out this kind of dumb information.

November 24, 2017 | 11:33 AM - Posted by PhiDeck (not verified)

"on any SOHO router and/or switch" is a stretch, since multi-homed routers and VLAN switches are not the norm in the home networking market.

February 1, 2018 | 11:08 AM - Posted by Jibsman (not verified)

@Sjhhas1, instead of negative comments, please share the correct solution for this issue. I am truly curious what an expert such as yourself would do. Complete instructions with Network Map would be expected from an expert.

November 30, 2017 | 12:36 AM - Posted by GoSmitty (not verified)

So, I'm giving this a try and having a heck of a time with either DHCP or double-nat'ing, I'm really not sure which... I have the routers set up as described, and here's where my understanding of these various concepts meets its limit: if the point of this is to "secure" my IoT devices on a separate network and that network is on a router behind which itself is behind another router, how on earth is the IoT network supposed to do its UPnP thing (which Philips Hue Bridge, among others, requires) which requires as direct a path to the internet as possible, no?

Which router should handle the DHCP, or does each handle it for its own subnet (if I'm using the term correctly)?
Should I be reserving IP addresses in the border router's DHCP server for the two "sub" routers? What about using some kind of bridge (I have both dd-wrt and Merlin-wrt routers and both seem to offer this - would it help)?
Should I attempt to assign specific routes to/from the external IP's these devices use to "call home"?

I truly appreciate any help anyone can offer.

February 1, 2018 | 11:05 AM - Posted by Jibsman (not verified)

First of all, I am NOT very knowledgeable about Networks & Routers, so keep your troll comments to yourself. Luckily I work at a company that has lots of very smart folks who do know all about this stuff.

The instructions here are insufficient for people like me, who want to secure our home networks but are unsure how to set things up. Maybe the author assumes we know more about setting up routers than the average bear.

On the WAN side, do you leave the IP as Dynamic, or set that up to a specific set of IPs.
DNS: I think (not sure) that each router DNS needs to point to the router above to get to the Internet. My Secure router could not access the internet because I hadn't set the Border router DNS to the Cable Modem. I'll try that when I get home tonight.
LAN Setup: My Netgear WNDR3400 has a section "Use Router as DHCP Server". I think that needs to be enabled, but again, I'm not sure. When I set the Border Router up with IP, the LAN set up the IPs for the DHCP Server from to Seems like this is the correct thing to do.

There is no mention that I can find about the WAN, LAN (other than setting the IP) or DNS setups.

AP Isolation: So this prevents the endpoints from talking to other devices on the wireless router? I have Amazon Echo Plus, and a bunch of lights, switches and plugs connected throughout the house. With all of these on the IOT router, don't they need to be able to talk to each other? Or do they ALL send their info up to the internet and get their instructions from the internet and not the Echo? My two WNDR3400s have this capability. Once I get all three routers talking to the internet I will try it.

I have a Roku box. Connected wired to the Cable Modem now, so TV can still work while I muck with the 3 routers. Does the Roku need to be connected to the IOT router or is it safe to leave it connected to the Cable Modem?

My third router is an Apple Airport Plus. It does not appear to have any of the options above. I can create wireless networks but can't specify the IP, and don't see any options to change WAN, LAN, DNS or AP Isolation. I haven't gotten to this router setup other than viewing the setup app. The reason I have this router is that we have Apple phones, iPads and iPods, and was sold on the "feature" that the Apple Router beams stronger wireless to Apple products. I realize I never verified this, but it's what I have. This will be my Secure Router, as it currently works great with our Apple gear.

If one of you IT Experts have the time, some pointers here in the comments would be very helpful to Network Newbies like me. Instructions or links to other websites/pages that help folk like me understand better what the heck we are trying to accomplish.

February 2, 2018 | 04:44 PM - Posted by Jibsman (not verified)

I actually got it working, thanks to the experts at my company. Much of what I assumed above was off or just wrong.

Border: Netgear WNDR3400v3
Internet Setup: Leave it on Dynamic from ISP
WAN side: Leave it alone.
LAN side: Set the Border to I left "Use Router as DHCP Server" checked.
Turned off all Wireless and uPnP.
I set DNS to my Internet company's IP: Frontier is

IoT: Netgear WNDR3400v1
Internet Setup: Leave it on Dynamic from ISP
WAN side: Leave it alone.
LAN side: Set the IoT to Leave "Use Router as DHCP Server" checked.
Wireless turned on with WEPA2-PSK, Unusual Name and a 25+ character password.

Secure Router:
Turned it on, it works. Reaches the Internet with no changes.
Wireless turned on with WEPA2-PSK, Very Unusual Name and a very long password.

I had to basically start over with Echo and all the smart switches, lights, etc. Reset everything and add the devices all over again. I had screenshots of my Routines and device names so we didn't have to remember new phrases.

I used ShieldsUp! from Gibson Research Corporation to test for open ports & vulnerabilities. Everything passed with flying colors!
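Added example, not part of the original comments: several posts above ask which subnets the border, secure and IoT routers should hand out, so this Python check validates a cascaded-router address plan for overlapping ranges and proposes a free one. All addresses are constructed placeholders (the commenters' own values did not survive on the page), and the /16 prefix for the 10.70.x.x upstream is an assumption.

```python
from ipaddress import ip_network
from itertools import combinations

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(lans, upstream=None):
    """lans maps a router name to its LAN in CIDR form (a router address such
    as 192.168.1.1/24 is accepted). upstream is the network the border router's
    WAN port sits in, when that is itself private. Returns a list of problems."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in lans.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name}: {net} is not RFC 1918 private space")
    if upstream is not None:
        nets = {"upstream": ip_network(upstream, strict=False), **nets}
    # A router cannot forward between two interfaces that claim the same range,
    # so every network in the chain has to be distinct from all the others.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return problems


def next_free_lan(used, pool="192.168.0.0/16", prefix=24):
    """First /prefix inside pool that overlaps none of the used networks, or None."""
    taken = [ip_network(u, strict=False) for u in used]
    for candidate in ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    return None


# Constructed sample plans (placeholder addresses, not taken from the page).
GOOD = {"border": "192.168.1.1/24", "secure": "192.168.2.1/24", "iot": "192.168.3.1/24"}
# Inner router left on the same factory-default range as the border router.
BROKEN = dict(GOOD, iot="192.168.1.1/24")

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("broken", BROKEN)):
        issues = check_plan(plan, upstream="10.70.0.0/16")  # assumed prefix
        print(label, "->", issues or "no overlaps")
    print("next free LAN:", next_free_lan(list(GOOD.values()) + ["10.70.0.0/16"]))
```

With each router serving DHCP for its own non-overlapping LAN, a device on an inner router is double-NATed on its way out, which is the arrangement the post above reports as working.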

March 22, 2018 | 10:43 PM - Posted by Derek Smalls (not verified)

I use the 11 router approach. I find this to be the most secure method.

July 23, 2018 | 06:10 PM - Posted by Imfrank (not verified)

Three dumb routers solves the network isolation problem. But it's way too complex for the average home user. This works a lot better:

One smart router with network isolation built in. No need to worry about IP, NAT, DHCP etc...
