Blocking internet access for just one device.

lostandconfused

Hello all,

I have an interesting problem I need help with. I recently purchased a Philips Hue bridge. While I would like my Google Home hub and other devices to be able to control it locally, I do not want the bridge to have internet access. The bridge requires access to a wifi ap to be able to work.

I'm open to any solution that would work. The current idea is to get a layer 3 switch and put a wifi ap and the bridge on an isolated vlan at the end of 192.168.1.xxx as I don't know if the Google home devices would be able to find it on a different subnet. I plan on setting up an ACL that would allow the main vlan to communicate to the bridge vlan but not the other way.

My only real limitation is that I cannot have a non-ISP-provided gateway/router, and the ISP gateway cannot be put into bypass as it would prevent my IPTV from functioning.

So what does everyone think? Would this work? Any help would be greatly appreciated. Please let me know if you have any questions!

Thanks

Are you sure it will even work without Internet access?

AFAIK Google Home accesses smart devices via their Cloud APIs.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7

On 2/8/2019 at 9:49 AM, Alex Atkin UK said:

Are you sure it will even work without Internet access?

AFAIK Google Home accesses smart devices via their Cloud APIs.

Thank you so much for responding. I'm sorry I didn't see it till now.

And no, I'm not certain.

I know the hue bridge will function without internet because that's how I have it set up right now. (On a local network not connected to anything other than itself and a wifi router.)

I just assumed that the Google Home would access it via local IP instead of a roundabout internet way... I never even considered that.

I don't even know how to test that without first figuring out how to set it up. I'm googling now but so far nothing jumps out as fitting my situation.

I don't think Google Home is that clever to be honest, I believe it sends everything to the cloud to deal with.

Example, to connect with my LIFX bulbs you have to link it to the LIFX cloud service, and it doesn't even refresh the scenes or bulb names if I change them from the LIFX app AFTER it's been connected to the LIFX cloud service. I believe you have to unlink and link it again to the service to get the new names, pretty crap really.

If it will function without a connection to their Cloud APIs, I would almost just toss a pfSense box in with a rule dropping traffic from those devices trying to leave the LAN. I know you said you have to use the ISP provided router/gateway, but you can have your LAN devices use the pfSense box as their primary gateway and then have the pfSense forward all WAN traffic to your ISP's router/gateway. This would allow the devices to communicate with your LAN without needing extra VLANs, and allow you to control what devices have WAN access. You can go the ACL route as well, I would just be concerned if the devices need to communicate back and forth from a LAN perspective. You could still have the LAN traffic with the ACL, you would just have to make sure you configure the layers of the ACL properly to permit traffic leaving the segmented VLAN only if the destination IP is still on your LAN.

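
The ACL ordering point above, as an added worked example that is not code from anyone in this thread: a small first-match ACL evaluator in Python that permits traffic leaving the segmented VLAN only when the destination is still on the LAN, plus a check for rules shadowed by an earlier line. The 192.168.1.0/24 main LAN, the 192.168.2.0/24 IoT VLAN and the host addresses used in the comments are assumptions, not values from the thread.

```python
"""Constructed example: first-match ACL for an isolated IoT VLAN.
Assumed addressing (not from the thread): main LAN 192.168.1.0/24, IoT VLAN
192.168.2.0/24. Evaluated top-down, first match wins, as on a layer 3 switch."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

MAIN_LAN = IPv4Network("192.168.1.0/24")  # assumed main VLAN (hub, phones)
IOT_VLAN = IPv4Network("192.168.2.0/24")  # assumed isolated VLAN (AP + bridge)
ANY = IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

# Order matters: the IoT->LAN permit must sit above the IoT->any deny,
# otherwise the bridge's replies to the hub on the main LAN are dropped.
ACL = [
    Rule("permit", MAIN_LAN, IOT_VLAN),  # hub and phones may reach the bridge
    Rule("permit", IOT_VLAN, MAIN_LAN),  # bridge may answer, but only to the LAN
    Rule("deny", IOT_VLAN, ANY),         # anything else leaving the bridge VLAN is dropped
    Rule("permit", ANY, ANY),            # main LAN keeps its normal internet access
]

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a packet src->dst; implicit deny at the end."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in acl:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"

def shadowed(acl):
    """Indexes of rules that can never match because an earlier rule covers them."""
    hits = []
    for i, r in enumerate(acl):
        if any(r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst) for e in acl[:i]):
            hits.append(i)
    return hits

def misordered_acl():
    """Same rules with the two IoT lines swapped: the deny now shadows the permit."""
    return [ACL[0], ACL[2], ACL[1], ACL[3]]
```

With the rules in the order shown, a bridge at 192.168.2.10 can answer a hub at 192.168.1.20 but is denied to 8.8.8.8; swapping the two IoT lines makes the permit unreachable, which shadowed() reports.
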
19 hours ago, Tzomb1e said:

If it will function without a connection to their Cloud APIs, I would almost just toss a pfSense box in with a rule dropping traffic from those devices trying to leave the LAN. I know you said you have to use the ISP provided router/gateway, but you can have your LAN devices use the pfSense box as their primary gateway and then have the pfSense forward all WAN traffic to your ISP's router/gateway. This would allow the devices to communicate with your LAN without needing extra VLANs, and allow you to control what devices have WAN access. You can go the ACL route as well, I would just be concerned if the devices need to communicate back and forth from a LAN perspective. You could still have the LAN traffic with the ACL, you would just have to make sure you configure the layers of the ACL properly to permit traffic leaving the segmented VLAN only if the destination IP is still on your LAN.

Hi thank you for replying,

When you say it will function, do you mean the Google Home services or the Philips Hue?

The Philips Hue will, but I don't know if the Google Home needs internet to get to the Hue bridge.

Unfortunately I cannot put the entire network behind a pfSense box because putting the ISP gateway into bypass so the WAN can be forwarded disables my IPTV. If I put an RPi with pfSense as a bridge between my home network and my offline network (a wifi router and the bridge), could I restrict access that way without forwarding WAN, since that's what we're trying to block to begin with?

I guess the other question is, does the Google Home service do a handshake with the bridge or is it a passive command? Does the Google Home need to hear back from the bridge?

20 hours ago, Alex Atkin UK said:

I don't think Google Home is that clever to be honest, I believe it sends everything to the cloud to deal with.

Example, to connect with my LIFX bulbs you have to link it to the LIFX cloud service, and it doesn't even refresh the scenes or bulb names if I change them from the LIFX app AFTER it's been connected to the LIFX cloud service. I believe you have to unlink and link it again to the service to get the new names, pretty crap really.

I don't know the limitations of LIFX, but the Hue bridge works without internet. I just don't know if it will with Google Home. I guess what I can do is connect my phone to the offline WiFi network the bridge is currently connected to, and see if I can control it with my Google Home service on the phone?

On 2/12/2019 at 4:13 PM, lostandconfused said:

I don't know the limitations of LIFX, but the Hue bridge works without internet. I just don't know if it will with Google Home. I guess what I can do is connect my phone to the offline WiFi network the bridge is currently connected to, and see if I can control it with my Google Home service on the phone?

LIFX works without the Internet using their own app, but to give any other device access to them you authenticate to the cloud API. I'd be surprised if Hue is any different, as I believe LIFX changed it for security reasons. I know Logitech Harmony recently did the same, to prevent rogue devices on your LAN from taking control of your IoT devices.

As blocking individual devices from the Internet requires a router that can do so, it would be a cost for potentially ending up unable to use it how you want anyway.

This is the problem with IoT, it's all on the basis you trust these companies' online interactions. I'd very much like to limit my own devices to be controlled entirely by my own server rather than the cloud, but they do not cater for that.

You do not need to edit/change/configure/bridge your ISP gateway in order to connect an additional router. I would buy a wifi router that allows you a little control over things like DHCP (Asus routers for example give you a lot of control). You would effectively have 2 networks - primary IPTV network say 192.168.1.0/24 and your wireless network 192.168.0.0/24. Move all your wireless devices over to the new 0.0/24 network.

From this new wireless router, configure the DHCP specifically for your IoT devices without a gateway. No gateway = no internet.

**Edit - not being an owner of the Google Home I can't speak much to what it needs, but Chromecast loses its shit if it can't ping 4.4.4.4 or 8.8.8.8. Any voice commands for Google Home I know definitely will not work without an internet connection.

I am pretty sure the answer is in the question. And the question used the word Google in it. So, probably no. The bridge and the fixture connect together internally, but for the Home to work, it wants mother Google to instruct it... hence the ability to access it from a mobile device... anywhere. And if mother Google doesn't have the right to reach its unit, you are not going to be able to control anything using it. Very little these days will work without being able to connect to a server somewhere.

11 hours ago, GuruOfNothing said:

I am pretty sure the answer is in the question. And the question used the word Google in it. So, probably no. The bridge and the fixture connect together internally, but for the Home to work, it wants mother Google to instruct it... hence the ability to access it from a mobile device... anywhere. And if mother Google doesn't have the right to reach its unit, you are not going to be able to control anything using it. Very little these days will work without being able to connect to a server somewhere.

To be fair, this is about blocking the Hue Bridge, not Google Home. But your point still stands that Google Home AFAIK is entirely run "in the cloud", with the control devices just being fairly dumb audio capture/playback boxes that send the voice commands over to Google servers, which do the actual interpretation and control via the Internet.

So if the Hue is not connected to the Internet, Google Home won't see it.
