Arlo|Smart Home Security|Wireless HD Security Cameras

Arlo Smart Hub 4540 - How to Block It from Access to Other Devices on Router

Discussion stats
  • 3 Replies
  • 1457 Views
  • 0 Likes
  • 3 In Conversation
centralVA
Aspirant

I need some pre-sales technical support.  The Arlo Pro 3 smart hub plugs directly into your router ethernet port to establish an internet connection.  My question is how do you prevent the smart hub or anything connected to it from accessing other devices or computers connected to your router?  The FBI recommends, as a best practice, that your Internet of Things devices be connected to a separate network that cannot access your router's intranet.  This is easy with most routers by using the Guest network function.  For my other home security hub which has a wireless connection instead of an ethernet connection I connect it to a 2.4 GHz guest network which, by default, blocks it or any devices connected to it from accessing devices connected to my non-guest wireless LAN.  How do I get this functionality with the Arlo smart hub and wireless devices connected to the smart hub?

jguerdat
Guru

You can't separate the Ethernet connection without advanced networking knowledge (which I don't have). So, theoretically, you can't separate it from your network. The WiFi between the hub and cameras is dedicated with no access by you or anyone else without substantial capabilities (anything can be hacked). However, there have been no known real cases of hacking Arlo that have been reported here. Thus, as long as your network is reasonably secure with the firewall up and a strong WPA2 or higher password on your WiFi, there's little chance of anyone being able to gain access. Of course, access from inside your network can negate all of your attempts to secure things, so best practices for web browsing, email, etc. should be followed to keep the concern to a minimum.

The recent issue with Ring had to do with weak and/or reused passwords that allowed folks to log into the service, taking control as if they were the owner. Use of a strong Arlo password as well as two-factor authentication (2FA) reduces the risk substantially.

centralVA
Aspirant

Thanks for the reply.  I also could not find an easy answer.  After further research, however, I did find that by using DD-WRT firmware in my router I can configure a VLAN for a specific ethernet port which will isolate all the devices on that port; i.e., the Arlo Smart Hub and everything connected to it.  I still will have to try this out and verify that it works, but it seems like it should.  I picked DD-WRT since it has a GUI configuration page for VLANs, as well as for Guest Wireless LAN access which will set up a VLAN for wireless devices.  It's a shame that router manufacturers don't offer the Ethernet VLAN functionality in their stock router firmware.  Color me paranoid about IoT hacking and malware 🙂

StephenB
Guru

@centralVA wrote:

After further research, however, I did find that by using DD-WRT firmware in my router I can configure a VLAN for a specific ethernet port which will isolate all the devices on that port; i.e., the Arlo Smart Hub and everything connected to it.

It's a shame that router manufacturers don't offer the Ethernet VLAN functionality in their stock router firmware.  Color me paranoid about IoT hacking and malware 🙂


That will work, though you will lose some features (in particular, local 2K live streaming).  Direct access to local storage might be affected - you'd need to use port forwarding even when on your home network, which limits the isolation.

You might also have trouble setting up (or resyncing) the system - as that does require your PC or mobile device to be able to reach the base station over the network connection.

FWIW, I agree that router manufacturers should include network isolation in their products for IoT (particularly the higher-end ones).

Other setups that would work:

  • double-route (two NAT routers back to back), and connect the base station to the outer router.
  • connect the base to a wifi extender, and connect the wifi extender to the router using the router's guest network.


@centralVA wrote:

  Color me paranoid about IoT hacking and malware 🙂


There's good reason to be paranoid.  Though in this particular case, the base station isn't a low-end appliance with no built-in security features.  It's a modified router - and it has been hardened so you can't directly log into it over either WiFi or the base station.  Personally I just leave it on my normal network (though I actually do have VLANs in place for other purposes).

You do of course need to trust the security of the Arlo Cloud.  But if you don't feel you can do that, you probably shouldn't be using their products (since the threat of illicit access to the camera footage and live camera streams is serious enough that you don't need to consider other threats).  
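An added example, not part of any post above and not Arlo or DD-WRT code: a shell function that prints the iptables rules for the port-VLAN isolation discussed in this thread, with a single trusted host still allowed to open connections to the hub for setup or resync. The interface names `vlan3` and `br0` and the address `192.168.1.50` are assumptions; the real names depend on the router hardware and firmware build.

```shell
#!/bin/sh
# Added example: prints rules only, nothing is applied to a firewall.
# Assumed names (not from the thread): vlan3 = VLAN on the hub's port,
# br0 = trusted LAN bridge, 192.168.1.50 = PC/phone used for setup.

iot_isolation_rules() {
    iot_if=$1; lan_if=$2; admin_ip=${3:-}
    if [ -z "$iot_if" ] || [ -z "$lan_if" ] || [ "$iot_if" = "$lan_if" ]; then
        echo "usage: iot_isolation_rules IOT_IF LAN_IF [ADMIN_IP]" >&2
        return 1
    fi
    n=1
    # Replies to sessions that were opened from the trusted LAN may return.
    echo "iptables -I FORWARD $n -i $iot_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT"
    n=$((n + 1))
    if [ -n "$admin_ip" ]; then
        # One trusted host may open connections to the hub (setup / resync).
        echo "iptables -I FORWARD $n -i $lan_if -o $iot_if -s $admin_ip -j ACCEPT"
        n=$((n + 1))
    fi
    # Anything else the hub side sends toward the LAN is dropped.
    echo "iptables -I FORWARD $n -i $iot_if -o $lan_if -j DROP"
    # The hub side may not open the router's own TCP admin services.
    # DHCP and DNS (UDP) from the router stay reachable.
    for port in 22 23 80 443; do
        echo "iptables -I INPUT 1 -i $iot_if -p tcp --dport $port -j DROP"
    done
}

# Print the rule set for the assumed interfaces and setup host.
iot_isolation_rules vlan3 br0 192.168.1.50
```

The rules are inserted at explicit positions so the ESTABLISHED,RELATED accept is evaluated before the drop. Review the printed rules before running them on the router.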
