[stevelup]

Suggest you use these:-

https://www.broadbandbuyer.com/products ... ocom2-kit/

Come pre-configured and ready to run out of the box. I have 20+ pairs of these out in the field and they are zero trouble.

[Colonel Panic]

Thanks @stevelup - if I were to use those I could reduce the distance to 75 metres, spurting the signal from my office instead of from the garage (where the SWA cable goes from to the top of the drive). I've watched a couple of YouTube videos re setting them up, and understand what to do at the office end, but what hardware would the "slave" unit need to have attached to it in order to radiate wi-fi by the gate? The videos don't really make that clear. Maybe "just" an Airport Express or similar? The less the better financially and pfaff-wise

I have a weather proof plastic box on a post with the gate electronics and a 13A socket, so I do have some space if required.

[stevelup]

Shame the thing you’re connecting to is WiFi only.

Does it have an external antenna connector? If so, you could put a high gain directional antenna on it and then just have a single Ubiquiti device by your office pointing at it.

[Colonel Panic]

I haven't decide on "the thing" yet - but likely to be either a widget that will feed in to the gate controller (so I can keep it open on an ad hoc basis rather than current hard wired digital time clock which is a pain to access) which is either 868mhz or AIUI 24v DC wired, and possibly a "magic eye" widget that could alert me through an app to the gate opening. I half thought about using the soon to be released Shelly Door Sensor so that it fits in with Hassio etc.

[Colonel Panic]

Slightly random question: if reserving a LAN IP eg to fix a camera, so that it falls outside DHCP, does it matter whether you reserve a low number or high number (ie 192.168.1.20 or 192.168.1.180)? Is there a "best practise"?

[stevelup]

Entirely up to you. There's no best practice for this.

[rikur_]

Slightly random question: if reserving a LAN IP eg to fix a camera, so that it falls outside DHCP, does it matter whether you reserve a low number or high number (ie 192.168.1.20 or 192.168.1.180)? Is there a "best practise"?

Various network engineers that have worked for me have had their own conventions and justifications of why they are 'right'. In a small domestic network it's probably irrelevant, but as networks grow it can make life easier to set yourself some own conventions.
e.g.
192.168.1.1 - 63 .... static/reserved IP with outbound network access
192.168.1.64 - 127 .... static/reserved IP with no default internet access
192.168.1.128 - 254 .... DHCP addresses

then within that I allocate ranges for device types (e.g. 192.168.1.64 - 79) are IP cameras ... partially that makes life easier with allocating firewall rules (e.g. IP cameras are allowed internet access for ntp but nothing else), and also makes it easier when looking at things like traffic stats to instantly recognise what sort of device is consuming bandwidth

As a general aside, it can be preferable to avoid 192.168.1.x range, and pick something in the 10.x.y.z range. There are some exploits including a recent Draytek one that rely on the assumption that your router will be 192.168.1.1 ..... it also makes life easier if using VPN connections to client systems etc as less likely to have an IP clash.

[Barcli]

ColonelP - have a look at gogogate2 - I use it for gagrage doors and gate openers - it has sensors to indicate closed/open - can be programmed- can activate IP cameras , and all controllable from your app / iphone

[Colonel Panic]

Thanks all - very helpful. I'll start to get things in more order, but changing from 192.... to 10.... will have to wait for a more root & branch upgrade.

I've also heard that it is good to separate out all IoT stuff on to a separate network; should that be a separate SSID, or a separate LAN (ie LAN2)? But would doing so not make interacting with it locally (set up & subsequent interrogation of devices) more difficult? c/f laptop on "main" network, widget on "IoT" network.

[Colonel Panic]

The gogogate2 is now called ismartgate and it does look good - and not hideously expensive. I've "reached out" to them ( ) to see if the 150m distance between the garage and the gate is a surmountable problem, as it would make sense if both locations could be served by the same hardware/app.

[stevelup]

The problem with segregating IoT stuff is that often the discovery by apps then fails. Much of it is badly implemented.

You might find that you can switch to your IoT WLAN/VLAN, do the discovery, then switch back to your 'safe' WLAN and find everything still works.

Or it might not... It's a lot of work for minimal gain to be honest. Everything uses SSL these days and your Apple things don't have any open ports anyway unless you've deliberately done something weird, so I'd just get on with it. I'm really not sure what harm a rogue IoT device could really do anyway if everything is properly secured to start with.

[rikur_]

I've also heard that it is good to separate out all IoT stuff on to a separate network; should that be a separate SSID, or a separate LAN (ie LAN2)? But would doing so not make interacting with it locally (set up & subsequent interrogation of devices) more difficult? c/f laptop on "main" network, widget on "IoT" network.

I'd agree with Steve that it's probably overkill for most people.
I've done it nonetheless (!), 4 VLANs, each with their own wireless SSID:
1) General (normal laptops, phones, printers, NAS, etc)
2) Kids (with content filtering)
3) IoT
4) Guests

3 and 4 are self contained (i.e. no access to each other or the other VLANs)

My initial rationale was to set-up the kids network - i.e. to create a network for the kids laptops, tablets, etc that had content filtering by design. It took a little bit of fiddling (with a tool called proxy-arp) to get things like DLNA and mirrorcast to work across the two VLANs, but after the initial set-up they all seem to work fine. We've also ended up with a couple of the smart TV's on the kids network as a lazy way of blocking YouTube.

The IoT network was set-up out of paranoia. Various things from CCTV, heating, weather station, automation, etc. In theory some of these could be a point of entry to the network to run malicious code, and some (E.g. house alarm) have remote access by design from the alarm monitoring company .... so I isolated them from the main network. As Steve says this often means that to initially set them up I need to temporarily connect to the IoT network to run the initial discovery and configuration routine.

I don't think I would recommend that others bother.

Everything uses SSL these days and your Apple things don't have any open ports anyway unless you've deliberately done something weird, so I'd just get on with it. I'm really not sure what harm a rogue IoT device could really do anyway if everything is properly secured to start with.

I'd generally agree. Ironically if anything is vulnerable it's probably the other IoT devices on the same VLAN anyway. There are a few 'holes' on the generic network - e.g. DLNA by design makes photos available insecurely, so was one reason for putting guests on a separate VLAN.

[Flyin'Dutch']

Is there any mileage or need to get a VPN with all these IoT things reporting to their Chinese owners? I have been pretty relaxed about that with normal internet access as our internet activity is rather uninteresting but maybe not advertising the layout of one's house, cameras etc may not be unclever?

[rikur_]

Is there any mileage or need to get a VPN with all these IoT things reporting to their Chinese owners? I have been pretty relaxed about that with normal internet access as our internet activity is rather uninteresting but maybe not advertising the layout of one's house, cameras etc may not be unclever?

I'm not sure that VPN is the answer to that issue.
(Ignoring their legitimate corporate purposes) VPN's are typically used to obscure where you are accessing the internet from. Typically these are set-up using configuration on your computer, so the IoT stuff would bypass it anyway.

[rikur_]

...all these IoT things reporting to their Chinese owners?

As an aside, having done far too much traffic analysis ... the Android things reporting to their Google owners, seem to out talk the Chinese things by a factor of 10.