Your smart home and the Internet of Things (IoT) devices it comprises are fantastic for convenience, but, as with most networked devices, the trade-off is reduced security. We've all seen the reports of IoT devices and other networked devices like printers being infected and turned into massive botnets, and the unwelcome truth is that many of our smart devices could be vulnerable to attack.
Even if not infected, letting random IoT devices connect to the internet is a potential security risk, and I'd rather not let the cheap Wi-Fi connected lightbulbs that make my living space cozier betray me. Instead, I've blocked all IoT devices from accessing the internet, though I will grant them access for a brief period a couple of times a year to check for updates and security patches. It's a pretty quick process to set up, and it makes me feel better about using devices that I don't have the technical skills to dissect.
Go bespoke or DIY but all you need is a network firewall
Home network security doesn't only protect from threats outside your home
Blocking any devices from connecting to the internet usually requires a firewall, and building a custom firewall is easier than you'd think. I used OPNsense for this, but you can use many other custom firewalls to achieve the same goal, or a bespoke system like those from Ubiquiti, TP-Link Omada, and others.
I used a $150 mini PC with an N150 processor and two 2.5GbE ports, but you could use old PC hardware, or a mini PC designed for use as a firewall. You might not need to build your own firewall, depending on the router you're already using, but it's certainly easier to do on a system designed for security.
A few network and firewall rules later, and my goal was achieved
The easiest way I've found for managing IoT devices is to put them all on one VLAN, which is then isolated from the rest of your home network. This lets them talk to one another if necessary, but keeps broadcast packets away from the parts of your network where your laptops and computers live.
Once I had those IoT devices on a VLAN, setting a default DROP ALL traffic rule from that VLAN to anything else stopped them both from dialing home to remote servers and from reaching any of my other network segments. I also blocked DNS access to my gateway from the IoT VLAN, because if it shouldn't be dialing home, it doesn't need to resolve names.
Then I set up mDNS reflection to ensure local smart device services like AirPlay still work, plus a stateful rule so that IoT devices can return traffic to the main network when a device there initiates the connection.
If your network doesn't support VLAN segmentation, you still have options
Not every network wants or needs the complexity of VLANs, and I can completely understand if you'd rather handle your IoT devices in another way. It's going to be more time-intensive, however, because you'll first need to catalog all your IoT devices, with their MAC and IP addresses, then create outbound firewall rules blocking traffic from those MAC or IP addresses to the WAN zone. This should be achievable on most home routers, though some ISP models might not let you add blocking rules.
There's one last thing to do: block all outbound DNS requests on ports 53 and 853 (DNS-over-TLS) at the firewall level. Many IoT devices have hardcoded DNS server addresses, which let them sidestep your network's blocking rules if this isn't addressed. Adding a Pi-hole as a DNS-level sinkhole completes the setup, ensuring any errant devices cannot get around your rules.
Now I had another issue to solve
Why does my lightbulb need to talk to a cloud server anyway?
You might find that some of your IoT devices have stopped working or have reduced functionality once you block them from internet access. Several of my robot vacuum cleaners were affected like this because they contact the servers for various things, as were my Hue bulbs, which contact the servers for some of the scenes.
There should be no reason that any IoT device has to rely on external servers. This was one of the things the Matter protocol was supposed to fix by requiring local-first control. Companies could then use external servers for extended features, but every core function needed to be reachable if there was no internet access.
Home Assistant to the rescue
Home Assistant has been the best tool for managing my IoT and other smart devices, enabling me to ditch dozens of dedicated apps to have everything controllable from a consolidated dashboard. It's easy to set up, fairly easy to maintain, and has a huge community of enthusiasts who have probably already solved any issue you run into.
And it gives you local control over your smart home, which should be the default in my opinion. Relying on cloud servers is yet another point of failure, to say nothing about the potential security risks. And whether you use a VLAN or other methods to block your IoT devices from accessing the internet, they'll still be accessible via your local network.
I want local control for my smart home, so I'm not relying on the cloud
It's surprisingly simple to block your IoT devices from phoning home to their hardcoded servers. It's slightly more complicated to get local control of those devices if they rely on a cloud service for connectivity, but I've found third-party replacements for all the smart home devices I own and managed to connect them to Home Assistant, so I still have full control over them. I do have to check manually for any updates on those IoT devices, but the companies update them so infrequently that it's only a quick check every few months.
