
Tuesday, October 10th, 2023 3:14 PM

Closed

IoT Device Isolation / Xfinity Wifi Hotspot?

I'm a new Xfinity customer. I purchased/subscribed to the Unlimited Data Plan and am using the Xfinity supplied device. First off, setup was easy and I'm getting a great signal across my whole house. But...

But, what I thought would be easy, because I've done this at my old home with a different cable/internet provider, appears to not be supported with Xfinity - which I find really surprising. What I want to do is simply, and in accordance with all internet security best practices these days, segment all the IoT devices in my house onto a separate "IoT only" network. So they won't have connectivity to things like my desktop and laptop computers, SAN storage, etc. Preferably even on the IoT network, they'd be isolated from one another.

But there appears to be no clear way to set this up using the device Xfinity provided (model CGM4981COM) unless I'm missing something.

Reading through these forums, I don't see an alternative but I find it hard to believe that's an acceptable answer. I also considered using the "Xfinity Wifi Hotspot" that I enabled. On the surface, being able to use it would seem to meet my needs, but I don't see a clear way to provide these (rather dumb) IoT devices with the access details to that network. It seems Xfinity wants this "guest network" to be available only to people's phones that it recognizes and isn't something I can use for my purposes. That kind of makes me want to just turn off this feature of their gateway but maybe I'm missing some clever way to leverage this?

To be clear, an idea like connecting my own wifi router south of their gateway won't solve my security concerns unless there was a way to tell their gateway to isolate traffic to/from that network from its wifi and LAN.

Any suggestions?  

Am I going to have to resort to learning how to put their device into "bridge mode" and do the "3 router" thing (https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/)?

 

Thanks!

Accepted Solution

Official Employee


893 Messages

1 year ago

@user_j4njzu, I appreciate your time working with me today, please let me know if there is anything else you may need assistance with. We are available 7 days a week from 6:00am - 12:00am EST. The search tool is also a great way to check for similar issues or questions you may have that a wonderful community member has already created a post for.

Official Employee


893 Messages

1 year ago

Hello, @user_j4njzu. Thank you for reaching out over Xfinity Forums for support, you have contacted the right place for assistance in regard to your modem questions. The xFi gateways are set up to use the optimal 2.4 or 5 GHz network and auto-connect to the best network, so making internal changes is limited. Here is some more information: https://www.xfinity.com/support/articles/change-wifi-mode-admin-tool-xfinity-xfi.

 

If you're looking to turn your home WiFi hotspot off this article is very helpful to walk you through the steps: https://www.xfinity.com/support/articles/disable-xfinity-wifi-home-hotspot. 

 

When setting up bridge mode to use personal routers, here is some good information on setting that up and the features you have while in bridge mode: https://www.xfinity.com/support/articles/wireless-gateway-enable-disable-bridge-mode.

 

Problem Solver


1.5K Messages

1 year ago

For more complex routing, and because I don't trust a consumer closed-source gateway for security (or one with a phone app.....eyeroll), I use a firewall/router. Check out Netgate's pfSense Community Edition (free) https://docs.netgate.com/pfsense/en/latest/ or, if you want to really get into customizing and build your own distribution, OPNsense https://docs.opnsense.org (free). OPNsense has built-in build tools so you can check out source code, mod stuff, and recompile your own distribution.

Buy a straight modem and a junk/refurb 64bit PC with at least two Ethernet ports (see hardware requirements). 

You can segregate VLANs, or buy a cheap NIC card with a couple of ports, or several if you've got the slots for them. The Intel network cards are a bit more compatible with BSD (what's under the hood). Generally, I use a dedicated Ethernet LAN port for each segregated subnet. It makes the firewall rules easier. A specific device on a subnet can communicate between subnets, or they can remain totally isolated if you want. You just make a firewall rule for that. A cheap access point can provide WiFi on an isolated subnet if you need it.

Lots of add-on possibilities too. Anything you can compile on BSD. They have some pre-packaged stuff in a repo too.

(edited)
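The "one LAN port per subnet, one firewall rule per exception" approach described above is easy to reason about because the policy is just an ordered list of zone-to-zone rules with a default deny at the end. The following added example (written for this page, not taken from pfSense, OPNsense or any poster) models that policy in plain Python so the rules can be checked against sample flows before they are typed into a real firewall. Every address, the zone names, and the "IoT may only reach the MQTT broker on tcp/1883" exception are constructed assumptions for illustration. It also makes one caveat visible: two devices on the same subnet never cross the firewall, so the "isolate IoT devices from one another" wish from the original post has to be met by the access point (client isolation) or by putting each device class on its own segment, not by router rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address
from typing import Optional

# Constructed example addressing: one /24 per dedicated LAN port, as the post suggests.
ZONES = {
    "LAN":     ip_network("192.168.10.0/24"),   # desktops, laptops, NAS
    "IOT":     ip_network("192.168.20.0/24"),   # plugs, bulbs, speakers
    "CAMERAS": ip_network("192.168.30.0/24"),   # PoE cameras
}
MQTT_BROKER = ip_address("192.168.10.50")       # constructed: the one LAN host IoT may reach


def zone_of(ip: IPv4Address) -> str:
    """Map an address to its segment; anything not local is treated as the internet."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str                      # zone name or "ANY"
    dst_zone: str
    action: str                        # "allow" or "deny"
    dst_host: Optional[IPv4Address] = None   # narrow to a single destination host
    proto: Optional[str] = None              # "tcp" / "udp", or None for any
    dport: Optional[int] = None
    note: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        if self.src_zone not in ("ANY", zone_of(src)):
            return False
        if self.dst_zone not in ("ANY", zone_of(dst)):
            return False
        if self.dst_host is not None and dst != self.dst_host:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


# First match wins. The last rule is the default deny between segments.
RULES = [
    Rule("LAN", "ANY", "allow", note="trusted hosts may initiate to anything"),
    Rule("IOT", "LAN", "allow", dst_host=MQTT_BROKER, proto="tcp", dport=1883,
         note="the single permitted IoT -> LAN path: MQTT to the broker"),
    Rule("IOT", "WAN", "allow", note="IoT devices need their cloud services"),
    Rule("CAMERAS", "WAN", "deny", note="cameras are recorded locally; no phoning home"),
    Rule("ANY", "ANY", "deny", note="default deny between segments"),
]


class StatefulFirewall:
    """Evaluates new connections against RULES and remembers what it allowed,
    so that reply traffic is accepted only for sessions opened from the permitted side."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (src, dst, proto, dport) tuples that were allowed

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        s, d = ip_address(src), ip_address(dst)
        if zone_of(s) == zone_of(d):
            # Same segment: the packet never reaches the router, so no rule can apply.
            return "not-filtered"
        for rule in self.rules:
            if rule.matches(s, d, proto, dport):
                if rule.action == "allow":
                    self.sessions.add((s, d, proto, dport))
                return rule.action
        return "deny"

    def reply_allowed(self, src: str, dst: str, proto: str, sport: int) -> bool:
        """A reply (dst -> src direction of a known session) is only let through
        if the forward connection was allowed earlier."""
        return (ip_address(dst), ip_address(src), proto, sport) in self.sessions


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    # Constructed sample flows; 203.0.113.10 is a documentation (TEST-NET-3) address.
    flows = [
        ("192.168.10.20", "192.168.20.5", "tcp", 80),     # laptop -> smart plug
        ("192.168.20.5", "192.168.10.20", "tcp", 445),    # smart plug -> laptop SMB
        ("192.168.20.5", "192.168.10.50", "tcp", 1883),   # smart plug -> MQTT broker
        ("192.168.20.5", "192.168.10.50", "tcp", 22),     # smart plug -> broker SSH
        ("192.168.30.7", "203.0.113.10", "tcp", 443),     # camera -> internet
        ("192.168.20.5", "192.168.20.6", "udp", 5353),    # plug -> plug, same segment
    ]
    for f in flows:
        print(f"{f[0]:>15} -> {f[1]:<15} {f[2]}/{f[3]:<5} {fw.evaluate(*f)}")
```

Reading the rule list top to bottom mirrors how pfSense and OPNsense evaluate per-interface rules (first match wins, with an implicit block at the end), which is why the post calls a dedicated port per subnet "easier": each interface's list stays short and the exceptions stand out.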

2 Messages

1 year ago

Thanks @flatlander3 and @XfinityJustinC for confirming what I feared I'd have to do! 

I doubt I'll be rolling my own OPNsense device, I'll probably go with one of the pre-installed Netgate (2100 looks about right) devices and just learn to configure it properly. Something like

Xfinity device in Bridge Mode -> Netgate device -> AmpliFi Alien(s) for Wifi (which I currently have but not installed in the new house, it's from my old one)
                                                -> PoE switch for Cameras
                                                -> IoT LAN


I guess I have a lot of reading, configuring, and testing to do ...

Problem Solver


1.5K Messages

@user_j4njzu​  Sure.  The Netgate 2100 will work exactly like that.  Keep in mind your WAN port is a 1Gbps port on that one, so max throughput is going to be 960-980Mbps if you are currently subscribed to a higher speed tier.

That's one of the nice things about just buying an old office refurb Dell machine for $80 bucks. You can pop in a 2.5Gbps card for the WAN at any time if you need it, and dual port Intel NIC cards are $30 if you've got extra slots ($90 for a 4 port). The hard drive doesn't matter. A 40GB SSD is plenty of space -- use an SLC, not an MLC SSD. SLC is much more durable on writes. 8G of memory is fine.

One thing about Xfinity though. In most markets, they only pass out a /64 prefix for IPv6 for some reason, so only one of your subnets will be IPv4/IPv6. The others will be IPv4 only. It shouldn't really matter as things stand today. I haven't ever had an issue where I couldn't reach a site with IPv4. Years from now, that may not be the case.

As far as bridge-mode on an Xfinity gateway, there isn't much point to that.  You are renting it for $14-16/month, and using it like a straight cable modem.  You might consider just buying one of those.  Break even happens sooner or later.  Find an approved model number here, and shop around.  Prices vary:  https://www.xfinity.com/support/articles/list-of-approved-cable-modems 

*I'd also add, for testing when you get it or buy one: you can leave the gateway in gateway mode for testing, and your gateway WiFi will still work (the radio is disabled in bridge mode). Figure out the interface and config before you deploy it. It's called a "double NAT", but it will work. When it does, you just change your gateway and reboot.

(edited)

Regular Visitor


3 Messages

Many thanks for all of this knowledge. 
