In reply to a post by Fido:

The additional devices that I am slightly concerned about are;

(1). The Hive Heating Control System.

(2). The Smart TVs.

(3). The BSkyB Sky Q Boxes.

(4). The Xbox/s.

(5). etc.

Are any of the above devices potential security risks?

Yup - all of them are potential security risks - it's all about your particular risk appetite.

Everything in my house that I don't/can't personally manage the security of, is in its own VLAN (essentially the "guest" network) that cannot get to the regular VLAN where things like my PC & phone go.

In reply to a post by Fido:

There is a lot of discussion on the internet about the vulnerability of certain devices, (with weak passwords), being on a Home LAN in which devices can then potentially communicate with each other and since my personal knowledge of internet security is not expert, (it is certainly a lot better than average and like you I can put forward a gut feeling but certainly not expert), I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

In simple terms

All the connected devices on your LAN will tend to be protected from "the internet" in terms of inbound attacks because they will be behind NAT or the firewall on your router. Yes there are elaborate ways to evade that but it's irrelivant so for one moment just assume that anything on your LAN cannot be compromised from an inbound connection from the internet.

However, if any of these devices have bugs or backdoors in them, or make calls to the internet and then end up compromised, they can in themselves be untrusted. These devices, sitting on your LAN, DO have the ability to connect to the other devices on your LAN, because they are on the same network.

This is what is known as lateral movement.

It's a bit like locking your front door on your house - that stops strangers from outside stealing things, but it doesn't stop rogue family members who are inside the house from doing that and then unlocking the door and leaving with your posessions.

So by implementing a private VLAN approach you are effectively locking every room in the house and each person in the house can only steal things from their own room and leave the house, they can't steal things from other rooms.

But realistically are your family members going to do this and would they be able to steal things easily from other rooms? In the case of your devices on the LAN - it's very unlikely. These devices would need to become compromised (unlikely) and then be able to leverage an exploit on the other device. It's just not going to happen.

In reply to a post by Fido:

I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

My advice to you would be its not worth the hassle. It will cause more problems than its worth and unless you know what you are doing it will result in problems. For example as soon as you want to connect your phone to your TV or control your home lighting, anything that relies on direct connectivity will fail or go wonky. Here's my guess as to what happens with your devices if you start segmenting them etc.

(1). The Hive Heating Control System. - Will be OK

(2). The Smart TVs. - Won't be OK if you interact with them on your phone

(3). The BSkyB Sky Q Boxes. - Won't be OK

(4). The Xbox/s. - Will be OK

(5). etc. - Who knows

In reply to a post by Pipexer:

In reply to a post by Fido:

I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

My advice to you would be its not worth the hassle. It will cause more problems than its worth and unless you know what you are doing it will result in problems. For example as soon as you want to connect your phone to your TV or control your home lighting, anything that relies on direct connectivity will fail or go wonky. Here's my guess as to what happens with your devices if you start segmenting them etc.

(1). The Hive Heating Control System. - Will be OK

(2). The Smart TVs. - Won't be OK if you interact with them on your phone

(3). The BSkyB Sky Q Boxes. - Won't be OK

(4). The Xbox/s. - Will be OK

(5). etc. - Who knows

At present the way that I have things set up does work seamlessly with fast internet and good WIFI everywhere so any changes are a hassle.

Personally, I prefer to restrict the amount of my personal information that is collected, I avoid social media and I certainly would not miss the lack of access between the Sky Box and my phone, and other interconnectivity etc. as I do not bother with any of that but do I accept the point that it may not be worth the hassle as I do not see it as being likely. - (Definitely possible but not likely).

The problem is ALL Security setups are a bit like an insurance policies in that you do not know how good or bad the insurance policy is until after you need to make a claim which may never happen.

A person may choose to have Open WIFI, (it is a lot less hassle, it is simpler and easier), and they may never have a problem with Open WIFI but these days we all use the most secure types of WIFI that our routers etc. can handle because there is no point taking unnecessary risks.

I do not plan to revolutionize my setup but I will tweak it.

My present plan is to keep my Router's Home Ethernet LAN Network and my Home WIFI completely separate just for our PC's , IPads and Phones, - to have a separate WIFI Network for Guests and to put all ethernet devices onto one or two Separate Ethernet LAN/s Networks either via a VLAN/s system , (if I can ever get that to work), or via hardware devices set up to provide separate Ethernet LAN/s.

It does not need doing overnight but it is sensible that we are all aware of the potential issues and as we update our systems we do so in a way that minimizes or eliminates the unlikely risk.

Obviously you are free to do as you wish - but just to play this back - you have essentially asked in here is it worth it - everyone has told you no, provided sound reasoning and advice, and warned you about all the pitfalls, and the fact it's not really going to improve your security, and yet it seems you are going to proceed to do it anyway.

Meanwhile use of Kaspersky, Nord VPN, and your so-called router's AI security is highly questionable.

As long as you enjoy tinkering then by all means have a go - nothing wrong with having a play with things - but it's not the security answer you are looking for.

In reply to a post by Pipexer:

everyone has told you no, provided sound reasoning and advice, and warned you about all the pitfalls, and the fact it's not really going to improve your security

Actually almost the complete opposite is true.

The expert advice, (as per the supplied video from Steve Gibson), is that there is a potential problem that needs to be thoughtfully considered.

Laymen like you and I, who have much less understanding of internet security, (even though I was a professional engineer for 45 years and was Registered with The Engineering Council), are less concerned but the sensible person will consider tweaking the Home LAN setup over time especially as new smart devices are bought and they are added to the home network.

Edited by Fido (Wed 11-Feb-26 21:56:12)

In reply to a post by Fido:

The expert advice, (as per the supplied video from Steve Gibson), is that there is a potential problem that needs to be thoughtfully considered.

Laymen like you and I, who have much less understanding of internet security, (even though I was a professional engineer for over 45 years and was Registered with The Engineering Council), are less concerned but the sensible person will consider tweaking the Home LAN setup over time especially as new smart devices are bought and they are added to the home network.

Serious question, do you take the same approach to your cars security? much has changed since the 1970s.

Do you have extra security installed including a ghost immobiliser, tracker, air tag and sim based cameras installed? as it only takes a theft a few seconds to nick a modern day car if you don't!

It's not a security risk in any measureable amount - I have explained why. It would first of all require one of those devices to become compromised (unlikely), and then once compromised to be able to then leverage an exploit against another device, the chances of that happening are practically zero as it would require 2 unlikely events to happen in conjunction. It would likely require human intervention to be able to conduct something like that, and that sort of effort is reserved for nation-state activity.

To put this another way - what security risk do you think there is / are you looking to mitigate?

What does Steve Gibson actually say about this? Is it all conjecture? Does it make sense to you? Is it rationalised?

That was a very good rant.

I accepted the viewpoint that it may not be worth the hassle as I do not see it as being likely. - (Definitely possible but not likely).

You seem to be confusing a discussion about potential security issues with potential acolytes having the audacity to make their own minds about their own internet security having listened to a range of views, mainly from people who work in this field but also from laymen like you and me.

I do not plan to revolutionize my Home LAN setup but I will tweak it and that is my choice!

You mentioned my router having optional AI Security via Trend Micro as if that was bad ?

It also has optional DoS Protection, optional QOS, network monitoring features/traffic analysis, excellent WIFI and a generally excellent overall performance.

We all choose our own routers for different reasons: your choice is Draytek which is considered to be an excellent router choice for different reasons - Not for its WIFI performance as that is inferior, not for its speed and not for its user menus but for it VLAN capabilities but why would anyone, who does not see the point of separating certain devices onto separate LANs, choose a router which only really excels in that feature ?

The problem is that ALL Security setups are a bit like an insurance policies in that you do not know how good or how bad the insurance policy is until after you need to make a claim which may never happen.

I have explained that I do not see it as being a huge risk, however, the more that I looked at it the more obvious it became that certain devices could become a risk and separating these devices on the Home LAN Network seems sensible.

In reply to a post by Fido:

That was a very good rant.

There is always so much stuff out there on the internet to support whatever view you have on a particular subject matter. As you have clearly made your mind up about what you're going to do why not just get on with it.

Interesting you didn't confirm your risk appetite for protecting your car like you want to do your home network😎