Most IoT devices use external cloud services, where the device establishes an 
outbound connection to the external service. As such, your typical 
"established" rules take care of the rest. For something like the Xbox, the 
games tend to pick the best host for multiplayer (if it's doing Xbox<->Xbox 
communications), so it will take the one that's wide open over one that is 
blocking all inbound connections (MS calls it "strict NAT"). Pretty much any 
Xbox on a home network is going to use UPnP to open up all the necessary ports, 
allowing a "strict NAT" Xbox to connect to it.

Even for something like Google Cloud Print, the device (e.g. a printer) opens 
an outbound connection to Google, and communication happens over that 
persistent connection. Again, as long as your firewall/ACL allows established 
connections, this works as it should. It's always the device establishing the 
outbound connection rather than the external service trying to establish an 
inbound connection.

If anything, the need to poke holes is diminishing. Device/service companies 
realize that the average person isn’t going to know how to poke holes in their 
router, and a corporation is unlikely to do so at all. Thus, everything is 
about the device establishing the connection outbound, and communication 
occurring on that persistent connection.


Jeff

On 6/8/16, 8:37 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Curtis K. Larsen" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of 
curtis.k.lar...@utah.edu> wrote:

So today we have the 1x student, faculty, staff network, and the open guest 
network only. So essentially the "guest" network doubles as the non-1x option. 
We are contemplating a PSK network that could accommodate registered non-1x 
devices for students in student housing areas, for example, and that could 
solve some of these problems, but that is farther out and not the main point of 
my post.

My original question was for those that do have the default deny inbound 
already (and it sounds like the majority are doing this). What are the top 
requests that you get for exceptions to the rule, if any? We want to forecast a 
little and understand what might break when we add the deny inbound. And, yes, 
we've been looking at flow data and AVC data from the WLC.

My concern is that particularly in housing areas (but also some on campus) the 
number of devices that act like a server in some way, requiring inbound 
connections, is probably growing. The multi-player Xbox explanation is 
interesting. Any other common examples you've seen?

Thanks,

Curtis


On Wed, June 8, 2016 7:59 am, Thomas Carter wrote:
> What do you consider a "guest" network? I ask, because we have a "guest" 
> network that is just for use by people not directly associated with the 
> college (i.e. not faculty, staff, or a student). Saying that, we don't have 
> enough public IP space to give out public IPs or even 1-1 NAT, so all traffic 
> (guest and internal) uses traditional NAT with default deny inbound. The only 
> real issues we've had are related to Xbox multiplayer; the person on campus 
> cannot host the game, but can join someone else's game. With so many 
> free/cheap cloud options, things like physical "servers" run by students 
> seem to be a thing of the past.
>
> Thomas Carter
> Network & Operations Manager
> Austin College
>
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
> Sent: Tuesday, June 7, 2016 6:34 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Servers on Guest Networks
>
> Hello,
>
> We're looking at a default deny inbound and possibly opening ports as 
> required later on the guest wireless network. If you have already done this 
> I am curious to know what you and your user community defined as being 
> required on the guest network.
>
> I think primary drivers might include devices that are not capable of 
> WPA2-Enterprise *and* needing to run a service. Google cloud printers come to 
> mind, someone also mentioned multi-player Xbox? Do you have other examples or 
> use cases for allowing services like http/https from the internet to your 
> guest wireless network? If so, please share.
>
> Thanks,
>
> Curtis
> **********
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can
> be found at http://www.educause.edu/groups/.
>

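The "default deny inbound, allow established" behaviour that Jeff and Thomas describe above, as an added illustration that is not part of the list thread: a toy connection-tracking packet filter in Python. It shows why a cloud-print style device that dials out keeps working under default deny, why an unsolicited connection from the internet to a guest device (a console hosting a game, or a service trying to push to a printer) is dropped, and what an explicit per-host exception changes. The 10.20.0.0/16 guest prefix, the addresses, port 3074 for the console and port 631 for the printer are all constructed for the example; the filter models a generic stateful firewall, not any particular WLC or ACL syntax.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Constructed for this example: the guest wireless range sitting behind the filter.
GUEST_PREFIX = "10.20."


def is_guest(ip: str) -> bool:
    """True for addresses on the (constructed) guest wireless network."""
    return ip.startswith(GUEST_PREFIX)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key, so a reply matches the flow its request created."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a, b)


class StatefulFilter:
    """Default deny inbound, allow established, plus explicit per-host exceptions.

    exceptions holds (proto, guest_ip, port) tuples: the holes an admin pokes when
    a user asks for inbound access to a device that acts as a server.
    """

    def __init__(self, exceptions: Iterable[Tuple[str, str, int]] = ()):
        self.conntrack: Set[FlowKey] = set()
        self.exceptions = set(exceptions)

    def handle(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.conntrack:
            # Traffic on a flow we have already seen: the "established" rule.
            return "ACCEPT established"
        if is_guest(p.src) and not is_guest(p.dst):
            # Device opened the connection outbound; remember it so replies get in.
            self.conntrack.add(key)
            return "ACCEPT new-outbound"
        if not is_guest(p.src) and is_guest(p.dst):
            if (p.proto, p.dst, p.dport) in self.exceptions:
                self.conntrack.add(key)
                return "ACCEPT exception"
            # Unsolicited inbound with no matching state: the default deny.
            return "DROP default-deny-inbound"
        # Guest-to-guest or outside-to-outside traffic never crosses this filter.
        return "DROP not-this-filter"


def run_scenarios() -> Dict[str, str]:
    """Walk the cases from the thread through the filter; all addresses are constructed."""
    fw = StatefulFilter()
    printer, cloud = "10.20.5.7", "198.51.100.10"
    out: Dict[str, str] = {}
    # Cloud-print style device: it dials out, the service answers on that same flow.
    out["printer_out"] = fw.handle(Packet("tcp", printer, 51234, cloud, 443))
    out["printer_reply"] = fw.handle(Packet("tcp", cloud, 443, printer, 51234))
    # The same service trying to open a fresh connection *to* the printer instead.
    out["cloud_push"] = fw.handle(Packet("tcp", cloud, 40000, printer, 631))
    # A console on guest wireless hosting a game; a peer on the internet tries to join.
    host, peer = "10.20.9.2", "203.0.113.9"
    join = Packet("udp", peer, 3074, host, 3074)
    out["xbox_join_strict"] = fw.handle(join)
    # The same join after the admin grants an explicit exception for that host/port.
    fw_open = StatefulFilter(exceptions={("udp", host, 3074)})
    out["xbox_join_exception"] = fw_open.handle(join)
    out["xbox_host_reply"] = fw_open.handle(Packet("udp", host, 3074, peer, 3074))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The exception set is the thing Curtis is asking the list to forecast: every entry in it is a request someone had to make, and the simulation makes clear that outbound-initiated devices never need one, only hosts that must accept a connection nobody on the inside started.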