CR: IOT_WAN VPN Passthrough — Risk & Communications

Risk Assessment: Opens ESP/IPsec outbound from IoT
Risk Mitigation: Outbound only — IoT initiates the connection to external VPN gateways. No inbound rules changed. Return traffic handled by existing established/related rule (IOT_WAN rule 10).

Risk Assessment: Could allow unauthorized VPN use from IoT devices
Risk Mitigation: IoT devices (cameras, smart home sensors) do not have VPN clients. These rules enable human users with laptops temporarily on the IoT VLAN. Monitor via default-log.

Risk Assessment: Blast radius if misconfigured
Risk Mitigation: Changes affect ONLY IOT_WAN (IoT → WAN direction). No other zone policies modified. Three discrete rules with clear protocol/port scope.
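As an added example of the "monitor via default-log" mitigation (not part of the CR), the script below reviews firewall log lines for IKE (UDP/500), NAT-T (UDP/4500) and ESP traffic leaving the IoT VLAN and flags any source that the device inventory does not list as a laptop. The log lines, rule prefixes, addresses and inventory are all constructed; the key=value fields only mimic the netfilter LOG style.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the page); the key=value fields mimic the
# netfilter LOG output that a firewall's default-log rules emit.
SAMPLE_LOG = """\
Jan 10 09:01:12 fw kernel: [IOT_WAN-20-A] IN=eth2 OUT=eth0 SRC=10.20.0.51 DST=203.0.113.10 PROTO=UDP SPT=500 DPT=500 LEN=336
Jan 10 09:01:13 fw kernel: [IOT_WAN-21-A] IN=eth2 OUT=eth0 SRC=10.20.0.51 DST=203.0.113.10 PROTO=UDP SPT=4500 DPT=4500 LEN=120
Jan 10 09:01:14 fw kernel: [IOT_WAN-22-A] IN=eth2 OUT=eth0 SRC=10.20.0.51 DST=203.0.113.10 PROTO=ESP SPI=0x1a2b3c4d
Jan 10 09:05:40 fw kernel: [IOT_WAN-20-A] IN=eth2 OUT=eth0 SRC=10.20.0.77 DST=198.51.100.5 PROTO=UDP SPT=500 DPT=500 LEN=336
Jan 10 09:05:41 fw kernel: [IOT_WAN-22-A] IN=eth2 OUT=eth0 SRC=10.20.0.77 DST=198.51.100.5 PROTO=ESP SPI=0x99887766
"""

# Constructed inventory of the IoT VLAN; only laptops are expected to build VPNs.
INVENTORY = {"10.20.0.51": "laptop", "10.20.0.77": "camera"}

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
VPN_UDP_PORTS = {"500", "4500"}  # IKE and NAT-T

def parse_line(line):
    """Return src/dst/kind for an IPsec-related log line, or None otherwise."""
    fields = dict(FIELD_RE.findall(line))
    proto = fields.get("PROTO")
    if proto == "ESP":
        kind = "ESP"
    elif proto == "UDP" and fields.get("DPT") in VPN_UDP_PORTS:
        kind = "IKE" if fields["DPT"] == "500" else "NAT-T"
    else:
        return None  # not VPN passthrough traffic
    return {"src": fields["SRC"], "dst": fields["DST"], "kind": kind}

def summarize(log_text, inventory):
    """Group VPN events by IoT source host; flag sources that are not laptops."""
    by_src = defaultdict(lambda: {"gateways": set(), "kinds": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]]["gateways"].add(ev["dst"])
            by_src[ev["src"]]["kinds"].add(ev["kind"])
    flagged = sorted(s for s in by_src if inventory.get(s, "unknown") != "laptop")
    return dict(by_src), flagged

if __name__ == "__main__":
    summary, flagged = summarize(SAMPLE_LOG, INVENTORY)
    for src, info in summary.items():
        print(src, INVENTORY.get(src, "unknown"), sorted(info["kinds"]), sorted(info["gateways"]))
    print("needs review:", flagged)  # a camera should never be building a VPN
```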