Best practice on putting HA on the Home subnet or the IoT subnet

Hello,
Before HA I was using ioBroker. I had an IoT subnet where I had everything. I also had a home subnet for my mobile and PC.
I was running into issues because my phone can't broadcast into the IoT subnet and vice versa. That caused multiple issues, also with the HomePods.
Hence, when I switched to HA I set up everything on my home network.

While this is working conveniently, I am adding more and more devices and I am starting to worry, because my PC and mobile are on this subnet, so I kind of want to secure them.

Now I'm scared that I'll run into issues again.
What do you guys do? All on one subnet? Two subnets and try to hack everything in? Especially multicast routing is always a big pain and I'd really like to avoid it.

What worries you, exactly?
Beyond FUD, having multiple VLANs is surely more headaches than it’s worth…

Yeah, that's my thought.

It worries me that I have IoT devices which are probably unsafe in the same VLAN as my private PC.

Is it allowed not to agree?

The real answer is… It depends.

Yes, putting your IoT gear in a single subnet off in its own VLAN is ABSOLUTELY safer.

It's also a pain to maintain; you need to really understand routing, and some things simply won't work. (Matter, for instance, won't route across VLANs per the spec right now.) So we're back to the classic safety vs. usability argument. (Sure, I can make your PC safe by sinking it in concrete…)

I run a flat network. But I am also a 25-year IT ops and ID veteran who's draconian about local admin (you don't get it on my network, sorry) and about what is/isn't allowed on my wire. You don't take updates? Sorry, you don't connect. … I don't have control of the machine? Guest network. Sure, I could be less controlling, open the networks up and isolate clients, but I also don't want to spend 4 hours a day working routing rules and fixing IT problems at home for the spouse.

2 Likes

Sure. Happy to change my mind if you have a real-life example of an IoT device responsible for any kind of hacking of a PC or mobile…

Some of my IoT devices are internet connected, or they are not going to work.
They are hackable (like everything else).
Whether they are or are not in the same network as my "core" devices DOES change the security of my infrastructure.
I assume we agree on that.

I agree much more with your point if you talk about (for example) detailed outbound access control for IoT devices.
Some time ago I tried sniffing device traffic and creating dynamic rules based on DNS-resolved ipsets.
THAT was a headache not worth it. Not VLANs.

Sorry, but that's what I mean by "fear, uncertainty and doubt", aka FUD.
Until I see an actual report of an IoT device being hacked and itself hacking PCs, it's just fantasy to me.

Strangely enough, PCs and mobiles are able to defend themselves, as they themselves are connected to the internet.
You are infinitely more likely to be hacked by an app installed on the PC or mobile than by an IoT device which would itself have been hacked.

And don't get me started on sniffing. As much as VPNs are basically useless as a security device these days, due to 99% of internet connections being encrypted by HTTPS/TLS, so is THAT fantasy.

Once again, the odds just are not worth the hassle.

I have my internet-dependent IoT devices (cloud integrations) on a separate VLAN. This is easy to set up: just allow that VLAN internet access only. It doesn't make the device(s) themselves any more secure, though. What's harder to set up is internal traffic between an IoT VLAN and your regular VLAN. As you said, multicast can be a pain.

I use IPS/IDS on my router and have set my router to drop traffic from a lot of countries and I sleep well at night.
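As an added example (not code from this thread or from any of its posters), here is how the "IoT VLAN gets internet only, home VLAN can reach IoT" setup described in the post above looks as an nftables ruleset on a Linux router. The interface names, subnets, the Home Assistant host address and the pinholed ports are assumptions for illustration; adjust them to your own setup.

```nft
# Added example, not from the thread. Assumptions: home VLAN is vlan10
# (192.168.10.0/24), IoT VLAN is vlan20 (192.168.20.0/24), WAN is eth0,
# and Home Assistant runs at 192.168.10.5 on the home VLAN.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections initiated from the allowed side
        ct state established,related accept
        ct state invalid drop

        # Home -> IoT: your PC/phone/HA may open connections to any IoT device
        iifname "vlan10" oifname "vlan20" accept

        # Home -> Internet
        iifname "vlan10" oifname "eth0" accept

        # IoT -> Internet only (cloud integrations); IoT -> Home is not here
        iifname "vlan20" oifname "eth0" accept

        # Optional pinhole (assumed ports): IoT devices that must push to HA,
        # e.g. MQTT or webhooks, may reach the HA host only, not the whole subnet
        iifname "vlan20" oifname "vlan10" ip daddr 192.168.10.5 tcp dport { 1883, 8123 } accept

        # Everything else from IoT toward Home is logged and dropped
        iifname "vlan20" oifname "vlan10" log prefix "iot-to-home drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Router services the IoT VLAN legitimately needs: DHCP and DNS
        iifname "vlan20" udp dport { 53, 67 } accept
        iifname "vlan20" tcp dport 53 accept

        # Router management (web UI, SSH) only from the home VLAN
        iifname "vlan10" accept
    }
}
```

Two caveats worth knowing before relying on this. First, the ruleset only covers routed (unicast) traffic: mDNS (224.0.0.251, UDP 5353) and SSDP are link-local multicast and a router does not forward them, which is the multicast pain the thread keeps mentioning; discovery across the two VLANs needs an mDNS reflector/repeater (for example avahi-daemon's reflector mode) rather than a firewall rule. Second, `ct state established,related accept` is what lets IoT devices answer connections the home side opened; the IoT devices themselves still cannot initiate anything toward the home VLAN except through the explicit pinhole, so a compromised device is limited to the internet and that one host, and the log line gives you a record of every attempt it makes.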

It is not. It's quantitative.
I'd be glad to have you writing regulation in place of the guys wanting us to adopt micro-segmentation :smiley:
My PC is hackable (like everything else); I have solutions for that. 100% safe? No. I'm accepting that risk.
And I'm accepting the risk that hacking my Alexa devices (for example) can bring.
I really can't understand why I should accept a risk I can manage: compromised IoT devices sniffing my network traffic.
I access my router and my Proxmox locally over plain HTTP. Why should I let my IoT devices be in a position to sniff it?

Thank you for your position on VPNs :slight_smile:
But I can't understand the rest of the point.
I explained that my sniffing was DNS based, for outgoing traffic. What does that mean? That if one of my IoT devices gets hacked, it can connect outbound only to DNS names I want. Where exactly does TLS come into it?
(And yes, this is not worth the hassle.)

God bless banIP :slight_smile:

1 Like

I've had a few situations where I tried to download something (a BIOS, if I recall correctly) and the link just threw a 404 until I remembered the country blocking :stuck_out_tongue:

1 Like