HA Matter over Thread Network setup

Good evening everyone,

I will soon be moving into my first apartment. I am an IT administrator, but I mainly look after servers and not networks, so I have a few questions about this.

I would like to sign a business contract with Vodafone so that I can get a public IPv4 address to access my network from outside. I still need to decide which firewall to use, so if anyone has any suggestions, I’d love to hear them.

I will be using Proxmox as my hypervisor. I will then run Home Assistant as a VM. I would use the ZBT-2 as my Thread border router.

Now to my questions/thoughts:

I’ve been thinking about creating a server VLAN and an IoT VLAN. Now I’m not sure how that works with IPv6.

The Home Assistant server definitely needs to get an IPv4 address to access the internet and a unique local IPv6 address to communicate with the smart devices via Thread, right?

That means I would need to have a DHCP server in the IoT VLAN, which would then assign unique IPv6 addresses to the smart devices. But these could also just be local addresses, since the devices don’t need to access the internet (or what about updates to the smart devices—are they distributed by Home Assistant?).

Thanks in advance 🙂

Matter & Thread Deep Dive

2 Likes

HA is not meant to run in a segregated setup.
If you have really deep knowledge about networking, then you might be able to do it, but it is not just some IPv4 routing and firewall rules.
You need to understand both IPv4 and IPv6, and your IPv4 knowledge is hardly transferable to IPv6.
You also need to have a deep understanding of all the protocols running on top of the IPv4 and IPv6 protocols, especially the many discovery protocols that are not meant to be routable and therefore cannot be routed with normal IPv4/IPv6 routing.
Trying to set HA up in a router setup (HA with connections to multiple different networks) is also not a good idea, because HA is not meant to be run in that setup and there are no tools to handle the bindings and separation of services.

If you want to use VLANs, then all IoT devices (and that includes HA) go in the IoT VLAN, because then (mostly) you only need to handle the HTTP(S) protocols for the companion apps and the web interface.

4 Likes
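The reply above hinges on address scope: the discovery traffic HA and Matter/Thread devices rely on (mDNS on ff02::fb / 224.0.0.251, link-local fe80:: addresses) never crosses a router, while unique-local (fd00::/8) and RFC 1918 addresses only cross VLANs if the firewall allows it. The script below is an added example, not code from the original post or from Home Assistant; it classifies a constructed set of addresses the way a dual-stack firewall would see them, so you can check, before splitting VLANs, which conversations stay confined to one segment. All sample addresses and the `crosses_vlan` heuristic are assumptions for illustration.

```python
import ipaddress

# Constructed sample of addresses you might see on a Home Assistant host and its
# Thread/Matter devices (made-up values, not taken from the original thread).
SAMPLE = {
    "ha-vm-ipv4": "192.168.20.10",
    "thread-device-link-local": "fe80::1a2b:3c4d:5e6f:7a8b",
    "thread-device-ula": "fd11:2233:4455:0:aabb:ccdd:eeff:1",
    "mdns-ipv6-group": "ff02::fb",
    "mdns-ipv4-group": "224.0.0.251",
    "site-scope-group": "ff05::1",
    "global-ipv6": "2001:db8::10",
}

# RFC 7346 multicast scope nibble -> name (ff0X:: where X is the scope)
V6_MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                   5: "site-local", 8: "organization-local", 14: "global"}


def _classify_v6(ip: ipaddress.IPv6Address) -> dict:
    if ip.is_multicast:
        scope = int(ip.exploded[3], 16)  # 'ff02:...' -> scope nibble is char 3
        name = V6_MCAST_SCOPES.get(scope, f"scope-{scope:x}")
        # link-local (and smaller) scope groups are never forwarded by a router;
        # larger scopes cross only if you run a multicast router (MLD/PIM).
        return {"family": 6, "kind": f"multicast/{name}", "crosses_vlan": scope > 2}
    if ip.is_loopback:
        return {"family": 6, "kind": "loopback", "crosses_vlan": False}
    if ip in ipaddress.ip_network("fe80::/10"):
        # link-local: valid on one link only, so confined to its VLAN
        return {"family": 6, "kind": "link-local", "crosses_vlan": False}
    if ip in ipaddress.ip_network("fc00::/7"):
        # unique local (ULA): routable inside the site if routers carry the prefix
        return {"family": 6, "kind": "unique-local", "crosses_vlan": True}
    return {"family": 6, "kind": "global", "crosses_vlan": True}


def _classify_v4(ip: ipaddress.IPv4Address) -> dict:
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        # local network control block (mDNS, SSDP helpers): TTL 1, never forwarded
        return {"family": 4, "kind": "multicast/link-local", "crosses_vlan": False}
    if ip.is_multicast:
        return {"family": 4, "kind": "multicast/routable", "crosses_vlan": True}
    if ip in ipaddress.ip_network("169.254.0.0/16"):
        return {"family": 4, "kind": "link-local", "crosses_vlan": False}
    if ip.is_private:
        return {"family": 4, "kind": "private", "crosses_vlan": True}
    return {"family": 4, "kind": "global", "crosses_vlan": True}


def classify(addr: str) -> dict:
    """Return scope info for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    return _classify_v6(ip) if ip.version == 6 else _classify_v4(ip)


def confined_to_vlan(addresses: dict) -> list:
    """Names of addresses whose traffic can never be routed between VLANs."""
    return sorted(name for name, a in addresses.items()
                  if not classify(a)["crosses_vlan"])


if __name__ == "__main__":
    for name, addr in SAMPLE.items():
        info = classify(addr)
        print(f"{name:26} {addr:40} {info['kind']:24} crosses_vlan={info['crosses_vlan']}")
    print("confined:", confined_to_vlan(SAMPLE))
```

Running it shows why the reply says "put HA in the IoT VLAN": every entry marked `crosses_vlan=False` (the Thread device's fe80:: address, the mDNS groups) has to share a VLAN with whatever needs to hear it, and no firewall rule can change that. The ULA and private entries are the ones a firewall between a server VLAN and an IoT VLAN would actually have to permit.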

An option for remote access is the Nabu Casa service from Open Home that provides several services including remote connectivity. I’m currently on a trip, 900 miles from home and have been accessing Home Assistant using my phone as a hotspot. I don’t do anything special or set up a VPN on my devices, it automatically switches and just works.

I have matter / thread devices and can inspect and control but that conversation is from HA app/automations to the devices.

I didn’t have to ask my ISP to provide any special address requirements. In fact they use CGNAT, so my relative danger from probing my network is reduced vs dealing with opening NAT ports on a full Internet address.

I also went down the IoT VLAN route but IMO a slippery slope with unclear payback. It works for things like Ring where the device is logging out to a service anyway, as well as HA accessing it via login from outside the home.