Hello HA community!
I have been lurking here for a bit as I plan my first foray into the Home Automation world.
I have build by ITX server (can supply specs if anyone is interested) and began my install (Ubuntu Server 2 days ago… and they just released 18.04.2 today… might as well practice and do it again .
Anyway, my question was actually directed toward network and security.
I currently have 2 VLAN’s on my network (will probably add #3 for Guest soon too). #1 is for my internet devices (phone’s laptop’s etc.) #2 is for security camera’s (no internet for you!)
I was planning to put all the IoT devices on #2 and block all internet access. #1 can reach #2 (so I can modify settings, etc). #2 cannot reach #1 or the internet
(this is if I have it setup correctly…).
So - my question is, what is the generally accepted best practice for HA server?
VLAN with internet access (#1) or VLAN without internet access (#2).
If I put HA on #1, it will have internet access for updates, MyQ (until I can find a local solution), etc. It would be able to reach IoT devices on #2, but I was not sure if messages (directly, or MQTT) from devices on #2 would be able to be posted correctly if HA is on #1.
Inversely, if HA is on #2, IoT devices should be fine, but I would need to open #2 to the internet at least a little for server updates, integrations, etc. I do use MAC address’ to block camera’s etc. in firewall, so this might be fine - but I am not very experienced so not sure what is best practice.
Or am I WAY overthinking this, and just put all of them on #1 to simplify the installation?
Let me know your thoughts - sorry for the long post!
If you want to update, HA needs internet access. If you want to use ANY cloud based components, HA will need internet access.
This depends entirely on your firewall rules. YOU decide where the messages pass.
Why not just allow your HA server access to the internet and still block all other outbound traffic? You seem to be making this black or white, when gray exists.
That is what my last thought was about over complicating it.
I think just putting HA server on VLAN #2 and not blocking it’s MAC from the internet is the easiest solution.
I was just unsure if this would make any holes in VLAN #2 setup - again, not 100% confident in my firewall knowledge.
What network setup / firewall do you use?
Maybe someone can help you to be sure you set it up correctly.
I have the whole Unifi setup and 3 VLANs (Private, IoT, Guest).
I put everything which isn’t completely under my control in the IoT Lan without access to Internet and other Lans.
Because I deemed my server with Hass, Mosquitto, etc. on it and devices running Tasmota as “under my control” I put them in the Private Lan which has full access to everything. So MQTT is no problem.
I realized that my Echo Dots weren’t working anymore in the IoT LAN because…well they aren’t the local kind of device. I assigned them static IPs and allowed those IPs access to the Internet. Could have also used their MACs instead.