HA Networking. How do you protect your home network from IOT devices?

yvangelist · May 10, 2024, 10:57pm

Hello all,

I am reaching out to see if anybody has been successful at creating VLANs in their home network to segregate IOT or untrusted devices an still be operational in Home Assistant,

code-in-progress · May 10, 2024, 10:58pm

Yes. Depends on your router and network config, but setting up firewalls to allow for internal LAN access across VLANs is fairly simple to do.

yvangelist · May 10, 2024, 11:02pm

Curious about your setup you can DM me. I have half wired and half wifi IOT devices.

NathanCu · May 10, 2024, 11:02pm

And possibly which devices and network protocols. There’s no single one right answer.

Note:things to keep in mind.

You need to make sure that appropriate ports are opened from the IoT segment to HA (and vice versa) research each device and determine its communication requirements.

Don’t forget to turn on whatever your network gear needs to support mDNS between segments. (it’s how HA ‘finds’ stuff. Not doing this means no auto discover.

Don’t forget ipv6 if you’re doing MATTER. Many people just disable it and call it a day but if you plan MATTER devices in the segment you have to route Ipv6 too.

yvangelist · May 10, 2024, 11:11pm

Thanks guys. So to your eyes everything is entirely feasible. I recently started to sniff data going out of my home network and I really freaked out, I think nabu casa people should start to bring security topic in the forefront. Home Assistant starting to be the flagship and attracting a lot of newcomers and families, information privacy and security should be predominant.

@NathanCu Special thx for mDNS tips and IPv6 ( not using matter currently but I believe it will become inevitable)

code-in-progress · May 10, 2024, 11:12pm

My setup is actually not that complex network-wise. I have a main management VLAN (192.168.1.0) that is where all my main servers and such live. Then I have a 192.168.107.0 VLAN (set to 2.4ghz only and speed throttled to 50kb up/down. This is where all my IOT devices live and it’s blocked from the internet. Then I have a 192.168.50.0 VLAN for my cameras (also blocked from the internet, partially). Then I have a 192.168.70.0 VLAN for my Alexa (and other oddball things) that has some weird firewall rules and DNS blocking. Finally I have a 192.168.200.0 VLAN specifically for guests. It’s blocked from everything except the internet and speed throttled to 250mb up/down.

My setup is a UDM-PRO, with 2 16 port POE switches and 3 8 port POE switches and 3 APs.