I have finally migrated all my IoT devices to a dedicated VLAN on my Ubiquiti console. I have not done any isolation yet, and since I have Shelly and Ruuvi cloud services, the IoT VLAN has internet access enabled.
My HA (green) is still on the main network where I access it from my pc on local lan.
I need to turn on inter-VLAN isolation. Would it be recommended to move HA onto my IoT VLAN? How would I then access HA from my PC on the main LAN?
I have multiple VLANs:
- IOT → internet enabled
- LOT → No internet
- Home
- etc…
The easiest way to get HA to reach all networks is to have your HA server be part of them all.
In Debian, for example, in /etc/network/interfaces you can add a VLAN:
```
# 802.1Q sub-interface: VLAN tag 5 on the physical NIC eno1 (needs the "vlan" package)
auto eno1.5
iface eno1.5 inet static
    address 192.168.14.15
    netmask 255.255.255.0
    vlan-raw-device eno1
```
This way your HA server can go anywhere, but your devices can't.
Typically your main (secure/management) VLAN would have access to all other VLANs. It is the other VLANs that you block from each other and from the main VLAN.
If set up this way, your HA server could remain in the main VLAN.
That makes sense, thank you
All IoT devices and HA on the same VLAN.
Other setups require you to have deep knowledge about IPv4 and IPv6, and you also need deep knowledge about all the protocols being used on top of these protocols, especially the discovery protocols.
Access to is the tricky part. IPv4, IPv6 (because of Matter), and all the protocols.
The network owner has to know all this stuff and make sure it stays working. If you don't understand it, stay with a flat network on your production stuff and play with stuff that doesn't make the housemates mad.
What I do is have a /22 IPv4 subnet that HA is on. When set up in the right place that gives me 4 /24 IPv4 networks that I can use to keep things separated some and give different subnet firewall rules to, but the stuff using /22 has full access to everything. I just let IPv6 run wild (or block it) because I haven't figured out how to tame that. This is an easy to understand no-VLAN way to separate stuff (on IPv4 anyway).
Your setup might work now, but using /24 subnets inside a /22 subnet is an unsupported usage and you might hit network stacks that are more strict with broadcast addresses, which is where the issues will rise.
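To make the broadcast-address concern concrete, here is an added example (not code from either poster) that uses Python's standard ipaddress module to list the addresses which a /22 host treats as ordinary unicast hosts while a /24 host in the same range treats them as its network or broadcast address. The 192.168.12.0/22 range is a constructed choice that happens to contain the 192.168.12.x and 192.168.14.x addresses mentioned elsewhere in the thread.

```python
import ipaddress


def address_role(addr: str, network: str) -> str:
    """How a host configured with `network` interprets `addr`:
    'network', 'broadcast', 'host' or 'outside'."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(network, strict=True)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def conflicting_addresses(supernet: str, sub_prefix: int):
    """Addresses that are ordinary hosts in `supernet` but are the network or
    broadcast address of one of the /`sub_prefix` blocks carved out of it.
    A /22 host may happily unicast to them; a stricter /24 stack will not."""
    big = ipaddress.ip_network(supernet, strict=True)
    conflicts = []
    for sub in big.subnets(new_prefix=sub_prefix):
        for special in (sub.network_address, sub.broadcast_address):
            if address_role(str(special), supernet) == "host":
                conflicts.append((str(special), str(sub)))
    return conflicts


if __name__ == "__main__":
    # Constructed example: one /22 split into four /24s, as described in the thread.
    for addr, sub in conflicting_addresses("192.168.12.0/22", 24):
        print(f"{addr}: plain host on the /22, but special address inside {sub}")
```

The six addresses the script prints are exactly the ones a DHCP server handing out /22 leases could assign to a device that a /24-configured neighbour will refuse to talk to, so excluding them from the /22 pool is the practical check.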
Yes, but I know what I designed and understand it at least, and that's the point. If you don't understand it you will be here asking WTF every time your AdGuard acts up.
One of my networks has some added complexity with HA on a 10.x.x.x and everything else on a 192.168.x.x bridged in pfSense.
I don't suggest that, and if you do that you are on your own…
That reminds me, I just bought a new Asus router to replace one that went end of life, and it comes with an IoT network setup built in and AdGuard built in. I quickly flashed it with Merlin and put it into AP mode to hide that crap.
You might understand it, but suggesting it to others is maybe not a good idea.
The setup might act up, because it goes against the protocol standard and nobody will be able to help then.
I also have a Ubiquiti setup, I only use two VLANs:
- Default
- Automation
All the automation components (including Home Assistant) run on the Automation VLAN. Everything on the Automation VLAN has no internet access (by default).
However I have a Midea AC unit which appears to require cloud access, so both it and HA need to have internet access (so HA can send commands and the AC can read them); therefore I created a policy to explicitly permit those two devices to access the internet (even though the rest of the VLAN can't).
Other than to simplify management I don't see any value in having two IOT VLANs (with and without internet access), since you will likely permit all traffic between those two VLANs anyway.
And there is an (admittedly small) advantage to only using one VLAN, which is that all IOT traffic remains Layer 2 - it doesn't need to be routed (except for any internet traffic). TL;DR - Automations continue to run even if you reboot your Ubiquiti gateway (again not including cloud based services).
If you say so.
The only actual difference is the subnet mask used and the DNS for the /24’s root is bounced thru the /22 root.
So OK, don’t do that either, stay a flat subnet.
IPV6, sure that stuff is really hard to get right.
But for home automation your ESP device does not need v6, so on a v4 VLAN it goes.
Staying away from VLANs because it's "hard" is personally not the case.
Sure you need to get used to it, but it's not hard. We are all tinkering with HA, so a bit of VLAN in the mix is not a problem.
Again, give the server access to all VLANs and you are golden. Nothing more, nothing less.
Your phone or laptop does not need anything; it can stay in your IPv6/v4 mixed main VLAN and you really can safely put all the phone-home stuff in an isolated network.
The simplest setup:
Sure there are better ways of doing it, but this works: LOT can't access the internet, but devices from Main can access them. HA/ESP/etc. can do 99% of all the discovery protocols. If you are in Docker you might get mDNS problems, but who needs that when you have a LOT/IOT network where you can assign static stuff.
The problem with the 4 VLAN setup is the HA server acts as a bastion into the Main and Other networks, so if the HA server got breached the attacker would have a route into both of those networks.
A better solution would be to only place the HA server on the IOT and LOT networks. You can then use a proper router/firewall to route traffic between Main, IOT and Other networks - i.e.: You access the HA UI from the Main network using its IOT address: 192.168.12.10
Note: I am not clear what services you are running on “Other” so something special might be required for that.
I will concede that the 2 VLANs approach (above) closes one security hole** which is a breached IOT device couldn’t be used to access an LOT device. However I am not super worried about that (Juice ain’t worth the squeeze).
** - Over my single automation VLAN setup - outlined in my previous reply.
I realized I never actually answered the OP's question:
Yes put HA and IOT devices on their own VLAN.
In my setup I did the following (UniFi specific):
- Created a new Zone: Untrusted Private
- Blocked All Outbound traffic from the new Zone - It can’t talk to anything internal or external.
- Granted access to allow the Internal Zone to access Untrusted Private with "Allow Return" on.
- Assigned the Automation VLAN to the Untrusted Private zone.
With those steps you have a private VLAN/Subnet that can be accessed from your main VLAN / Internal Zone.
Then you just need to add a specific firewall rule (I only needed one) for HA and any other devices that need to be able to access the internet.
- Source Zone: Untrusted Private
- Select Device:
- Add the devices you want to be able to access the internet (including HA)
- Port: Any
- Action: Allow
- Destination Zone: External
- Any (IP)
- Any Port
- Both (IPv4 and IPv6)
- Protocol: All
- Connection State: All
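Here is an added example, not UniFi code and not from the poster, that models the zone policy just described as a tiny stateful rule engine so you can check which flows the design permits before committing it to the gateway. Zone and VLAN names follow the post; the device names (pc, ha, ac, bulb, cloud) and the decision to mark the internet rule stateful as well are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Simplified model of a zone-based firewall: first matching rule wins, and a
# connection table lets replies of admitted connections back through.


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str                                  # "*" matches any destination zone
    action: str                                    # "allow" or "block"
    src_devices: Optional[FrozenSet[str]] = None   # None = every device in src_zone
    allow_return: bool = False                     # replies of matched connections pass


# Constructed topology (device names are made up; VLAN/zone names follow the post).
VLAN_OF = {"pc": "Default", "ha": "Automation", "ac": "Automation",
           "bulb": "Automation", "cloud": "Internet"}
ZONE_OF = {"Default": "Internal", "Automation": "Untrusted Private",
           "Internet": "External"}

RULES = [
    # Internal zone may reach Untrusted Private, with "Allow Return" on.
    Rule("Internal", "Untrusted Private", "allow", allow_return=True),
    # Only HA and the AC unit may reach the internet (assumed stateful too).
    Rule("Untrusted Private", "External", "allow",
         src_devices=frozenset({"ha", "ac"}), allow_return=True),
    # Zone default: Untrusted Private may not initiate anything else.
    Rule("Untrusted Private", "*", "block"),
]


class ZoneFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()   # (initiator, responder) of admitted connections

    def _first_match(self, src: str, dst: str) -> Optional[Rule]:
        src_zone, dst_zone = ZONE_OF[VLAN_OF[src]], ZONE_OF[VLAN_OF[dst]]
        for rule in self.rules:
            if rule.src_zone != src_zone or rule.dst_zone not in ("*", dst_zone):
                continue
            if rule.src_devices is not None and src not in rule.src_devices:
                continue
            return rule
        return None   # no rule between these zones: nothing is forwarded

    def forward(self, src: str, dst: str) -> bool:
        """True if the gateway forwards a packet from src to dst."""
        if VLAN_OF[src] == VLAN_OF[dst]:
            return True   # same VLAN: switched at layer 2, the gateway never sees it
        if (dst, src) in self.established:
            return True   # reply to a connection admitted by an allow_return rule
        rule = self._first_match(src, dst)
        if rule is None or rule.action != "allow":
            return False
        if rule.allow_return:
            self.established.add((src, dst))
        return True


def demo() -> dict:
    """Evaluate the flows the thread cares about; fresh tables for unsolicited ones."""
    fw = ZoneFirewall(RULES)
    return {
        "pc -> ha (open the HA UI)": fw.forward("pc", "ha"),
        "ha -> pc (reply to that session)": fw.forward("ha", "pc"),
        "ha -> pc (unsolicited)": ZoneFirewall(RULES).forward("ha", "pc"),
        "ha -> cloud": fw.forward("ha", "cloud"),
        "bulb -> cloud": fw.forward("bulb", "cloud"),
        "bulb -> pc": fw.forward("bulb", "pc"),
        "cloud -> ha (unsolicited)": ZoneFirewall(RULES).forward("cloud", "ha"),
        "ha -> bulb (same VLAN)": fw.forward("ha", "bulb"),
    }


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:36} {'forwarded' if ok else 'dropped'}")
```

The two unsolicited rows are the ones worth looking at: HA cannot start a connection into the Internal zone, so a compromised HA is not the bastion into Main that the four-VLAN layout creates, and nothing on the internet can reach HA without a VPN or an explicit inbound rule.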
That is fair, but as a hacker, a bank might be nicer to go after, or a person that has HA open to the web on the router with port forwarding.
I only have my VPN port open on my router, so there is a chance it's not 0, but it's also not something I am concerned about.
This would be a decent improvement to the setup; not sure if figuring all the FW stuff out is doable for an average HA enthusiast, but also if HA has a zero day in the front end it's still a bastion…
Was more an example; perhaps you want your kids to have this VLAN with a special DNS server that filters traffic. Or a guest network, where you could then remove this VLAN from the server. Endless possibilities.
Many things ain't worth it in a home setup, but sometimes it's the learning experience that might hold value. To each their own.
It’s a question of why bother with VLANs at all, if you are not going to close the door from “low trust” devices to higher trust ones.
You only have to watch a few DefCons to see what complete CF security is on IOT devices, HA has too many plugins to make any serious argument that it couldn’t be breached, in short I don’t trust it.
That doesn’t mean I don’t want to use it, it just means it gets placed in its own little sandbox.
VLANs make administration a bit easier on more complex networks.
But the V in VLAN stands for “Virtual”, just creating a separate LAN gives you the same security posture.
To that end you could probably just put all of your HA / IOT devices on “guest” or “DMZ” WIFI on your typical cheap home router, it would probably get you most of the way there.
Right, a zero trust network is of course great (and perhaps the goal), but for the average HA user going from "cool my lights work" to "FW rules on the router that my ISP provides help" is too much to ask and will not happen in most HA installations.
So step 1, separate VLANs, is great. That includes 1 VLAN without internet access, then of course a VPN to your house instead of opening the HA front end to the world.
This should be fine for most of the users around, as this should prevent IOT devices from punching holes in your FW.
Then after that, yes, if your skills permit and you want a better setup, then everything on one VLAN with FW rules is a way better setup; I am not disagreeing.
But again I doubt that this is the goal here or for most HA users. For me it would be great to see where my setup could improve, so I will take your idea and will play with it.
