Hass.io vlan separated networks

Hello,
I just got started with home automation as I had a raspberry pi 3 lying around.

I want to separate a lot of components from my local network and only allow hassio to communicate with the devices and still allow hassio to be connected to the local network.

I was thinking of having a managed switch with VLAN and run port 1 on VLAN100 and have the local network connected to that port. Port 2 would have VLAN100 and VLAN200 as that is where I will connect the raspberry pi. Port 3 and up would be VLAN200 and here I connect all the IoT devices that I want to have.

The isolation of VLAN200 is to protect my local network from rogue IoT devices.

In the local network I will be running kodi and hassio will have kodi configured.
So hassio will run automation when playing something on kodi (VLAN100) and control IKEA trådfri inside VLAN200 to turn on/off lights.

I have not worked with VLANs that much, but know that I can map a port to a vlan, but when I truncate multiple vlans on one port I need the device to add the vlan flag on the packages.

Is it possible to do with hassio?
How would I do it?
Or should I just get a usb 2.0 to ethernet for the Pi and separate the networks that way?

1 Like

Are you trunking both VLAN100 and VLAN200 to your pi so that it will have sub interfaces on both VLANs? i.e. 2 IPs? If not, I’m not sure what you mean by having both VLAN100 and 200 going to your pi.

Well that was the plan, I haven’t done it as I’m not sure it would work and how to do it on hass.io.

Hass.io/raspberry pi need to have two interfaces with two IPs ex. 192.168.1.10 and 192.168.2.10, one for each VLAN.

Hmm, come to think about it, I think that I would need a dhcp server on the IoT network too.
So Hass.io needs to act as a DHCP server too on VLAN200.

I maybe have to rethink this. But I want to separate the networks so my IoT devices will not communicate with the rest of the network and Internet.

1 Like

I think what you are looking to do has less to do with hassio and more to do with network capabilities of the underlying OS configuration of your pi.

But I’m running hass.io not hassbian.
I installed SSH but it didn’t look like I was on the core OS so I can’t do any special things outside hass.io.

So I have done similar to this HASS.IO wifi hotspot

using the ethernet side of RasPi on one network and the Wi-Fi on another for Wifi IOT devices. Only issue is either getting something to bridge some of the traffic so the devices can hit the internet or as in my case where I don’t want them to I need an NTP server/relay to at least get the Hass.io time to them

Also from the picture you posted my Draytek Vigor router would also allow you to segment the traffic onto the different VLans and route between them

Not sure about Hass.io, but why couldn’t you put your wired Ethernet on the Pi on one Vlan and the wireless (connected to your router/AP) on another Vlan.

My security camera server (Intel/CentOS) has 2 Ethernet connections and the cameras are all on a separate Vlan from my “regular” home network. The server has access to both Vlans, but will not route IP traffic between them.

I don’t want to run wifi, as it can be jammed etc. more comfortable with ethernet.
But if I can run both wifi and ethernet, then I should be able to connect a second ethernet via usb instead and configure it that way without VLANs, correct?

That wouldn’t be that nice looking, but if vlans are not possible with hass.io then that’s the way I guess.

Strictly speaking on a Raspberry Pi running Raspbian and the USB Ethernet adapter is supported by the OS, yes. You don’t need Vlans. I run them anyway because if someone does manage to get on my "camera" network and change the IP, they could reach my other network if the Pi is routing between.

I don’t know anything about Hass.io unfortunately

Yes, that type of isolation is what I want, if any of the IoT devices gets compromised I want my local network not to be affected.

I don’t like that hass.io is “locked” from core configuration. Using the SSH server I think I get into an isolated (docker?) part and not the OS.
Guess I will have to install Raspbian and home assistant on top.

Don’t see why the way I did it with wi-fi wouldn’t work with another ethernet adaptor/connection, just create a new connection file in resin for it, and then set the dhcp server to work on that interface

Yes, I think that will work, I will have to buy a usb ethernet adapter first to test.
The best would have been with VLAN as then I only need one cable to the PI, now I will have an extra adapter and cable.

Personally, I would do both adapters AND Vlans. (Provided you have a managed switch)

LCL - I am exploring a similar requirement. Did the VLAN routing work? Or did you end up using two different Ethernet?

Hi, well… I have not done any of it at the moment.
Only thing I did was installing the new hassOS version which is now using NetworkManager.
It looks like it’s possible but have not looked deeper into this.

Probably something I will try sooner as I start to get more connected products that I want to isolate.

Anyone who has already made progress on this?!
I’m also fighting NM at the moment.
Only thing more or less special on my setup is that I’m running it as a HassOS VM on my Mac mini through VirtualBox.

Any tips or help to set it up would be much appreciated!

Kind regards, Rosiaantje

Hi, have you tried this tutorial I prepared here? Setup VLAN and HA tutorial

I’ve had it working for more than a month and no problem has come up so far.

1 Like
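
The two-address setup discussed in this thread (192.168.1.10 on the local network, 192.168.2.10 on VLAN200), written as a NetworkManager keyfile for the tagged VLAN200 sub-interface. This is an added example, not part of any post here and not taken from the linked tutorial; it assumes the Pi's wired interface is `eth0`, that VLAN100 arrives untagged on the switch port, and the connection name `iot-vlan200` is made up for illustration.

```ini
# Assumed file name: iot-vlan200 (NetworkManager keyfile format).
# The untagged side of eth0 keeps its existing connection and address
# (192.168.1.10 in the thread); this file only adds the tagged side.

[connection]
id=iot-vlan200
type=vlan
# Kernel name of the sub-interface that will carry 802.1Q tag 200
interface-name=eth0.200
autoconnect=true

[vlan]
# Physical interface the switch trunk port is plugged into (assumption)
parent=eth0
# 802.1Q VLAN ID; must match the tagged VLAN on the switch port
id=200

[ipv4]
# Static address on the IoT segment, as proposed in the thread
method=manual
address1=192.168.2.10/24
# No gateway is given and this connection may never become the default
# route, so the host's own traffic keeps leaving via the local network
never-default=true

[ipv6]
# No IPv6 addressing on the IoT segment
method=disabled
```

With no gateway on this connection and `never-default` set, the host's default route stays on the local network. Whether the host forwards packets between the two networks is a separate kernel setting (`net.ipv4.ip_forward`) and is worth checking once both interfaces are up.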