How to properly set up secure IoT network with Home Assistant

I tried to migrate my IoT devices to a secure wifi network where all devices are isolated from the rest of the network/world but Home Assistant can see the devices in the IoT network. I first tested with one ESPHome device, but such a setup does not work. I assume the devices still need to see Home Assistant as well.
How do I resolve my network setup so that the devices can be isolated but the HA server still works?
In the future, I also want to set up HA access from the outside world using a secure tunnel.

Thanks

You assume correctly

That depends on what your network looks like and what network gear you already have/use. We need to know what you have set up before making recommendations.

It’s a bit difficult to explain if you don’t know exactly what details are needed, but basically HA is connected to a vlan network with a cable. All devices currently operate on a single network, and the goal is to migrate IoT to a secure Wi-Fi network.
IoT wifi is currently isolated with forward reject rule and allow forward from lan. I use OpenWrt. I imagine that it would work if I put HA to the same wifi, but HA says that connecting the server via wifi is actually not recommended.

Might want to watch some videos on how to do this (search for IoT and/or VLAN when on their channel). They may not have the exact instructions for your OpenWRT setup but the principles are the same.

NetworkChuck

Lawrence Systems


Secure your weakest point with a firewall, pfSense or a pro solution. If you put HA out on the internet without a firewall, we can’t talk about security, and HA must be carefully protected for SSH and other gates.
For me the correct scenario is HA + IoT devices inside a blob, with HA accessed from the internet and well protected, the blob sitting downstream of the firewall I was talking about. I didn’t understand your network setup…

I have no expertise in server setup whatsoever, which means I’m not so much looking for information on what to do, but how to do it. As for the network setup, I have a main network and separate IoT and guest. That’s it. In fact, I am very surprised that the HA manuals do not include a comprehensive tutorial on how to securely configure the entire HA IoT network. It should be an inevitable part of the entire HA architecture today.

My HA server and IoT devices are on the same IoT VLAN. I think you want to do the same.

If the HA server and the IoT devices are on the same VLAN (IoT - either wired or wireless), they are isolated from the other VLANs (Main, Guest, etc.). This assumes the VLANs are configured properly and the firewall rules on OpenWRT are correct.

How to secure your network and devices on your network (Main vs Guest vs IoT) is a fairly common task. It is dependent on your network configuration; therefore, it is a network setup and configuration issue and has very little to do with Home Assistant per se. But if you search this forum and YouTube for “Home Assistant Security” you will find some useful info.

How to isolate IoT devices is not a problem. The problem was how to get HA to communicate with the IoT zone. I couldn’t find any really useful information on how to solve my setup and ended up creating a firewall rule that allows forwarding from the IoT zone to the HA IP address, and I also configured the HA wifi directly to the IoT wifi. I have no idea if this is a good or bad solution, or if it is even secure, but for now it looks like HA can see devices in the IoT zone.

That’s true however, I strongly believe that secure setup instructions should at least be part of HA good practice. When you buy a car, you learn how to drive safely, when you buy a gun, you learn how to use it safely. It’s more like an American way of thinking that if you sell a gun it doesn’t matter anymore how the people use them.

You have to understand that the way you set up the network doesn’t depend on HA. It depends on the IoT devices you are using, the direction and protocol of their communication, the network routing device and its software.

It really doesn’t matter whether you are using Home Assistant or another similar system. Guidelines for IoT networking are pretty much the same regardless of the managing software used. And the internet is full of such guides.


This answer confuses me.
You said you wanted the IoT VLAN isolated from accessing the internet (and/or vice versa).
If you add HA with a LAN port to this IoT VLAN, why do you need the firewall forward rule per IoT device to the HA IoT VLAN IP address?
Also, why would you connect the HA Wi-Fi to that same IoT VLAN? And how will you then be able to access HA from, let’s say, the ‘home VLAN’ or even through the HA cloud service for external access?
Or did you mean that you connected HA with LAN to the IoT VLAN and with Wi-Fi to the (home) internet-accessible VLAN?

I am looking to do the same thing. Could use some guidance/recommendations.

  • Sophos XG router
  • Switch that can do VLANs
  • Unifi APs
  • Synology NAS
  • HA running on a VM
  • Cameras

My plan is to move all my IoT devices to their own Wi-Fi.

My issue is how do I get this all set up so that the devices will talk to each other?

Would need Alexa to be able to run with HA and cameras (wired & wireless) to still record to my NAS.

Do I need a VLAN on the switch? How do I isolate the HA on the VM? Do I need IoT Wi-Fi? How do I get them all to talk?

Thanks in advance.

What I did was create a separate IoT network and I simply moved all devices there. They do not know that the outside world exists.
Everything must be there. So it was a little bit of a headache to get HA itself talking to the outside world, but this is mostly a server firewall rules thing. Basically HA is the middleman and the only one who is allowed to talk with everybody.
I personally use OpenWrt, so if you decide to go that route too, it is best to ask people there.

How to Segregate IoT, Security, Guest, and Private Networks While Allowing Communication with Home Assistant

:pushpin: A Beginner’s Guide to VLAN Segmentation for Smart Homes

:bulb: Understanding VLAN Segmentation

A VLAN (Virtual LAN) allows you to separate your devices into isolated networks while still allowing controlled communication where needed. This enhances security, performance, and organization.


:building_construction: Recommended VLAN Setup

Since you have a Sophos XG router, VLAN-capable switch, and Unifi APs, you should create separate VLANs for different device categories:

| VLAN | Purpose | Example Devices | Recommended Subnet |
|---|---|---|---|
| Private (Trusted LAN) | Main devices that need full access & security | PCs, laptops, Home Assistant VM, NAS | 10.10.40.0/24 |
| IoT (Untrusted LAN) | Smart home devices with limited internet & inter-device access | Smart plugs, bulbs, thermostats | 10.10.10.0/24 |
| Security (Cameras & NVRs) | Isolated for security with access only to storage | Cameras, NVR, doorbell cam | 10.10.30.0/24 |
| Guest (Isolated Internet-Only) | For visitors, no access to other devices | Phones, tablets | 10.10.60.0/24 |

:bulb: Your Home Assistant (HA) should stay on the Private VLAN (10.10.40.x) since it acts as the main controller.


:satellite: Wi-Fi & VLANs on Unifi

Since you have Unifi APs, you can create multiple SSIDs and tag them with the appropriate VLANs:

:one: “Home Wi-Fi” → VLAN 40 → Trusted, full access
:two: “IoT Wi-Fi” → VLAN 10 → Restricted, only communicates with HA
:three: “Guest Wi-Fi” → VLAN 60 → Internet-only, no LAN access


:vertical_traffic_light: Getting IoT Devices to Communicate with Home Assistant

Q: “Do I need to put HA on IoT VLAN?”

No! You want HA on the Private VLAN (10.10.40.x), but you need to allow select traffic from IoT VLAN (10.10.10.x) to HA.

:pushpin: Step 1: Configure VLANs on Your Sophos XG Router

You will create VLAN interfaces under your LAN interface and assign each VLAN an IP range.

Example:

  • VLAN 10 (IoT) → 10.10.10.1/24
  • VLAN 30 (Security) → 10.10.30.1/24
  • VLAN 40 (Private) → 10.10.40.1/24
  • VLAN 60 (Guest) → 10.10.60.1/24

:closed_lock_with_key: Step 2: Firewall Rules to Allow IoT to Talk to HA

By default, VLANs should not communicate. You must create firewall rules to allow IoT devices to talk to Home Assistant.

:rocket: Allow IoT VLAN to Access HA (but nothing else)
In Sophos XG Firewall Rules, create:

| Source | Destination | Ports | Action | Purpose |
|---|---|---|---|---|
| 10.10.10.0/24 (IoT) | 10.10.40.21 (HA) | 8123 (HA UI), 5353 (mDNS), 1883 (MQTT) | Allow | Let IoT devices talk to HA |
| 10.10.10.0/24 (IoT) | ANY | * | Deny | Block IoT from accessing Private LAN |

:white_check_mark: This allows IoT devices to talk to HA but prevents them from accessing PCs, NAS, or other private devices.


:earth_americas: Step 3: Allow IoT Discovery with mDNS

Many IoT devices discover HA using mDNS (Multicast DNS). However, mDNS is local to a VLAN and won’t work across VLANs by default.

:wrench: Solution: Enable mDNS Reflector in Sophos XG

  • In Sophos XG, enable avahi-daemon or mDNS Repeater.
  • This lets IoT devices discover HA even when they are on different VLANs.

:hammer_and_wrench: Step 4: Assign VLANs to Switch Ports

Since you have a VLAN-capable switch, configure the ports correctly:

  • Trunk Ports (carry multiple VLANs) → Connects to Router & Unifi APs
  • Access Ports (single VLAN) → IoT devices, Security devices, NAS, etc.

:pushpin: Example VLAN Port Setup:

| Device | VLAN Mode | VLAN ID |
|---|---|---|
| Router to Switch | Trunk | All VLANs |
| Unifi APs | Trunk | 10, 40, 60 |
| Home Assistant VM | Access | 40 |
| IoT Wired Device | Access | 10 |
| NAS | Access | 40 |

:satellite: Step 5: Assign VLANs in Synology NAS & Home Assistant

  • Synology NAS → Put it in Private VLAN (10.10.40.x)
  • Home Assistant VM → Assign Private VLAN (10.10.40.x)

:bulb: If your HA is running in a VM on the NAS, you may need to enable VLAN tagging in the VM settings.


:dart: Final Recap:

  • :white_check_mark: Use VLANs to separate IoT, Private, Security, and Guest devices.
  • :white_check_mark: Put HA in Private VLAN (10.10.40.x) and allow IoT VLAN (10.10.10.x) to talk only to HA.
  • :white_check_mark: Set up VLANs in Unifi for Wi-Fi SSIDs (Home, IoT, Guest).
  • :white_check_mark: Enable mDNS Reflector in Sophos XG to allow IoT discovery.
  • :white_check_mark: Properly configure firewall rules to isolate IoT but allow necessary communication to HA.

:fire: Basic Firewall Rules for VLAN Segmentation in Sophos XG :fire:

(A Beginner’s Guide to Securing IoT & Home Assistant Networks)

Since you’re using Sophos XG, you’ll need firewall rules to properly segregate VLANs while allowing necessary communication (e.g., IoT → Home Assistant).


:pushpin: Step 1: Access Sophos XG Firewall Rules

:one: Log into Sophos XG Admin UI
:two: Go to → Rules & Policies > Firewall Rules
:three: Click “Add Firewall Rule”


:vertical_traffic_light: Step 2: Create Essential Rules

:white_check_mark: Rule 1: Allow IoT Devices to Talk to Home Assistant

  • Source Zone: IoT VLAN (10.10.10.0/24)
  • Destination Zone: Private VLAN (10.10.40.21 - Home Assistant)
  • Services (Ports):
    • 8123 (Home Assistant Web UI)
    • 5353 (mDNS for device discovery)
    • 1883 (MQTT if you use it)
  • Action: Allow
  • Log Traffic? :white_check_mark: (Good for debugging!)

:bulb: This rule allows IoT devices to control smart home services without accessing other private devices.


:no_entry: Rule 2: Block IoT Devices from Everything Else

  • Source Zone: IoT VLAN (10.10.10.0/24)
  • Destination Zone: Private VLAN, Security VLAN, Guest VLAN
  • Services: All
  • Action: Drop/Block
  • Log Traffic? :white_check_mark: (Helps catch misbehaving devices!)

:closed_lock_with_key: This prevents IoT devices from reaching personal computers, NAS, etc.


:white_check_mark: Rule 3: Allow Home Assistant to Talk to IoT Devices

  • Source Zone: Private VLAN (10.10.40.21 - HA)
  • Destination Zone: IoT VLAN (10.10.10.0/24)
  • Services:
    • 5353 (mDNS)
    • 443 / 80 (API Calls)
    • 1883 (MQTT if used)
  • Action: Allow

:bulb: This lets HA control smart devices like lights, switches, thermostats.


:white_check_mark: Rule 4: Allow Private Devices (PCs, Phones) to Access HA

  • Source Zone: Private VLAN (10.10.40.0/24)
  • Destination Zone: Private VLAN (10.10.40.21 - HA)
  • Services: 8123 (HA UI)
  • Action: Allow

:bulb: This allows you to access HA UI from your PC or phone.


:no_entry: Rule 5: Block Guest VLAN from Accessing Anything

  • Source Zone: Guest VLAN (10.10.60.0/24)
  • Destination Zone: Any Internal VLAN
  • Action: Drop/Block
  • Log Traffic? :white_check_mark:

:no_entry_sign: Guests should only get internet access, not access to IoT, security cameras, or HA.


:white_check_mark: Rule 6: Allow Security Cameras to NAS (NVR Storage)

  • Source Zone: Security VLAN (10.10.30.0/24)
  • Destination Zone: NAS VLAN (10.10.40.30 - Synology NAS)
  • Services: NFS, SMB, RTSP
  • Action: Allow

:video_camera: This lets cameras save footage to your NAS/NVR but blocks them from accessing the internet or private network.


:dart: Final Rule Order in Sophos XG

Sophos processes firewall rules in order, so position matters! Arrange rules like this:

| # | Rule Name | Source | Destination | Ports | Action |
|---|---|---|---|---|---|
| :one: | IoT → HA (Allow) | 10.10.10.0/24 | 10.10.40.21 | 8123, 5353, 1883 | :white_check_mark: Allow |
| :two: | IoT → Private, Security, Guest (Block) | 10.10.10.0/24 | 10.10.40.0/24, 10.10.30.0/24, 10.10.60.0/24 | All | :no_entry: Block |
| :three: | HA → IoT (Allow) | 10.10.40.21 | 10.10.10.0/24 | 5353, 443, 1883 | :white_check_mark: Allow |
| :four: | Private → HA (Allow) | 10.10.40.0/24 | 10.10.40.21 | 8123 | :white_check_mark: Allow |
| :five: | Guest → Private, IoT, Security | | | | |

This is basic and where I started with my firewall and rules as well when migrating. It’s a learning journey and if it captures your interest, a major time yanker :slight_smile: Good luck!
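Because Sophos XG evaluates rules top to bottom and stops at the first match, it is worth checking the intended order against a few concrete flows before clicking through the admin UI. The following is an added example, not Sophos code or anything from the post's author: a small first-match evaluator loaded with the rule table above (the trailing implicit default-drop and the port numbers for NFS, SMB and RTSP are my assumptions), which also shows what happens if rule 2 is placed ahead of rule 1.

```python
"""First-match rule-order check for the VLAN plan above (added example).

Models in-order firewall evaluation over the post's rule table so a flow
can be classified as allowed or blocked before it is configured for real.
Addresses and ports are the ones in the post; the final default-drop and
the NFS/SMB/RTSP port numbers are assumptions.
"""
from ipaddress import ip_address, ip_network

IOT, SEC, PRIV, GUEST = ("10.10.10.0/24", "10.10.30.0/24",
                         "10.10.40.0/24", "10.10.60.0/24")
HA, NAS = "10.10.40.21/32", "10.10.40.30/32"
ANY = None  # wildcard: any port

# (name, [source nets], [destination nets], {ports} or ANY, verdict)
RULES = [
    ("IoT -> HA",         [IOT],   [HA],               {8123, 5353, 1883}, "allow"),
    ("IoT -> internal",   [IOT],   [PRIV, SEC, GUEST], ANY,                "block"),
    ("HA -> IoT",         [HA],    [IOT],              {5353, 443, 1883},  "allow"),
    ("Private -> HA",     [PRIV],  [HA],               {8123},             "allow"),
    ("Guest -> internal", [GUEST], [PRIV, IOT, SEC],   ANY,                "block"),
    ("Cameras -> NAS",    [SEC],   [NAS],              {2049, 445, 554},   "allow"),
]

def _in(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)

def verdict(rules, src, dst, port):
    """Return (rule name, action) of the first rule that matches the flow."""
    for name, srcs, dsts, ports, action in rules:
        if _in(src, srcs) and _in(dst, dsts) and (ports is ANY or port in ports):
            return name, action
    return "default", "block"   # assumption: nothing matched -> dropped

if __name__ == "__main__":
    # Constructed sample flows: a bulb, a camera and a guest phone
    flows = [("10.10.10.50", "10.10.40.21", 8123),   # bulb -> HA UI
             ("10.10.10.50", "10.10.40.30", 445),    # bulb -> NAS share
             ("10.10.30.5", "10.10.40.30", 554),     # camera -> NAS RTSP
             ("10.10.60.7", "10.10.40.21", 8123)]    # guest phone -> HA
    for flow in flows:
        print(flow, "->", verdict(RULES, *flow))
    # Rule 2 moved ahead of rule 1: IoT -> HA now hits the block rule first
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print("swapped order:", verdict(swapped, "10.10.10.50", "10.10.40.21", 8123))
```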


Interesting. I decided that the exact opposite was actually easier (and maybe a bit safer). But is there an actual difference?

Thank you for the extensive response. I will read and digest this to make sure I understand it.

A few questions on the setup.

  1. I use static IPs for all devices. When moving my cameras to the Security VLAN, I assume I need to manually change the static IPs?
  2. My Unifi APs are on my private network with a static IP. What do I do with them and which VLAN should they belong to?
  3. How do I enable mDNS Reflector in Sophos?

I tried creating an isolated IoT network but gave it up because the equipment I used was too cheap and not compatible. But my understanding was the same: put your HA on your private VLAN, not on IoT.

One of the reasons is that you want to protect your HA from being hacked by IoT devices. But… this can be done by the FW anyway, so it really doesn’t matter.

Another thing could be to have two or more IoT networks, just to indicate how complex these things can be and how much “it depends”.
E.g.:
  • One network where IoT devices can only talk to HA
  • One network where IoT devices can talk to HA and other IoT devices on the same NW
  • One network where IoT devices can talk to HA and the internet
  • Etc…

As I have very chatty IoT devices, decreasing network congestion was my main reason to start isolating, and I remember my process was like this:

  1. create isolated vlan (iot and priv) using different SSID and WiFi channels
  2. place ha in priv
  3. allow all traffic from iot to ha
  4. allow all traffic from ha to iot
  5. allow all traffic from priv to iot
  6. allow mdns from iot to priv

This is kind of a basic setup, I think, where steps 3-5 might not be very granular, but it is a first simple setup.

But not having compatible equipment and mainly based only on different custom FW and cheap managed switches I gave it up after hours of work…

Thank you for sharing this post.
I have 2 doubts:
  1. I use a SMLIGHT Zigbee coordinator for Zigbee sensors, connected via a data cable. Where should I connect this cable on the managed switch?
  2. Similarly, I use a Z-Wave coordinator for Z-Wave relays. Where should this data cable be connected on the managed switch?

This is a really thorough guide, thank you @sliptdisk. I am part way there using my own logic of what should be able to access what using a full TP-Link Festa setup which consists of an FR365 Gateway, 3 FS308GP switches and 2 F65 APs.

The Festa system separates Network Security into Gateway ACL, Switch ACL and EAP ACL.

At the Gateway level, I can setup the “global” rules between my Private, IoT and Guest LANs.

I have to use the Switch level to be able to specify the IP address (or MAC address, which I have used) of my HA server:

This all seems to work for Home Assistant. I created a second Switch rule because I thought about placing my Squeezebox Touch and Radio on the IoT VLAN by binding the switch ports they are connected to to the IoT VLAN and then allowing those ports access to the NAS box running Lyrion Media Server, but that didn’t work.

Rule preference is determined by their order, and rules can be dragged and dropped to change the order; however, what I am not clear on is whether a Switch rule takes precedence over a Gateway rule. Do you have any experience with the Festa system?

Lastly, I’m wondering why you suggested creating Rule 3, since the Private VLAN has full access to the IoT VLAN, and Rule 4, since those devices are in the same VLAN and so can access each other anyway?