I tried to migrate my IoT devices to a secure wifi network where all devices are isolated from the rest of the network/world but Home Assistant can see the devices in the IoT network. I first tested with one ESPHome device, but such a setup does not work. I assume the devices still need to see Home Assistant as well.
How do I resolve my network setup so that the devices can be isolated but the HA server still works?
In the future, I also want to set up HA access from the outside world using a secure tunnel.
It's a bit difficult to explain if you don't know exactly what details are needed, but basically HA is connected to a VLAN network with a cable. All devices currently operate on a single network, and the goal is to migrate IoT to a secure Wi-Fi network.
IoT Wi-Fi is currently isolated with a forward reject rule and allow forward from lan. I use OpenWrt. I imagine that it would work if I put HA on the same Wi-Fi, but HA says that connecting the server via Wi-Fi is actually not recommended.
Might want to watch some videos on how to do this (search for IoT and/or VLAN when on their channel). They may not have the exact instructions for your OpenWRT setup but the principles are the same.
Secure your weakest point with a firewall, pfSense or a pro solution. If you expose HA to the internet without a firewall, we can't talk security. And HA must be carefully protected for SSH and other gates.
For me the correct scenario is HA + IoT devices inside a blob, HA accessed from the internet and well protected, the blob downstream of the firewall I was talking about. I didn't understand your network setup…
I have no expertise in server setup whatsoever, which means I'm not so much looking for information on what to do, but how to do it. As for the network setup, I have a main network and separate IoT and guest. That's it. In fact, I am very surprised that the HA manuals do not include a comprehensive tutorial on how to securely configure the entire HA IoT network. It should be an inevitable part of the entire HA architecture today.
My HA server and IoT devices are on the same IoT VLAN. I think you want to do the same.
If the HA server and the IoT devices are on the same VLAN (IoT - either wired or wireless), they are isolated from the other VLANs (Main, Guest, etc.). This assumes the VLANs are configured properly and the firewall rules on OpenWRT are correct.
How to secure your network and the devices on your network (Main vs Guest vs IoT) is a fairly common task. It is dependent on your network configuration; therefore, it is a network setup and configuration issue and has very little to do with Home Assistant per se. But if you search this forum and YouTube for "Home Assistant Security" you will find some useful info.
How to isolate IoT devices is not a problem. The problem was how to get HA to communicate with the IoT zone. I couldn't find any really useful information on how to solve my setup and ended up creating a firewall rule that allows forwarding from the IoT zone to the HA IP address, and I also connected the HA Wi-Fi directly to the IoT Wi-Fi. I have no idea if this is a good or bad solution, or if it is even secure, but for now it looks like HA can see devices in the IoT zone.
That's true; however, I strongly believe that secure setup instructions should at least be part of HA good practice. When you buy a car, you learn how to drive safely; when you buy a gun, you learn how to use it safely. It's more like an American way of thinking that if you sell a gun it doesn't matter anymore how people use it.
You have to understand that the way you set up the network doesn't depend on HA. It depends on the IoT devices you are using, the direction and protocol of their communication, the network routing device and its software.
It really doesn't matter whether you are using Home Assistant or another similar system. Guidelines for IoT networking are pretty much the same regardless of the managing software used. And the internet is full of such guides.
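The setup described in this thread (an IoT zone with forward rejected, lan allowed to forward into it, and a narrow exception letting IoT devices reach only the Home Assistant host) expressed as an OpenWrt /etc/config/firewall fragment. This is an added example, not the poster's configuration: the zone and interface names, the HA address 192.168.1.10 and the port list are assumptions to be replaced with your own values, and the wan zone and lan-to-wan forwarding that a normal router config also carries are left out.

```uci
# /etc/config/firewall  (added example; names, addresses and ports are assumptions)

# Trusted LAN VLAN where the HA server is cabled in.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# IoT VLAN: the router rejects traffic aimed at itself, and nothing is
# forwarded out of this zone unless a rule below allows it.
config zone
	option name 'iot'
	list network 'iot'          # assumed name of the IoT VLAN interface
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# lan -> iot is allowed. Replies ride back on connection tracking, so HA
# can open connections to the devices without any iot -> lan rule.
config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices still need DHCP and DNS from the router itself.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# The narrow exception from the thread: devices in the IoT zone may
# initiate connections to the Home Assistant host only, on listed ports
# only. 192.168.1.10 is a placeholder for HA's address on the lan VLAN;
# 1883 (an MQTT broker on the HA host) and 8123 (the HA web API) are
# assumptions, so trim the list to what your devices actually connect to.
config rule
	option name 'Allow-IoT-to-HA'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '1883 8123'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart`. Because the iot zone has no forwarding entry to lan or wan, every IoT flow other than the two rules above is rejected; the check worth running afterwards is that a device on the IoT Wi-Fi can reach the HA address on the listed ports but not any other lan host or the internet. Devices that only accept connections from HA (rather than dialling out to it) need nothing beyond the lan-to-iot forwarding, so the iot-to-HA rule can be narrowed further or dropped if none of your devices initiate traffic.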
This answer confuses me.
You said you wanted the IoT VLAN isolated from accessing the internet (and/or vice versa).
If you add HA with lan port to this IoT vlan, why do you need the firewall forward rule per IoT devices to the HA IoT vlan IP address?
Also, why would you connect the HA Wi-Fi to that same IoT VLAN? And how will you then be able to access HA from, let's say, the "home VLAN" or even through the HA cloud service for external access?
Or did you mean that you connected HA with LAN to the IoT vlan and with wifi to the (home)internet accessible vlan?
What I did was set up a separate IoT network and I simply moved all devices there. They do not know that the outside world exists.
Everything must be there. So it was a little bit of a headache to get HA itself talking to the outside world, but this is mostly a server firewall rules thing. Basically HA is the middleman and the only one who is allowed to talk with everybody.
I personally use OpenWrt so when you decide to go also that route it is best to ask people there.