How to properly set up secure IoT network with Home Assistant

I tried to migrate my IoT devices to a secure wifi network where all devices are isolated from the rest of the network/world but Home Assistant can see the devices in the IoT network. I first tested with one ESPHome device, but such a setup does not work. I assume the devices still need to see Home Assistant as well.
How do I resolve my network setup so that the devices can be isolated but the HA server still works?
In the future, I also want to set up HA access from the outside world using a secure tunnel.

Thanks

You assume correctly

That depends on what your network looks like and what network gear you already have/use. We need to know what your setup is before recommendations.

It’s a bit difficult to explain if you don’t know exactly what details are needed, but basically HA is connected to a VLAN network with a cable. All devices currently operate on a single network, and the goal is to migrate IoT to a secure Wi-Fi network.
IoT wifi is currently isolated with a forward reject rule and allow forward from lan. I use OpenWrt. I imagine that it would work if I put HA on the same wifi, but HA says that connecting the server via wifi is actually not recommended.

Might want to watch some videos on how to do this (search for IoT and/or VLAN when on their channel). They may not have the exact instructions for your OpenWRT setup but the principles are the same.

NetworkChuck

Lawrence Systems


Secure your weakest point with a firewall, pfSense or a pro solution. If you take HA out to the inet without a fw, we can’t talk security. And HA must be carefully protected for ssh and other gates.
For me the correct scenario is HA + IoT devices inside a blob, HA accessed from the inet and well protected, the blob downstream of the fw I was talking about. I didn’t understand your network setup…

I have no expertise in server setup whatsoever, which means I’m not so much looking for information on what to do, but how to do it. As for the network setup, I have a main network and separate IoT and guest. That’s it. In fact, I am very surprised that the HA manuals do not include a comprehensive tutorial on how to securely configure the entire HA IoT network. It should be an inevitable part of the entire HA architecture today.

My HA server and IoT devices are on the same IoT VLAN. I think you want to do the same.

If the HA server and the IoT devices are on the same VLAN (IoT - either wired or wireless), they are isolated from the other VLANs (Main, Guest, etc.). This assumes the VLANs are configured properly and the firewall rules on OpenWRT are correct.

How to secure your network and devices on your network (Main vs Guest vs IoT) is a fairly common task. It is dependent on your network configuration; therefore, it is a network setup and configuration issue and has very little to do with Home Assistant per se. But if you search this forum and YouTube for “Home Assistant Security” you will find some useful info.

How to isolate IoT devices is not a problem. The problem was how to get HA to communicate with the IoT zone. I couldn’t find any really useful information on how to solve my setup and ended up creating a firewall rule that allows forwarding from the IoT zone to the HA IP address, and I also configured the HA wifi directly to the IoT wifi. I have no idea if this is a good or bad solution, or if it is even secure, but for now it looks like HA can see devices in the IoT zone.
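The OpenWrt rules described in the post above, written out as a `/etc/config/firewall` fragment. This is an added example, not the poster’s actual config: the zone names `lan` and `iot`, the constructed HA address 192.168.1.10 (HA wired on the main LAN) and the single HA port 8123 are assumptions.

```uci
# Added example fragment of /etc/config/firewall (not the poster's config).
# Assumed: IoT VLAN interface is 'iot', main LAN is 'lan',
# Home Assistant's wired address on lan is 192.168.1.10 (constructed).

# IoT zone: devices may not reach the router or be forwarded anywhere
# by default. No forwarding to 'wan' and no 'masq', so no internet.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# HA (and anything else on lan) may initiate connections to IoT devices,
# e.g. the ESPHome native API. Conntrack lets the replies return.
config forwarding
	option src 'lan'
	option dest 'iot'

# Device-initiated traffic is allowed only to the HA host, not the
# whole lan zone, and only on the port HA listens on (8123 assumed;
# add the port of each integration that needs devices to call in).
config rule
	option name 'Allow-IoT-to-HA'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '8123'
	option target 'ACCEPT'

# With input REJECT the devices still need DHCP and DNS from the router.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart` and verify from an IoT client that the HA address answers while other lan hosts and the internet do not.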

That’s true; however, I strongly believe that secure setup instructions should at least be part of HA good practice. When you buy a car, you learn how to drive safely; when you buy a gun, you learn how to use it safely. It’s more like an American way of thinking that if you sell a gun it doesn’t matter anymore how the people use them.

You have to understand that the way you set up the network doesn’t depend on HA. It depends on the IoT devices you are using, the direction and protocol of their communication, and the network routing device and its software.

It really doesn’t matter whether you are using Home Assistant or another similar system. Guidelines for IoT networking are pretty much the same regardless of the managing software used. And the internet is full of such guides.


This answer confuses me.
You said you wanted the IoT VLAN isolated from accessing the internet (and/or vice versa).
If you add HA with a LAN port to this IoT VLAN, why do you need the firewall forward rule per IoT device to the HA IoT VLAN IP address?
Also, why would you connect the HA wifi to that same IoT VLAN? And how will you then be able to access HA from, let’s say, the ‘home VLAN’, or even through the HA cloud service for external access?
Or did you mean that you connected HA with LAN to the IoT VLAN and with wifi to the (home) internet-accessible VLAN?