How to set up a double router? (Noob)

Hi All,

I’m trying to set up an HA system. It seems that good security hygiene says that you should have your sensitive devices (PCs, tablets, etc.) on a different LAN/subnet from your Internet-of-Things devices, so they can’t spy on broadcast traffic. The simplest solution (which I have now) is to connect a second router to my primary one, and hang IoT devices off it. It looks like this:

ISP-Modem->Router1 (192.168.1.1)
Router 1 lan ports -> PC1, PC2, Router2’s WAN port (192.168.1.100, but internal address of 192.168.0.1)
Router2 lan ports -> HA device, Device2, Device3, etc. (w/ addresses of 192.168.0.x).

Right now, all devices can see the internet, but no devices off Router1 can see devices off Router2 and vice versa.

This is very secure, but also inconvenient. Since the HA device can’t see my PCs (phones, tablet), it can’t send them notifications and they can’t control it directly. I can get around this through some cloud-services, but it also means that HA can’t get statuses from those devices. What I’d really like is either:

  1. Keep HA device on Router2, but somehow allow it to see everything on Router1 (but do not allow anything else on Router2 to see anything on Router1).

OR

  2. Move Home Automation Manager to Router1, let it see everything on Router2, but only let devices on Router2 see the Home Automation Manager, not anything else on Router1.

Do you know of any way to do this? I wasn’t sure how to set up port-forwarding, NAT, etc., so this happens?

(Another option is to have all PCs off Router2 and all IoT things off Router1, if this makes it easier. But I still wasn’t sure how to make it work).

Any ideas? I’ve searched the net for this, but there are so many permutations, and very few have the needs of an HA system.

Many thanks.


What routers do you have?

Thanks, that would be helpful. I have a Linksys EA8300 and a TP-Link Archer 59. I can flash the TP-Link with DD-WRT firmware, but the Linksys won’t take anything but the native firmware. Currently, they are both working with the native firmware. Thanks.

Router 2 devices should have no problem seeing router 1 devices because of the routing involved here. I recommend against a double router setup and recommend getting proper network gear if you want to segment off your traffic.


Right. Router2 devices can see Router1, but they can’t see devices on Router1. 1) Is there a way to make some of those devices visible? 2) What is the proper gear? Sorry, I know very little about networking…

Router2 can’t be a router in this scenario. A routing domain can’t have two routers sharing the same subnet 192.168.0.0/24. This is called a duplicate route, it is not allowed. So you will need to turn routing off on Router2 making it a switch. It’s basically the same as two cities having the same Zip code. How is USPS to know which city you mean?

To do routing the devices on Router2 LAN need to be a different subnet and Router1 will need a static route to point back to it, and/or you need to NAT the devices on Router2.

But you should be aware that a lot of IoT functions rely on broadcasts. UPnP, Bonjour, HA Discovery will need it, so at a minimum you would probably want to dual-home your HA server, or give up on those features.

So, just to update, I ended up having two domains (192…) and (10.1…). The IoT devices live on 192…, my personal devices and HA live on 10.1… I have a routing rule on the 10.1 router that says that everything in the 192 domain should be sent to the 192 router. This means that HA can see all the IoT devices, but they can’t see (w/o first being queried) HA or any other personal devices. So far, it seems to work. Does this seem OK to you? Thanks.

As was mentioned earlier, a lot of discovery protocols that IoT devices use for HA to discover them transmit “link local multicast” and “link local” means they are confined to the subnet they originate from and routers are not allowed to route them to another subnet, so you should have HA on the same subnet as your IoT devices. I would recommend putting HA on the 10.1 along with your other IoT devices, and keep all your others on 192 subnet.

The other item to bring up is NAT. I would lean towards turning it off on Router2 and let Router2 just do pure routing. It will make it easier to initiate connections from 192 subnet to the 10.1 subnet.
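For anyone wanting the concrete configuration behind the last two posts (the static route on the personal-LAN router, NAT out of the way on the IoT router, and IoT devices able to reach only the HA host), here is an added worked example. It is not from any poster in this thread; it is written for a DD-WRT Router2 (the TP-Link, per the OP) and a stock-firmware Router1 whose static route is entered through its UI. Every address, port and interface name (10.1.1.0/24, 192.168.0.0/24, 10.1.1.2, 10.1.1.10, ports 1883/8123, br0, eth0) is an assumption chosen to match the OP's "10.1 / 192" layout, and `iot_policy` is a chain name I made up. Run it with no argument to print the commands; `apply` runs only the Router2 part for real.

```shell
#!/bin/sh
# Added example, not from the thread. Two-subnet layout:
#   Router1 (stock firmware)  LAN = personal devices + HA server  (PERSONAL_NET)
#   Router2 (DD-WRT)          LAN = IoT devices                   (IOT_NET)
# Router2's WAN port is a host on Router1's LAN at IOT_ROUTER_WAN.
# All addresses, ports and interface names below are assumptions.
PERSONAL_NET="10.1.1.0/24"
IOT_NET="192.168.0.0/24"
IOT_ROUTER_WAN="10.1.1.2"
HA_HOST="10.1.1.10"
HA_PORTS="1883,8123"        # assumed: MQTT broker and HA web API on the HA host
LAN_IF="br0"                # DD-WRT LAN bridge
WAN_IF="eth0"               # DD-WRT WAN interface; differs by model
RUN="echo"                  # dry run by default; set to "" to apply on Router2

# Router1: one static route so that replies to 192.168.0.x are sent to Router2
# rather than out to the ISP. On stock firmware this goes in the UI's
# static-route page; the command is shown for reference only.
router1_static_route() {
  $RUN ip route add "$IOT_NET" via "$IOT_ROUTER_WAN"
}

# Router2: exempt traffic toward the personal LAN from masquerading, so hosts
# there see real IoT addresses (the "pure routing" suggested above). Internet-
# bound IoT traffic stays NATed in case Router1 refuses to NAT a source subnet
# that is not its own LAN.
router2_nat_exemption() {
  $RUN iptables -t nat -D POSTROUTING -o "$WAN_IF" -d "$PERSONAL_NET" -j ACCEPT 2>/dev/null
  $RUN iptables -t nat -I POSTROUTING 1 -o "$WAN_IF" -d "$PERSONAL_NET" -j ACCEPT
}

# Router2 forwarding policy, evaluated top to bottom:
#   replies to connections already open      -> accept (stateful)
#   personal LAN -> IoT LAN, new connections -> accept
#   IoT LAN -> HA host on HA_PORTS           -> accept
#   IoT LAN -> anything else on personal LAN -> drop
#   IoT LAN -> Internet                      -> falls through to DD-WRT defaults
# Nothing here forwards 224.0.0.251 (mDNS) or 239.255.255.250 (SSDP): link-local
# multicast is never routed, so auto-discovery still needs HA on the IoT subnet.
router2_forward_policy() {
  $RUN iptables -N iot_policy 2>/dev/null
  $RUN iptables -F iot_policy
  $RUN iptables -A iot_policy -m state --state ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -A iot_policy -i "$WAN_IF" -o "$LAN_IF" -s "$PERSONAL_NET" -d "$IOT_NET" -j ACCEPT
  $RUN iptables -A iot_policy -i "$LAN_IF" -o "$WAN_IF" -s "$IOT_NET" -d "$HA_HOST" \
        -p tcp -m multiport --dports "$HA_PORTS" -j ACCEPT
  $RUN iptables -A iot_policy -i "$LAN_IF" -o "$WAN_IF" -s "$IOT_NET" -d "$PERSONAL_NET" -j DROP
  $RUN iptables -A iot_policy -j RETURN
  $RUN iptables -D FORWARD -j iot_policy 2>/dev/null   # keep re-runs idempotent
  $RUN iptables -I FORWARD 1 -j iot_policy
}

case "${1-dry-run}" in
  dry-run) router1_static_route; router2_nat_exemption; router2_forward_policy ;;
  apply)   RUN=""; router2_nat_exemption; router2_forward_policy ;;
esac
```

On DD-WRT the two `router2_*` functions belong in the firewall script (Administration → Commands, saved as firewall), so they are reapplied whenever the firewall restarts. The order inside `iot_policy` matters: the HA-host allow must precede the catch-all drop, and the stateful accept must come first so that an IoT device can answer a connection the HA server opened to it without being able to open one of its own.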

Thanks. Right now, I’ve got everything working, although I take your point. I’m just starting to experiment with MQTT (no luck w/ the RTL_433 Bridge thus far), and I see how this will just not work without the devices in the same subnet. Thanks.