IOT isolated network, unable to change network settings from system/network tab

I have all my automation devices on a separate IOT WiFi network, which I have isolated from my main network. This is best practice from a security standpoint. I want to put my RPi/HA on this IOT network, set a static IP address and add a VLAN tag on Eth0, and access it from my main network after adding a firewall rule to allow access. I made the firewall changes, and here’s what I found:

  1. Set up the RPi/HA and plugged it into my main ethernet network. HA found all kinds of devices on my main network that I didn’t want to be found. I successfully integrated devices from my IOT network. I tried making changes to the Eth0 settings to put it onto the IOT network, but was not allowed.

  2. Starting from a fresh config, adding a display and keyboard and NOT connecting to any network: from the ha> prompt I typed login to get to the # prompt. From here I used nmcli commands to add the IOT IP address for my RPi and add the VLAN tag. The new network with the new IP address and VLAN tag and the original Eth0 one show up with the “nmcli con show” command. I plugged this in to my main ethernet network and found that HA still found all my main network devices. Once again I was able to use the ‘integrate’ function to add my IOT devices. From the HA main page, I went to system / network and saw both the main Eth0 and Eth0.VLAN networks were there and active. Eth0 had obtained an IP from my main DHCP server, and the Eth0.VLAN showed the IP address and VLAN tag that I had assigned. I tried to set Eth0 to ‘disabled’ but was not allowed. This still wasn’t isolated from my main network, so I tried again.

  3. Starting from a fresh install and completing all the steps above, but before plugging in to my main network: I was still at the # command line. I tried to disable the original eth0 network with the “nmcli con down ‘Eth0 name’” command, but since this network was never connected, I couldn’t do this. I connected the RPi ethernet to my laptop just so it was connected to something. The RPi was now trying to get an IP address from a DHCP server which wasn’t there. Now the “nmcli con show” command showed Eth0 in orange type (green is connected). Now the “nmcli con down ‘Eth0 name’” command executed successfully and “nmcli con show” displayed it as such. I rebooted, plugged this into my ethernet and waited for HA to do its initial setup. It still found all my main network devices, and system/network showed Eth0 as active with an IP address it had obtained from my DHCP server. Once again, I was unable to disable Eth0.

I’m out of ideas. I’m just trying to follow best network practice by isolating all my automation devices, including the RPi/HA, on a separate IOT network. Any / all help appreciated! Please correct anything I’ve overlooked or mistakes I’ve made. I’m really not interested in a discussion of best network practices, but just want to do something that could be simpler.

Thanks, and Best Regards to all!

I’m very confused. You appear to be trying to isolate the HA device… from within the HA device. That makes no sense. If a device on your network gets to decide what it can and cannot see for itself then something is very flawed.

Go to your router/switch. In the router/switch have it assign the port HA is using to a VLAN. Configure your firewall to say what that VLAN is and isn’t allowed to see. Then just plug HA in.

If HA is able to see things it shouldn’t be able to see then either you’ve assigned HA to the wrong VLAN or your firewall is configured incorrectly; neither of those things should be configured from within a client device like whatever you’re using for HA.

Like, think about the implications of being able to change this kind of stuff from the HA machine. The whole point of an isolated IOT network is that if a device gets hacked or malicious software is installed and the device becomes a threat, it is isolated so the damage it can do is limited. If you’re able to change what parts of your network can be seen from that device itself then the IOT network is entirely pointless. If you can do it then so can something malicious, so it’s not really isolated at all.


Thanks for your frank comments. I repeated my step #3 above and it worked as I wanted. I must have missed something. When I plugged the RPi in, it was on my IOT network and found nothing from my main network. I integrated my HA devices successfully. Eth0 shows as disabled and all communication is through the network the system labeled as Eth0.30 (my VLAN ID). I opened my firewall to allow only the RPi IP address. Access is directly through the RPi IP address. ‘homeassistant.local:8123’ does not work for access, nor should it.

Best Regards
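
An added example (not from the thread, and not Home Assistant’s own code) of the host-side check that separates the poster’s step 2 outcome from the final one: given the terse output of `nmcli -t -f NAME,TYPE,DEVICE,STATE connection show` and `ip -o -4 addr show` taken at the `#` prompt, it reports anything that contradicts the target state (untagged eth0 profile down, eth0.30 the only active profile, no IPv4 address on the untagged parent, VLAN address inside the IoT subnet). The profile name “Supervisor eth0”, the addresses, the 192.168.30.0/24 subnet and VLAN ID 30 in the samples are constructed/assumed; the VLAN still has to be assigned at the switch port and firewall as the reply says, this only verifies what the host ended up with.

```python
"""Offline check: is this host on the IoT VLAN only?

Parses constructed copies of the output of two commands run as root on the
Home Assistant host:

    nmcli -t -f NAME,TYPE,DEVICE,STATE connection show
    ip -o -4 addr show

Profile names, addresses, subnet and VLAN ID below are assumptions, not
values from the thread."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Conn:
    name: str
    ctype: str   # nmcli TYPE, e.g. "802-3-ethernet" or "vlan"
    device: str  # empty when the profile is not active
    state: str   # "activated", "activating", or empty/"--" when inactive

    @property
    def active(self) -> bool:
        return self.state in ("activated", "activating")


def parse_nmcli(text: str) -> list[Conn]:
    """Parse terse nmcli output; terse mode escapes ':' inside values as '\\:'."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        fields += [""] * (4 - len(fields))
        conns.append(Conn(*fields[:4]))
    return conns


def parse_ip_addr(text: str) -> dict[str, list[ipaddress.IPv4Interface]]:
    """Parse `ip -o -4 addr show` into {ifname: [IPv4Interface, ...]}."""
    addrs: dict[str, list[ipaddress.IPv4Interface]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "inet":
            continue
        addrs.setdefault(parts[1], []).append(ipaddress.ip_interface(parts[3]))
    return addrs


def check_isolation(nmcli_text: str, ip_text: str, parent: str = "eth0",
                    vlan_id: int = 30, iot_net: str = "192.168.30.0/24") -> list[str]:
    """Return a list of problems; an empty list means the host lives on the IoT VLAN only."""
    net = ipaddress.ip_network(iot_net)
    vlan_dev = f"{parent}.{vlan_id}"
    conns = parse_nmcli(nmcli_text)
    addrs = parse_ip_addr(ip_text)
    problems: list[str] = []

    # 1. The untagged ethernet profile must not be active on the parent interface.
    for c in conns:
        if c.ctype == "802-3-ethernet" and c.device == parent and c.active:
            problems.append(f"untagged profile '{c.name}' is still active on {parent}")
    # 2. Exactly one active VLAN profile bound to parent.vlan_id.
    vlan_active = [c for c in conns if c.ctype == "vlan" and c.device == vlan_dev and c.active]
    if len(vlan_active) != 1:
        problems.append(f"expected one active VLAN profile on {vlan_dev}, found {len(vlan_active)}")
    # 3. No IPv4 on the untagged parent (a DHCP lease there means the main LAN is reachable).
    for a in addrs.get(parent, []):
        problems.append(f"{parent} still holds {a} (probably a lease from the main LAN's DHCP server)")
    # 4. The VLAN sub-interface has an address, and it is inside the IoT subnet.
    vlan_addrs = addrs.get(vlan_dev, [])
    if not vlan_addrs:
        problems.append(f"{vlan_dev} has no IPv4 address")
    for a in vlan_addrs:
        if a.ip not in net:
            problems.append(f"{vlan_dev} address {a} is outside the IoT subnet {net}")
    return problems


# Constructed sample: the poster's final state (untagged profile down, only eth0.30 up).
GOOD_NMCLI = """Supervisor eth0:802-3-ethernet::
eth0.30:vlan:eth0.30:activated
"""
GOOD_IP = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
3: eth0.30    inet 192.168.30.10/24 brd 192.168.30.255 scope global eth0.30\\       valid_lft forever preferred_lft forever
"""

# Constructed sample: the poster's step 2 (both profiles up, eth0 got a lease from the main LAN).
BAD_NMCLI = """Supervisor eth0:802-3-ethernet:eth0:activated
eth0.30:vlan:eth0.30:activated
"""
BAD_IP = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.57/24 brd 192.168.1.255 scope global dynamic eth0\\       valid_lft 86213sec preferred_lft 86213sec
3: eth0.30    inet 192.168.30.10/24 brd 192.168.30.255 scope global eth0.30\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    for label, (n, i) in {"final state": (GOOD_NMCLI, GOOD_IP),
                          "step 2 state": (BAD_NMCLI, BAD_IP)}.items():
        probs = check_isolation(n, i)
        print(f"{label}: {'isolated' if not probs else 'NOT isolated'}")
        for p in probs:
            print("  -", p)
```

On a real host, feed it the two command outputs after the reboot and before plugging the cable into the switch, then again after: if `eth0` acquires a lease once connected, the profile came back up and the switch port is handing the untagged LAN to the host, which is exactly the condition the reply says should be fixed on the switch/router side rather than on the host.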