IoT-only wifi network

I am reading more and more about wifi IoT device vulnerabilities. For example, about gaining access to your wifi because of connected ESP devices, see sources here and here.

I now have 4 ESPHome devices and 2 webcams connected to my normal “non-guest” wifi network.

My plan is to make a completely separate IoT-only wifi network with its own SSID, password and channel, and no connection to the Internet or other network devices (other than Hass, which is connected to everything).

My router is a TP-Link Archer C3200; can I just plug in a Ubiquiti UniFi access point?
Do you guys think this is a good approach, and what hardware/setup would you recommend?

Hi Mathijs,

I switched to a separate network for my IoT recently as well. I use a different VLAN for that now and only HA has got access to them. You need to set up 2 VLANs and the firewall rules to do this.

I use an older PicoStation M2 for my IoT network. This is because I only need a 2.4 GHz network for IoT (most devices don’t work with 5 GHz).
The PicoStation has the IoT VLAN set up and is connected to an EdgeRouter X SFP. For my personal network I’m using a UniFi AP Lite.

Maybe this video can give you an idea of the things you have to account for:
Setup IoT VLANs and Firewall Rules

Good luck!


Ok. So I just did the same trick and here is what I learned: you want a separate network with different IP addresses. In my case I chose to create VLANs and then, with my UniFi setup, wifi on the separate VLAN. (If your router can’t do VLANs you will need 3 normal routers …)

Then I didn’t want my hass.io to be on my “personal network” because it’s open on the internet.

So right now I have two wifi:

  • The first one is my personal one with my phone, TVs, Google Home and computer (I chose to keep the TV and Google Home on the personal network so I could still cast music and video content to them)

  • The second one is my “home automation” one, and on this one I have all my other IoT and my Hass.io

Everything is great except when Hass.io needs to access my personal devices: I made some rules in my firewall to allow specific devices but some things still don’t work: my Google Home can’t be discovered by Home Assistant, I had to specify their IP addresses manually, and my iPhone third-party integration for presence detection did not work (I use something else now …)

Hope this helps you; if you have any questions, I’m here.

I think the cost of 1 simple 5-port EdgeRouter will be far less expensive and less complicated than having 3 normal routers.
With regards to your Chromecast, you need to be able to enable mDNS and repeat it across the VLAN interfaces.

This is a good video to watch
https://youtu.be/6ElI8QeYbZQ

I recently did the same, basically this:

  • Moved IoT to a new SSID with its own VLAN/subnet, ORANGE
  • Allowed connectivity from ORANGE to the internet; internal network GREEN to ORANGE allowed statefully; ORANGE to GREEN initiated connections not permitted
  • WiFi client isolation on ORANGE and Layer 2 client isolation on the ORANGE switch VLAN
  • As I didn’t want to have to port forward ORANGE to GREEN for all the IoT stuff, I gave HA a second NIC in the ORANGE subnet to talk to IoT devices, and locked down all IoT traffic in and out of that interface.

It all went relatively smoothly surprisingly.
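The policy described in the post above (GREEN may open connections to ORANGE and the Internet, ORANGE may only reach the Internet, ORANGE-initiated traffic toward GREEN is dropped) can be checked against sample flows before it is typed into a router. The following is an added example for this thread, not code from any of the posters or from EdgeOS/UniFi: it models a default-drop forward chain with connection tracking, walks constructed packets through it, and renders an equivalent nftables ruleset. The subnets (192.168.1.0/24 for GREEN, 192.168.20.0/24 for ORANGE), interface names (eth0.1, eth0.20, eth1) and host addresses are assumptions made up for the example. It also covers the mDNS point raised earlier in the thread: multicast to 224.0.0.251 is not routed at all, which is why discovery of Google Home or Chromecast across VLANs needs an mDNS repeater rather than a firewall rule.

```python
"""Stateful inter-VLAN policy check for a GREEN (trusted) / ORANGE (IoT) split.

Added example for this thread; not code from any poster. Subnets, interface
names and host addresses below are constructed assumptions, not the authors'.
"""
import ipaddress

# Assumed addressing: GREEN = personal LAN, ORANGE = IoT VLAN (constructed).
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.20.0/24"),
}
# Assumed router interface names, used only when rendering the nftables rules.
IFACES = {"GREEN": "eth0.1", "ORANGE": "eth0.20", "WAN": "eth1"}


def zone_of(ip):
    """Map an address to a zone; anything not local and not multicast counts as WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if addr.is_multicast:
        return "MULTICAST"
    return "WAN"


# New connections the router may forward, as (source zone, destination zone).
# ("ORANGE", "GREEN") is deliberately absent: IoT devices never initiate toward
# personal devices; only replies to GREEN-initiated flows get back through.
ALLOW_NEW = {("GREEN", "ORANGE"), ("GREEN", "WAN"), ("ORANGE", "WAN")}


class Firewall:
    """Minimal model of a default-drop forward chain with connection tracking."""

    def __init__(self):
        self.flows = set()  # accepted 4-tuples, like confirmed conntrack entries

    def packet(self, src, sport, dst, dport):
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            # Same VLAN: the router never sees it. Isolation between IoT devices
            # is an AP/switch client-isolation setting, not a firewall rule.
            return "bypass"
        if (dst, dport, src, sport) in self.flows:
            return "accept"  # reply to an accepted flow (ct state established)
        if dst_zone == "MULTICAST":
            # mDNS (224.0.0.251:5353) is link-local multicast and is not routed;
            # cross-VLAN discovery needs an mDNS repeater/reflector, not a rule here.
            return "drop"
        if (src_zone, dst_zone) in ALLOW_NEW:
            self.flows.add((src, sport, dst, dport))
            return "accept"
        return "drop"


def render_nft():
    """Emit an nftables ruleset implementing the same policy (assumed interface names)."""
    g, o, w = IFACES["GREEN"], IFACES["ORANGE"], IFACES["WAN"]
    return "\n".join([
        "table inet iot_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{g}" oifname "{o}" ct state new accept',
        f'    iifname "{g}" oifname "{w}" ct state new accept',
        f'    iifname "{o}" oifname "{w}" ct state new accept',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    fw = Firewall()
    # Constructed sample flows: a phone on GREEN, a camera on ORANGE.
    print(fw.packet("192.168.1.10", 50000, "192.168.20.50", 80))   # accept
    print(fw.packet("192.168.20.50", 80, "192.168.1.10", 50000))   # accept (reply)
    print(fw.packet("192.168.20.50", 50001, "192.168.1.20", 22))   # drop
    print(fw.packet("192.168.20.50", 50002, "203.0.113.10", 443))  # accept
    print(render_nft())
```

Two things the model makes visible that the prose does not: an ORANGE device sending what looks like a reply (source port 80) to a GREEN host it was never contacted by is still dropped, because no conntrack entry exists for it; and traffic between Home Assistant's second NIC and the IoT devices never crosses the router at all, so the "locked down" part of the last post has to be done on that interface or on the switch, not in the inter-VLAN rules.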