Is it possible to configure an ESP32 S3 Ethernet PoE as VLAN-aware?

Hi, cannot find too much on this topic but am trying to avoid putting more additional managed switches in my network than I need.

Basically I want to put all my ESP32s on my IoT Network (VLAN 53), using an Asus RT-AX88U. Guest is VLAN 52, and I also have a Primary Network.

My network topology is as attached. The [ESPHome yaml] docs for Ethernet (Ethernet Component — ESPHome) do not mention it.

I am not anywhere close to network proficient, but my understanding is if I could somehow configure the ESP32 as “VLAN-aware”, I could get away with just one managed switch (or even just the one on the Router) sending/receiving tagged frames for the ESP32?

https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/network/esp_eth.html

https://www.reddit.com/r/Esphome/comments/10ghsh4/esphome_ethernet_component_vlan/


1 Like

I have to ask why?

While some people say you should have VLANs to keep things separate, they usually neglect to mention you need to be, at least, reasonably proficient at networking to do it successfully.

Most people who do VLANs and esp32 devices are using Wi-Fi and have separate SSIDs for each VLAN (often using IDIoT for the esp32 one).

Part of the point of VLANs is to make sure the things you control (the switches and APs) ENFORCE the VLAN and definitely don’t count on the end points (which could be compromised) doing it. If one of your end points gets compromised you want to limit the damage it can do.

So, what is your goal for VLANs?

Er… thank you but no :slight_smile:

My daily job is not even remotely close to IT related… call me OCD but I just like order and the ability to overview stuff in boxes.

I had a little giggle, the first response suggests I am in IT and have IT syndrome to push my setup further, you suggest the opposite.

So, why? As above - I like order and neatness. The security of IoT devices being isolated is part of it but not driven by it. As most folks have IoT VLANs for security, most of the discussions are in those areas; and the setups.

As regards proficiency:

  • I do actually have separate VLANs for Primary, IoT and Guest Networks. It’s all set up nicely and works well.
  • I use an Asus RT-AX88U Pro with Merlin FW, it allows good set up and management of Guest Networks.
  • Merlin FW allows me to manage and update my folks' network 9000km away, with Tailscale, Automatic FW updaters, SkyNet and Diversion as necessary.
  • I have set one of my Ethernet Ports on the Router to Access/IOT VLAN and that works well to my HA Server and some other devices attached to an unmanaged switch.
  • I use dnsmasq for DHCP reservations for my VLANs and IPTables to allow selected devices across the subnets based on IP Addresses.
  • I appreciate I could do what I was looking to do with managed switches; but then I started wondering whether this was necessary if I could get the ESP32 devices to be VLAN Aware, then (I think) the HW I have, plus maybe one managed switch is sufficient; but not 5 managed switches.

So am I network proficient? No, nowhere near as much as I would like to be in the area of VLANs insofar as they relate to switches or Tags. I have a reasonably ordered network with all my IoT devices on the IoT VLAN (Ethernet and Wifi), Guests on the Guest VLAN and me and family on the Primary. I can work stuff out … eventually.

I take your point on the endpoints comprising the network, thank you for that.

My goal for VLANs is simply to have all my IoT devices on the IoT VLAN, whether they be Ethernet or Wifi devices. I came to the realisation a few days ago that it was actually easier (and cheaper) to do this with Wifi than with Ethernet.

As I add ESP32 devices (I have 5 x ESP32-C3-Zero, one ESP32-WROOM and 3 x ESP32-S3-Eth-PoE), being ubiquitous and numerous for use with tracking (Bermuda) and device controls (TRVs for Heating e.g.) I think there is a growing need for my use case, for reliable connectivity (Ethernet) that is not affected by and does not affect the 2.4GHz band (Wifi/BT).

Primary and Guests are easy as they are all Wifi clients.

Sorry for the long winded response, just wanted to do your (good) questions justice.

I have a somewhat comparable setup and struggled with the same thing. Short answer: no, there is no vlan support.

I fixed this by setting the port, directly connected to the esphome, to the correct vlan. So the switch is dealing with vlan-stuff. As I have a Unifi network, this was an easy thing to do.

2 Likes

Part of managing VLANs is also a deep understanding of the protocols being used on your network.
Many protocols have packets that can not be routed, especially packets for discovery are in that category.
These packets need specially designed reflectors to extend movement between VLANs.

On top of that the IPv6 protocol is coming and your IPv4 knowledge is not transferable to that, so you will be struggling with the VLANs then. IPv6 takes priority over IPv4 and Matter require IPv6.

1 Like

Thank you, really appreciate the clear answer on this one.

It is as I suspected, but of course if there was a cheaper and easier option, it just makes sense to run that to ground first.

I guess as ESP32 Wifi connectivity improves Wifi ESP32s are the way to go, just went the ESP-Eth Route as that’s what many threads say to use, for reliability/less interference, which makes sense. Adding a switch in each room to be able to get an ESP32-Eth in each room, onto a preferred VLAN, makes … less sense, at least cost-wise, for a home user.

Just going back to switches, for the topology above, if I replaced the big “Unmanaged Switch” with a managed switch, does anyone know if it could be set up so that it sends BOTH VLAN53 (my IoT) network packets to an ESP32 AND at the same time, all the VLAN Packets to the Mesh Node in any one room?

Thank you, yes I think this is where my eyes curl up in my head :slight_smile:.

All this Home Assistant stuff is really fabulous and the possibilities are endless, but man it’s a struggle sometimes, trying to implement it without spending hours nailing down a yaml, costs escalating crazily to effect orderly networks and/or just really ugly setups with wires everywhere.

Anyway I didn’t think it an unreasonable question to ask and appreciate the heads up on me being in way over my head (which I am!).

Remember that the requirement for those protocols often lies with the devices you have bought.
HA needs to use the protocols, because of those devices.

1 Like

Wired is generally “better” than wireless, except it requires wires and that is usually enough to make it not feasible/desirable in many cases. I have MANY wireless nodes splattered around the house and property. I currently have 5 access points to get good coverage everywhere, but 5 years ago I did it with just two (one for the house and one for the barnyard).

If you want VLANs and wired networks, you need a switch that understands them and allows you to set ports for a particular VLAN so the end points don’t need to know anything about it. You also need to have the knowledge to set up and troubleshoot it correctly for all the uses. For HA many people find it challenging to get it to work correctly.

I am not sure what order you are seeing by keeping your IoT devices off of the main network. Having a guest network makes some sense especially if you frequently have guests and even if you don’t if you live close to others. VLANs are more about security in my book and to use them well requires a good understanding of them and the networking requirements of all the devices on them and the communication paths you want/need to allow.

2 Likes

Ask yourself why you would want to do this in the first place.

If it’s because you want all your ESPs to have the same IP range, this is easily achievable by assigning them a consecutive IP address (outside your DHCP pool on your primary network) in their yaml.

If you’re worried about devices reaching outside your network, the ESPs literally can’t do that. They’re only aware of your gateway, and that bit is only used to communicate with HA - they have no knowledge of the outside world unless you specifically tell them to.
At most, if you’re still worried, you can block their outside internet access in your router - Merlin should let you configure that quite easily.

Let me ask again - what specific problem are you trying to solve which requires VLAN segregation on a device with your own firmware?

1 Like

I’m surprised to see all the vlan bashing in this thread. For years I thought it was recommended security practice to put IoT devices on a separate subnet. I guess that doesn’t include ESPs? Somehow that detail got left out, and I’ve been doing it for years.

It’s not true that ESPs “literally can’t” reach outside your network. Anything with a default gateway can attempt to send traffic to the Internet, and go read up on “supply chain hacks” if you think just because you compiled the firmware yourself then it’s safe. Another way to think about it, is protecting your IoT devices from your internet-connected devices since that subnet is more likely to be compromised by a virus or botnet. I guess at the end of the day we all have different trust levels and risk tolerances.

My 40+ ESPhome and Tasmota devices are on a dedicated SSID, which is a separate subnet (vlan), with no default gateway. Even if they guessed the router IP, its firewall wouldn’t route their traffic. Managed switches handle the vlan assignments. My HA server (container) is dual-homed to both subnets using a tagged port, but two NICs also works. Incidentally this also avoids the mDNS problem. If this sounds complicated to you then don’t do it, but in my opinion it’s fairly straightforward.

1 Like

It is, but people do not know how to do it correctly, and then it becomes wrong.
Best practice is still to put IoT devices on their own VLAN, but that means all of them, including HA.
It also means letting the router handle the routing and not having HA act as a router with a multihomed setup, for which it lacks management tools.

Just because something is multi-homed doesn’t mean it is therefore necessarily a router. My HA server absolutely cannot route packets from one interface/subnet to another (IP forwarding disabled). Like any OS, the route table determines which interface to use for outgoing traffic. Again, the IoT subnet has no default gateway.

Note that OTBR does enable packet forwarding between your “backbone” interface and your Thread interface. Anybody running OTBR add-on has turned their HA server into a router.

Sure, I have heard people say that for years. I have also heard people say you should backup your computer. Yet many people do neither. Both also require some knowledge of what you are doing to achieve any real good. It is not complicated if you already have the knowledge to do it and/or you are willing to put in the effort to learn how.

Many devices make assumptions about things (networking) to provide an easy experience. When you create VLANs, you better know what you are doing or things will just NOT work.

You are too narrow minded.
IP forwarding is just one kind of router.
The definition of a router is one that connects to two or more networks and moves data between these.
HA does that.

I think I covered this in my posts, but to clarify, essentially when I look at my Router’s client list, especially when troubleshooting, adding new devices etc, I like to see which device is on which network. As above I have manual IP assignments, on all VLANs, to facilitate this. It’s a personal preference.

Simply that in order to have Ethernet connected ESP32 devices on my IoT network, I need either a router and/or managed switch to define that; unlike WiFi devices which can do so via the WiFi network they are set up to join.

So essentially I’m also following best practice for IoT devices, for order, for security. Initially I did it for security, camera, TVs, etc including having my HA server in the IoT VLAN, ESP32 WiFi, but then tried to extend to ESP Eth which led me here.

I don’t think it unreasonable to learn about us as part of the process.

The fact this thread has generated some discussion is positive and healthy, although I am particularly grateful to the person who directly answered the question about whether what I was inquiring about could be done.

There is nothing wrong about VLANs and multiple networks with inter-network (~subnet) routing, if you know what you’re doing and use the correct gear to do so.

But I don’t really understand the setup described by the OP, there are only two realistic scenarios here:

  • (small-) managed switch in each room (single cable into each room), deferring the splitting of the VLAN trunk into different access ports down the line into the individual room(s)
  • one (big) central managed switch, multiple cables to- and rj-45 outlets in the room(s)

(and yes, combinations thereof)

In either of these networking topologies the sensible approach would be to connect the esp32 to an access port (~untagged) - and it will never see any tagged frames, everything just works. The router is responsible to set policy, the managed switch blindly executes it. Only trusted (and VLAN capable) devices (router/ switch, maybe a multi-homed audited system with a server OS) ever get to see tagged frames, all clients are exposed to are untagged frames connected to their network (only) on an (access-) port basis.


However what I guess the OP intends to do, is using unmanaged switches in the individual rooms, despite connecting them to a VLAN trunk - and then deferring the question which VLAN the clients work on to the individual client, …but this doesn’t work.

  • the behaviour of unmanaged switches in the presence of tagged VLANs is undefined, they may simply drop them, they may pass them through unchanged, they may do weird/ broken things
  • if it does happen to ‘work’ somehow, now the simple clients need to be VLAN aware and deal with tagged frames
    • the security aspect of using different networks is gone, as it’s no longer a trusted devices splitting VLANs, but the ‘untrusted’ client can pick and choose which VLAN to use

All of this is independent of the question if esphome, tasmota, random proprietary esp32 OEM firmware or your self-written esp32 firmware support VLANs or not, it’s a rather basic question of network topology and where to make/ execute policy decisions.


If you want VLANs (which is fine), you need VLAN aware devices (router, managed switches) all the way. Unmanaged switches are only usable on the network leaves (only transporting a single untagged network), connected to an access port of a managed switch (so never seeing any tagged frames or VIDs themselves or below it).

3 Likes

The reason you are getting so many questions is, you seem to want to use a VLAN in a way that gets none of the benefits and all (perhaps more) of the pain. I said this in my first post, but it seems you did not understand it that way. Other people have said the same thing (as Steve Jobs famously said, “you’re holding it wrong”). If it was working for you great, but you came here asking for help to do something that makes little sense to people who do understand VLANs.