Hello,
I am trying to isolate all of my IoT/SmartHome devices onto a separate network from all of my personal devices for the sake of security, while ideally still maintaining the ability to access Home Assistant from my personal devices (phones, laptops, etc) for the sake of management. I.e. I would like all IoT devices on subnet A, all personal devices on subnet B, and allow subnet B to connect to subnet A, but not vice-versa.
For the most part, I have achieved this by cascading two routers. I have an old WiFi router with DD-WRT installed (let’s call this router A) that I placed between my existing WiFi router (let’s call this router B) and my modem. To clarify what I mean by cascaded, the WAN interface on router A is connected to the modem, and the WAN interface on router B is connected to an ethernet port on router A. Both routers are serving DHCP within their respective subnets. All IoT devices, including my Home Assistant, are connected to an SSID on router A, which uses subnet 192.168.1.0/24. All personal devices are connected to an SSID on router B, which uses subnet 192.168.0.0/24.
As a result, I have achieved the isolation portion of my goal because nothing on subnet A can access anything on subnet B. The reason I say I have achieved my goals “for the most part” is that a device on subnet B can successfully ping every device on subnet A except for my HomeAssistant, and that’s the only one I care about accessing in that manner.
To be clear, a device connected to subnet A can successfully ping, ssh to, and access the web interface of my HomeAssistant, just not when connected to subnet B, and I really don’t want to switch back and forth between two WiFi connections just to use the HomeAssistant app.
I have this issue regardless of whether I configure the Home Assistant to have a static IP or use DHCP, and regardless of whether it is connected to router A via ethernet or WiFi.
Since it’s the only device on subnet A for which I have this problem, it seems unlikely to be an issue with either router, and I assumed it might be related to firewall settings on the Home Assistant. However, iptables output shows no rules in the INPUT chain, so I don’t think it’s dropping connections that way.
Does anyone have any ideas about how I can debug this? Is there some Hass.io configuration that might prevent access from other subnets? Is there a way for me to install tcpdump or something?
I know cascading routers is probably not the most optimal solution either, so if anyone has other ideas, I’d welcome that too. Router A (the one with DD-WRT) appears to support VLAN tagging, so maybe that’s an avenue I should explore?
Any help would be appreciated!
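A reply-path diagnostic for this setup, to run on the Home Assistant host (added example, not from the post or from Home Assistant): it checks whether the host has any route for sending replies back to 192.168.0.0/24, counts DROP/REJECT rules in INPUT and FORWARD instead of eyeballing the listing, and with CAPTURE=1 captures ICMP from subnet B so you can tell whether echo requests arrive and go unanswered or never arrive at all. The subnet addresses are the post's; the 192.168.0.50 client address and the CLIENT_B/CAPTURE variables are assumptions.

```shell
# Reply-path diagnostic for the cascaded-router setup in the post. Added
# example, not from the original post or from Home Assistant. Run it on the
# Home Assistant host, then on any other subnet-A device that IS reachable
# from subnet B, and compare. Subnet A = 192.168.1.0/24, B = 192.168.0.0/24
# (from the post); 192.168.0.50 is a constructed subnet-B client address.
CLIENT_B="${CLIENT_B:-192.168.0.50}"

# reply_path reads an `ip route` listing on stdin and prints which route an
# echo reply to subnet B would leave by: "explicit", "default" or "none".
# A host with no default gateway (easy to get with a hand-typed static IP)
# receives pings from 192.168.0.x but cannot route the replies back, which
# looks exactly like "reachable from subnet A, silent from subnet B".
reply_path() {
    routes=$(cat)
    if printf '%s\n' "$routes" | grep -Eq '^192\.168\.0\.0/24 '; then
        echo explicit
    elif printf '%s\n' "$routes" | grep -Eq '^default via '; then
        echo default
    else
        echo none
    fi
}

# chain_blocks reads `iptables -S <chain>` on stdin and prints how many rules
# DROP or REJECT, so the "no rules" verdict rests on a count, not a glance.
chain_blocks() {
    n=$(grep -cE -- ' -j (DROP|REJECT)( |$)' || true)
    echo "${n:-0}"
}

# Live checks, run only where the tools exist (the functions above are
# what a reader can exercise offline with constructed input).
if command -v ip >/dev/null 2>&1; then
    echo "verdict for replies to subnet B: $(ip route | reply_path)"
    ip route get "$CLIENT_B" 2>/dev/null || echo "no route to $CLIENT_B"
fi
if command -v iptables >/dev/null 2>&1; then
    # FORWARD matters as well as INPUT when the service runs in a container.
    for chain in INPUT FORWARD; do
        echo "$chain drop/reject rules: $(iptables -S "$chain" 2>/dev/null | chain_blocks)"
    done
fi
# With CAPTURE=1 and tcpdump present: ping this host from $CLIENT_B while it
# runs. Requests seen but unanswered -> this host (route/firewall); nothing
# seen -> router A (firewall, AP isolation) or the path between the routers.
if [ "${CAPTURE:-0}" = "1" ] && command -v tcpdump >/dev/null 2>&1; then
    timeout 20 tcpdump -ni any -c 10 'icmp and net 192.168.0.0/24' || true
fi
```

Running the same script on a subnet-A device that subnet B can ping gives you a known-good output to diff against.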