I apologize if this is already addressed. I did see a few posts around this, but I have not found a solution that would work. I am very new to HA and I would really appreciate it if anyone who has accomplished this could guide me.
What I am looking for is to have two different networks. A regular network that my home devices are connected to, with internet access, and HA is connected to it as well. A separate network that the IoT devices will be connected to, but it will not have any internet connection. Any interaction with the internet will be made through HA on an as-needed basis.
Below is how I am anticipating setting it up. Is this feasible?
There are several things you need to take into account.
Your IoT devices might need access to an NTP server to set time.
Your IoT devices might be using broadcast to publish their existence, which is not routed unless special rules are made, so no auto-discovery without them.
Some IoT devices might still need internet access to certain services.
DNS access might be required for some services to work on the IoT LAN.
The usage of certificates might require access to CAs.
Expect huge issues with IPv6, Thread and Matter products with this setup.
The setup can work with some alterations.
Avoid Matter, Thread and IPv6 for now.
Move the HA installation to the IoT LAN and set up rules for accessing port 8123 instead and maybe a few other services needed, since these will not be broadcast/multicast services.
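One way to express the rule set this reply suggests (HA moved onto the IoT LAN, only port 8123 allowed in from the home LAN, the router serving local NTP and DNS so those earlier points are covered), as an added nftables example that is not from this thread; the interface names, subnets and the HA address are assumptions:

```nft
#!/usr/sbin/nft -f
# Constructed example (not from the thread). Assumed layout:
#   lan0  = regular home LAN, 192.168.1.0/24 (has internet access)
#   iot0  = isolated IoT LAN, 192.168.20.0/24 (no internet)
#   wan0  = uplink to the ISP
#   192.168.20.10 = Home Assistant, placed on the IoT LAN
#   192.168.20.1  = this router, also running local NTP and DNS
flush ruleset

table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # IoT devices may only talk to the router's own NTP and DNS.
    iifname "iot0" udp dport 123 accept
    iifname "iot0" udp dport 53 accept
    iifname "iot0" tcp dport 53 accept
    # The home LAN may manage the router.
    iifname "lan0" accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Home LAN reaches the HA web UI on 8123 and nothing else on the IoT LAN.
    iifname "lan0" oifname "iot0" ip daddr 192.168.20.10 tcp dport 8123 accept
    # Home LAN keeps its normal internet access.
    iifname "lan0" oifname "wan0" accept
    # Only the HA host may initiate traffic from the IoT LAN to the internet.
    iifname "iot0" oifname "wan0" ip saddr 192.168.20.10 accept
    # Anything else leaving the IoT LAN is logged (rate-limited) and then
    # dropped by the chain policy, so blocked "call home" attempts are visible.
    iifname "iot0" limit rate 5/second log prefix "iot-blocked: "
  }

  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "wan0" masquerade
  }
}
```

Watching the `iot-blocked:` log lines for a few days shows which devices depend on outside NTP, DNS or vendor services before you decide on exceptions.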
It depends on your hardware and network, and how strictly you want to keep all traffic local.
Most wifi devices will use a server outside, because the accompanying app can then easily be connected. For some devices, like Tuya, there is a local solution. Otherwise you have to use a local DNS that tricks the devices into using a local endpoint (solaredge, for example). Just blocking outgoing traffic can work only if it is not required for normal operation. Chinese cameras often call home to China all the time, and blocking that still leaves the ONVIF stream working.
I have personally decided to go for Zwave (Zigbee would also be an option), since these are mesh protocols using local wireless traffic that is independent of Wifi and therefore not connected to the Internet anyway.
NTP is not an issue. You can either decide to define an NTP endpoint in your firewall as allowed or set up your own local NTP in docker like this one.
I typed “might” in the original post, because it really varies from device to device.
Without NTP you might experience time drift, which can be fine in some setups, but if there is encryption involved somewhere, then a time drift will over time cause too great a difference, and then the endpoints in an encrypted communication will begin to fail, because the communication is taken as a replay attack.