I’m just starting out on my Home Assistant adventure and am trying to determine the best place for it to “live” in my home network. I have several VLANs configured and would like to isolate IoT devices as much as possible from my main network, but I will need to be able to access/view my Home Assistant dashboard from outside my network. I am planning to do this through Nabu Casa Remote UI.
Can my Home Assistant device (mini pc running HomeAssistant OS) be placed on my Main VLAN which has internet access and access to devices on my IoT VLAN? My IoT VLAN does not have internet access and cannot access devices on my Main VLAN.
Or is there another recommended configuration that allows isolation of IoT devices while still permitting remote dashboard access through Nabu Casa/Remote UI?
If you’re a network engineer by trade, having HA on a separate VLAN from all your IoT devices is probably fine. There’s a fair amount of cross-VLAN discoverability you have to manage, but, again, if you know what you’re doing you’ll be good.
If you aren’t a network engineer, I’d recommend putting the HA instance on the same VLAN as the IoT devices and then grant just HA internet access from that VLAN. It’s one little hole you’re poking and will be much easier to manage.
Because of problems people have with pairing Matter devices to HA in a home network consisting of an IoT VLAN plus a Main VLAN, most are successful when HA is attached directly to both VLANs. There is a lot of multicast discovery going on for Matter (and this is true in general for many other types of non-Matter-based IoT devices), so it is easier for discovery processing to work when HA is on the IoT VLAN.
When HA is on both IoT and Main VLAN, one may also have to configure HA to use the Main VLAN as the default interface to the default router (for internet access).
Kyle - This seems like a perfect solution (block everything except HA). I am not a network engineer - (I don’t even play one on TV). I am also brand new to HA. I have a bunch of Leviton Matter switches and have read several threads about the troubles people have with Matter and cross-VLAN communication (mDNS broadcasts). I’ve sorta learned that dual-homed HA was required along with mDNS reflection and finding Bonjour services for all your devices.
Will your solution solve all this? I don’t see the down side. Is there one?
The more you can keep from hopping across a VLAN, the easier things will be. Will it solve every problem you’ve seen? Maybe not, but I bet it will solve 90% of them. The one thing you do need to think about is how you access Home Assistant when you’re at home. With it on a separate VLAN from your computer (assuming your main computer is on your “regular computers” VLAN) you often can’t, by default, access it from your “regular” VLAN. (It depends on your networking equipment and how you set up the VLANs.) If you have the Nabu Casa cloud service, that would likely take care of all that. If you don’t, then you either have to do more VLAN work or you have to get your computer on the IoT VLAN temporarily anytime you want to access HA.
So it’s still some network engineering things. My hot take is that for as much as people claim you have to have VLANs or you’re a NOOB asking to be hacked, for many people I think there is minimal risk in having everything on one network as long as you are thoughtful about what you add. I mostly did the VLAN stuff because I wanted to see if I could still do it after nearly 20 years away from serious networking work.
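As an added illustration of the layout Kyle describes (HA on the IoT VLAN, only HA allowed out to the internet, the Main VLAN allowed in to reach the dashboard), here is an nftables forward-chain ruleset for a Linux router. It is not from this thread or from Home Assistant; the interface names (vlan10, vlan20, eth0), subnets and the HA address 192.168.20.5 are assumptions for the example.

```nftables
# Assumed topology (example values, not from the thread):
#   vlan10 = Main VLAN 192.168.10.0/24
#   vlan20 = IoT VLAN  192.168.20.0/24, Home Assistant at 192.168.20.5
#   eth0   = WAN uplink
table inet homenet {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Stateful: replies to connections permitted below are allowed back.
    ct state established,related accept

    # Main VLAN may initiate to the IoT VLAN. The narrow form below only
    # opens the HA dashboard (TCP 8123); widen it if you also manage
    # devices directly from the Main VLAN.
    iifname "vlan10" oifname "vlan20" ip daddr 192.168.20.5 tcp dport 8123 accept

    # Main VLAN has ordinary internet access.
    iifname "vlan10" oifname "eth0" accept

    # "The one little hole": only the HA host on the IoT VLAN may reach the
    # internet. Nabu Casa Remote UI is an outbound connection from HA, so
    # no inbound port is opened for it.
    iifname "vlan20" oifname "eth0" ip saddr 192.168.20.5 accept

    # Everything else from the IoT VLAN (other devices to the internet, any
    # IoT device initiating toward the Main VLAN) falls to the drop policy.
    # Logging it gives visibility into devices that try to phone home.
    iifname "vlan20" log prefix "iot-drop: " drop
  }
}
```

Because HA shares the IoT VLAN with the devices, mDNS/Matter discovery stays on one broadcast domain and no mDNS reflector is needed; the Main VLAN only ever crosses over to the HA port.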