Network Configuration VLANS, Home Assistant, and Smart Home Devices

Hey all,

New to the forum here and a relatively new Home Assistant user. I’ve been in the upgrade planning stage for weeks with no progress as I’m trying to wrap my brain around everything. Mid next year, we’re planning a remodel and I wanted to use this as an opportunity to upgrade some equipment and my network.

Right now, my setup is minimal. I have a Raspberry Pi 4, 8GB (Want to plan to change this to an Intel NUC soon), with an SSD, and the ZWave and Zigbee USB Dongles. This is linked up to my Sonos Arc, Philips Hue Bridge and Lights, Lutron Caseta switches, Abode security system, and a Schlage ZWave Lock. Like I said, minimal. I have a Nest Cam Doorbell, and 2 Outdoor Nest Cams, that I’m not sure how to get into Home Assistant, however, at this point, I’m not sure it will matter as within the next year or so, I will be overhauling my setup, which I’ll explain below.

Presently, I’m in the planning phase of the new network and setup. I’m looking to swap out my Nest cams for Amcrest IP Cams and add a Frigate system for AI and facial recognition. With the IP cam addition and the increase of IOT devices, I was looking to bolster the security of my network. Presently, my home network setup is simply MetroNet modem to an Eero 6 System.

I’m new to home networking. At least, to the scale that I’m thinking below.

So my thought layout for a new network was with the TP Link Omada SDN System with the following equipment below. I have a 24 port switch, as I plan to add ethernet drops to all rooms in the house:

  • ISP Modem
  • TP Link ER605 VPN Router
  • TP Link TL-SG3428 Managed Switch
  • TP Link TL-SG2210 MP Poe Switch (IP Cams)
  • TP Link Omada OC200 Controller
  • TP Link EAP670 Access Point
  • Cable Matters Patch Panel
  • TP Link EAP670 Access Point

I would have the VLANs as follows:

Main VLAN

  • Main PC with a Plex Server running on it (Ethernet – Main Network)
  • Personal iPhone (Wifi – Main Network)
  • Personal iPad

IOT VLAN

  • Lutron Caseta Hub and Switches (Ethernet)
  • Philips Hue Hub and Bulbs (Ethernet + Wifi IOT Network)
  • Abode Security Gateway (Ethernet)
  • Sonos Move (Wifi – IOT Network)
  • Sonos Arc (Wifi – IOT Network)
  • Sonos Ones (Wifi – IOT Network)
  • Nintendo Switch (Wifi – IOT Network)
  • LG OLED TVs (Wifi – IOT Network)
  • LG 4K Smart TVs (Wifi – IOT Network)
  • Ecobee Thermostat (Wifi – IOT Network)
  • Denon AVR (Wifi – IOT Network)
  • Apple Airport Expresses x2 (Ethernet)
  • PS5 (Ethernet)
  • Home Assistant (Ethernet)
  • Amcrest 410 Doorbell (Wifi – IOT Network)
  • Google Home Hub (Wifi – IOT Network)
  • OPPO UDP 203 (Wifi – IOT Network)

IP Cam

  • X5 IP5M-T1179EW-28MM POE Amcrest Cams (Ethernet)
  • Frigate Server (Ethernet)

Guest VLAN

Wifi Access Point, with throttled bandwidth connection

Work VLAN

Work Laptop (Ethernet)

Server VLAN

  • WDMyCloud (Contains movies for Plex) (Ethernet)
  • Frigate (AI and Facial Recognition) (Ethernet)

I was curious if anybody here had somewhat of a similar setup. My primary concerns are these:

  • If home assistant is on an IOT VLAN, can it still be remotely controlled when I am away from home?
  • Would I want home assistant on my main VLAN instead, but if so, would auto discovery work sufficiently?
  • If the storage for my Plex is on another VLAN, can my main PC talk to it and load up content with my IOT devices on another VLAN? Also, subsequently, can that content be served to my remote users?
  • Can all my smart home devices on the IOT network be controlled by my phone on my main VLAN (things such as Airplay)?
  • Can Frigate see the IP cams on a different VLAN or should they be segmented into the same VLAN, then subsequently can Home Assistant see the Frigate and the respective IP cams? Plus, I wouldn’t want the IP Cams “phoning home”, so would those be able to be viewed remotely, when I’m away?

Three vlans

IOT
Anything that does not need to connect to external WAN (internet) and really has no need to send out from itself; everything connects or sends commands to it.

Wifi switch, audio receiver, Non stream TV, ip camera, printer

GUEST
Anything that goes to internet but really has no business talking to others on network.

Streaming media players and TV, guest and family phones, personal computers

SERVER
Things that are talking to everything on network and needs internet access. Controlled and basically trusted devices.

Servers and Network equipment (switches, APs)

I have a wifi SSID associated with each of these 3 VLANs. IOT is 2.4 only because 5 is not commonly used and causes issues at times.

I use OPNsense, and the Guest VLAN can only see the limited ports needed to access services like Plex or HA but cannot see anything else.

The IOT VLAN cannot see other devices or outside the VLAN, but the SERVER VLAN can access IOT devices to retrieve camera streams or send commands to switches.

Firewall rules ultimately decide what can see what. You can allow a VLAN to see all IPs in another VLAN or you may limit communication to just allow 2 IPs to talk. Just like the internet, if you go out of a VLAN to communicate with a device, the reply back is allowed, so this is why I can block IOT but SERVER can still go into IOT and work.

2 Likes
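
The three-VLAN policy described in the reply above, modelled as an added example (not part of the original posts and not OPNsense configuration). It shows why blocking IOT from initiating connections still lets SERVER pull a camera stream: the reply matches a state the firewall already holds. The subnets, host addresses, port numbers and function names are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing (not from the thread): one /24 per VLAN.
VLANS = {
    "SERVER": ipaddress.ip_network("192.168.10.0/24"),
    "IOT": ipaddress.ip_network("192.168.20.0/24"),
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),
}
# Assumed hosts on SERVER with default ports: Home Assistant 8123, Plex 32400.
GUEST_ALLOWED = {("192.168.10.5", 8123), ("192.168.10.6", 32400)}

def zone(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), "WAN")

def may_initiate(src, dst, dport):
    """Policy for NEW connections routed between zones."""
    s, d = zone(src), zone(dst)
    if s == "SERVER":
        return True  # trusted: may reach IOT, GUEST and the internet
    if s == "GUEST":  # internet, plus only the listed service ports
        return d == "WAN" or (dst, dport) in GUEST_ALLOWED
    return False  # IOT and unsolicited WAN traffic start nothing

class StatefulFirewall:
    def __init__(self):
        self.states = set()  # connections that were allowed to open
    def handle(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key in self.states or (dst, dport, src, sport) in self.states:
            return True  # open connection, or the reply to one
        if may_initiate(src, dst, dport):
            self.states.add(key)
            return True
        return False

def demo():
    """Constructed packets: camera on IOT, Home Assistant on SERVER, a guest phone."""
    fw = StatefulFirewall()
    cam, ha, guest = "192.168.20.50", "192.168.10.5", "192.168.30.77"
    return {
        "cam_opens_to_ha": fw.handle(cam, 40000, ha, 8123),
        "ha_pulls_stream": fw.handle(ha, 51000, cam, 554),
        "cam_reply_to_ha": fw.handle(cam, 554, ha, 51000),
        "cam_to_internet": fw.handle(cam, 40001, "203.0.113.10", 443),
        "guest_to_ha_ui": fw.handle(guest, 52000, ha, 8123),
        "guest_to_ha_ssh": fw.handle(guest, 52001, ha, 22),
        "guest_to_cam": fw.handle(guest, 52002, cam, 554),
    }
```

Traffic between two devices on the same VLAN is switched and never reaches the router, so this model only covers routed, inter-VLAN packets.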

So if I’m understanding you correctly.

So things such as Lutron Caseta, Philips Hue, would fall under IOT? Because those technically will be controlled locally by Home Assistant, which sits on the Server VLAN and is allowed to talk to the IOT VLAN? I’m assuming the Airport Express falls under the same IOT VLAN because it’s locally controlled.

Yes. As long as they function with no external internet and you do not use an app that requires their cloud.

This is tricky. Discovering devices across VLANs isn't a great experience and may not work. The device also may broadcast messages for discovery and a blocked IOT network may break this. For a device like this you can try IOT but likely it will be moved to guest. It is Apple so I tend to trust these more and allow more access vs a device on IOT where the manufacturer is sloppy and exploits may be known or common. This device is like roku/ where they may get a special rule created to access servers for things like Plex. For the Airport it may be the opposite, where I may have a rule to allow other devices to connect to it.

For these devices it gets messy until you have things in place and an understanding of what all devices need. I am not strict about rules but try to limit access without causing user headache. It is a home network, not corporate.