Network Segmentation - suggestions/hints/tip/gotchas?

Hi all

I have been dabbling with Home Assistant and Smart devices for a while, and as I add more “things”, I am becoming increasingly worried about all the IoT devices on my primary LAN at home. I would like to move all the IoT devices to a separate SSID and VLAN to keep them away from my personal (and sometime work) equipment.

Has anyone else done something similar, moving all their non-personal/work IoT kit onto a separate VLAN, and were there any gotchas that I should keep an eye open for? Have you moved EVERY Smart device to that IoT VLAN? How about any Alexa/Google units?

Can you run hass.io with a second NIC (or VLAN tagged NIC), and get it to discover devices on both networks?

oh so many questions, sorry!

Any help or suggestion would be greatly appreciated

Steve


Hi and welcome to the community :slight_smile:

I have one VLAN for IoT devices that are not allowed to connect to the internet (NoT VLAN), one for IoT devices that are allowed to connect to the internet (IoT VLAN) and one for the server containing Home Assistant (Server VLAN) (actually I have quite a few more VLANs, as you can see on my GitHub in case you are interested). I then block access between the different VLANs with the firewall. E.g. devices in the NoT VLAN are only allowed to connect to the Home Assistant server at port xy for MQTT; all other traffic is blocked. The Server VLAN is allowed to access the other VLANs, so you don’t need multiple NICs for the hass.io server.


The other day I watched this explanatory video that has some good concepts.


Thanks @Burningstone and @metbril for your replies. My IoT VLAN is set up like in the video posted (using UniFi AC Pro and pfSense), but having a separate VLAN + SSID that has no internet access at all sounds like a good idea. Nice documentation on your GitHub page, I will take a longer look at that later.

I think I need to understand the MQTT part of all this a little more, it’s the missing part of my puzzle I think (how to get devices on the IoT VLANs to connect to a specific MQTT server I host on my primary LAN).

Ah well, plenty of time to test/break/fix stuff over the next couple of weeks.

Steve

I don’t use pfSense, but this should be pretty easy there as well. For me it’s 3 firewall rules.

  1. Allow NoT VLAN to Home Assistant Server on port xy
  2. Block NoT VLAN to other VLANs
  3. Block NoT to Internet

The firewall (USG) works through the rules from top to bottom, that’s why the “Allow” rule is the first one. I actually have another rule on top of all other rules that allows all established and related sessions; this way, when another VLAN initiates the session with the NoT VLAN, the traffic is not blocked.
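An added example, not from this thread or either poster: a small first-match model of the three rules above plus the established/related rule. Addresses are constructed for the illustration and the thread’s “port xy” is assumed to be 1883 (MQTT); the last call shows that placing the block rule above the allow rule silently cuts the NoT devices off from the broker.

```python
import ipaddress

# Constructed addressing for the illustration; "port xy" from the post is assumed to be 1883 (MQTT).
NOT_VLAN = ipaddress.ip_network("192.168.30.0/24")      # IoT devices that get no internet
HA_SERVER = ipaddress.ip_address("192.168.10.5")        # Home Assistant, in the Server VLAN
MQTT_PORT = 1883
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 space, i.e. one of my VLANs rather than the internet."""
    return any(ip in net for net in PRIVATE)


# Each rule is (name, predicate(src, dst, dport, established), action).
# The order mirrors the post: established/related first, then the single allow, then the blocks.
RULES = [
    ("allow established/related", lambda s, d, p, est: est, "allow"),
    ("allow NoT -> HA MQTT", lambda s, d, p, est: s in NOT_VLAN and d == HA_SERVER and p == MQTT_PORT, "allow"),
    ("block NoT -> other VLANs", lambda s, d, p, est: s in NOT_VLAN and d not in NOT_VLAN and is_internal(d), "block"),
    ("block NoT -> internet", lambda s, d, p, est: s in NOT_VLAN and not is_internal(d), "block"),
]


def evaluate(rules, src, dst, dport, established=False, default="allow"):
    """First-match evaluation, top to bottom; `default` applies when nothing matches
    (a USG LAN_IN ruleset is typically accept by default, pfSense interface rules deny by default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, matches, action in rules:
        if matches(s, d, dport, established):
            return action, name
    return default, "default"


def misordered():
    """The same rules with the block placed above the allow: the MQTT allow can never match."""
    return [RULES[0], RULES[2], RULES[1], RULES[3]]


if __name__ == "__main__":
    iot = "192.168.30.20"
    print(evaluate(RULES, iot, str(HA_SERVER), MQTT_PORT))         # allow, via the MQTT rule
    print(evaluate(RULES, iot, str(HA_SERVER), 22))                # block, other-VLANs rule
    print(evaluate(RULES, iot, "8.8.8.8", 123))                    # block, internet rule
    print(evaluate(RULES, iot, str(HA_SERVER), 5000, True))        # allow, reply to a server-initiated session
    print(evaluate(misordered(), iot, str(HA_SERVER), MQTT_PORT))  # block: order matters
```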

The rules are the easy part of this problem, which I am sure is just my brain failing to understand some simple part of all this. What I meant was how do I tell those IoT devices “over there” to use this MQTT service “over here”, especially as they will be on different broadcast domains and will not be auto-discoverable.

It’s an education and learning thing for me right now, getting to grips with the logic involved with IoT across multiple networks… the blockage in my thought processes will clear soon I hope :slight_smile:

You point the IoT devices to the IP and port of the MQTT broker. Rule number 1 takes care that this connection works.

Not sure on discovery, the Server VLAN is able to access all VLANs, so it should also be able to see devices in other VLANs.

So I went looking for MQTT how-tos and examples (there are loads), and I now have a much better understanding of how MQTT works, what it can be used for, and how the clients work. I think my biggest problem was assuming that Home Assistant was using it already, but it wasn’t installed, and I do not have any kit here that used MQTT.

After I installed/configured MQTT in Home Assistant, I had a play with NodeRed, pumping some inputs into a specific MQTT topic with one flow, then watching that topic in another flow. That was remarkably painless :slight_smile:

Thanks for tolerating the dumb questions, it has been greatly appreciated!

What do you think about this segmentation and do you have any suggestions for Firewall rules?

VLAN-A - Computer PC Main Management
VLAN-B - IoT SmartHome, Shelly and Google Home, Nvidia Shield, TV, HomeLab-Server
VLAN-C - Smartphones, tablets
VLAN-D - PoE Cameras
VLAN-E - UniFi Network switches and stuff

I started out with a similar topology when I first moved up from consumer-oriented Asus router/APs to pfSense and Ubiquiti. Now I have one network for UniFi APs and switches, a guest network, and the main one where everything else is. I may be outside of the norm as I have somewhere between 50 to 60 hosts on my network. Anyway, getting a lot of stuff to cooperate with differing subnets became too much of a second job.

If your security appliance allows everything to speak and listen to everything in the same subnet, you just need to be vigilant with your rules and fully understand the order of rule processing. Consumer “smart” products can be infuriating at times. For instance I had to dumb down the SSID name and PSK complexity in order to accommodate iRobot. I had to further simplify the PSK to just upper and lower case letters to allow my Whirlpool oven and microwave on my IoT SSID (I do have separate wireless networks for IoT/everything else even though both are on the same VLAN). And I had to create outbound NAT rules to get my Philips Hue v2 bridge to stop querying NTP servers from every far-flung corner of the planet.

Logs, their analysis and resources like ipinfo.io go a long way in assisting you.