I am currently planning our new building. The last few weeks have been spent intensively planning the network. It will be a Unifi network with multiple access points in the house. A security gateway from Unifi will also be installed, with which I can enable VLANs and separated networks.
I have read up a lot, but still have problems in some places.
My goal is:
As secure as possible, but still so that I get popup notifications and can view things externally, at least the window/door sensors.
Window and door sensors from Homematic IP, which always and everywhere inform me of their state and when it changes.
Smoke detectors from Homematic IP that also act as alarm sirens and which always and everywhere inform me of their state and when it changes.
Dimmable lights in the ceiling of the living/dining room. Here I had the idea of using a Shelly dimmer with a simple switch. The switch just turns the lights on and off, and the tablet next to it is then used to dim them.
Roller shutters on the first floor controllable via Alexa: “Alexa, good night” and everything goes down. Here I have thought of the Shelly 2.5. I would not like to lay cables everywhere.
Cameras from Reolink (unfortunately without a heat sensor) with an NVR, or from Instar with a heat sensor but connected directly to the Synology.
Garage door controllable via app. Here I found a device from meross, which makes the garage door smart.
In the living room a Home Assistant dashboard on a wall-mounted tablet, through which I can view and control all of the above points. For this I wanted to use a FireHD10. I wanted to install Home Assistant on a Raspi 4 Model B 8GB and connect it to the switch.
My questions about the points:
What is the best way to build my network so that I can access the products and get popup notifications when I’m away, while still keeping them as secure as possible? VLANs/networks/VPNs?
For the Homematic IP devices I am currently thinking of the Access Point, because the CCU is too much for me. But I haven’t really understood the AP yet. Does it automatically communicate with the Internet? Where should I put it (which network)?
And generally a perhaps stupid question. What exactly is Home Assistant besides the dashboard in the living room?
Maybe we should start with this and then see how the thread goes.
Home Assistant is here to combine all the different devices from different manufacturers into a single system, so that you e.g. don’t need 10 apps on your phone to control the lights, garage door, sensors etc. In addition you can use Home Assistant for automations, e.g. if you leave the house but left the garage door open, you can create an automation that notifies you about this, ideally with a button to close the garage door remotely.
I double-checked all the devices I want to buy and they are all compatible with Home Assistant. What should the configuration look like so that I get popup notifications everywhere without connecting every device to its own public cloud?
Beware that compatible with Home Assistant doesn’t necessarily mean local control; some devices still need to be connected to the cloud.
You would connect all devices to Home Assistant, set up remote access, and install the Home Assistant app on your phone; then you can send notifications to the app from Home Assistant.
If you want local control you need to get the CCU, the AP links the devices to their cloud only.
I use a Wireguard VPN inside my network and then connect to that, so I communicate directly from my phone or other device without going through a third party. Device IP ranges are grouped by type, so I can easily block a subnet from the internet if required, say for example Chinese-made IP cams.
OK, thanks for that information. I do not see any issues with connecting to the cloud for door and window sensors, especially when the communication seems to be anonymous.
I don’t get the network configuration for what you explained. VPN to your private network, OK. But how do you realize that, for example, Home Assistant sends you popup messages when you are away while the smart home devices in your network should not talk to the cloud, or at least most of them shouldn’t?
Smartphone popup (public internet)
communicates to
(internal network) Home Assistant infrastructure - this should have internet access, right?
communicates to
Homematic IP (maybe connected with AP to the cloud, maybe only internally with CCU)
Shelly (in the best case without the option to communicate to the internet)
Garage door (NO INTERNET ACCESS because it is able to open or close a door in the house)
And more
How many VLANs should I configure and how should I connect them to each other? And how do I secure my garage door if I am able to connect to my Home Assistant from the public internet? If someone hacks my Home Assistant, which is accessible via the public internet, they have access to all my devices.
You don’t need remote access for popup notifications, as the notifications work through Google’s Firebase Cloud Messaging. However, you need remote access if you want to control devices remotely.
Why? Unless you want to set different lights on the same circuit to a different brightness, or need color, I would use a z-wave or zigbee wall dimmer (or wifi).
No, I did not say anything about VLANs.
Your Home Assistant server should have internet access, as there are some services that require an internet connection to get the data they need. But remote access to your instance is only needed if you want to control your system remotely.
So if you already plan to use Homematic for the door/window sensors, why don’t you also use their components for dimmable lights, the garage door opener, shutter control etc.? I also have a similar setup, and using fewer different providers of systems does make it easier. It is then also easy to add more wireless buttons etc. to control your lights and shutters and…and…
I have exposed certain shutters and lights via Home Assistant to Alexa, so I also have the “Good Night” control, which shuts everything, locks the door, turns off the remaining lights etc.
The main advantage of Home Assistant in this setup is that I have connected different devices together (like the door lock, my kitchen’s integrated HomeConnect lights and several of the Homematic components). So yes, I have the Alexa voice control as well, but hardly use it anymore, because the biggest advantage of Home Assistant is that everything closes and opens based on automations and presence detection. That is where the real power is.
Anyhow, coming back to my original statement: I would reconsider the selection of your components and would advise you to “keep it simple” by limiting hardware vendors and systems. It just makes the entire setup easier.
@Burningstone: OK, it was my fault. But then I do not get how I keep everything safe without internet. Everything in a smart home VLAN, with only the IP of the Home Assistant server having an internet connection and it blocked for all other components? I predict a lot of errors…?
@Remko The Homematic products are so expensive compared to Shelly. One Shelly 2.5 (shutter control) costs 21 euros and one shutter control from Homematic costs 60 euros. I get your point about keeping everything simple. And in the end I do not want anything to happen automatically.
I wrote a small guide in my Github repo on the topic of VLANs and what my setup looks like here. I have e.g. one VLAN with all IoT devices that don’t need internet access, called NoT. Then in the firewall there are multiple rules: one rule that blocks internet access for the NoT VLAN, one rule that blocks access from the NoT VLAN, and some rules that allow access from the Home Assistant server to the NoT VLAN on certain ports so that Home Assistant can communicate with these devices.
Home Assistant has access to the internet to get information such as weather data.
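The rule set described in the post above, modelled as an ordered first-match firewall chain and evaluated against some constructed sample flows. This is an added example, not the poster’s GitHub guide or a Unifi configuration; the subnets (192.168.10.0/24 as the trusted VLAN, 192.168.20.0/24 as NoT), the Home Assistant address and the allowed ports 80/443 are assumptions. It also shows the one thing the post’s three rules leave implicit: the established/related exception has to come first, otherwise “block access from the NoT VLAN” also drops the replies to Home Assistant’s own polling.

```python
"""Added example, not the poster's GitHub guide or Unifi configuration.

Models the firewall policy described in the thread as an ordered rule list
and evaluates sample flows against it. Subnets, the Home Assistant address
and the port list are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed addressing: one trusted VLAN and one "NoT" VLAN for devices that
# must never reach the internet.
MAIN_VLAN = ipaddress.ip_network("192.168.10.0/24")  # phones, wall tablet, HA server
NOT_VLAN = ipaddress.ip_network("192.168.20.0/24")   # Shelly, garage opener, cameras
HA_SERVER = ipaddress.ip_address("192.168.10.5")     # Home Assistant (Raspberry Pi)
# Assumed ports Home Assistant may open towards NoT devices (HTTP API / TLS).
HA_TO_NOT_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # packet belongs to a connection already accepted


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, matched rule). Rules are checked top to bottom and
    the first match wins, like a real firewall chain."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # Rule 0: stateful exception. Without it the "block everything from NoT"
    # rule below would also drop the replies to HA's own requests.
    if flow.established:
        return "accept", "established/related"

    # Rule 1: HA server -> NoT VLAN, allowed ports only.
    if src == HA_SERVER and dst in NOT_VLAN and flow.dport in HA_TO_NOT_PORTS:
        return "accept", "HA -> NoT on allowed port"

    # Rule 2: NoT VLAN has no internet access.
    if src in NOT_VLAN and dst.is_global:
        return "drop", "NoT -> internet blocked"

    # Rule 3: NoT VLAN may not initiate connections to any other network.
    if src in NOT_VLAN and dst not in NOT_VLAN:
        return "drop", "NoT -> other VLAN blocked"

    # Rule 4: nothing else may reach NoT devices directly; the wall tablet
    # controls them through Home Assistant, not by talking to them itself.
    if dst in NOT_VLAN and src not in NOT_VLAN:
        return "drop", "other VLAN -> NoT blocked"

    # Default: trusted VLAN to internet, HA fetching weather data, etc.
    return "accept", "default"


# Constructed sample flows (not captured traffic) with the expected verdicts.
SAMPLE_FLOWS = [
    Flow("192.168.20.15", "8.8.8.8", 443),                           # Shelly phoning home -> drop
    Flow("192.168.20.15", "192.168.10.5", 8123),                     # device -> HA unsolicited -> drop
    Flow("192.168.10.5", "192.168.20.15", 80),                       # HA polls Shelly -> accept
    Flow("192.168.10.5", "192.168.20.15", 22),                       # HA -> SSH, not allowed -> drop
    Flow("192.168.20.15", "192.168.10.5", 51000, established=True),  # Shelly's reply to HA -> accept
    Flow("192.168.10.5", "1.1.1.1", 443),                            # HA fetching weather -> accept
    Flow("192.168.10.50", "192.168.20.15", 80),                      # tablet -> Shelly directly -> drop
]


def evaluate(flows=SAMPLE_FLOWS) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow and return (flow, verdict, rule) triples."""
    return [(f, *decide(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, rule in evaluate():
        print(f"{flow.src:>15} -> {flow.dst:<15}:{flow.dport:<5} "
              f"{verdict:<6} ({rule})")
```

Two design points worth noting: rule 2 is strictly a special case of rule 3 (a public address is never inside the NoT subnet), so it exists only to make the intent visible in the rule list; and because rule 3 blocks everything initiated from NoT, any device that has to push events to Home Assistant on its own, rather than being polled, would need its own narrow allow rule towards the HA server.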