I went through some methods for presence detection. Some involved an alarm panel with a code to punch in, or various sensors to detect a person in the room. Ultimately, I went with hardware I already own and configured it in a way that is safe and reliable.
Along the way I read a bit about Wi-Fi security, and I hope the information will be useful.
a) SSH vs HTTP(S) AsusWRT integration
The SSH integration takes slightly more work: you generate an SSH key pair, add the public key to the router and point the HA configuration at the private key. Set the monitored interfaces to
“eth0, eth1, br0”
to cover both the 2.4 GHz and 5 GHz radios and Ethernet. The interface names differ between router models, so check on the router which interface belongs to which radio (for example with `nvram get wl0_ifname` and `nvram get wl1_ifname`) before copying the list.
The SSH integration also reports WAN download and upload correctly, while the HTTP(S) integration appears to report the same value for both.
Unfortunately, the SSH integration does not report RAM utilization.
b) Set AP Isolated
Wi-Fi devices used only for presence detection do not need access to Home Assistant (or anything else on the local network). The router simply sees the device associate and the integration forwards that fact to HA.
Assuming your client device is a phone, you can set the 2.4 GHz band to isolated and keep 5 GHz open for the intranet, or vice versa, as long as the client does not need a lot of bandwidth. After enabling it, verify from a client on the isolated band that HA and your other hosts are really unreachable: the option blocks traffic between wireless clients, and depending on the firmware wired hosts may still be reachable, in which case use a guest network with intranet access disabled instead.
c) Guest networks for IoT devices
Most IoT devices only support WPA2-Personal on 2.4 GHz.
Let's split this into two use cases.
Most IoT devices need internet access for their app to work, but you do not want them to reach any other device on the local network. Use either ‘Set AP Isolated’ or disable intranet access in the guest network settings.
Because some Asus routers have a subnetting issue on Guest Network #1, use Guest Network #2 or #3 and disable intranet access there.
In the other use case you control the IoT device locally through an HA integration. Create another guest network and enable intranet access for it. If you also do not want the device to be controllable from the internet, block its internet access per client (in the AiMesh client settings, which work even when you do not use a mesh).
d) Allow known MAC addresses
When configuring client devices, use the original, non-randomized MAC: phones default to a per-network random MAC, so turn that off for your home SSID or you will redo the allow list and the HA device tracker every time the Wi-Fi profile is recreated. Keep in mind that a MAC filter is a convenience layer, not authentication; a MAC can be copied and spoofed, so the real access control is the per-network segmentation and, where available, Enterprise authentication.
General rule: if your IoT device needs internet access, it should not need local network access.
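As an added example (not code from the original post or from the HA integration): the presence check itself is nothing more than matching the router's neighbour table against your allow list, and the same pass can flag the randomized MACs that break the allow list. The script below parses a constructed `ip neigh show` snapshot as it would come back over SSH from the router (the assumption is that this table is what a polling integration reads; addresses, MACs and the `KNOWN_DEVICES` list are made up), reports which known devices are home, and lists unknown active clients with a flag for locally administered (randomized) addresses.

```python
"""Presence check against a router neighbour table, with a MAC-randomization check."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ip neigh show` output as returned over SSH from the
# router (assumption: this is one of the tables a polling integration reads;
# the IPs and MACs are made up for the example).
SAMPLE_NEIGH = """\
192.168.50.23 dev br0 lladdr a4:83:e7:12:34:56 REACHABLE
192.168.50.77 dev br0 lladdr da:a1:19:0b:5c:31 REACHABLE
192.168.50.41 dev br0 lladdr 50:c7:bf:aa:bb:cc STALE
192.168.50.9 dev br0  FAILED
fe80::1c2e:3f4a:5b6c:7d8e dev br0 lladdr a4:83:e7:12:34:56 router STALE
"""

# Hypothetical allow list (MAC -> friendly name), mirroring the router's MAC
# filter and the HA device tracker entries.
KNOWN_DEVICES = {
    "A4:83:E7:12:34:56": "alice-phone",
    "50:c7:bf:aa:bb:cc": "living-room-tv",
}

# Neighbour states that count as "on the network right now". STALE means the
# kernel has not confirmed the entry recently, so it is excluded here
# (assumption; loosen this for phones that sleep aggressively).
ACTIVE_STATES = frozenset({"REACHABLE", "DELAY", "PROBE"})


@dataclass(frozen=True)
class NeighEntry:
    ip: str
    dev: str
    mac: Optional[str]
    state: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so lookups do not depend on formatting."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True for randomized (locally administered) unicast MACs.

    Bit 0x02 of the first octet is the U/L bit that phones set on randomized
    addresses; bit 0x01 is the I/G bit, set on multicast, which is never a
    client address.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def parse_ip_neigh(text: str) -> list:
    """Token-based parse: 'lladdr' is absent on FAILED entries and flags such
    as 'router' may appear, so field positions are not fixed."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] != "dev":
            continue
        mac = None
        if "lladdr" in tokens:
            mac = normalize_mac(tokens[tokens.index("lladdr") + 1])
        entries.append(NeighEntry(ip=tokens[0], dev=tokens[2], mac=mac, state=tokens[-1]))
    return entries


def active_macs(entries, states=ACTIVE_STATES) -> set:
    return {e.mac for e in entries if e.mac and e.state in states}


def presence(entries, known) -> dict:
    """name -> present, for every device on the allow list."""
    active = active_macs(entries)
    return {name: normalize_mac(mac) in active for mac, name in known.items()}


def unknown_active(entries, known) -> list:
    """Active clients not on the allow list as (mac, ip, looks_randomized).
    A randomized MAC here is usually a phone whose per-network MAC
    randomization is still on, the exact case that breaks the MAC filter."""
    known_macs = {normalize_mac(m) for m in known}
    seen = {}
    for e in entries:
        if e.mac and e.state in ACTIVE_STATES and e.mac not in known_macs and e.mac not in seen:
            seen[e.mac] = (e.mac, e.ip, is_locally_administered(e.mac))
    return list(seen.values())


if __name__ == "__main__":
    entries = parse_ip_neigh(SAMPLE_NEIGH)
    for name, here in presence(entries, KNOWN_DEVICES).items():
        print(f"{name:16} {'home' if here else 'away'}")
    for mac, ip, randomized in unknown_active(entries, KNOWN_DEVICES):
        print(f"unknown {mac} at {ip}{' (randomized MAC)' if randomized else ''}")
```

Run against a real table by replacing `SAMPLE_NEIGH` with the output of `ssh admin@router ip neigh show`. The unknown-but-randomized entries are the ones to fix on the phone (disable the private/randomized address for your home SSID) rather than add to the allow list, since the address will change again on the next profile reset.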
e) WPA3-Enterprise
If you run a RADIUS server and have a properly signed server certificate for it (one your clients are configured to validate), enable Protected Management Frames to harden the Wi-Fi network a bit more. Client-side certificate validation matters: without it, a rogue AP broadcasting the same SSID can collect the credentials your phone offers.
However, IoT devices generally support neither Enterprise networks nor Protected Management Frames, so move them to a less secure 2.4 GHz WPA2-Personal network, preferably without access to the local network.
f) Why Protected Management Frames?
PMF (802.11w) adds integrity protection to management frames, so a forged deauthentication or disassociation frame is dropped instead of disconnecting the client. If you have an automation that runs when everyone leaves the house, a funny neighbour could try to kick your phones off the network and trigger it.
g) Why WPA3-Enterprise?
WPA2-Enterprise can run with PMF disabled, which leaves the deauth attack open.
WPA3-Enterprise makes PMF mandatory, and on top of the MAC filter it requires each client to authenticate with a username and password inside a TLS tunnel to the RADIUS server, whose certificate (issued for your domain name) the client validates.
This setup ensures that:
a) a specific user with a specific device is in range of the Wi-Fi.
You can even use one login for the 2.4 GHz ‘AP isolated’ network and a different one for the 5 GHz network where access to HA is allowed.
b) clients cannot be kicked off by a deauth attack sent over the air.
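As an added example for f) and g) (not code from the original post): if you want to know whether the neighbour is actually trying, the deauth scenario is easy to spot on air, because legitimate deauth/disassoc frames are rare and spread out while an attack is a burst against one client. The detector below reads a tab-separated export from a monitor-mode capture (assumed format: `tshark -i wlan0mon -T fields -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.da`) and alerts when a sliding window holds too many disconnect frames for the same target. The frames, BSSID and client MACs are constructed for the example.

```python
"""Deauth/disassoc flood detector over a tshark field export."""
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management subtypes as tshark prints wlan.fc.type_subtype.
DEAUTH = 0x0C
DISASSOC = 0x0A

# Constructed addresses for the example (not real devices).
AP_BSSID = "04:d4:c4:aa:bb:cc"
PHONE = "a4:83:e7:12:34:56"
LAPTOP = "50:c7:bf:aa:bb:cc"


def build_sample_capture() -> list:
    """Constructed capture: a few isolated, legitimate disconnects hours apart,
    then a forged burst of deauths 'from the AP' against the phone."""
    base = 1_700_000_000.0
    lines = [
        f"{base:.6f}\t0x0008\t{AP_BSSID}\tff:ff:ff:ff:ff:ff",   # beacon, ignored
        f"{base + 60:.6f}\t0x000c\t{AP_BSSID}\t{LAPTOP}",       # one legitimate deauth
        f"{base + 3600:.6f}\t0x000a\t{PHONE}\t{AP_BSSID}",      # phone leaves (disassoc)
        f"{base + 7200:.6f}\t0x000c\t{AP_BSSID}\t{PHONE}",      # another isolated deauth
    ]
    # 15 deauths to the phone within 1.5 s: the attack pattern.
    lines += [f"{base + 9000 + i * 0.1:.6f}\t0x000c\t{AP_BSSID}\t{PHONE}" for i in range(15)]
    return lines


SAMPLE_CAPTURE = build_sample_capture()


@dataclass(frozen=True)
class Frame:
    ts: float
    subtype: int
    sa: str
    da: str


def parse_tshark_lines(lines) -> list:
    frames = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or not parts[2] or not parts[3]:
            continue  # frames without both addresses (ACKs etc.) are not relevant
        ts, subtype, sa, da = parts
        # Recent tshark prints 0x000c, older builds print 12; base 0 accepts both.
        frames.append(Frame(float(ts), int(subtype, 0), sa.lower(), da.lower()))
    return frames


def detect_deauth_floods(frames, window_s=10.0, threshold=10) -> list:
    """Sliding window per target (wlan.da): alert once `threshold` or more
    deauth/disassoc frames hit the same client within `window_s` seconds.
    One alert per target, extended while the burst continues."""
    recent = defaultdict(deque)  # target -> deque of (ts, source) within the window
    alerts = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[f.da]
        q.append((f.ts, f.sa))
        while q and f.ts - q[0][0] > window_s:
            q.popleft()
        if len(q) < threshold:
            continue
        if f.da not in alerts:
            alerts[f.da] = {"target": f.da, "start": q[0][0], "end": f.ts,
                            "count": len(q), "sources": {sa for _, sa in q}}
        else:
            a = alerts[f.da]
            a["end"], a["count"] = f.ts, a["count"] + 1
            a["sources"].add(f.sa)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_floods(parse_tshark_lines(SAMPLE_CAPTURE)):
        print(f"deauth flood against {a['target']}: {a['count']} frames in "
              f"{a['end'] - a['start']:.1f}s from {sorted(a['sources'])}")
```

The source address in the burst is the AP's own BSSID, which is exactly why a MAC filter offers no protection here: the attacker simply spoofs it. With PMF required, the phone discards these unprotected frames and stays connected, but the burst is still visible on air, so the detector tells you the attempt happened.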
Wi-Fi stability in your area is an important prerequisite. Prefer connection stability over high performance.