Securing & segregating your home networks

Likewise, I’m 100% on Ubiquiti (4 UniFi APs) and use the complete local controller.
No cloud dependability. I can confirm they are clean. The "cloud" part is only meant to give you access to remote settlements you may be in charge of.

I don’t see in @kameo4242’s guide where he states the HA device is connected and on which VLAN it is. I’m not clear yet on how HA monitors all the IoT devices from a different VLAN, or, if HA needs to be on the IoT VLAN, how we presumably configure a VPN for it to communicate with the protected VLAN(s) or out to the internet.

I see he is setting up an SSID for each VLAN. Any consideration for a RADIUS server for a single SSID instead?

Hi @haio, @WallyR’s solution will work. You will eventually have issues with device trackers across networks though. The various device_tracker plugins work differently depending on which one you use. I use the iPhone tracker, which is uncomfortable at tracking devices across different subnets. (Ping is as well, I think.) It’s probably an HA limitation as a whole, I’m not sure. I.e. if you have yours on 192.168.XXX.YYY and your guests on 172.16.XXX.YYY, it will not be tracking the latter, if I recall properly.

A workaround I found to assess if my guests are home or not is to have a script running in a cron, checking their specific IP address and updating an MQTT topic, which in return, with an automation, updates the device_tracker.

Not very slick, but works.

    #!/bin/bash
    # Poll one phone on the guest VLAN and publish its presence to an MQTT topic.
    # hping3 sends a few UDP packets to 5353 (mDNS) and ping sends ICMP so the
    # phone answers and its entry in the kernel neighbour table becomes REACHABLE.

    iphone_julia="172.16.0.41"
    mqtt_topic="homeassistant/phone_tracker/julia"

    probe() {
      hping3 -2 -c 3 -p 5353 "$iphone_julia" -q >/dev/null 2>&1
      ping -c 3 "$iphone_julia" >/dev/null 2>&1
    }

    # True when the neighbour table holds a REACHABLE entry for this exact address
    # ("to" limits the listing to that address, so 172.16.0.4 cannot match .41).
    is_reachable() {
      ip neighbor show to "$iphone_julia" | grep -q REACHABLE
    }

    publish() {
      mosquitto_pub -h localhost -p 1883 -u ESP -P r.e.d.a.c.t.e.d -t "$mqtt_topic" -m "$1"
    }

    probe
    if is_reachable; then
      julia_status="home"
    else
      # Retry once after a short pause before declaring the phone away
      sleep 5
      probe
      if is_reachable; then
        julia_status="home"
      else
        julia_status="not_home"
      fi
    fi

    publish "$julia_status"
    echo "$julia_status"

I declare an MQTT sensor:

    - name: julia_iphone_mqtt
      unique_id: "julia iphone (mqtt)"
      state_topic: "homeassistant/phone_tracker/julia"
      qos: 1

It’s among those ugly things you tell yourself “I’ll fix it one day” and since it works, keep on forgetting about…
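One way to consume that topic directly as a device_tracker, skipping the intermediate sensor and automation, is the MQTT integration's own device_tracker platform; this is an added example with the topic and payloads the script above publishes, not the poster's configuration, and it assumes a current Home Assistant MQTT integration configured under the `mqtt:` key:

```yaml
mqtt:
  device_tracker:
    - name: "julia_iphone"
      unique_id: "julia_iphone_mqtt_tracker"   # assumed id, pick your own
      state_topic: "homeassistant/phone_tracker/julia"
      payload_home: "home"          # matches the script's "home" message
      payload_not_home: "not_home"  # matches the script's "not_home" message
      source_type: router           # presence derived from the network, not GPS
```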

HA is easiest to place on the IoT network, and then just open up the ports for the web interface.
This way all the discovery protocols will work with all the devices on the IoT network, and Matter with IPv6 and devices on the IoT network will also be possible to get running.
You can place it on the normal network, but you will have to really set up a lot of routing and firewall rules, and Matter will not work with devices on the IoT network.

Yes, a separate SSID for each VLAN.
There is no point in segregating into VLANs if your WiFi is not following through and thereby creates a bridge between the VLANs.


@WallyR @kameo4242 you guys rock, thanks so much!