Ahh.
This is exactly why such devices are running in my home network and not in the iot one.
IGMP routing across VLANs is very difficult and causes strange behaviors…
But obviously you don’t have an IGMP issue but a multicast one.
This is why you need to switch networks…
IGMP issues are maybe there for Roku in addition. (I don’t use Roku.)
E.g. Netflix does not need any IGMP; not sure if Roku does need it.
Btw. you are not only in different subnets but VLANs, right?
Sending multicasts across subnets is easy, while a VLAN is isolated.
LAN (can’t set a VLAN) - Wired devices are on LAN (Plex stack, Home Assistant, Unifi switches/APs/Cams, Webservers…etc)
VLAN20 - Wireless (exclusive to family iPhone/iPad/Macbooks…etc) go to WiFi Main (2.4/5Ghz)
VLAN30 - Friends/External family/guests can use a throttled Guest network. (2.4/5Ghz)
VLAN40 - IoT devices (if I can’t access the device OS) it goes on IoT (2.4Ghz)
Understood.
I think you should be asking in a Unifi forum, as the idea is clear but does not work as it should.
But this is a pretty good example why I wanted to avoid the changes applied to the router.
Btw.
If you want (working) enterprise features for low cost, check out MikroTik. But be warned, it’s far away from simple, but can do whatever you like.
I’m a bit confused what most here are accomplishing…
You separated your iot and trusted devices, which is great, but then you bridged the two VLANs with home assistant? Doesn’t that defeat the purpose of your security measures?
If you are savvy enough to set up HA and segregated VLANs, you can surely set up an Avahi reflector and enable IGMP snooping.
See my replies somewhere above why HA is connected to both VLANs
Avahi (mDNS) uses broadcasting…
1.) Broadcasting/Multicast → Spamming your network.
2.) Having multicast between VLANs is not intended to happen, and if done by a workaround it is exactly against what I want to achieve.
Question:
Why do you think my HA bridge (Proxmox bridge) is defeating my VLAN purpose?
IMHO, and I have not yet wiresharked it, but my purpose is to keep the broadcast / multicast in their own networks.
Hi all,
Just to add some more info here regarding separation and forwarding packets from one network/interface to the others, some important things that might help one decide how good/secure a strategy this is.
I have it setup like that, and I don’t feel it to be insecure.
By putting two network interfaces in HA and connecting them physically to two different networks, does it make it potentially less secure? Absolutely! No cable means no connection, so 100% secure. Two cables/networks means 100% more insecure than one cable/network. So is HA 100% bulletproof secure with only one network? Not really.
The main objective, just like mentioned before by Christian is to allow HA to be available in multiple networks and at the same time avoid unfiltered contact between all the segregated HA clients/networks. I don’t want my smart TV to see my sensors, so separation should be done at multiple levels/networks/vlans. Having a virtualized HA makes all this easy as pie as one can add as many vlans/network interfaces as you wish, as long as you have a switch that supports tagging.
Obviously routing through the firewall would be a better strategy (keeping HA inside a DMZ), but unfortunately this breaks communications that require broadcasting, which does not survive routing (thankfully).
So moving on from the tinfoil hat approach, we can take into consideration a few things:
Packets are only routed between networks by HA if it is set up as a router (meaning it can move packets from one network to another)
HA has to be a gateway to other devices in any of the networks it belongs to.
net.ipv4.ip_forward needs to be set up (‘sysctl net.ipv4.ip_forward’ should show “net.ipv4.ip_forward = 1”)
iptables needs to be set up to allow packet forwarding (‘iptables -L | grep FORWARD’ should show “Chain FORWARD (policy ACCEPT)”)
Taking this into consideration, just follow your instincts
Hi Carlos
I have a question from your inputs…
Does it mean that you do not use any switch feature (VLAN) or do you virtualize every net?
I plan to choose a VLAN and I wonder if you could help us with a step-by-step tutorial to implement what you said? (Considering that I am not a dummy.) I have a Hass.io HA and try to understand what to do to go through a new config. I created a bond0 with an active/passive LAN/WiFi architecture and 4 VLAN.X. But what else to do (static IP on each VLAN, DHCP…)? I would be very fond of your advice on my project.
Hi,
Absolutely everything is now basically virtualized in my setup. I started with a RPI3 and HassOS (when I wrote the tutorial) but have since moved to a Proxmox environment (SD card problems made me take the decision).
So I have an OPNsense VM that controls all traffic between internal networks (VLANs) and the internet (I have close to 20 VLANs configured). There is one 26-port physical switch and a few smaller ones to which devices plug their cables and are “vlanned” immediately to their respective segment (VLAN). WiFi clients also get “vlanned” via specific access points and WiFi SSIDs.
I then created virtual network interfaces on Proxmox (there is a good tutorial on how to do this somewhere up there on this thread) that get attached to the HA VM (as many networks as you need to connect to), each of them “vlanned” to the appropriate network that needs to talk to HA.
An example of a possible HA multiple network interfaces:
eth0 - 192.168.1.1 - “vlanned” to vlan1 segment with access to internet and with a proper working default GW defined so that HA can update and go to the internet via this (opnsense IP in 192.168.1.)
eth1 - 192.168.2.1 - “vlanned” to vlan2 where lights are connected, no GW defined on this interface, although it might exist on another opnsense network interface, if you need to open access to firmware updates (light switches and opnsense ip’s would be 192.168.2. obviously)
eth2 - 192.168.3.1 - “vlanned” to vlan3 where temperature sensors are connected and again what I referred to in the previous vlan
eth3 - … and so on and so on
It all depends on how many separations you want/need…
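Carlos lists two conditions under which HA could move packets between its networks (ip_forward set to 1 and a FORWARD chain that accepts) and, in the interface layout above, a default gateway on only one interface. The script below is an added example, not code from this thread or from Home Assistant: it audits those three points from the text output of `sysctl`, `iptables -S` and `ip route`. The embedded command outputs are constructed to match the eth0/eth1/eth2 layout described above; `collect_live()` gathers the real output on a Linux host (iptables may need root). The interface name `eth0` as the uplink is an assumption taken from the example layout.

```python
"""Audit whether a multi-homed Home Assistant host could act as a router.

Checks: net.ipv4.ip_forward must be 0, the FORWARD chain policy should be DROP,
and exactly one interface (the uplink) may carry a default route.
"""
import re
import shutil
import subprocess

# Constructed sample output (not captured from a real host): a VM that is NOT
# forwarding and has its only default route on the uplink interface eth0.
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 0\n"
SAMPLE_IPTABLES = "-P INPUT ACCEPT\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n"
SAMPLE_IP_ROUTE = (
    "default via 192.168.1.254 dev eth0 proto static\n"
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1\n"
    "192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1\n"
    "192.168.3.0/24 dev eth2 proto kernel scope link src 192.168.3.1\n"
)


def ip_forward_enabled(sysctl_output: str) -> bool:
    """True if 'sysctl net.ipv4.ip_forward' reports 1 (kernel routes between interfaces)."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    if not m:
        raise ValueError("net.ipv4.ip_forward not found in sysctl output")
    return m.group(1) == "1"


def forward_policy(iptables_s_output: str) -> str:
    """Default policy of the FORWARD chain, parsed from 'iptables -S' ('-P FORWARD <POLICY>')."""
    for line in iptables_s_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P" and parts[1] == "FORWARD":
            return parts[2]
    raise ValueError("FORWARD chain policy not found in iptables output")


def default_route_devs(ip_route_output: str) -> list:
    """Interfaces that carry a default route in 'ip route' output, in listing order."""
    devs = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if parts and parts[0] == "default" and "dev" in parts:
            devs.append(parts[parts.index("dev") + 1])
    return devs


def audit(sysctl_output: str, iptables_output: str, ip_route_output: str,
          uplink: str = "eth0") -> list:
    """Return findings as strings; an empty list means the host matches the intended design."""
    findings = []
    if ip_forward_enabled(sysctl_output):
        findings.append("net.ipv4.ip_forward is 1: the kernel will route between the VLAN interfaces")
    policy = forward_policy(iptables_output)
    if policy != "DROP":
        # Harmless while ip_forward is 0, but there is then no second line of defence.
        findings.append(f"FORWARD chain policy is {policy}: forwarded packets would not be blocked")
    devs = default_route_devs(ip_route_output)
    if devs != [uplink]:
        findings.append(f"default route on {devs or 'no interface'}, expected only on {uplink}")
    return findings


def collect_live() -> tuple:
    """Run the real commands on a Linux host and return their output texts."""
    for tool in ("sysctl", "iptables", "ip"):
        if shutil.which(tool) is None:
            raise RuntimeError(f"{tool} not found; cannot audit the live host")

    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

    return run(["sysctl", "net.ipv4.ip_forward"]), run(["iptables", "-S"]), run(["ip", "route"])


if __name__ == "__main__":
    result = audit(SAMPLE_SYSCTL, SAMPLE_IPTABLES, SAMPLE_IP_ROUTE)
    print("sample host:", result or "matches the intended design")
```

To audit a real HA VM, replace the sample arguments with `audit(*collect_live())`; a host where a VLAN interface also received a default gateway via DHCP shows up as the third finding even when forwarding is off.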
Hi Carlos
Thanks a lot for the explanation. I will have a look into it later for my project…
But in my project I only have a WiFi expander, WiFi to LAN (OpenWrt), connected to my Ethernet switch box, and I could have limited physical links. I use the same SSID name for my expander and my SSID from the provider.
So I wanted to use VLANs on that OpenWrt to connect my devices and reserve the physical LAN for servers, HA, …
So you probably used a static IP on each device? Or do you have a dedicated DHCP on each VLAN?
Does it mean I need a DHCP relay for those DHCP servers?
Regards
No worries. Well, OpenWrt (depending on your router/AP model) can/does support VLANs. I have a TP-Link Archer C7 v2 with OpenWrt 19.07.7 installed, configured as an AP (so no routing performed) and it’s connected to my main switch via one physical cable, but all VLANs traverse it through tagging. This means I can create multiple SSIDs, each for a specific VLAN, for ex. named “lights”, “sensors”, etc. and attach them individually to their VLANs and so on, as many virtual SSIDs as the AP permits.
The firewall (OPNsense in my case, but pfSense does this as well) is connected to all these networks (it is in fact the default GW for all of them, so I can filter/block outgoing traffic) and has an inbuilt DHCP server that can be configured per interface and serve multiple networks, one per interface. So it is only a matter of adjusting the DHCP preferences in each interface/network. No relays necessary.
Pretty easy, but all depends on what level of segmentation you want/need to achieve and allows you to separate all the devices you want. If you wished, you could have a vlan per device with no GW defined/available at all, setting the network to a /30 subnet mask, meaning that the device would only be able to talk to HA itself. It would make updates over the internet for this device a bit troublesome, though.
I am not very at ease with designing LAN network layout/rules, but you probably don’t use the DHCP from your internet provider but instead yours for all your devices, sensors, lights, PC, phone?
My TP-Link is a TL-WA850RE v1 and I don’t have the VLAN capabilities.
So I try to create a common SSID for all my devices but I still use the DHCP from my provider, which is unique on my LAN.
The goal is probably to disable my native DHCP and configure the DHCP providing IPs inside each LAN segment. But I am quite lost in such a config with what you called the firewall as a GW. Question: is it the FW of the HA? Or the FW of the server hosting HA?
Yes, you are right. I do not use my provider’s dhcp server. Two ways to solve this situation you describe (in my opinion), both involve having a 3rd device (pc or similar) that will be able to control all traffic flow between your local networks and internet (I recommend opnsense but pfsense is also a good option).
First and simplest option is to connect this PC with opnsense/pfsense installed WAN port to your provider’s router, that would create a double NAT, but you’d control all devices in your local networks.
Second and better, but more complicated setup, is to bridge your provider’s router to this opnsense WAN port, thus effectively making your provider’s router a dumb pipe and your external ip managed by opnsense (not all providers nor devices allow this).
To sum up, without a device in between your provider’s router and your own local devices, you will not be able to segregate/control your local networks and communication between devices.
The FW here is the PC (opnsense/pfsense, virtual or physical) that controls all traffic flow between networks and internet. Without that, you can’t control your networks.
SERVER-LAN = Proxmox, HAOS VM. Kind of DMZ as I only allow IoT to the specific IP of HAOS.
IoT-LAN = IoT devices, separate Pi-Hole (don’t want to talk DNS with the SECURE-LAN)
MGMT-LAN (untagged) = Only UDM, and APs
GUEST-LAN = Guest LAN… Public DNS
SECURE-LAN = All families laptops and phones etc + Pi-Hole that serves SECURE-LAN, SERVER-LAN and MGMT-LAN.
NoT-Devices (Group where I put all my NoT-devices IP) = Cameras and other stuff that don’t need internet.
The Proxmox server on SERVER-LAN can only communicate with itself, and SECURE-LAN + IoT-LAN since I made a group of subnets on that port in the UDM.
@fireheadman How does your setup work out for you? Are you able to reach all your IoT devices as you should? I personally use mDNS for Chromecast and will get my Schneider Wiser stuff soon + Sonoff USB Zigbee stick (plus model). Just wondering if you have any issues with connectivity with your current setup since broadcasting can’t happen across VLANs (or can it?)
Also wondering why you put IoT → HA, and not HA → IoT with established related traffic?
no… was constantly having issues. did some soul searching with this config and decided to un-complicate things. In reality I do not have anything of value on my network to lose aside from a mp3/mp4 collection. I took a look at myself struggling with this, thinking… “I’m losing night and day battling inefficiencies and shortcomings of unifi for what?” I lost the thrill of this part. I still value HA and still love the automations, but life is too precious to be hacking on a computer for that amount of time.
…that and covid got me, so I just wanted the easy street for a while.
maybe if I become bored or solve all of my other life’s mysteries I’ll attempt it again.
good luck out there.
Yeah I’m also noticing some lag with mDNS turned on. Thinking of maybe moving HA to the MGMT-LAN instead and connect the IoT directly into it with another “(v)cable” to avoid VLANs but I don’t know… That would defeat the whole purpose of VLANs…
I still don’t understand why you say it defeats the purpose of VLANs (I guess segmentation of clients is the purpose, because HA will have to be available to all), when you do have a point where all of these VLANs must meet (most likely your router/fw, unless they are not going to HA, to the internet or elsewhere (like crossing VLANs)).
By presenting HA to each vlan with a unique interface that is just another iot element/client, not itself a router/bridge of network segments, you achieve what you want in a simple way, with minimal risk of spilling networks (IMHO ).
If you are really nervous about HA spamming all vlans with unnecessary traffic, which might happen, but I still doubt it, you could fine tune each of the services in HA to only listen to a specific interface/address/vlan, right?
Just forget it.
Obviously there are people knowing it better, while I have not seen any useful guide, only written words about theory…
Looking forward to see a post of implementing the vlan correctly.
But be prepared for a lot of critical questions, we really want to see it implemented as by its “purpose” without any bypass
And of course no solution without network sniffing.
Not sure if it is worth that effort, but happy to see it…
Well, by “purpose of VLAN” I mean that VLANs shouldn’t be able to talk to each other - at all. The default in Unifi is the opposite, which to me is kind of crazy.
The easiest way to solve it would be to put HA in the IoT network and consider it dangerous, but that’s not a good idea either I’ve read. Maybe I’m over thinking it.
I don’t use any Unifi equipment, but by default, switches (I use Netgear, HP and TP-Link) come with one VLAN set up on all ports, the PVID, which is normally the VLAN with id 1. It is only when you add more VLANs and set different PVIDs on the ports that segregation starts happening.
When you put an additional network interface to HA, attached to the insecure vlan, HA is not meant to be the gateway for this vlan (vlan could be even sealed from accessing internet by not having a default gw configured), HA should be configured to allow only what you want to allow in that vlan (port wise and service wise via HA and even linux host firewall, depending on installation you have) period.
It’s not overthinking, it’s just minimizing your attack surface, if any should exist. This secure VLAN would have no internet access, but HA would update itself via the other interface, that is in another more open VLAN, and you could “monitor” HA via firewall rules, if you believe it might turn rogue on you.
I work in IT (Systems Administrator - Linux/Windows), and have been doing so for a few years. You are right that regular consumer grade products (routers) don’t get you the possibility to add different VLANs - Unifi does, which is one of the reasons I got it (even though their implementation isn’t “best practice” IMHO).
I don’t know if you or @autoX are using consumer grade products, or if you actually are network masters, but telling from your reasoning I tend to believe you are not able to easily divide your network into VLANs (as VLANs should be setup - no traffic in between). That’s also why I understand your way of making HA the “gateway” (even if it’s not) for the IoT network.
The whole point for me is to totally separate networks to be 100% sure that no traffic can slip through. I even set up a separate local DNS server on the IoT network because I don’t want to mix traffic from either one of my secure networks. A good example of how I’m thinking in my setup above is the rule that I allow HA → IoT, and then established/related traffic to talk back, so in other words I’ll only allow IoT to talk back if HA initiated the traffic. But again, maybe I’m over-thinking it…
My end goal at least is to rest assured that no matter what gets hacked on the IoT-LAN, nothing can make its way through to my LAN, or any other network for that sake. Therefore, putting HA on my LAN, and then connecting a direct cable to it from my IoT would make HA the weak point. HA will also talk to my other secure LANs and what stops a hacked IoT device from sniffing traffic and making attacks on my other LANs as well if HA is connected to them? Nothing really.
So, in that aspect, what’s the point of making a separate VLAN if it doesn’t protect me anyway? What really bothers me is that it seems that I don’t have any choice than to do something similar to what you have done since broadcasting traffic can’t be sent over separate VLANs, or maybe Unifi is a shitty product - I don’t know since it’s my first Unifi device. I usually buy real network servers and install OPNsense/PfSense which I find more capable.
Regarding internet or not for IoT - I will have (already implemented in the setup above) a rule in the FW which I add devices to that shouldn’t talk to the internet, so-called “NoT”.
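The rule described above (HA → IoT allowed, IoT → HA only as established/related traffic, also asked about earlier in the thread) is easy to state and easy to get backwards. The model below is an added example, not the poster's UDM configuration or any firewall's code: a minimal stateful filter that accepts new TCP connections only from the HA address into the IoT subnet and otherwise accepts just the reverse direction of a flow it has already tracked. The addresses are placeholders chosen for the example (HA on a SECURE/SERVER-side subnet, a bulb on IoT-LAN), the packets are constructed, and the TCP-only model stands in for a real conntrack, which also tracks UDP and ICMP "related" traffic.

```python
"""Model of a 'default deny, HA -> IoT new, established back' forward policy.

Constructed packets, not captured traffic. Placeholder addresses (assumed):
HA lives on 192.168.10.0/24, the IoT VLAN is 192.168.40.0/24.
"""
from dataclasses import dataclass

HA_IP = "192.168.10.10"   # assumed address of the HA host (placeholder)
IOT_NET = "192.168.40."   # assumed IoT-LAN prefix (placeholder)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a new TCP connection


class StatefulFilter:
    """Tiny stand-in for a conntrack-backed FORWARD chain with policy DROP."""

    def __init__(self) -> None:
        # Flows the filter has accepted, as (initiator, iport, responder, rport).
        self.established = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. ct state established: either direction of a tracked connection.
        if flow in self.established or reverse in self.established:
            return "ACCEPT (established)"
        # 2. ct state new: only HA may open connections, and only into IoT-LAN.
        if pkt.syn and pkt.src == HA_IP and pkt.dst.startswith(IOT_NET):
            self.established.add(flow)
            return "ACCEPT (new, HA -> IoT)"
        # 3. Everything else, including any IoT-initiated connection, hits the policy.
        return "DROP"


def run_scenario() -> list:
    """Feed a constructed sequence of packets through the filter and return the verdicts."""
    fw = StatefulFilter()
    bulb = IOT_NET + "23"
    packets = [
        Packet(HA_IP, 51000, bulb, 80, syn=True),    # HA polls the bulb's HTTP API
        Packet(bulb, 80, HA_IP, 51000, syn=False),   # the bulb answers on the same connection
        Packet(bulb, 40000, HA_IP, 8123, syn=True),  # the bulb tries to open HA's UI port itself
        Packet(bulb, 40000, HA_IP, 8123, syn=False), # stray non-SYN packet with no tracked flow
        Packet(bulb, 40001, "192.168.10.20", 22, syn=True),  # the bulb tries another SECURE host
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Reversing the direction of rule 2 (IoT → HA new, HA answers as established) would let every device in the IoT VLAN open connections to HA at will, which is the weak point the post is trying to avoid; with the order shown, a compromised device can answer HA but cannot start anything.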