Setup VLAN and HA tutorial

aladin · January 29, 2022, 3:44pm

Hi Carlos
I have a question from your inputs…
Does it means that you do not use any switch feature (vlan) or do you virtualize every net ?
I plan to do choose a vlan and I wander if you could help us in a step-by step ‘tuto’ to implement what you said ? ( considering that i am not a dummy). I have an hassio HA and try to understand what to do to go through a new config. I created a bond0 with active/passive lan/wifi architecture, 4 Vlan.X . But what else to do ( static ip on each of vlan, dhcp …) i could be very found of your advise on me project

cr0muald0 · January 29, 2022, 11:58pm

Hi,
Absolutely Everything is now basically virtualized in my setup. I started with a RPI3 and HassOS (when I wrote the tutorial) but have moved since to a proxmox environment (sdcard problems made me take the decision).

So I have an opnsense VM that controls all traffic between internal networks (vlans) and the internet (I have close to 20 vlans configured). There is one 26 port physical switch and a few smaller ones to which devices plug their cables and are “vlanned” immediately to their respective segment (vlan). Wifi clients also get “vlanned” via specific access points and wifi SSIDs.

I then created virtual network interfaces on proxmox (there is a good tutorial on how to do this somewhere up there on this thread) that get attached to the HA VM (as many networks as you need to connect to), each of them “vlanned” to the appropriate network that needs to talk to HA.

An example of a possible HA multiple network interfaces:
eth0 - 192.168.1.1 - “vlanned” to vlan1 segment with access to internet and with a proper working default GW defined so that HA can update and go to the internet via this (opnsense IP in 192.168.1.)
eth1 - 192.168.2.1 - “vlanned” to vlan2 where lights are connected, no GW defined on this interface, although it might exist on another opnsense network interface, if you need to open access to firmware updates (light switches and opnsense ip’s would be 192.168.2. obviously)
eth2 - 192.168.3.1 - “vlanned” to vlan3 where temperature sensors are connected and again what I referred to in the previous vlan
eth3 - … and so on and so on

It all depends on how many separations you want/need…

aladin · January 30, 2022, 10:26am

Hi Carlos
Thanks a lot for explanation. I will have a look Into later for my project…
But in m’y project i only have a wifi expander wifi to lan (openwrt)connected to my ethernet Switch box and i could have limited physical links. I use same ssid name for my expander and my ssid from provider.
So i wanted to use vlans on that openwrt to connect my devices and reserve physical lan for servers ha,…

So you probable used static IP on each devices ? or do you have a dedicated DHCP on each vlan ?
Does it means i need a DHCP relay for those dhcp servers ?
Regards

cr0muald0 · January 30, 2022, 1:22pm

No worries Well, openwrt (depending on your router/ap model) can/does support vlans. I have a TP-Link Archer C7 v2 with openwrt 19.07.7 installed, configured as an AP (so no routing performed) and it’s connected to my main switch via one physical cable, but all vlans traverse it through tagging. This means I can create multiple ssid’s, each for a specific vlan, for ex. named “lights”, “sensors”, etc and attach them individually to their vlans and so on, as many virtual ssid’s as the AP permits.

The firewall (opnsense in my case, but pfsense does this as well) is connected to all these networks (it is in fact the default GW for all of them, so I can filter/block outgoing traffic) has an inbuilt dhcp server that can be configured per interface and serve multiple networks, one per interface. So it is only a matter of adjusting the dhcp preferences in each interface/network. No relays necessary.

Pretty easy, but all depends on what level of segmentation you want/need to achieve and allows you to separate all the devices you want. If you wished, you could have a vlan per device with no GW defined/available at all, setting the network to a /30 subnet mask, meaning that the device would only be able to talk to HA itself. It would make updates over the internet for this device a bit troublesome, though.

It’s all about your level of “paranoidness”

aladin · January 30, 2022, 9:15pm

I am not very at ease with design lan network layout/rules , but you probably don’t use the dhcp from your internet provider but instead yours for all your devices,sensors, lights, pc , phone ?
My TpLink is a TL-WA850RE v1 and i don’t have the vlan capabilies.
So i try to create a common ssid for all my devices but I still use the dhcp from my providers wich is uniq on my lan .
The goal is probably to disable my native dhcp and configure the dhcp providing ips inside each lan segment. But as i am quite lost in such a config with what you called firewall as a GW . Question Is it the fw of the HA ? or the FW of the server hosting HA ?

cr0muald0 · January 31, 2022, 12:19am

Yes, you are right. I do not use my provider’s dhcp server. Two ways to solve this situation you describe (in my opinion), both involve having a 3rd device (pc or similar) that will be able to control all traffic flow between your local networks and internet (I recommend opnsense but pfsense is also a good option).

First and simplest option is to connect this PC with opnsense/pfsense installed WAN port to your provider’s router, that would create a double NAT, but you’d control all devices in your local networks.

Second and better, but more complicated setup, is to bridge your provider’s router to this opnsense WAN port, thus effectively making your provider’s router a dumb pipe and your external ip managed by opnsense (not all providers nor devices allow this).

To sum up, without a device in between your provider’s router and your own local devices, you will not be able to segregate/control your local networks and communication between devices.

The FW here is the PC (opnsense/pfsense, virtual or physical) that controls all traffic flow between networks and internet. Without that, you can’t control your networks.

enoch85 · January 31, 2022, 10:05pm

Cool, I have something similar:

SERVER-LAN = Proxmox, HAOS VM. Kind of DMZ as I only allow IoT to the specific IP of HAOS.
IoT-LAN = IoT devices, separate Pi-Hole (don’t want to talk DNS with the SECURE-LAN)
MGMT-LAN (untagged) = Only UDM, and APs
GUEST-LAN = Guest LAN… Public DNS
SECURE-LAN = All families laptops and phones etc + Pi-Hole that serves SECURE-LAN, SERVER-LAN and MGMT-LAN.

NoT-Devices (Group where I put all my NoT-devices IP) = Cameras and other stuff that don’t need internet.

The Proxmox server on SERVER-LAN can only communicate with itself, and SECURE-LAN + IoT-LAN since I made a group of subnets on that port in the UDM.

@fireheadman How does your setup work out for you? Are you able to reach all your IoT-devices as you should? I personally use mDNS for Chromecast and will get my Schnieder Wiser stuff soon + Sonoff USB Zigbee stick (plus model). Just wondering if you have any issues with connectivety with your current setup since broadcasting can’t happen across VLANs (or can it?)

Also wondering why you put IoT → HA, and not HA → IoT with established related traffic?

fireheadman · February 2, 2022, 5:47am

no… was constantly having issues. did some soul searching with this config and decided to un-complicate things. In reality I do not have anything of value on my network to lose aside from a mp3/mp4 collection. I took at look at myself struggling with this, thinking… “I’m losing night and day battling inefficiencies and shortcomings of unifi for what?” I lost the thrill of this part. I still value HA and still love the automations, but life is to precious to be hacking on a computer for that amount of time.

…that and covid got me, so I just wanted the easy street for a while.
maybe if I become bored or solve all of my other life’s mysteries I’ll attempt it again.
good luck out there.

enoch85 · February 2, 2022, 9:18pm

Yeah I’m also noticing some lag with mDNS turned on. Thinking of maybe moving HA to the MGMT-LAN instead and connect the IoT directly into it with another “(v)cable” to avoid VLANs but I don’t know… That would defeat the whole purpose of VLANs…

cr0muald0 · February 3, 2022, 3:03pm

I still don’t understand why you say it defeats the purpose of vlans (I guess segmentation of clients is the purpose, because HA will have to be available to all), when you do have a point where all of these vlans must meet (most likely your router/fw, unless they are not going to HA, to the internet or elsewhere (like crossing vlans).
By presenting HA to each vlan with a unique interface that is just another iot element/client, not itself a router/bridge of network segments, you achieve what you want in a simple way, with minimal risk of spilling networks (IMHO ).
If you are really nervous about HA spamming all vlans with unnecessary traffic, which might happen, but I still doubt it, you could fine tune each of the services in HA to only listen to a specific interface/address/vlan, right?

autoX · February 4, 2022, 2:04pm

Just forget it.
Obviously there are people knowing it better, while I have not seen any useful guide, only written words about theory…

Looking forward to see a post of implementing the vlan correctly.
But be prepared of a lot critical questions, we really want to see it implemented as by its “purpose” without any bypass

And of course no solution without network sniffing.

Not sure if it is woth that effort, but happy to see it…

enoch85 · February 4, 2022, 3:02pm

Well, by “purpose of VLAN” I mean that VLANs shoulnd’t be able to talk to each other - at all. The default in Unifi is the opposite, which to me is kind of crazy.

The easiest way to solve it would be to put HA in the IoT network and consider it dangerous, but that’s not a good idea either I’ve read. Maybe I’m over thinking it.

cr0muald0 · February 4, 2022, 8:08pm

I don’t use any Unify equipment, but by default, switches (I use netgear, hp and tp-link) come with one vlan setup to all ports, the pvid, which is normally vlan with id 1. It is only when you add more vlans and set different pvid’s to the ports that segregation starts happening.

When you put an additional network interface to HA, attached to the insecure vlan, HA is not meant to be the gateway for this vlan (vlan could be even sealed from accessing internet by not having a default gw configured), HA should be configured to allow only what you want to allow in that vlan (port wise and service wise via HA and even linux host firewall, depending on installation you have) period.

It’s not overthinking, it’s just minimizing your attack surface, if any should exist. This secure vlan would have no internet access, but HA would update itself via the other interface, that is in other more open vlan and you could “monitor” HA via firewall rules, if you believe it might turn rogue on you)

enoch85 · February 4, 2022, 9:33pm

I work in IT (Systems Administrator - Linux/Windows), and have been doing so for a few years. You are right that that regular consumer grade products (routers) doesn’t get you the possibility to add different VLANs - Unifi does, which is one of the reasons I got it (even though their implementation isn’t “best practice” IMHO).

I don’t know if you or @autoX are using consumer grade products, or if you actually are network masters, but telling from your reasoning I tend to believe you are not able to easily divide your network into VLANs (as VLANs should be setup - no traffic in between). That’s also why I understand your way of making HA the “gateway” (even if it’s not) for the IoT network.

The whole point for me is to totally separate network to be 100% sure that no traffic can sip through. I even setup a separate local DNS server on the IoT network because I don’t want to mix traffic from either one of my secure networks. A good example of how I’m thinking in my setup above is that rule is that I allow HA → IoT, and then established/related traffic to talk back, so in other words I’ll only allow IoT to talk back if HA initiated the traffic. But again, maybe I’m over-thinking it…

My end goal at least is to be rest assured that no matter what gets hacked on the IoT-LAN, nothing can make it’s way through my LAN, or any other network for that sake. Therefore, putting HA on my LAN, and then connect a direct cable to it from my IoT would make HA the weak point. HA will also talk to my other secure LANs and what stops a hacked IoT device to sniff traffic and make attacks on my other LANs as well if HA are connected to them? Nothing really.

So, in that aspect, what’s the point of making a separate VLAN if it doesn’t protect me anyway? What really bothers me is that it seems that I don’t have any choice than to do something similar to what you have done since broadcasting traffic can’t be sent over separate VLANs, or maybe Unifi is a shitty product - I don’t know since it’s my first Unifi device. I usually buy real network servers and install OPNsense/PfSense which I find more capable.

Regarding internet or not for IoT - I will have (already implemented in the setup above) a rule in FW which I add devices to that shouldn’t talk to the internet so called “NoT”.

exxamalte · February 4, 2022, 10:53pm

That is not the primary purpose of a VLAN, and it’s not crazy for UniFi not to implement strict separation by default.
If your personal network design involves implementing VLANs for security purposes and you want the networks to be segregated then you have to use tools like firewalls or ACLs to achieve that. That’s not crazy at all and just your tools of trade.

Well, that’s what VLANs do, they form separate broadcast domains and that’s why the broadcast traffic does not flow between VLANs.

Are you sure you are concerned about broadcast traffic, or is it multicast traffic for example for auto discovery? If the latter, you could install a multicast relay and then allow specific devices to send their multicast traffic into the network where Home Assistant is located.

Looking at your network design that you posted earlier, I think it’s pretty good and reasonable. I have implemented a very similar design and it has been working quite well over the years. However, it also requires constant supervision, testing and modifications to suite new devices and their unique behaviours.

cr0muald0 · February 5, 2022, 2:31am

I would not say that vlan support is what separates consumer grade from enterprise grade switches
The HA is never a gateway in my setup, it is only another member/client of the vlans/subnets that it belongs to.
The way HA works, as far as I believe, it searches the network for IoT devices/clients that already exist and are ready to talk to it. I don’t have/remember any device at all that I had to do the reverse (give the ip of HA to the client or that it “knew” that HA was there - yes, sometimes you might specify an mqtt server ip, that could or not be HA, but that’s already part of how you configure your HA and what services you make available on it)
You can set up different dns/dhcp/whatever servers in different vlans/subnets and everything will work just fine
In a contained vlan where the client has controlled/no internet access, it should be really difficult to hack into HA (read firewall rules for allowed clients and ports) and still jump from there to the LAN. I guess there is a much greater possibility that someone will hack a device (pc/phone/laptop) that already lives in your internet enabled LAN and do something bad from there.
Remember that HA is a container that lives on a linux host, so securing the host might be a good first step. Second this is not a howto on network security. I am not a network security expert!
Anyway the hacked IoT device would not sniff any more that what already goes on that vlan/subnet (unless it has magic powers ) because it would still have to take over HA to get to sniff traffic on the other networks HA belongs to.
Below is a 5 min. diagram/sketch of how I try to segregate things (hint: this is not really my network ):
VLAN1 (green) is a “normal” vlan with internet access.
VLAN2 (orange) is a light switch vlan with internet access enabled only when it’s time to update firmware
VLAN3 (blue) is a temperature sensors vlan with internet access enabled only when it’s time to update firmware
VLAN4 (red) is a cam vlan with no connection to any other vlan.

Off course the firewall controls/blocks network flows between vlans, but vlan4 is not even configured on the firewall. These are all VMs (FW and HA) so assume that joint cable colors are tagged vlans.

HA belongs to all these vlans/subnetworks, so it can talk to these devices directly/freely to avoid all kinds of subnet crossing problems. This also makes HA a very important/central device in your network design, so it should be well secured and maintained! If you believe HA is really a danger to your LAN (I would say the opposite is more likely), then you should have yet another vlan just to allow HA to talk to the internet, not common to the one you use with pc/laptops/phones, and exclude HA from VLAN1.

enoch85 · February 5, 2022, 3:36pm

I think you got that wrong.

Stating the obvious here.

Actually, I’m not sure. I haven’t got the devices in place yet to test it, but I’m thinking I will connect all smart devices like vacuum cleaners, lawn robot, my Schnieder Wiser system, printers, etc etc… I don’t know it the any of those needs broadcasting, but time will tell.

One thing I’m certain of, is that I will not connect any smart locks or anything like that. That would be taking a step too far.

You mean something like this?

Does the Docker act differently you mean?

Not a problem, I won’t replace devices once everything is up and running. Monitoring and fixing is part of the fun.

It depends on what you compare. I mean a standard ASUS-RT68U doesn’t have VLANs for example. If you talk switches, that’s another topic.

Other than that, everything you just wrote makes me lean towards putting the HA in my main LAN instead and let IoT talk back if contacted, and only then. Another alternative would be to put up several HAs in different networks. Since they will be virtualized it doesn’t really matter, HA won’t be reachable from the outside anyway, only from my LAN/WLAN. We’ll see what happens once I move into the new house and have all the devices in place, but your points here have helped me towards a decision at least.

Appreciated!

exxamalte · February 5, 2022, 11:36pm

No, mDNS is just a subset of multicast traffic. Relaying multicast traffic from devices between subnets may help in cases where devices only use multicast traffic to communicate with a mobile app or Home Assistant.

cr0muald0 · February 5, 2022, 11:55pm

I mean a standard ASUS-RT68U doesn’t have VLANs for example

Because Asus doesn’t want to take the time to put it in consumer grade hardware, obviously. But actually, I do have one and with Merlin’s firmware I have it setup with vlans and HA. Does the job wonderfully

autoX · February 11, 2022, 9:39pm

I think all assumptions have been clarified already.
And no, I am not a network master but I at least qualified to get one, some years ago.

Nevertheless.
I do use mikrotik, which is far away from being a consumer product.

My HA is just connect as a client to two different vlans to overcome the multicast story

I don’t intend to have an enterprise network at home.
As I am running a lot of iot devices and having my door lock connected to wifi, I want to make sure I am preventing acces to it.
And the issue is not my IT but the non IT persons around me.
While all that was fine, I encountered issue with HA as e.g. mdns was not working anymore.
Therefor I set my HA into 2 vlans, but not as a router, just a a client in each.

Hope this helps.