Suggestion needed for handling two separate networks

Hello

I need some help deciding how to configure my network (router + managed switch).
I have two sub-nets, both wired and wifi, configured on my router:

  • 10.0.0.0/24 for all regular devices and some IoT devices
  • 10.30.0.0/24 VLAN 3 for (most of) IoT devices

Home Assistant is running on a Raspberry Pi 5 Debian system in a Docker container.

My first thought is to configure HA to listen on both sub-nets, like for example in Hass.io vlan separated networks. This way both networks are nicely separated. Access from mobile phone, laptop, etc. is easily possible, and IoT devices can easily announce themselves to HA.

However, there are other threads which suggest configuring the router to route the IoT sub-net and configuring HA with only one address from the regular sub-net.

Any pro/con for one way or the other?

Thanks!

Previous threads have basically stated you have 3 options:

#1 - One Subnet/VLAN

Dump the 10.30.0.x subnet and just run everything on one big network.

#2 - Dedicated Subnet for both IOT and HA

Move the remaining IOT devices (and HA) onto the 10.30 subnet.
Hence HA still sees a flat network (with all the IOT devices).

You can then add a firewall rule to access the HA GUI (HTTP/HTTPS) from your main LAN.

This is how my network is configured.

#3 - Figure it out yourself.

Not all IOT devices are able to cross subnets cleanly - once you disclose that you are not using a flat network most threads will tell you to simplify your network to option #1 or #2.

See… Enterprise Smart Home Syndrome

3 Likes
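As an added illustration of the firewall rule option #2 describes (example configuration, not from this thread or the Home Assistant project): an nftables forward chain for a Linux-based router, assuming the main LAN 10.0.0.0/24 sits on interface lan0, IoT VLAN 3 (10.30.0.0/24) on vlan3, the internet on wan0, HA at the placeholder address 10.30.0.10, and the HA GUI on TCP 8123 (Home Assistant's default port, not stated in the thread).

```nft
# Added example, not part of the original thread. Interface names, the HA
# address 10.30.0.10 and port 8123 are assumptions for this illustration.
table inet iot_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies for connections the rules below allowed may flow back;
        # broken or spoofed state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Main LAN -> HA GUI only (HTTP/HTTPS reverse proxy ports included).
        # Nothing else in the IoT VLAN is reachable from the main LAN by default.
        iifname "lan0" oifname "vlan3" ip saddr 10.0.0.0/24 \
            ip daddr 10.30.0.10 tcp dport { 8123, 80, 443 } accept

        # IoT VLAN may reach the internet, but never initiates into the main LAN.
        iifname "vlan3" oifname "wan0" ip saddr 10.30.0.0/24 accept

        # Make blocked IoT -> LAN attempts visible before the drop policy eats them.
        iifname "vlan3" oifname "lan0" log prefix "iot-to-lan-blocked: " drop
    }
}
```

Because HA and the IoT devices share VLAN 3 in this layout, discovery traffic (mDNS, SSDP) never has to cross the router; only the browser and companion-app sessions from the main LAN do, and the log line shows you when an IoT device tries to go where it should not.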

Thanks for your answer.
Putting everything in one sub-net, similar to e.g. guest network, was my first thought too. However, there are a few devices like mobile phones for presence sensor, Sonos boxes, … which, for one reason or another, need to remain in the general network.
I fear that setting up and maintaining rules for those will easily become a full-time job.
Hence my idea to “simplify” by having Home Assistant listen on both networks at the same time. This solution, however, is something I only found described in the link provided, and I wonder if there is any disadvantage in doing so.
The added benefit of this approach, for me, is that I can easily flip-flop devices from one network to the other if needed.

I’d also think this is the “cleanest” way. But I’m not a networking expert and only use simple Wi-Fi devices. I use the “HA only on the main network” option myself, but mainly because I didn’t know there was another way to do it at the time.

I can also say that HAOS supports multiple interfaces. I have another home connected, and since the router in that home doesn’t support WireGuard, I set the second HA interface to the WireGuard IP address range. It works flawlessly. Well, there are no VLANs involved, and mDNS doesn’t go through, but that’s a WireGuard thing (and I actually don’t want mDNS working between homes).

1 Like

Yes, a messy one.

This is hard to do and HA is not natively designed for this… Have you met IPv6 yet (Matter requires it)?

Flat network, or the IoT/consumer network together - basically HA expects a flat network. And if you’re cutting it up you are 100% on your own with little to no docs on what integration (that’s not an HA call on ports, it’s just collecting… most network port requirements come from your choice of integrations).

So you’re flying blind without a stick and expected to build a secure surface on the firewall? If you’re not very good with Wireshark and hold a professional title saying something like network or network security engineer… I wouldn’t even start, because yes. Full-time gig, and badly applied security that leads to a false sense of security and an unsupported operating environment isn’t secure imho…

Okay - I will bite.

I believe that is the wrong question, the right question being:

What is the advantage of dual-homing?

In that:

  • Option #1 - Provides maximum convenience running everything on one big network means you won’t have any additional networking complications.
  • Option #2 - Provides real security - if your HA + IOT network was compromised the blast area would be restricted to just those systems - anything running in your main LAN would be isolated **.

** - At least in so far as the LAN is already protected - given you probably use your LAN to access sites on the internet so a HTTP/HTTPS vulnerability already exists on your LAN.

The crux of my argument is that if you dual home HA you get neither convenience nor security.

For clarity - yes dual homing is slightly more secure than option #1 in that it will defeat some attack vectors - but is the cost of setting it up worth the return of ONLY defeating some attack vectors?

I would say that the fact you are asking the question means you should not run multiple networks.

Multiple networks need deep knowledge about IP routing for standard protocols and packets, both IPv4 and IPv6, and proxying for all the protocols and packets that are not routable, like nearly all discovery protocols, both open standards and proprietary ones, which HA uses quite a few of.
You also need to understand how service bindings work for the different services and especially in HA, which lacks many common tools to manage those.

If you had that knowledge then you would not ask that question and you would probably also know why your intended setup is a nightmare.

Dtrott gave you the possible options in the first reply.

Thanks for all the answers and comments so far. I really appreciate your time looking into this.

As written above I do see the benefit and argument towards putting everything IoT in one (separate) sub-net and really wish this would be possible - aka solution #2 proposed by @dtrott. This was and will be the intention of the “10.30.0.0/24 VLAN 3 for (most of) IoT devices” sub-net.

That, however, at least for my setup, ignores the reality that there are other devices that need to reside in the general sub-net but still need to communicate with home assistant. @dtrott suggested firewall configuration for http/https access to home assistant from “main LAN”. I like this approach but fear reality isn’t that simple and straightforward.

That said, I believe I have enough to continue. First tests with Home Assistant connected to both sub-nets look promising, without any additional routing configured between the two sub-nets.

Thanks everyone for their input!

That goes for the companion apps and the HA GUI through a browser.
Other devices might have multiple extra protocols that need to be opened up, routed or even proxied between the networks.

1 Like