Trying to use Home Assistant on second router

good to hear!

@sparkydave I am assuming you simply use the “HA / IoT LAN” router’s WAN port connecting to a standard port on the home main network, and it is picking up an IP from this range. This would mean routing is available from all devices outside of this network? Or have you somehow restricted this? Joining the 2 routers would allow all connected IoT devices on the 2nd LAN to route out of its local LAN to the web. This may have some security and exposure implications. Would you agree?

Ideally I would like the same setup, but with only the HA server (RPi, though could be another host platform) on a web-routable (i.e. main home) LAN.

Does the HA server require web access? Presume so for only 2 functions, updates and configuring remote access inbound. But the devices do not? Or they can, if you want to allow it, and at the same time accept the increased exposure of your network, attack vectors and security implications.

I might try only connecting the RPi with a 2nd NIC (USB), so only this device (not potentially the whole network) is web-connected. It also has more robust firewalls and other protections as well.

My setup is an ISP supplied modem/router connected to an Ubiquiti router. The ISP modem/router’s only function is to accept the VDSL line and provide internet to the Ubiquiti via a LAN port with a fixed IP address. Wifi is turned OFF on it. The Ubiquiti router then connects everything else in one big LAN (plus Ubiquiti wifi via an AP).

The IoT devices don’t need to be blocked from the internet as they only talk to HA. The only suspect devices in this situation are Xiaomi / Yeelights which have a tendency to ‘phone home’, thus are blocked from external access in the Ubiquiti router. Having IoT devices on a network does not create security holes unless you have weak passwords / open SSH tunnels / Chinese devices that try to connect to remote servers etc. Other than that, they are no different to any other device on your network such as a laptop.

Yes, I do allow internet access to my HA server as you say: for updates, and for remote access. There is a port forwarding rule from the ISP to the Ubiquiti router to allow remote access to HA but that’s it.
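Both posts above come down to the same question: on the IoT LAN, is anything other than the HA server actually reaching the internet? The following is an added example, not code from either poster or from Home Assistant, that checks a router's forwarding log for exactly that. It assumes a constructed log format (`SRC=... DST=... PROTO=... DPT=...`, modelled on typical firewall log lines), an assumed IoT LAN of `192.168.50.0/24` and an assumed HA host at `192.168.50.10`; the sample lines are constructed and use documentation address ranges as "public" destinations.

```python
"""Flag IoT-LAN hosts that talk to non-local destinations.

Added example for the thread above (not from the forum posts). It assumes:
  * the IoT / HA LAN is 192.168.50.0/24          (assumption)
  * the only host allowed out is HA at .50.10    (assumption)
  * the router logs forwarded flows as
    'SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>'  (constructed format)
Any other IoT host reaching a non-private address is a 'phone home'
candidate that the router's egress block should be catching.
"""
import ipaddress
import re
from collections import defaultdict

IOT_LAN = ipaddress.ip_network("192.168.50.0/24")     # assumed IoT / HA LAN
HA_HOST = ipaddress.ip_address("192.168.50.10")        # assumed HA server

# Addresses a home router would treat as "inside": RFC 1918 plus loopback
# and link-local. Anything outside these counts as external.
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample log: HA reaching out for an update, a sensor talking
# to HA and to the main-LAN router for NTP, and two devices going external.
SAMPLE_LOG = """\
Jan 10 20:01:02 router FORWARD SRC=192.168.50.10 DST=198.51.100.5 PROTO=TCP DPT=443
Jan 10 20:01:05 router FORWARD SRC=192.168.50.23 DST=192.168.50.10 PROTO=TCP DPT=8123
Jan 10 20:01:07 router FORWARD SRC=192.168.50.31 DST=203.0.113.45 PROTO=TCP DPT=443
Jan 10 20:01:09 router FORWARD SRC=192.168.50.31 DST=203.0.113.46 PROTO=UDP DPT=8053
Jan 10 20:01:11 router FORWARD SRC=192.168.50.23 DST=192.168.1.1 PROTO=UDP DPT=123
Jan 10 20:01:13 router FORWARD SRC=192.168.50.44 DST=198.51.100.9 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)"
)


def is_external(ip):
    """True if the address is outside every local range."""
    return not any(ip in net for net in LOCAL_NETS)


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field; ignore the line
        yield src, dst, m["proto"], int(m["dpt"])


def find_phone_home(text):
    """Map each non-HA IoT host to the sorted external flows it opened."""
    hits = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if src not in IOT_LAN or src == HA_HOST:
            continue            # not an IoT device, or the HA server itself
        if is_external(dst):
            hits[str(src)].add((str(dst), proto, dport))
    return {host: sorted(flows) for host, flows in sorted(hits.items())}


if __name__ == "__main__":
    for host, flows in find_phone_home(SAMPLE_LOG).items():
        print(f"{host} reached the internet:")
        for dst, proto, dport in flows:
            print(f"    {proto} {dst}:{dport}")
```

Run against a real export, an empty result means the router's block on the suspect devices is holding; any host that appears is either misclassified (add it to the allowed list the way HA is) or a device that needs the same egress rule as the Yeelights.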