Using a guest network

In the past, I’ve set up all my connected devices on a separate guest network. It seemed easier to me to isolate them all from a security perspective, but now I am rethinking my decision. I just started with Home Assistant, so I’ve noticed that nothing is recognized from the guest network. Was my original guest network decision wrong? Should I move all connected devices to the main wifi network or is there a better solution?

Guest wifi networks generally can't communicate between devices. Try VLANing them instead.

What are you using for your VLAN?

@Aggie Moving all your devices back to the main network would certainly work, however it definitely wouldn’t be the most elegant nor the most secure solution. If you are willing to invest the required money, and some time, VLANs would work perfectly. You would need to either get a new AiO router which supports these, and multiple SSIDs, or a router + AP combo. I would recommend the Ubiquiti Edgerouter X (~$50), as well as their UAP-AC-LITE (~$80) AP (I have the ER-X, works really well), or a decent prosumer router loaded with DD-WRT if you’re feeling adventurous. Some consumer-grade routers also offer VLAN functionality out of the box, which is quite rare, but if your router has them, you should use them! Basically you would have two VLANs as the minimum. One would be your main network (VLAN 0) and another one for IoT devices. You would then have to set up firewall/routing rules to allow connections from the main VLAN to the server running hass. Home Assistant would then handle all of the connections to the IoT devices themselves. This way, you could possibly also block traffic to the internet from the IoT devices for more privacy. Unfortunately, consumer-grade network equipment doesn’t (yet) offer many options for IoT security, short of using a guest network, which is quite inconvenient.

Phew.

2 Likes
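As an added illustration of the two-VLAN layout described above (not from the poster, and not Ubiquiti's documentation): an EdgeOS configure-mode fragment for an EdgeRouter X. It assumes the trusted LAN is untagged on switch0 as 192.168.10.0/24 with Home Assistant at 192.168.10.5, the IoT VLAN is tagged 20 on the AP trunk port eth4, and the only IoT-initiated traffic allowed is MQTT to the HA host; all addresses, VLAN IDs and port choices are assumptions for the example.

```edgeos
configure

# Make the switch VLAN-aware and tag VLAN 20 out to the AP on eth4.
# Leaving the other switch ports untagged keeps them on the trusted LAN.
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth4 vlan vid 20

# Router-side interface for the IoT VLAN (assumed subnet).
set interfaces switch switch0 vif 20 description "IoT"
set interfaces switch switch0 vif 20 address 192.168.20.1/24

# Ruleset applied to traffic ENTERING the router from the IoT VLAN.
# Default drop means IoT devices can reach neither the trusted LAN
# nor the internet unless a rule below says otherwise.
set firewall name IOT_IN default-action drop
set firewall name IOT_IN description "IoT VLAN -> anywhere"

# Replies to connections that Home Assistant (trusted side) opened
# toward IoT devices are allowed back through the stateful firewall.
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description "established/related"
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable

# Assumed exception: IoT devices may publish to an MQTT broker on the
# HA host. Drop this rule if all devices are polled by HA instead.
set firewall name IOT_IN rule 20 action accept
set firewall name IOT_IN rule 20 description "IoT -> HA MQTT only"
set firewall name IOT_IN rule 20 protocol tcp
set firewall name IOT_IN rule 20 destination address 192.168.10.5
set firewall name IOT_IN rule 20 destination port 1883

# Explicit drop of everything else aimed at the trusted LAN, logged so
# chatty devices probing the LAN show up in the router log.
set firewall name IOT_IN rule 30 action drop
set firewall name IOT_IN rule 30 description "IoT -> trusted LAN"
set firewall name IOT_IN rule 30 destination address 192.168.10.0/24
set firewall name IOT_IN rule 30 log enable

# Bind the ruleset to the IoT VLAN interface in the "in" direction.
set interfaces switch switch0 vif 20 firewall in name IOT_IN

commit
save
```

To let IoT devices reach the internet while still blocking the trusted LAN, add an accept rule after rule 30 whose destination is not an RFC 1918 range; with the fragment as written, the default-action keeps them offline.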

Well put. I just bought an Edgerouter X so I can set up some VLANs. I’m generally wary of DD-WRT or any modified router as they may advertise a lot of features, but usually aren’t tested thoroughly. I’ve tried using Asuswrt-Merlin firmware on a router and had issues using it as a wireless bridge, though it was a standard feature on the firmware.

I agree with you. Modified firmwares are nice for tinkering but if you want it to “just work” then Ubiquiti or an equivalent would be the superior choice.

The Edgerouter X is an astounding bit of kit for the price. I just read this security warning about Ubiquiti discovery and because of the Edgerouter stateful firewall had it fixed in no time.

Though I must admit Asuswrt-Merlin was miles ahead of the stock firmware on my old Netgear R7000. I thought it was the duck’s guts (that’s a good thing in Aussie slang).

Thanks, all. Very helpful. Guess I’ll need to figure out VLANs.

I’ll throw my opinion in here at the risk of being shot down.

If you have a home network for your home devices that’s considered trusted, why have the hassle and the extra management of segregating traffic? Don’t get me wrong, I’m all for security, but how far do you go before the overhead and management isn’t worth it? And let’s face it, the ultimate security is to stick with a dumb home, and no one wants that around here. Time and time again you see people with complex network setups struggling to get something simple working.

My setup is simple. A trusted home network with HA and my family devices that I pretty much have control of, then a guest WiFi that friends and family connect to and I can expose services to this network if required, but it’s pretty much so they can visit and (ignore us) and browse the internet on their phones. Oh, and you guys will hate me for this one: it’s running on Google WiFi.

On a side note, if you insist on segmenting everything for security, then VLANs alone are NOT secure. Just Google VLAN hopping.

1 Like