Very basic VLAN questions

I know there is a tutorial, but it starts above my head. Before I make any leap, I have some questions.

My setup is HAOS on an Intel NUC without containers. The NUC has both Ethernet and Wifi, if I wanted to connect it in two places.

I have a Sophos SG115 firewall running OPNsense. It has worked for more than a month with no problems, but I can’t say that I understand it well because I had my hand held through the installation. I do see how to set up VLANs on OPNsense.

I just bought a managed Netgear GS105E 5-port switch that I’m trying to understand. I have two routers that I understand very well to plug into the switch.

My goals are to protect the computers from hacked devices connected to HA and to give the computers more bandwidth. I see several very basic possibilities that are neither mutually exclusive nor exhaustive, so I would appreciate some advice. My goal is to do this incrementally so that I can revert to the existing network setup.

  1. Computers, phones, and printer on one VLAN, the NUC running HA and everything connected to it by Wifi on a second, with a rule allowing the computers to load the HA web interface.

  2. Computers, phones, printer, and NUC on one VLAN, everything else on a second, with the NUC made available to everything on the second.

  3. NUC on one VLAN, computers, phones, and printer on a second, everything else on a third.

  4. Connect the Wifi and Ethernet interfaces of the NUC to each of the two VLANs.

  5. Something I haven’t listed above.

Thanks!

Don’t do it before you can understand those guide completely and see what pitfalls they have.
VLANs are not that easy to do and you do not only need to understand VLANs, but also the protocols on all the devices you will be using, and if you use Matter then you also need to understand IPv6.

Most guides do not tell you about discovery protocols, which are often not routable and need special reflectors.
Most guides do not tell you about IPv6, which is quite different from IPv4, so your IPv4 knowledge will not be usable.
Some guides tell you to set up multiple NICs on the HA system, but HA is not a router.

3 Likes

Hello Jz777,

Segmented networks are not officially supported within HA.

HA is designed and expects a flat subnet to work as intended.

This is because every segmented network is different for IP’s and number of segments and firewalls and sharing rules and about 650495849085 other things.
This does not mean you can’t use them or that they can’t be made to work, it means that to get them working you are the support structure on your own subnet(s). Consider it Advanced mode…

For another opinion, there is this: The enterprise smart home syndrome

1 Like

I’m just gonna second or third the “do not just do what the guide says”. You should fully understand and have detailed reasoning for doing what is suggested.

Everything should not touch the internet. Printers, cameras, light bulbs and such don’t need access to search google. You should block their access to everything. They should simply be able to connect wifi/lan and wait for something to connect to it. They should not be allowed to explore your network or the internet.

This brings up a third point. VLANs are not required to do this. You can create a firewall rule specific to a device’s IP and block those just like you do a VLAN. In fact, in OPNsense you can create an alias with all addresses 192.168.1.30 - 192.168.1.200 >> label it IOT > and create firewall rules that will only apply to those addresses. VLANs add simplicity and organization by allowing you to create specific WiFi SSIDs and switch ports. (Networking is not my background so correct me if I’m wrong). Point here is, VLANs are not that big a deal and if you use them understand why they are useful. If you allow your lightbulbs onto the internet don’t bother with this.

MDNS will haunt you but reflectors and other methods can get you by. It will prevent some things so be willing to deal with that.

Have fun!! :star_struck:

2 Likes
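To make the alias idea in the post above concrete, here is an added example (my own code, not from the thread and not OPNsense’s own configuration format) that models a range alias and a first-match ruleset with Python’s standard `ipaddress` module. The IoT range is the one named in the post; the Home Assistant address `192.168.1.10`, the `192.168.1.0/24` LAN and the sample flows are assumptions.

```python
# Added example: a toy first-match rule evaluator modelling the OPNsense
# alias idea from the post above. Addresses other than the IOT range are
# constructed for illustration.
import ipaddress
from dataclasses import dataclass


def alias_from_range(start, end):
    """Expand a start..end address range (as a range alias allows) into the
    minimal list of CIDR blocks that cover exactly those addresses."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


ALIASES = {
    "IOT": alias_from_range("192.168.1.30", "192.168.1.200"),   # from the post
    "HA": [ipaddress.ip_network("192.168.1.10/32")],            # assumed NUC address
    "LAN_NET": [ipaddress.ip_network("192.168.1.0/24")],        # assumed flat LAN
    "ANY": [ipaddress.ip_network("0.0.0.0/0")],
}


def in_alias(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALIASES[name])


def alias_size(name):
    """Number of addresses an alias covers (sanity check for the range)."""
    return sum(net.num_addresses for net in ALIASES[name])


@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name
    dst: str      # alias name
    note: str = ""


# Order matters: the first matching rule wins. The IoT rules must come before
# the general LAN rule, because IoT addresses are also inside LAN_NET.
RULES = [
    Rule("pass", "IOT", "HA", "IoT devices may reach Home Assistant"),
    Rule("block", "IOT", "ANY", "everything else from IoT is dropped (LAN and internet)"),
    Rule("pass", "LAN_NET", "ANY", "trusted hosts are unrestricted"),
]


def evaluate(src_ip, dst_ip):
    """Return (action, note) for a flow that arrives at the firewall."""
    for rule in RULES:
        if in_alias(src_ip, rule.src) and in_alias(dst_ip, rule.dst):
            return rule.action, rule.note
    return "block", "implicit default deny"


if __name__ == "__main__":
    for src, dst in [("192.168.1.50", "8.8.8.8"),        # IoT -> internet
                     ("192.168.1.50", "192.168.1.10"),   # IoT -> HA
                     ("192.168.1.20", "8.8.8.8")]:       # laptop -> internet
        print(src, "->", dst, evaluate(src, dst))
```

Two things the model makes visible: rule order decides the outcome because an IoT address matches both `IOT` and `LAN_NET`, and the evaluator only ever sees flows that reach the firewall. On a single flat `/24`, IoT-to-laptop traffic is switched directly and never passes through these rules, which is the limitation later posts in this thread point out.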

I agree with @tmjpugh. Just learn about firewall and use them instead of VLANS otherwise you will get nothing but pain. Been there, done that. Not worth it unless you really know what you are doing.

1 Like

If you want to look into this further, a firewall will not block traffic between devices without network segmentation (VLANs). Access control lists will block communication between devices on the same segment. Another way is device isolation, but this typically blocks communication between wireless clients on the same SSID and not between Ethernet devices.

1 Like

Thanks @tmjpugh, @WallyR, @Sir_Goodenough, @NavNav, and @mwolter, for the attitude adjustment.

Learning about and implementing firewall rules, then (and only then) ACLs, looks 10x more feasible than VLANs. I’m pretty sure that the firewall has sufficient horsepower for that. Luckily, I only spent $25 on a used switch and router. I’m just gonna write that off for the foreseeable future.

…that I won’t be using them!

I have to get back to the mindset that my spending $35 on a used NUC for HAOS and not bothering with containers was my best HA decision to date.

Thanks!

1 Like

I wouldn’t go quite this far. But it is worth considering good vs. bad.

I remembered that if on the same LAN a device can see/monitor traffic. VLANs can prevent even this. On a corporate network this could be a big deal, but on a home network, maybe who cares. There may be other purposes but I can’t think of them now.

My point was more that you should have a goal and do what is necessary to meet that goal. Many people create an IOT VLAN and just throw all IOT devices on it and do not limit their network access. This is silly. Set a goal and accomplish it in the best way that meets your needs, budget, and time.

And I moved to OPNsense after my Unifi router failed for the 5th time. The USG had an internal flash drive that constantly failed and I had to make another. I grabbed a server I had lying about and 2 years later I will never go back.

Your knowledge sounds very old.
That was a thing with Network hubs, but they are pretty much gone today.
It was a big thing with 10Mbit/s networks, because switches were expensive.
When the 100mbit/s networks became mainstream, so did the switches.
A few 100Mbit/s hubs were available, but to my knowledge there are none made for 1Gbit/s networks.
These events occurred like 20 or more years ago, so pretty old in technology terms.

1 Like

I have multiple VLANs to separate my devices and followed a now pretty old tutorial from The HookUp on YouTube. I had to make a few changes from memory but everything works nicely and HA even ‘finds’ new devices on my IoT VLAN (that was one of the changes I had to make from the tutorial because otherwise I was limited to manually adding new ESPHome devices, for example).

1 Like

No one on any forum has provided a citation of this ever happening. Lots of “I heard of…” or occasions where cameras on the cloud were viewable by other cloud customers. (That is not hacking, that is a frack up by the cloud service).

That’s not how networks work. Your network bandwidth is a limitation of your gateway and switches, no matter how many VLANs you have.

Managed switches are also a waste of money for the average home network. They are for segregating corporate entities.

You are best served with a simple flat network.

1 Like

@NavNav I’m going to steal this statement for my canned reply above. It’s what I do and you said it very well here…

(I’m adding this: Just learn about firewall rules and subnet masks and use them instead of VLANS otherwise you will get nothing but pain.)

1 Like

OK, so given your revision, would you recommend using 1) a single, flat network, or subnets 2) with or 3) without exploiting the multiple interfaces of the Sophos firewall?

OPNsense seems workable for all three cases.

I would recommend multiple segments utilizing vlans.
I kept one physical untagged network interface on opnsense just for backup purposes if ever needed (not to rely purely on vlans).
If you are afraid of potential issues related to mdns, just use mdns repeater on opnsense.

1 Like

mDNS is just one of the Discovery protocols.
There is also SSDP, uPNP, ZeroConfig and others.

2 Likes

I have pfSense, set up a /22 subnet that has 1024 addresses and includes 4 /24 subnets of 255 addresses each. HA can see everything, and the IOT stuff can only see what’s in its smaller /24. One I use for DHCP, one for OK to go anywhere, one for IOT that is allowed nowhere, and the 4th I call jail for stuff like Googles that need to get to the internet, but don’t need to see my other devices.
Not complete security, but I can set firewall rules on the /24’s to not allow those out or whatever.
It’s a flat network that has different rules for different devices.
No special hardware or VLANs to fight with and route stuff through.

That’s one way, there are many others.

Thanks. I’m following most of this, so it seems to be a good way to go–after more learning.

So just to clarify, you put HA in the “OK to go anywhere” subnet?

I have.

1 Like

I’m wondering about what is meant by “subnet” here, so may I ask, are you setting up on pfsense (and I think HA) with one IP-address/22 or are you setting it up with four different IP-address/24 that are in contiguous blocks?

That’s not technically true, your IOT devices see everything in the layer 2 broadcast domain, which includes all the other MAC addresses and IP addresses of the other subnets.

This architecture is a bit of security theatre, as it might deter a well-behaving device from communicating with other devices on your network (via IP only), it doesn’t prevent a malicious device from simply changing its subnet mask to /22 and gaining access to the entire LAN. It also doesn’t prevent changing its IP to one of your Internet capable subnets and communicating with anything.

At the least, with access to the broadcast domain, it knows everything about your network - all the other host IPs and the gateway IPs. It wouldn’t take much of a leap to sniff out the strategy in place and thwart it.

1 Like
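As an added example (my own code, not from the thread), here is a small Python model of the two designs discussed above, a flat /22 carved into /24s versus separate VLANs, which shows under what conditions traffic ever reaches a router-based firewall. The /22 is the one from the post; the individual host and gateway addresses are constructed for illustration.

```python
# Added example: layer-2 reachability model for the "/22 carved into /24s"
# design versus per-VLAN broadcast domains. Host addresses are constructed.
import ipaddress

SUPERNET = "192.168.0.0/22"      # the /22 from the post
IOT_HOST = "192.168.2.10"        # constructed: a device in the "IOT" /24
TRUSTED_HOST = "192.168.1.5"     # constructed: a computer in the "go anywhere" /24
GATEWAY = "192.168.1.1"          # constructed: firewall address on the trusted side
IOT_GATEWAY = "192.168.2.1"      # constructed: firewall address on the IoT VLAN


def carved_subnets(supernet=SUPERNET, new_prefix=24):
    """The /24s that all share the /22's single broadcast domain."""
    return [str(n) for n in ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix)]


def on_link(host_ip, prefixlen, target_ip):
    """True if a host configured as host_ip/prefixlen treats target_ip as
    directly reachable (ARP + switch) rather than sending it to its gateway,
    which is the only place a router-based firewall rule can act."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefixlen}")
    return ipaddress.ip_address(target_ip) in iface.network


def reaches_without_router(l2_domains, src_ip, src_prefix, dst_ip):
    """Traffic bypasses the firewall only if both hosts share a broadcast
    domain (same VLAN, or an untagged switch) AND the sender considers the
    destination on-link. With separate VLANs the first condition fails no
    matter what mask the sender configures."""
    same_domain = any(src_ip in hosts and dst_ip in hosts for hosts in l2_domains.values())
    return same_domain and on_link(src_ip, src_prefix, dst_ip)


# Design A (the post): one untagged L2 domain carrying all four /24s.
FLAT = {"untagged": {IOT_HOST, TRUSTED_HOST, GATEWAY}}

# Design B: VLANs, each its own broadcast domain, routed through the firewall.
VLANS = {
    "vlan10_trusted": {TRUSTED_HOST, GATEWAY},
    "vlan30_iot": {IOT_HOST, IOT_GATEWAY},
}


def compare():
    """Does an IoT host reach a trusted host without passing the firewall?"""
    return {
        # configured as intended: different /24, so the packet goes to the gateway
        "flat_/24_mask": reaches_without_router(FLAT, IOT_HOST, 24, TRUSTED_HOST),
        # same wire, wider mask: the host is on-link and the rules never see it
        "flat_/22_mask": reaches_without_router(FLAT, IOT_HOST, 22, TRUSTED_HOST),
        # VLANs: no shared broadcast domain, so the mask does not matter
        "vlan_/22_mask": reaches_without_router(VLANS, IOT_HOST, 22, TRUSTED_HOST),
    }


if __name__ == "__main__":
    print("subnets sharing the /22 broadcast domain:", carved_subnets())
    for design, bypassed in compare().items():
        print(f"{design}: firewall bypassed = {bypassed}")
```

The model is deliberately simple (no ARP details, no switch ACLs), but it isolates the point made above: address-based rules on the firewall only apply to packets the sender hands to the gateway, and on a shared broadcast domain that decision is made by the sender’s own configuration, not by the firewall.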