So I am looking to organize my network better by separating my IoT devices into a separate VLAN. I am using an OPNsense router with Unifi switch and APs.
My setup is really a mix of everything, so I’m using
- ESPHome devices
- some non-ESP Tuya devices that can’t be flashed with Tasmota/ESPHome, which I want to use both via the Tuya app and via the localTuya integration
- Shelly devices with stock FW
- Yeelight / Xiaomi MIIO lights
- also some Zigbee devices (probably not relevant for VLAN setup)
My question is:
1) What firewall strategy should I use for the different device groups?
I really don’t want to separate them into multiple VLANs, but my devices are really a mixed bunch.
- ESPHome and Shelly devices can probably work just fine locally and don’t need internet, but need to see home assistant.
- Tuya devices need to communicate with their cloud AND HA for the LocalTuya integration.
- Yeelights probably need internet access temporarily until enabling LAN control on them.
- Xiaomi MIIO lights seem to be controlled over the cloud by the MIIO integration (?) so probably cloud access is needed
So far I think allowing my IoT VLAN to connect to specific HA and ESPHome ports and to the internet would be the solution; however, initially I wanted to restrict internet access as much as possible. I also want to access all my IoT devices' web UIs from my devices on the LAN network (desktop PC, laptop, phone, iPad). I understand this should work, as LAN -> VLAN access is not restricted.
2) How do I reset my Yeelight / MIIO lights to update their SSID?
They are hardwired and not connected to a switch, so I can’t just turn them on/off 5 times to put them in pairing mode. Probably less of a problem for the Yeelights, which can pair via Bluetooth, but for the ESP8266-based MIIO lights that will be an issue.
3) I am having some trouble with ESPHome devices connecting
For testing I have put a few ESPHome devices on the IoT VLAN/SSID. They use the same config, but one device is not reachable via hostname, only by IP address. The configuration is the same, pulling the domain name from the secrets.yaml file.
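To make the firewall strategy from question 1 concrete, here is an added example (not from the original post or from OPNsense itself) that models an IoT-interface ruleset with OPNsense's top-down, first-match semantics and evaluates sample flows against it. All addresses, the HA host, the "cloud devices" alias members and the port list are constructed assumptions; the point it demonstrates is that the rule blocking the IoT VLAN from reaching private networks must sit above the broad "internet" allow for the Tuya/MIIO group, or those devices also gain access to the LAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IP = ipaddress.IPv4Address
Match = Callable[[IP], bool]

# Constructed addressing for the example (assumptions, not the poster's network).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
HA_HOST = ipaddress.ip_address("192.168.1.10")      # Home Assistant on the LAN
IOT_GATEWAY = ipaddress.ip_address("192.168.20.1")  # OPNsense IoT interface (DNS/NTP)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Alias (in OPNsense terms) for devices that genuinely need their vendor cloud: Tuya, MIIO.
CLOUD_DEVICES = {ipaddress.ip_address("192.168.20.50"), ipaddress.ip_address("192.168.20.51")}

@dataclass
class Rule:
    name: str
    action: str        # "pass" or "block"
    src: Match
    dst: Match
    proto: str = "any"
    port: Optional[int] = None

def in_any(nets) -> Match:
    return lambda ip: any(ip in n for n in nets)

# Rules on the IoT interface, inbound direction, evaluated top-down ("quick" rules in OPNsense).
# LAN -> IoT traffic is governed by the LAN interface's rules, so it is not modelled here.
IOT_IN_RULES: List[Rule] = [
    Rule("iot-to-ha-api", "pass", in_any([IOT_NET]), lambda ip: ip == HA_HOST, "tcp", 8123),
    Rule("iot-dns-to-gateway", "pass", in_any([IOT_NET]), lambda ip: ip == IOT_GATEWAY, "udp", 53),
    # Must come BEFORE any broad allow, otherwise cloud devices can also reach the LAN.
    Rule("block-iot-to-private", "block", in_any([IOT_NET]), in_any(RFC1918)),
    Rule("cloud-devices-internet", "pass", lambda ip: ip in CLOUD_DEVICES, lambda ip: True),
    # Everything else falls through to OPNsense's implicit default deny.
]

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, matching rule name) for one flow, first match wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.src(src_ip) and r.dst(dst_ip) and r.proto in ("any", proto) and r.port in (None, port):
            return r.action, r.name
    return "block", "default-deny"

if __name__ == "__main__":
    for flow in [("192.168.20.30", "192.168.1.10", "tcp", 8123),   # Shelly -> HA
                 ("192.168.20.30", "1.1.1.1", "tcp", 443),          # Shelly -> internet
                 ("192.168.20.50", "1.1.1.1", "tcp", 443),          # Tuya -> cloud
                 ("192.168.20.50", "192.168.1.20", "tcp", 445)]:    # Tuya -> LAN desktop
        print(flow, "->", evaluate(IOT_IN_RULES, *flow))
```

Swapping the order of "block-iot-to-private" and "cloud-devices-internet" makes the last flow pass, which is exactly the misconfiguration the ordering comment warns about.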