I am at work but when I get home, I plan to start setting up my Omada SDN system.
I plan to follow this guide which sets up three VLANs (secure, guest and IoT).
My question is: should my Home Assistant server (a Thin Client) be on the “Secure” VLAN or the “IoT” VLAN? I’m not super familiar with VLANs so putting it on the IoT VLAN seems the easiest route but I also don’t want to open it up to security vulnerabilities.
If useful, I have a handful of Wifi IoT devices along with a zigbee network and hardwired IoT devices.
Following. I used to have everything on the same VLAN (including HA on a RPI) and moved all of my devices to the IOT vlan. I also have Omada equipment. Omada has the VLANs wide open access to each other so I first set up firewall rules to completely block the vlans from each other, and since I have static IPs for all devices I then set up firewall rules for the IOT devices to talk to HA.
Within Linux, you can set up an ethernet connection to have a separate IP on each VLAN (more than one IP through the same physical ethernet port) and was going to go that route but I found a reason to not do that (unfortunately I cannot remember why!). It did work though. As you know the networking hardware on each physical device on any network has a unique MAC (machine) address. As Omada uses that when you set a device to have a static IP, it does not allow the device to have a second static IP. I am not sure if that would cause you any issue.
Ideally on the IOT you would block most devices from having internet access as much as possible (I have not done that though).
I have hesitated putting my HA on my IOT vlan but might do that at some point. Note, there is some kind of an issue for HA to talk to Matter devices if the Matter devices are on a separate vlan. I have over 100 devices but only 2 are Matter, which unfortunately therefore are not on my IOT vlan. There is a thread here about Matter devices on a different vlan than HA. It gets complicated.
Thank you!! So this is another thing I’m (embarrassingly) struggling with:
I then set up firewall rules for the IOT devices to talk to HA.
I’m struggling with understanding which IoT devices need to have two-way communication with HA if on separate VLANs.
For instance, I have a ratgdo that is controlling my garage door. If my HA server and the ratgdo are on separate VLANs, does the ratgdo need to have two-way communication enabled in order for it to tell HA the status of the garage (open/closed)? Or is one-way communication from HA to the ratgdo sufficient to determine the door’s status, open the door, etc.?
Again, I’m sorry this is probably a very silly question. I’m familiar with VLANs but how they work with a HomeAssistant ecosystem is all new to me.
“one way communication from HA to the ratgdo sufficient to determine the door’s status, open the door, etc.?” Yes (comms is two way but I believe would be initiated by HA)! Try it out - trial and error my friend, trial and error. The only thing I hate about trial and error with networking is the long wait when one has to reboot after making changes - and then after 500 reboots everything is finally working perfectly :-/
SECURE
Network equipment and servers
Full access to internet and all vlans. For me this is untagged traffic
IOT
Cameras, sensors, relays, and other IOT products
No access to WAN, no access out to LAN, only devices on SECURE can connect to retrieve data. Once a SECURE device connects, the IOT device can reply
GUEST
Media devices and guest devices
Defined access to ports on SECURE and no access to IOT.
Access to WAN since these devices need access to web media
Printers I think work best on GUEST but you must block it from the internet separately
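The SECURE / IOT / GUEST policy above, together with the HA-initiates, device-replies pattern from the ratgdo answer earlier in the thread, modelled as a small stateful rule evaluator so the rules can be sanity-checked before they go into the controller. This is an added example, not the poster's Omada configuration: the subnets, the one "defined port" GUEST may reach on SECURE (TCP 8123, HA's web UI), and the sample addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed VLAN subnets for the model; the posters' real addressing is not given.
VLANS = {
    "SECURE": ipaddress.ip_network("192.168.10.0/24"),
    "IOT": ipaddress.ip_network("192.168.20.0/24"),
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),
}
# The "defined ports" GUEST may reach on SECURE (assumption: HA's web UI on TCP 8123).
GUEST_TO_SECURE_PORTS = {("tcp", 8123)}


def zone(ip: str) -> str:
    # Map an address to its VLAN name; anything outside the three VLANs counts as WAN.
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "WAN"


@dataclass
class Firewall:
    # Flows that were allowed to start, keyed (src, dst, proto, dport). A packet going
    # the other way whose source port matches is a reply and is allowed (stateful).
    established: set = field(default_factory=set)

    def check(self, src: str, dst: str, proto: str, dport: int, sport: int) -> bool:
        if (dst, src, proto, sport) in self.established:
            return True  # reply to an allowed flow, e.g. IOT answering SECURE
        s, d = zone(src), zone(dst)
        if s == "SECURE":
            allowed = True  # full access to WAN and every VLAN
        elif s == "IOT":
            allowed = False  # no WAN, no LAN: IOT may only answer, never initiate
        elif s == "GUEST":
            allowed = d == "WAN" or (d == "SECURE" and (proto, dport) in GUEST_TO_SECURE_PORTS)
        else:
            allowed = False  # unsolicited inbound from the internet
        if allowed:
            self.established.add((src, dst, proto, dport))
        return allowed


def garage_door_scenario() -> list:
    # HA (SECURE) polls a ratgdo (IOT): the reply passes, an unsolicited push does not.
    fw = Firewall()
    ha, ratgdo = "192.168.10.5", "192.168.20.7"
    return [
        fw.check(ha, ratgdo, "tcp", 80, 51000),    # HA opens the connection -> True
        fw.check(ratgdo, ha, "tcp", 51000, 80),    # device answers on that flow -> True
        fw.check(ratgdo, ha, "tcp", 8123, 40000),  # device-initiated -> False, needs its own rule
    ]
```

The last case is the situation the earlier reply solved with an explicit IOT-to-HA rule: any integration where the device opens the connection needs such a rule, while polling from HA works under the default policy alone.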