Wifi Concerns with number of devices?

You do not need separate VLANs, just as you do not need to use different passwords on all your accounts on different websites. But keeping it simple is rarely the most secure approach.

As for HA, I do have a VPN-connected HA instance I used before getting HA Yellow, but I don't know how I can make it replicate and switch over as a failover.

Virtualize HA and replicate is a solution.

I missed that post from OP. My bad. I still stand by my stance that VLANs are hard. Not the VLAN itself, but setting up the firewall rules that allow the two VLANs to communicate without giving an attacker access to abuse. That is hard.

You are better off not inviting attackers in in the first place, by only buying IoT devices that have a good reputation and are maintained with updates if they are in any way cloud based. And I am not at all nervous about my ESP devices that I programmed myself. I am 10000 times more nervous that someone in the household clicks on a bad link in an email or looks at a bad website. If I get attacked with ransomware it will be via a normal computer and not from a D1 mini controlling the fan in my bathroom.

And if you have a very relaxed attitude towards your security, that ransomware could spread to your shares, other computers, your backup and so on.

Clicking on a bad link can also expose your device to outsiders.

I don't have a relaxed attitude to security. On the contrary. I just focus my time where it matters. And putting my ESP8266 devices in their own VLAN does not give me any additional peace of mind.

Why don't you share with the community how you have set up your VLANs and which devices you have on each VLAN? Is your HA on the same VLAN as your IoT? Is your super secure NAS on its own VLAN?
Which firewall rules have you set up so HA can discover IoT devices? Do you have any cloud-connected devices, and if so, how do you secure them?

The link you pointed to stops where the VLANs are created and only touches the surface of how to enable communication safely between them. If it is so easy, you must be able to educate us.

I never specified your ESPs, I said IoT devices and especially cameras should be separated. A good start is segregating local non-cloud devices (devices that do not need internet should not have internet access), cloud devices (if you talk to them through the cloud they don't need access to your other devices through the LAN) and your servers etc. If you really want to educate yourself you can start here, and there are a ton of other videos on the subject too. This is a long-proven concept, so I don't quite get why you are grumpy about it. Part 1 | Ultimate Home Network 2021 | WiFi 6 and UniFi Dream Machine Pro - YouTube

I still want to know how YOU put your devices in VLANs and which firewall rules you set up to enable local discovery and local communication. You say it is easy. Tell us.

edit - the link you put says NOTHING about how to set up VLANs and firewall rules. I follow The Hook Up and he makes excellent videos, and this is no exception. But it does not address the issue.

See above. Add ports needed.

I just continued with his part 2. I have seen these last year. And part 2 proves my point. It is not at all easy. Yes, you can follow his steps to the last detail, but then you get a new device and it needs some mysterious undocumented port and you are in trouble again. It is not easy. And if you do not have an all-Unifi network then you need to learn how to do the same, often using the CLI. My router is not a Unifi router. I cannot follow his steps. It is not easy.

Like I previously said, VLANs are not a Unifi-specific concept; they had been around for many years before Ubiquiti was even founded. For example, I have a Zyxel XS 1920-12 here at home running different VLANs. I understand that things can be a bit off-putting if you need to do config by CLI, but from experience, once you get it in your fingers you will likely prefer it over a GUI. You can probably find guides on this for almost every brand. I also agree that the initial config when you get a brand new device can be a hurdle compared to just running it in a flat LAN, but as long as you have a working architecture this can usually be solved / configured in a matter of minutes. Does the device need internet? If no, block it. If yes, put it in the VLAN that only gives internet access, not access to the rest of your network. (A bit over-simplified, but you get the idea.)

To end the discussion - Yes, setting up VLANs and other "security features" is more difficult and cumbersome than just using a flat LAN where everything can talk to everything. Using MFA is more cumbersome than not, for example. Yes, it wouldn't be the end of the world if someone got access to a camera pointed at your garden (loads of examples of this). But the day someone ransomwares your whole family picture folder and the backup of it because of some weakness in an internet-attached device, that suddenly gets more serious. I at least like the idea of making it as hard as possible for people to attack me and my data.
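The "over-simplified" policy in the reply above (local-only IoT gets no internet, cloud IoT gets internet but nothing on the LAN, trusted LAN can reach everything, IoT can only push to the broker) written out as an nftables ruleset. This is an added example for readers, not a ruleset any poster in this thread shared, and it answers the earlier question about which firewall rules let HA talk to the plugs. Interface names, the three subnets and the address of the Home Assistant / MQTT host are assumptions chosen for the example; the router is assumed to be the DHCP, DNS and NTP server for the IoT VLANs.

```nft
#!/usr/sbin/nft -f
# Example three-zone home ruleset (not from the original thread).
# Assumed layout:
#   lan0   192.168.10.0/24  trusted clients, Home Assistant at 192.168.10.5
#   vlan20 192.168.20.0/24  local-only IoT (ESPHome / Tasmota plugs, cameras)
#   vlan30 192.168.30.0/24  cloud IoT (devices that only work via a vendor cloud)
#   wan0                    ISP uplink
flush ruleset

define LAN_IF   = "lan0"
define IOT_L_IF = "vlan20"
define IOT_C_IF = "vlan30"
define WAN_IF   = "wan0"
define HA_HOST  = 192.168.10.5        # HA + MQTT broker (assumed address)
define RFC1918  = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet filter {
    # Traffic addressed to the router itself
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname $LAN_IF accept
        # IoT VLANs may use the router only for DHCP, DNS and NTP
        iifname { $IOT_L_IF, $IOT_C_IF } udp dport { 67, 53, 123 } accept
        iifname { $IOT_L_IF, $IOT_C_IF } tcp dport 53 accept
        # Only needed if the router runs an mDNS reflector (e.g. avahi) so HA
        # auto-discovery can cross VLANs; multicast is not routed otherwise
        iifname { $IOT_L_IF, $IOT_C_IF } ip daddr 224.0.0.251 udp dport 5353 accept
        # Everything else from IoT, including the router admin UI, is dropped
    }

    # Traffic routed between zones
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept   # replies to allowed flows
        ct state invalid drop

        # Trusted LAN may initiate to anything: HA polls/controls the plugs,
        # you open a plug's web UI, HA reaches an ESPHome native API port, etc.
        iifname $LAN_IF accept

        # IoT -> LAN: only MQTT to the broker on the HA host, nothing else
        iifname { $IOT_L_IF, $IOT_C_IF } ip daddr $HA_HOST tcp dport 1883 accept

        # Cloud IoT -> Internet only: refuse private ranges first, then allow WAN
        iifname $IOT_C_IF ip daddr $RFC1918 drop
        iifname $IOT_C_IF oifname $WAN_IF accept

        # Local-only IoT has no rule towards WAN, the LAN (beyond MQTT) or
        # the cloud VLAN, so it falls through to the drop policy
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN_IF masquerade
    }
}
```

Check it with `nft -c -f ruleset.nft` before loading it with `nft -f`. The ordering matters: the `established,related` rule is what lets HA-initiated connections get their replies back across the VLAN boundary, and the private-range drop for the cloud VLAN has to sit before the WAN accept or a device could still reach the LAN via its default route. Discovery is the part that does not survive segmentation on its own: mDNS is link-local multicast, so without a reflector on the router you add ESPHome and Tasmota devices in HA by IP or via MQTT discovery, which this ruleset already permits. The "mysterious undocumented port" problem from earlier in the thread shows up here as a new line in the forward chain, which is a few minutes of work once the zones exist.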

Good, we are getting closer to each other.

Can you also agree that the best beginner advice for people that are not network experts is to avoid buying or installing IoT products from some Chinese manufacturers and to choose products that are 100% locally controlled with no need of cloud, OR products where you can put alternative software on them like Tasmota, ESPHome, or your own software? So for the original question about buying 50 Wifi plugs: avoid Tuya cloud, buy some that are local. I will personally rather have 50 ESPHome plugs and no VLAN than 1 Tuya cloud-controlled device protected by a Swiss-cheese VLAN firewall.

And if you have to buy IoT that requires cloud, stay with companies with a good reputation and frequent updates. That is advice all people can understand and follow. And if programming these devices is not for you (it can also be hard for many), buy them preprogrammed and upgrade them when you get them.

I have no insight into which wifi plugs are better than others and haven't given any advice on the matter; my only comments have been that I would recommend going another route than wifi. I followed up stating that if one were to buy 50+ wifi devices I would look into VLAN separation.

The thought about reputable vendors and/or firmware you control is a good one, but even reputable vendors have weaknesses. The best practice is to assume that stuff is or will be exploitable regardless and make an effort to mitigate the consequences as best you can.
To use an example from the not so distant past: weaknesses like Log4Shell can and will happen in the future. Log4Shell - Wikipedia (take a look at who discovered it) :slight_smile:


People hate this common trick where others just use 4 non-overlapping* channels on 2.4 GHz, and many of them even legally :exploding_head:


*In fact neither the 3- nor the 4-channel arrangement is actually free from "overlapping" parts. Both have interference with neighbouring channels, especially (but not limited) to the start and end frequency of each channel. :right_anger_bubble::left_speech_bubble:

When we talk reliability, I have some experience to share because I have tried both Zigbee and Wifi.

Zigbee plugs are surely by nature secure. But their reliability depends on multiple things:

  • Their own firmware. Old Osram plugs SUCK. They are unreliable and their firmware destroys the mesh. IKEA plugs are better but they can lock up. Philips Hue Zigbee plugs are rock solid. I have not seen one fail and they seem to route well also. They are expensive. 50 of them will be quite an investment.
  • The quality of the other Zigbee devices. It takes one bad device and part of your mesh becomes unreliable.
  • Your coordinator and the software that runs it. None of them are perfect. And when it goes wrong, it really goes wrong.

Zigbee plugs consume very little idle power. Typically 0.25 W. That also counts, as this is 24 hours/365 days. 50 times 0.25 W is 109 kWh per year, just idle, relay not engaged! But you can quickly save even more by using them wisely. But think about it. They are normally not capable of power monitoring, but we see some off-brand ones now with power monitoring. I think these consume more power and are surely often not supported by the coordinator software.

Wifi plugs. I will always buy an ESP8266- or ESP32-based unit that I know can be reprogrammed. You can get them with or without power monitoring. As long as you have Wifi coverage, each plug will work independently of the others. Most people will put Tasmota or ESPHome on them. I have tried both and my experience is that Tasmota is incredibly stable and easy to use. But it requires MQTT. But surely ESPHome is a really good option also.
The typical consumption is 0.9 to 1 W with power monitoring and a little more when the relay is pulled.
That is 400 kWh per year for 50 devices. In our current crisis time that is 1200-1500 Danish kroner in electricity per year. No issue with a few devices. But with 50, Zigbee may be a better option just from that perspective.
Watch out. Many Tuya devices are changing from ESP to another ARM-based device. The last one I got needed full narcosis surgery where I swapped the brain for an ESP. This is Hard (TM). Often glued shut, and they are not pretty once opened. But the company Athom makes plugs that are already programmed with Tasmota. You can easily upgrade them from a web browser. You can even change the software to ESPHome if so desired. There is a hack where Tuya devices can be fooled into accepting alternative software, but it may not always work and requires some effort.
Shelly makes Wifi devices that can run local MQTT out of the box with no cloud needed. And they provide access to programming pins if you want Tasmota or ESPHome. Prices are much higher than Chinese devices. Maybe also a tad safer!
Most Sonoff wifi devices are still ESP8266 based. But I think there are a few that are not. They are normally not glued shut and not too difficult to reprogram. Not easy. Needs a little skill to flash them. They ship with cloud-based crap software that I would not use ever.

The communication with a wifi plug is very low traffic if it is a pure on/off plug. If it has power monitoring, then traffic increases depending on how you set the update interval. Tasmota defaults to 300 seconds. That is still low traffic. But if you change it to 30 seconds and have 50 of them, then traffic goes up significantly.

Power monitoring is very useful. Initially for chasing power consumption. But you can also create automations that depend on power consumption. Example: I had an amplifier that I turned on and off with an IR blaster. It was a toggle signal. If the amplifier got out of sync (wife pressed the physical button), the amplifier would turn off when the TV turned on. By using a wifi smart plug with power monitoring and setting update reports when power changes by 30% (a standard Tasmota feature), I could make my automation so it would only send the IR signal when the amplifier was in the opposite state of what I wanted. None of my Zigbee power plugs can do this.

The right solution may be a combination of Zigbee and Wifi. Zigbee for dumb turning of lights on and off, and Wifi with power monitoring where you can take advantage of it. And if it is super important that a plug works, my choice is wifi.

I personally have a bit of both. Mainly Zigbee for lights, and wifi with power monitoring where I have consumers with variable loads connected and where I either monitor health or base automations on the information. I have yet to find a good reliable Zigbee smart plug with a power monitor. But the market changes all the time, so look around.

Good advice. I started to move away from Hue and over to wall boxes that control dumb bulbs. Instead of buying 40-50 Hue spotlights I got the dimmers and switches changed to Zigbee ones; now my living room with 16 dumb dim2warm spots is controlled by two in-wall dimmers that cost around the same price as a coloured Hue bulb. Same goes in all the other rooms in the house too.

Thanks,

I don't know why I didn't google Unifi and Home Assistant first :). I have 5 AC Pro access points and 3 more in boxes in case I were to ever need more coverage. Should be more than good to go.

Wow,

I didn't expect this question to get so many heated responses. This is a ton of good information for someone that is looking for good info on trying to set up tons of IoT devices on wifi. My thoughts on all of the conversations below.

I am going to proceed with my original plan of putting everything on the Wifi network. I wouldn't suggest this method for a normal home user. The reason why I am doing it is that I have several thousand dollars of enterprise-class networking equipment in my house and I have been installing/configuring corporate networks for a VERY long time. I believe it is possible that a networking novice with much less equipment could set up a decent network for automation devices, but you should expect to spend a significant amount of time (maybe days) learning and configuring your network.

I fully acknowledge that these devices are exploitable. That is why they are going to be on a completely different network that will have no access to all of my regular devices (Laptops, phones, desktops, etc…).

All of the automation I am building are Nice to haves and not critical. It doesn’t really matter to me if they don’t work if the internet goes down. I have a full house generator and a bonded dual ISP connection to the internet so it is highly unlikely that my internet will go down anyway.

Ideally, I would love to be able to have local control of everything but from everything I have looked at this is cost prohibitive and all of these companies are moving more and more to the cloud. That shift seems inevitable to me. The treatlife switches I am buying are about $11 dollars each. All of the other wifi switches I found started at about double this price.

I don't want to get any other gateways (Z-Wave, Zigbee, etc.) if I can help it. I already have a ton of equipment to maintain and adding anything else is just another point of failure and maintenance hassle.

All of the info on wifi setup and overlapping bands is great. Anyone wanting to set up a multiple access point setup should pay close attention to band overlap and antenna strength of all of your access points. In general, you want to prevent overlapping networks as much as possible. To do this you need to do a full wifi survey, a good plan for AP placements and then proper configuration and testing after installation. This isn't a trivial task to do properly.

I originally tried to flash the Treatlife switches to make them locally controllable with Tuya, but this trick only works for the older switches. The newer Treatlife switches are not flashable anymore from what I have read.

Thanks for all of the awesome discussion and info.


Take a last look here

Their devices are in the 12-15 dollar range and ship with Tasmota. I would really advise against cloud dependency to save a few dollars per smart plug.

You don't need a full-fledged gateway, just a USB dongle. Keep that in mind for when, in the future, devices randomly dropping off your wifi, the lack of direct association (where, for example, switches can be directly linked to lights and function even without the network or controller being available), range issues (wifi is not a mesh network), the lack of good long-lasting battery-powered devices, etc., will inevitably drive you crazy :wink:

The Z-networks (Zigbee and Z-Wave) are much better suited for IoT devices than (pre-6) wifi, because they were specifically designed for this. Even with wifi 6, they're still way ahead. They offer much better stability and range (self-healing mesh networks and a higher-penetrating RF frequency for Z-Wave), much fewer security worries (they're physically unable to access the internet), long battery life for devices that don't have a permanent power connection, and direct association, making your home automation setup much more resilient in case of failures.


Hey Kenneth,

This is exactly what I was looking for, but these are $20 each plus shipping. They also don't offer a no-neutral switch (only a touch panel), three-way switch, dimmer or fan control... I am going to need all of those options.

My cable box in theory can run 10.0.0.0/8; my pfSense-class box (Celeron, 16 GB RAM) can only handle a 16-bit netmask without running out of memory.