I know this has been covered many times but I couldn't find an exact match for my situation so here goes.
My setup:
UniFi network with VLANs: Trusted, IoT, Server, Management, CCTV and Guest
Home Assistant running on a dedicated mini PC on my Server VLAN
SLZB-MR4U as my Thread border router
NPM (Nginx Proxy Manager) on my Server VLAN handling reverse proxy for HA
The problem: I want to get Matter over Thread working, but from my research this requires HA and IoT devices to be on the same VLAN. My HA is currently on my Server VLAN.
I'm thinking of moving HA to the IoT VLAN and adding a single firewall rule in UniFi allowing NPM (Server VLAN) to reach HA (IoT VLAN) on port 8123 only. Everything else on IoT would remain blocked from the Server VLAN.
HA will be sitting on the same VLAN as all my IoT devices, which I don't trust. I'm also currently exposing HA externally through NPM, so I want to make sure this setup doesn't make things worse.
Is this a reasonable approach or am I missing something?
I think if you are across all the issues, you may have success. You have enough variables to keep an AI Bot busy for weeks! Careful perusal and deep understanding of the respective vendor documentation is a must - there are no lucky short cuts in the long run.
Simply put: how does each desired device talk to the others, while undesired devices don't? That is your challenge. Plan carefully, and recognise when you have or have not achieved the necessary milestones on your path.
I would start stating your security assumptions - you are free to disagree with mine, but the point is - start with your assumptions then build your setup based on those:
My assumptions are:
HA has been hacked.
All IOT devices have been hacked.
My WIFI and everything connected to my primary VLAN are trusted - at least I can't be bothered to create a more specific set of trust levels between those devices.
I don't want to police the internet - meaning I accept the risk of having unrestricted access to the internet from my trusted VLAN (outbound connections are allowed).
So the trusted VLAN is allowed to initiate connections to both the Internet and the IOT VLAN.
I don't see value in restricting to specific ports.
Neither the internet nor IOT can initiate connections to the trusted VLAN.
Only devices that need internet access in the IOT VLAN get it (outbound only).
Hence the firewall rules for IOT are:
Default rule - Nothing in, Nothing out.
My trusted VLAN can initiate connections to anything in IOT.
HA and one Device (AC Unit) have a rule allowing internet access.
With respect to your Server VLAN I wouldn't treat the Internet and your IOT VLAN differently.
If you lock down all access to the internet from your server VLAN then sure, lock down access to the IOT VLAN as well. However, if you allow unrestricted access from your servers to the internet, you are not buying anything by locking down connections FROM the server VLAN TO the IOT VLAN.
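As an added illustration (not code from this thread, and not UniFi's own tooling), here is the policy described in the reply above, plus the original poster's single NPM-to-HA exception, modelled as an ordered rule table in Python so the intended flows can be checked before touching the UniFi rules. The subnets, host addresses and zone names are hypothetical placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed sample addressing. These subnets and hosts are hypothetical
# placeholders, not the poster's real network.
ZONES = {
    "trusted": ipaddress.ip_network("10.0.10.0/24"),
    "server": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
}
HA = ipaddress.ip_address("10.0.30.10")       # Home Assistant after the move to IoT
AC_UNIT = ipaddress.ip_address("10.0.30.11")  # the one other IoT device allowed out
NPM = ipaddress.ip_address("10.0.20.5")       # Nginx Proxy Manager on the Server VLAN


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Map an address to a zone; anything outside our VLANs counts as 'internet'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                        # "allow" or "deny"
    src_hosts: Tuple[ipaddress.IPv4Address, ...] = ()  # empty = whole zone
    dst_hosts: Tuple[ipaddress.IPv4Address, ...] = ()
    dst_ports: Tuple[int, ...] = ()                    # empty = any port

    def matches(self, src, dst, port) -> bool:
        if zone_of(src) != self.src_zone or zone_of(dst) != self.dst_zone:
            return False
        if self.src_hosts and src not in self.src_hosts:
            return False
        if self.dst_hosts and dst not in self.dst_hosts:
            return False
        if self.dst_ports and port not in self.dst_ports:
            return False
        return True


# Ordered, first match wins; anything unmatched falls through to default deny,
# which is the "Nothing in, Nothing out" starting point from the reply.
RULES = [
    Rule("trusted-to-internet", "trusted", "internet", "allow"),
    Rule("trusted-to-iot", "trusted", "iot", "allow"),
    Rule("ha-outbound", "iot", "internet", "allow", src_hosts=(HA,)),
    Rule("ac-outbound", "iot", "internet", "allow", src_hosts=(AC_UNIT,)),
    # The original poster's proposed exception: only the proxy, only HA, only 8123.
    Rule("npm-to-ha-8123", "server", "iot", "allow",
         src_hosts=(NPM,), dst_hosts=(HA,), dst_ports=(8123,)),
]


def evaluate(src: str, dst: str, port: int) -> Tuple[str, str]:
    """Decide whether a NEW connection may be initiated.

    Only the initiating direction is modelled: return packets of an accepted
    connection are assumed to be passed by the firewall's connection tracking,
    which is how UniFi and most zone-based firewalls behave.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.matches(s, d, port):
            return rule.action, rule.name
    return "deny", "default-deny"


def audit(flows):
    """Evaluate (src, dst, port, expected) rows; return the ones the policy gets wrong."""
    return [(src, dst, port, got) for src, dst, port, expected in flows
            if (got := evaluate(src, dst, port)[0]) != expected]


if __name__ == "__main__":
    # Constructed check-list: the flows this thread cares about and what the policy should say.
    expectations = [
        ("10.0.10.50", "10.0.30.11", 80, "allow"),      # trusted laptop -> IoT device web UI
        ("10.0.30.11", "10.0.10.50", 443, "deny"),      # IoT may not call into trusted
        ("10.0.30.10", "93.184.216.34", 443, "allow"),  # HA outbound to the internet
        ("10.0.30.12", "93.184.216.34", 443, "deny"),   # any other IoT device stays offline
        ("10.0.20.5", "10.0.30.10", 8123, "allow"),     # NPM -> HA web UI
        ("10.0.20.5", "10.0.30.10", 22, "deny"),        # NPM -> HA on any other port
        ("10.0.20.6", "10.0.30.10", 8123, "deny"),      # some other server -> HA
        ("203.0.113.9", "10.0.30.10", 8123, "deny"),    # internet may not reach HA directly
    ]
    for row in audit(expectations):
        print("policy mismatch:", row)
```

The table is deliberately written as "who may initiate to whom", matching the reply's framing: if `audit` returns an empty list the intended flows and the intended blocks both hold, and adding a flow row for each new device is a cheap way to re-check the policy whenever a rule changes.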
Thanks, this is a sensible approach: assuming the worst and building from there keeps it simple. Most of my IoT devices don't need internet access anyway, only a few like HA and Apple TV need outbound.
First question: Is the SLZB-MR4U being used as an RCP or as a Thread Border Router? In other words, is the actual border router running in the device on the ESP32-S3 chip, or is the router running in a Docker container on the Home Assistant server? The device can run in either mode. If it is running an on-device border router then the Thread network is on whatever VLAN you plugged the device into. If the router is running as a Home Assistant “app” (in Docker) then the Thread network is on the virtual network that Docker and the HA server are on. On a flat network these would all be the same 192.16.xxx.0/24, but maybe not in your case.
You were right about HA and IoT devices on the same VLAN, but it is worse. Your phone also has to be on the same VLAN, and your phone has to have an Internet connection, all at the same time. At least for commissioning new Matter devices. The reason is that commissioning involves accessing a public blockchain “ledger” that tracks and authenticates devices. This ensures that the Aqara radar you bought on Amazon was not secretly swapped out for a hacker spy device that pretends to be a radar.
Of course your phone does not need to live in the IoT VLAN permanently, only while installing Matter devices. And with effort (and a Bluetooth dongle) you can use something other than a phone.
Some IoT devices, for example Shelly, need to allow incoming connections on port 80 from devices on your normal LAN because they are configured using a web interface.
One more point. If you want a robust Thread network, I think you want more than just one Border Router. Two or four is not unreasonable. But over time, as you buy consumer electronics, more and more of them will include border routers. Many Google devices have them and some Apple devices too. You might find you have half a dozen already and more will sneak in. I think Eero WiFi routers have Thread now and over time this will be common.
I want to do something like this too. But I plan to do it differently. I have many IOT devices on a flat network. I will move them one device at a time to a VLAN. I think I have a much better chance of getting it to work this way.
My SLZB-MR4U is currently running in RCP mode with OTBR as a HA add-on. I have considered switching to running OTBR directly on the device but haven't looked into how reliable that is yet. If I do run OTBR on the device itself would I be able to leave HA on my server VLAN and just put the SLZB on the IoT VLAN? I also have two Apple TVs which act as additional border routers so I should have a reasonably robust Thread mesh.