Hey everyone,

I am completely stripping my house and am currently thinking about how to set up the home network.

This is my usecase:

  • home server that can access the internet + homeassistant that can access IoT devices

  • KNX that I want to have access to home assistant and vice versa

  • IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)

  • 3 PoE cameras through a PoE 4 port switch

  • a Chromecast & nintendo switch that need internet access

Every router worth anything already has a guest network, so I don’t see much value in separating out a VLAN in a home use case.

My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn’t kill its battery retrying until home assistant polls.

The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR

I already have PiHole blocking most phone homes from the chromecast or guest devices.

So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.

Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.

Am I completely wrong on this?

  • JustEnoughDucksOP
    link
    fedilink
    English
    38 months ago

    Yes, that is why I gave an example of how i thought it worked, but i have a single physical server with *arr suite, HA, reverse proxy, and all of my other services.

    If it is a near physical separation of traffic, how can 1 device with 1 MAC and 1 IP be isolated on multiple parts of the VLAN?

    • Dran
      link
      fedilink
      English
      2
      edit-2
      8 months ago

      You would expose a single port to multiple vlans, and then bind multiple addresses to that single physical connected interface. Each service would then bind itself to the appropriate address, rather than “*”

    • @acockworkorange@mander.xyz
      link
      fedilink
      English
      1
      edit-2
      8 months ago

      Oh, it can’t. You’d need more ETH ports. One for each VLAN a device is connected to. You can find multiport low speed expansion cards for cheap, even more so used. Many people think it’s a worthy investment. You learn a valuable skill and have a more resilient, secure network.

      Of course that assumes you have spare expansion connectors on your server. I might be wrong, but I’m pretty sure you can find ETH boards for that “Wi-Fi” M.2 connector, so that’s an option if you don’t have PCI. That way you can at least segregate Internet and local traffic.

      Edit: apparently you can. Time for me to update my knowledge.