Hey everyone,
I am completely stripping my house and am currently thinking about how to set up the home network.
This is my use case:
- home server that can access the internet + Home Assistant that can access IoT devices
- KNX that I want to have access to Home Assistant and vice versa
- IoT devices over WiFi (maybe Thread in the future) that are for the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around (sending data updates and, in the future, sending voice commands).
- 3 PoE cameras through a 4-port PoE switch
- a Chromecast & Nintendo Switch that need internet access
Every router worth anything already has a guest network, so I don’t see much value in separating out a VLAN in a home use case.
My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn’t kill its battery retrying until home assistant polls.
The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar, and I want them to be able to send data to the on-server NVR.
I already have PiHole blocking most phone homes from the chromecast or guest devices.
So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.
Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).
I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.
Am I completely wrong on this?
Yes, you should not be thinking about security in terms of an outside intruder here. Think about untrustworthy or potentially compromised devices.
- WiFi smart devices are notorious for calling home, possibly collecting data, even if you’re trying to use them locally.
- There have been botnets from unsecured video cameras, and even some compromised from before import.
- TVs report back what you’re using them for and when, even playing through HDMI, and some have been caught listening in to your private conversations.
How do you prevent these from happening, or limit what they can do? One way is to put them on a separate VLAN without internet access (your HA or other hub can listen on multiple VLANs and be the gatekeeper) and without access to your computers.
That being said, for similar requirements, I found managing the more complex network to be too much hassle, and went back to a simple flat network.
Yeah, for that threat model, a VLAN is not needed in my opinion:
- ESPHome devices are for sure not data collecting, and PiHole will block most of the phone homes with a good block list; where possible (like simple smart devices) they are flashed with a local open source version. Still, the vast majority are KNX and Z-Wave, which are local only.
- video cameras are always local-only and have completely blocked internet access via the router
- This is probably the biggest threat that is unpreventable in other ways. Though definitely citation needed for them actually being caught recording conversations lol. People think phones do that too, but it is simply a lot easier (and more importantly, cheaper with a much higher ROI) to make a complete data picture through search/watch history + proximity to other devices.
PiHole by itself can’t really block all the traffic, as some devices may be set to use a different DNS server from the factory. And with DNS over HTTPS, to block phoning home you’d most probably have to completely block internet access for that device.
I’m looking at VLANs as groups of devices which share the same access policies. So e.g. you create a VLAN for cameras, create rules for accessing the NAS, HA, etc. and then just assign each camera to that VLAN. You don’t need to recreate the same rules for every new camera.
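As an added illustration of the "VLAN as a policy group" idea above (and of the earlier point that HA can be the gatekeeper between VLANs), here is an nftables forward ruleset for a Linux router with one interface per VLAN. It is not from this thread; the interface names, the server address and the port choices are assumptions for the example:

```nftables
# Added example, not from the thread. Assumed layout:
#   wan0   = internet uplink
#   lan0   = trusted LAN (PCs, home server, KNX IP interface)
#   iot0   = ESPHome / WiFi device VLAN
#   cam0   = PoE camera VLAN
#   guest0 = Chromecast, Nintendo Switch
#   10.0.1.10 = home server on lan0 running HA, MQTT broker, NVR and PiHole
define SERVER = 10.0.1.10

table inet home_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to any allowed connection flow back no matter
        # which VLAN initiated it. This is what gives "bidirectional" traffic
        # without opening the untrusted VLANs towards the LAN.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may initiate anything: HA to ESPHome devices (TCP 6053),
        # NVR pulling RTSP from cameras, phones casting to the Chromecast.
        iifname "lan0" accept

        # Untrusted VLANs resolve names and sync time only via the server
        # (PiHole). A device with a hard-coded public DNS or DoH endpoint
        # falls through to the drop policy instead of reaching the internet.
        iifname { "iot0", "cam0" } ip daddr $SERVER udp dport { 53, 123 } accept
        iifname { "iot0", "cam0" } ip daddr $SERVER tcp dport 53 accept

        # ESPHome VLAN: devices may push state to the MQTT broker (useful for
        # battery devices waking from deep sleep), nothing else.
        iifname "iot0" ip daddr $SERVER tcp dport { 1883, 8883 } accept

        # Camera VLAN: cameras may only push streams/events to the NVR.
        iifname "cam0" ip daddr $SERVER tcp dport { 554, 8554 } accept

        # Guest VLAN: internet only, never the internal subnets.
        iifname "guest0" oifname "wan0" accept

        # Everything else (IoT -> internet, cam -> LAN, guest -> LAN) hits the
        # drop policy; rate-limited logging makes phone-home attempts visible.
        limit rate 10/minute log prefix "fw-drop "
    }
}
```

New cameras or ESPHome devices inherit the policy simply by being placed in the matching VLAN. Note that mDNS-based discovery (ESPHome, Chromecast) does not cross VLANs on its own and needs an mDNS reflector or static configuration on the HA side.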