Hey everyone,

I am completely stripping my house and am currently thinking about how to set up the home network.

This is my usecase:

  • home server that can access the internet + homeassistant that can access IoT devices

  • KNX that I want to have access to home assistant and vice versa

  • IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)

  • 3 PoE cameras through a PoE 4 port switch

  • a Chromecast & nintendo switch that need internet access

Every router worth anything already has a guest network, so I don’t see much value in separating out a VLAN in a home use case.

My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn’t kill its battery retrying until home assistant polls.

The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR

I already have PiHole blocking most phone homes from the chromecast or guest devices.

So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.

Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.

Am I completely wrong on this?

  • rentar42
    link
    fedilink
    18
    edit-2
    8 months ago

    Like many other security mechanisms VLANs aren’t really about enabling anything that can’t be done without them.

    Instead it’s almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.

    So if your question is “do I need VLAN to enable any features”, then the answer is no, you don’t (almost certainly, I’m sure there are some weird corner cases and exceptions).

    What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don’t normally talk to each other anyway. Right. That “normally” is exactly the case: one major benefit of having VLANs is not just stopping “normal” phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you’re out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone …

    So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.

    • @[email protected]
      link
      fedilink
      English
      7
      edit-2
      8 months ago

      And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.

      The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.

    • @[email protected]
      link
      fedilink
      English
      38 months ago

      Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network

      • BlueÆther
        link
        fedilink
        English
        18 months ago

        I had my home setup like that for years. ONT <-> Switch <-> Opnsense <-> Back to Switch

    • FalseMyrmidon
      link
      fedilink
      28 months ago

      In larger networks VLANs let you do network segmentation across switches, which you can’t really do otherwise.

      I wouldn’t bother at home.

  • @anamethatisnt
    link
    English
    158 months ago

    I consider client devices to be a big risk factor and if I can keep them from having direct access to the Backup NAS and the IoT I consider that a big win. A simple ransomware attack on a client device would find any NFS/SMB shares the client can access and start encrypting - having the Backup NAS on a separate VLAN that only the server can access stops most of those from affecting the backup and makes restoring a lot easier. I would definitely recommend having an offline backup of the NAS as well in case of the server being breached.

    • @[email protected]
      link
      fedilink
      English
      7
      edit-2
      8 months ago

      Yeah, 100% agree on the client devices. One of my VLANs is for the kids’ devices. I don’t trust their schools’ admins or their shitty BYOD policies, so I just let them access Plex (via Nginx reverse proxy); Pi-hole; and the internet.

  • @AA5B
    link
    English
    8
    edit-2
    8 months ago

    Yes, you should not be thinking about security in terms of an outside intruder here. Think about untrustworthy or potentially compromised devices.

    • WiFi smart devices are notorious for calling home, possibly collecting data, even if you’re trying to use them locally.
    • There have been botnets from unsecured video cameras, and even some compromised from before import.
    • TVs report back what you’re using them for and when, even playing through hdmi, and some have been caught listening in to your private conversations.

    How do you prevent these from happening, or limit what they can do? One way is to put them on a separate vlan without internet access (your HA or other hub can listen on multiple VLANs and be the gatekeeper) and without access to your computers.

    That being said, for similar requirements, I found managing the more complex network to be too much hassle, and went back to a simple flat network

  • @[email protected]
    link
    fedilink
    English
    8
    edit-2
    8 months ago

    It all comes down to what you trust each type of device to do and how you want to handle their traffic.

    I have seven VLANs, with each one’s traffic being treated very specifically. The subnets for each VLAN route to specific interfaces on a virtualised OPNsense firewall, which is where my traffic handling and policy enforcement takes place.

    Also remember VLANs are just plain useful for segregating traffic, particularly broadcast traffic, without having to invest in separate switching/routing for each subnet. Having a single managed switch that limits the broadcast domains for you is a really efficient way to (physically) setup your network.

    • @CMahaff
      link
      English
      4
      edit-2
      8 months ago

      Out of curiosity, what switch are you using for your setup?

      Last time I looked, I struggled to find any brand of “home tier” router / switch that supported things like configuring vlans, etc.

      • @[email protected]
        link
        fedilink
        English
        28 months ago

        Believe it or not, a Netgear. Specifically this one. I don’t have any fibre connected gear (yet!) and 180W of PoE+ was more than enough for my few PoE cameras and WAPs.

  • @[email protected]
    link
    fedilink
    English
    78 months ago

    In general terms, if you are not sure if you need a VLAN, you do not need a VLAN.

    It dramatically complicates your home networks (yes, plural at that point), which is fine if IT serves a purpose.

    But if there isn’t a compelling reason for them you are just imposing a management cost for no benefit.

    • @just_another_person
      link
      English
      68 months ago

      Disagree here, since OP’s case is strong enough for a VLAN if they want segregated traffic.

  • @[email protected]
    link
    fedilink
    English
    48 months ago

    It looks like you’re not understanding what a VLAN is. It is a virtual LAN, it’s near physical separation of traffic.

    In your example, your IoT devices and HA would sit in their network. Your PCs and phones on another, reaching outside through PiHole. Your *arr suite in a third, only routed outside through a VPN. You get the gist. And then you set rules on how these subnets talk to each other in a router, like you would do if they were physically separate.

    • JustEnoughDucksOP
      link
      fedilink
      English
      38 months ago

      Yes, that is why I gave an example of how i thought it worked, but i have a single physical server with *arr suite, HA, reverse proxy, and all of my other services.

      If it is a near physical separation of traffic, how can 1 device with 1 MAC and 1 IP be isolated on multiple parts of the VLAN?

      • Dran
        link
        English
        2
        edit-2
        8 months ago

        You would expose a single port to multiple vlans, and then bind multiple addresses to that single physical connected interface. Each service would then bind itself to the appropriate address, rather than “*”

      • @[email protected]
        link
        fedilink
        English
        1
        edit-2
        8 months ago

        Oh, it can’t. You’d need more ETH ports. One for each VLAN a device is connected to. You can find multiport low speed expansion cards for cheap, even more so used. Many people think it’s a worthy investment. You learn a valuable skill and have a more resilient, secure network.

        Of course that assumes you have spare expansion connectors on your server. I might be wrong, but I’m pretty sure you can find ETH boards for that “Wi-Fi” M.2 connector, so that’s an option if you don’t have PCI. That way you can at least segregate Internet and local traffic.

        Edit: apparently you can. Time for me to update my knowledge.

  • @[email protected]
    link
    fedilink
    English
    38 months ago

    If you want to learn about VLANs and spend some time setting everything up (and more time each time a new device joins your network) then you should go for it.

    I for myself decided it’s not worth it for my little home network and instead just use a /16 net and group devices into different ranges. E.g. computers are xxx.xxx.1.yyy, phones are .2.yyy, etc. All unknown devices get a .99.yyy from the DHCP, so they are easily identified.

    All public facing stuff is in some Docker container, so there’s at least a small hurdle should something/someone get access.

    Cameras are mirrored into Apple HomeKit via Home Assistant, so I can use Apple Home to watch them from afar. Or VPN into my home network.

  • Possibly linux
    link
    fedilink
    English
    38 months ago

    Vlans are really only useful with firewalls. If you setup VLANs by themselves it does nothing (mostly)

    • yeehaw
      link
      fedilink
      English
      28 months ago

      Unless you have a shit ton of hosts, to limit broadcast domains.

  • @[email protected]B
    link
    fedilink
    English
    1
    edit-2
    8 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
    DNS Domain Name Service/System
    HA Home Assistant automation software
    ~ High Availability
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    IoT Internet of Things for device controllers
    NAS Network-Attached Storage
    NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency
    PiHole Network-wide ad-blocker (DNS sinkhole)
    Plex Brand of media server package
    PoE Power over Ethernet
    SMB Server Message Block protocol for file and printer sharing; Windows-native
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    VPN Virtual Private Network

    [Thread #709 for this sub, first seen 24th Apr 2024, 09:15] [FAQ] [Full list] [Contact] [Source code]

  • @CMahaff
    link
    English
    1
    edit-2
    8 months ago

    Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

    I think of it like this: grouping several physical switch ports together into a private network, effectively like each group of ports is it’s own isolated switch. I assume there are routers which allows you to assign vlans to different Wi-Fi access points as well, so it doesn’t need to be literally physical.

    Obviously the benefits of vlans over something actually physical is that you can have as many as you like, and there are ways to trunk the data if one client needs access to multiple vlans at once.

    In your setup, you may or may not benefit, organizationally. Obviously other commenters have pointed out some of the security benefits. If you were using vlans I think you’d have at a minimum a private and public vlan, separating out the items that don’t need Internet access from the Internet at all. Your server would probably need access to both vlans in that scenario. But certainly as you say, you can probably accomplish a lot of this without vlans, if you can aggressively setup your firewall rules. The benefit of vlans is you would only really need to setup firewall rules on whatever vlan(s) have Internet access.