So I have a problem, I have segmented my home network into multiple VLANs (main LAN, IOT, IOT_offline, Guest). The main LAN has access to other VLANs, while those VLANs do not have access to it and are separated. I’m running Home Assistant to make my home smart and since I want it to be able to work with devices on all VLANs I put it on the main LAN.
The problem is then that some devices seem to require being in the same subnet as Home Assistant to be discovered (devices that are not using mDNS). My current workaround for this is having multiple virtual network interfaces on my Home Assistant host (RPI4). However, I feel like this solution is a black box and I have no control over/understanding of how Home Assistant uses the multiple interfaces.
I’m using pfSense together with UniFi switches/APs. Ideally I would like to fix this with a smart solution on the firewall because it feels like you have more control that way. How would you solve this problem and structure your smart home?
It’s a legitimate solution as long as you trust the devices in the VLANs with interfaces on your HA host. In fact, for some integrations it’s necessary in order to receive UDP broadcast status updates from devices.
So, allowing a guest network on there probably isn’t a good plan!
I separate my IoT VLANs into clean (where I’ve taken steps to verify all devices’ pedigree & behaviour) e.g. my Rako lighting rig and Texecom house alarm and dirty (where their provenance is unknown/unclear or where exploits are known or rumoured) e.g. mass produced sensors, buttons, cameras and the like.
Thanks for your input, yes the guest network is fully segregated, not used at all. Do you have an interface for the dirty VLAN on Home Assistant?
I have individual UniFi VLANs for Lighting, AV, Alarm, Cameras, Server management, NAS, Home automation & Hive. This allows me to create firewall rules allowing only expected traffic between them and out to the internet. Three of these VLANs have an interface on the HA host; devices on the others can’t talk to HA without going through the firewall.
The HA host will talk on the appropriate interface for a device if it has learned that its MAC address is local to that interface. This is an automatic behaviour of TCP/IP networking. Just be careful not to enable routing on your RPi. Sounds like you could do something similar but as you’re using pfsense the implementation will be different.
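An added example, written for this thread and not posted by any of its participants, that models the behaviour the reply above describes: a multi-homed host sends to a device directly on the interface whose connected subnet contains the device, and to the default gateway (the firewall) otherwise; UDP broadcast status updates are only heard on the interface in the sending subnet; and enabling IP forwarding on such a host turns it into a router that bypasses the firewall between its VLANs. The interface names, addresses and VLAN roles are constructed assumptions, not anyone's actual configuration.

```python
"""Which interface does a multi-homed Home Assistant host use for a device?

Constructed example: the host has three VLAN interfaces. Names, subnets and
the gateway address are assumptions for illustration only.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed interface table for the HA host (assumed names and addressing).
HOST_INTERFACES: Dict[str, str] = {
    "eth0":    "192.168.10.5/24",   # main LAN
    "eth0.20": "192.168.20.5/24",   # IoT "clean" VLAN
    "eth0.30": "192.168.30.5/24",   # IoT "dirty" VLAN
}
DEFAULT_GATEWAY = "192.168.10.1"    # assumed pfSense LAN address


def select_interface(dst: str, interfaces: Dict[str, str] = HOST_INTERFACES) -> Optional[str]:
    """Return the interface whose connected subnet contains dst, using
    longest-prefix match (the same choice the kernel's connected routes make).
    None means the packet goes to the default gateway, i.e. through the
    firewall and its rules."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def broadcast_interfaces(interfaces: Dict[str, str] = HOST_INTERFACES) -> Dict[str, str]:
    """Map each interface to the directed broadcast address of its subnet.
    A device's UDP broadcast status update is only received on the
    interface that sits in that device's subnet; it is never routed."""
    return {name: str(ipaddress.ip_interface(cidr).network.broadcast_address)
            for name, cidr in interfaces.items()}


def audit_forwarding(ip_forward_value: str, interfaces: Dict[str, str] = HOST_INTERFACES) -> List[str]:
    """Findings for a multi-homed host. ip_forward_value is the text read from
    /proc/sys/net/ipv4/ip_forward (or the value shown by
    `sysctl net.ipv4.ip_forward`). With forwarding on, a host that has
    interfaces in several VLANs routes between them, bypassing the firewall."""
    findings = []
    if ip_forward_value.strip() == "1" and len(interfaces) > 1:
        findings.append(
            "net.ipv4.ip_forward=1 on a host with %d VLAN interfaces: it will "
            "route between those VLANs, bypassing the firewall" % len(interfaces))
    return findings


if __name__ == "__main__":
    for device in ("192.168.20.77", "192.168.30.12", "192.168.40.9"):
        via = select_interface(device)
        print(device, "->", via if via else "default gateway %s" % DEFAULT_GATEWAY)
    print("broadcast domains:", broadcast_interfaces())
    # Constructed sysctl value; on a real host read /proc/sys/net/ipv4/ip_forward.
    for finding in audit_forwarding("1\n"):
        print("FINDING:", finding)
```

Run it on the host with `cat /proc/sys/net/ipv4/ip_forward` fed into `audit_forwarding` to confirm the RPi is not forwarding; a device whose address falls in no connected subnet (the `default gateway` case) is exactly the one the firewall rules still govern.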