I’ve been playing around with my HA setup and want to expose it on a number of VLANs.
I have 3 VLANs: Servers, IoT and Main.
IoT is where I ring-fence all my untrusted devices, Main is where my laptops and computers live, and Servers is for management/server interfaces.
I’m going to be putting more of my network, including my pfSense router, to sleep at night owing to the great robbery happening here in the UK by the government and energy companies.
I therefore want to expose my HA to my IoT VLAN directly as well as to my Main network, which I can do.
It seems to me that in doing this there is a security risk that this machine could bridge the networks.
I have little control over my IoT devices talking to HA if it is exposed directly, and if HA is compromised then in theory the rest of the network is.
Is there anything I can do?
How do you figure that? Each VLAN is a pipe, distinct and independent from the others. If you expose VLAN30 (IoT) to the Internet, why do you think your network can be compromised? VLAN30 cannot talk to VLAN10 (Servers) or VLAN20 (Main), right?
Because there is a machine talking to both networks, and if that is compromised from either side it can then talk to the other side and be used as a bridge.
I did not see that machine in your description. Sure, if that’s taken, the network can be taken.
I’ve taken a few steps within my HA setup and VLANs to mitigate a few of these risks.
- Removed all untagged interfaces from the router (OPNsense); this has significantly reduced broadcast traffic and improved performance as well!
- Standardized most of the IoT devices on Sonoff or other ESP8266-based hardware, flashed with Tasmota/ESPHome.
- None of the flashed firmware needs to go outside the home LAN for anything (NTP, DNS etc.).
- Standardized IP cameras on V380 models, which work well with HA. After initial configuration, I created an alias for the cameras and blocked it from going outside. When firmware updates are needed, I manually turn off the rule for the duration.
- Installed OpenVPN on the router and use it to access HA and the home LAN from outside. There are lots of YouTube videos showing port opening for accessing HA from outside; I think it is a terrible idea.
But there are a few IoT devices (mostly proprietary, like the Ring doorbell) that I have no choice but to allow access to the WAN.
It’s not foolproof, but hopefully there are a lot fewer chinks in the armor!
Thanks. Useful tips and we are aligned on most of them.
I hadn’t thought about point 1. I pass the trunk network through to my router (pfSense). I had broadcast issues with XCP-ng and LACP connections; UniFi kept shutting my ports down. I wonder if this might help that too. Something weird was going on with STP which I never quite got my head around.
2 is a bit of a non-starter for me. If I had the money and was starting over I would love to do this.
3: yes, I do this; nothing goes outside the IoT VLAN without my say-so. My TV is one such example. I’d like to lock it down further via a proxy but haven’t worked that out yet.
4: I’ll have to read up about this, as this is new info. I’m using Hikvision and Reolink mainly.
5: everything goes via pfSense, also using OpenVPN. Nothing comes in except ports I’ve mapped for torrenting, and even that is via my VPN interface. I try to avoid exposing my IP.
As it happens I’m thinking of switching to OPNsense after my pfSense HAProxy experiment. So ugly its own mother would disown it!
I think one to add to your list (which was a result of my HAProxy experiment) is to put Home Assistant on the IoT VLAN, isolate it, and proxy to it from my other networks via HAProxy.
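The firewall and proxy side of the design the thread ends on (HA on the IoT VLAN, with Main reaching it only through HAProxy on the router), combined with the per-VLAN rules from the earlier list (IoT never crosses into Main/Servers, camera alias blocked from the WAN, nothing inbound but OpenVPN), written out as an added example. It is not from either poster and not an OPNsense export: OPNsense generates pf.conf from the GUI, so this is raw pf syntax showing the shape the rules take, plus the matching HAProxy frontend/backend. Interface names, the 10.0.x.0/24 subnets, the HA address 10.0.30.50, the two camera addresses and the certificate path are all assumed.

```conf
# --- /etc/pf.conf fragment (assumed: vlan10 = Servers 10.0.10.0/24,
#     vlan20 = Main 10.0.20.0/24, vlan30 = IoT 10.0.30.0/24, router is .1 on each) ---
srv  = "vlan10"
main = "vlan20"
iot  = "vlan30"
wan  = "igb0"
ha   = "10.0.30.50"                                   # Home Assistant, lives on the IoT VLAN
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <cameras> persist { 10.0.30.21, 10.0.30.22 }   # the "camera alias"; addresses are made up

set skip on lo0
block log all                                        # default deny; everything below is an exception
pass out quick on $wan inet                          # forwarded traffic may leave (NAT rules not shown)

# WAN: nothing inbound except the OpenVPN listener
pass in on $wan proto udp from any to ($wan) port 1194

# IoT VLAN: DNS/NTP from the router, Internet for everything except the cameras,
# and never the other VLANs. HA gets exactly the same treatment as any IoT device.
block in quick on $iot from <cameras> to ! <rfc1918>  # comment out (and reload) only while updating firmware
block in quick on $iot from $iot:network to { $main:network, $srv:network }
pass in on $iot proto { tcp, udp } from $iot:network to ($iot) port { 53, 123 }
pass in on $iot from $iot:network to ! <rfc1918>

# Main VLAN: HA reachable only through the HAProxy listener on the router, never directly
block in quick on $main from $main:network to $iot:network
pass in on $main proto tcp from $main:network to ($main) port 8443
pass in on $main proto { tcp, udp } from $main:network to ($main) port { 53, 123 }
pass in on $main from $main:network to ! <rfc1918>
pass out on $iot proto tcp from ($iot) to $ha port 8123   # HAProxy's own back-end connection
# (Servers VLAN rules follow the same shape and are omitted)

# --- haproxy.cfg (assumed certificate path) ---
global
    log /dev/log local0
defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s
frontend ha_main
    # bound only to the router's Main-VLAN address; TLS terminates here
    bind 10.0.20.1:8443 ssl crt /usr/local/etc/ssl/ha.pem
    option forwardfor
    default_backend ha
backend ha
    # the only path from Main into the IoT VLAN: router -> HA on 8123
    server ha 10.0.30.50:8123 check
```

Two things to check before relying on it: the ordering of `block ... quick` lines matters, since pf is last-match-wins unless `quick` is set, so the camera and cross-VLAN blocks must sit above the broad `pass in` rules as above (`pfctl -nf /etc/pf.conf` parses without loading on a plain pf box); and Home Assistant rejects proxied requests unless `configuration.yaml` enables `http: use_x_forwarded_for: true` with `trusted_proxies` listing the router's IoT-side address (10.0.30.1 here), because that is the source HAProxy connects from. Note that a compromised HA can still reach the Internet like any other IoT device; the rules only stop it from initiating toward Main or Servers.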