Home network, pfsense, Sonos, Lutron, VPN

Hello. I’m looking for some suggestions on how to deal with accessing a Lutron light bridge, Sonos, and pihole DNS through my pfSense VPN as well as suggestions on a redesign of the home network, if necessary.

I have a pfSense/Netgate SG-3100 firewall/router, Netgear MR60 Mesh wifi router w/satellite, Sonos Speakers, Caseta/Lutron Lights, a raspberry pi with access to my burglar alarm, another pi running pihole DNS, and a boatload of cameras. I also have a house that is built like a Faraday cage.

I have tried multiple UniFi solutions but so far the only wifi solution that penetrates my walls from room to room is the Netgear Mesh Satellite system (kinda scary when you think about it). I’m also giving the next door neighbor wifi access through the Netgear “guest” network to keep her off my network and make a few bucks.

I have seen a lot of videos, Tom’s included, that suggest a separate IoT network. I currently have a single flat network that my IoT and home stuff are all on. My first problem was 15 various cameras that all wanted to phone home to China. I took care of that with a firewall rule, as they are all accessed by Blue Iris and do not need internet access.

My current problem is accessing the Caseta Lutron Light system bridge from my VPN. Since I have an inherent lack of trust of any organization that wants me to go through their “secure” servers into my own home light switch I blocked their device from internet access. Access is fine while at home with the mobile app but I’d really like to be able to VPN into the house while away, and control the lights.

Right now I can get into all of my devices (Spotweb server, Emby server, home webserver, burglar alarm webserver, Blue Iris server, etc.) from VPN except for Sonos and Lutron. I recently saw Tom’s video on Avahi and think this might be the solution to the Sonos and Lutron app issues, but as I initially said I would also consider redesigning the network if necessary. And because I want to have my cake and eat it too, I want to use my pihole DNS server through my VPN.

Any and all solutions will be entertained. Is this all possible with the equipment that I have? Thanks!

GS

For what it’s worth here are my thoughts on your setup.

I’d purchase a managed switch, any decent one will do, but read the manual. With the switch and pfSense you basically have all you need. Your Netgear mesh can still be used, though if it can’t handle multiple VLANs/SSIDs then you might have to decide on buying an access point or just sticking with one VLAN on it.

You can create your VLANs easily enough for ISP, CAMs, IoT, Guest etc.

You don’t need a pihole; you can run pfBlocker with the same lists as pihole, then you can run that across all your interfaces including your own VPN.

When you set up your OpenVPN server you ought to be able to dial home and access your network as if you were at home.

If you change your mind and purchase a new AP, then I will say my TP-Link EAP245 has a great guest portal, with a setup similar to hotels. No idea if it will work in your home though.

Not sure why the Sonos won’t work, but again, if the OpenVPN server is set up correctly with the firewall rules working then it ought to work, unless it’s by design.

I have not used the Lutron devices but the Sonos app will give you lots of problems if you are not on the same network as the Sonos devices, even with mDNS. Also not likely the Sonos would work over the VPN either.

As far as switches go, I do have two Netgear GS PoE managed switches with VLAN support, but I was hoping the Netgear Mesh wifi was the last wifi I was going to buy (for a while at least). Unfortunately I don’t think the MR60 series supports VLANs but I will look.

Since I am the only user of the VPN with either a laptop, mobile, or tablet, but typically only one device at a time, can I configure the VPN so that my IP is on my same home network (i.e. 192.168.0) and bypass this hassle?

No, OpenVPN has to use routing, so it can’t simply be bridged on to the network. Someone might call me out because there are some ways to make it work, but trust me when I say it does not work well.
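As an added illustration of the routed (not bridged) OpenVPN setup being recommended here, and of the original poster’s wish to reach the LAN and use the pihole resolver through the tunnel, below is a server-side OpenVPN configuration in the form pfSense generates from its OpenVPN Server page. This is example configuration, not from the thread’s authors or from Netgate. It assumes the home LAN is 192.168.0.0/24 (from the “192.168.0” mentioned above), a constructed tunnel network of 10.8.0.0/24, and a placeholder pihole address of 192.168.0.53; the certificate file names are placeholders too.

```conf
# Added example: routed OpenVPN server on pfSense (tun, not tap/bridge).
# Assumptions: LAN 192.168.0.0/24, tunnel 10.8.0.0/24 (constructed),
# pihole at 192.168.0.53 (placeholder), certificate names are placeholders.

dev tun                    # routed layer-3 tunnel; "dev tap" would be the bridged mode
proto udp
port 1194
topology subnet            # one /24 for all clients, each client gets a single address

# pfSense GUI field "IPv4 Tunnel Network"
server 10.8.0.0 255.255.255.0

# pfSense GUI field "IPv4 Local network(s)": clients get a route to the home LAN
push "route 192.168.0.0 255.255.255.0"

# pfSense GUI field "DNS Server 1": clients resolve through the pihole over the tunnel
push "dhcp-option DNS 192.168.0.53"

# Keys and certificates (placeholders; pfSense manages these in its cert manager)
ca /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-crypt /var/etc/openvpn/server1/tls-crypt   # authenticates the TLS handshake itself

# Modern cipher/auth choices
cipher AES-256-GCM
auth SHA256

keepalive 10 60
persist-key
persist-tun
```

Two things this configuration does not do on its own. First, pfSense still needs a pass rule on the OpenVPN interface (and the pihole must be set to accept queries from the 10.8.0.0/24 source, since by default it may answer only its own subnet) before LAN hosts and DNS are reachable from a client. Second, because the tunnel is routed, link-local multicast such as mDNS (224.0.0.251) never crosses it, which is exactly why Sonos and Lutron discovery fails even when the servers on the LAN (Emby, Blue Iris, the alarm) are reachable by address; the Avahi package mentioned earlier reflects mDNS between interfaces, but as the reply above warns, the Sonos app may still refuse to work when the phone is not on the same subnet as the speakers.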

At this point the network is reasonably solid, though flat. The neighbor is happy with her little Google Home device telling her the time and weather, and I can still do what I want, for the most part, when I am outside coming in through the VPN. The cameras are blocked from calling home and I can get to the burglar alarm webserver. I really have no need to fool around with Sonos when I’m not in the house anyways, but I still want to be able to control the lights.

Does anyone have any suggestions on how to deal with the Caseta Lutron bridge through VPN? FWIW I am poking around the Lutron support forums as well…

I tossed out all my grand ideas and plugged a 2nd wifi router into my switch. That got me a different DHCP subnet for the Lutron as well as a wifi guest network for my SimpliSafe. Problem solved. I hope.