What zone / vlan to place Home Assistant

I know @LTS_Tom says in his videos that he doesn’t put Home Assistant on the IoT VLAN, and instead places it on one of his main networks (management, server??)

It’s been asked before, about 3 years ago, here on the forum, but I want to know what the general consensus is these days.

I am considering putting it in my “server network” VLAN, with access out to the designated IoT VLANs I have with only return traffic allowed.
This seems safe to me, as long as I vet the add-ons I install onto Home Assistant from HACS and such.

My main issue is that even with mDNS enabled I feel like I might be missing out on some smart device communications. For example, UDP broadcast or such that might not be able to reach Home Assistant for sensors or whatever. I’m just guessing here, as I don’t have many smart devices just now and none broadcast like that.

What I do is put Home Assistant in the same VLAN due to the issue you explained in your post. That way the devices you want to connect to Home Assistant don’t need mDNS. Then create firewall rules to allow traffic to Home Assistant.

I have a full UniFi system that my IoT stuff runs on, and have mDNS Proxy enabled, so I think the mDNS stuff should be okay. It’s whatever “other” stuff I’m not sure about … like if a smart device only communicates on the same subnet.

Home Assistant is a tricky one. It depends on several factors, e.g. whether you need to access your HA instance from the Internet while you are not at home (e.g. for geofencing). If you access your home network via an “always-on” VPN, you may choose an internal VLAN, but if you use it via a reverse proxy I’d rather put it on a DMZ.

Personally I am running HA on a different VLAN than the IoT devices and the entertainment devices (like Kodi, gaming consoles). mDNS, SSDP, LLMNR, CoAP and other stuff, e.g. MusicCast, can be allowed on a per-need basis between the VLANs. This works fine for me. However, doing this is slightly questionable as some protocols do not allow you to nail them down to a few port numbers and require rather broad port number ranges to be allowed.
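As an added illustration of the two placements discussed above (HA on a server VLAN that may initiate toward IoT with only return traffic allowed, plus per-need discovery protocols in the other direction), here is an nftables forward policy. It is example code, not from any poster or from Home Assistant; the VLAN interface names, subnets and the HA host address are assumed placeholders.

```nftables
# Assumed placeholders: adjust interface names and addresses to your network.
define vlan_srv = "vlan10"          # server VLAN holding Home Assistant
define vlan_iot = "vlan20"          # IoT VLAN
define ha_host  = 10.0.10.5         # Home Assistant address (placeholder)
define iot_net  = 10.0.20.0/24      # IoT subnet (placeholder)

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Home Assistant may initiate anything toward the IoT VLAN; replies
        # come back through the established/related rule above.
        iifname $vlan_srv oifname $vlan_iot ip saddr $ha_host ip daddr $iot_net accept

        # Per-need unicast traffic from IoT devices to the HA host only:
        # mDNS 5353, SSDP 1900, LLMNR 5355, CoAP 5683. Note that mDNS, SSDP and
        # LLMNR discovery itself is multicast and is not routed between VLANs;
        # this rule only covers the unicast follow-up, so a reflector or mDNS
        # proxy on the router is still needed for cross-VLAN discovery.
        iifname $vlan_iot oifname $vlan_srv ip saddr $iot_net ip daddr $ha_host udp dport { 5353, 1900, 5355, 5683 } accept

        # IoT devices that push to HA's web/API port (8123 is HA's default).
        iifname $vlan_iot oifname $vlan_srv ip saddr $iot_net ip daddr $ha_host tcp dport 8123 accept

        # Everything else from IoT toward the server VLAN is logged and dropped,
        # which also gives a signal for spotting a misbehaving device.
        iifname $vlan_iot oifname $vlan_srv log prefix "iot-to-srv drop: " drop
    }
}
```

Plain UDP broadcasts (the concern raised earlier in the thread) never cross a router regardless of these rules, so a device that only announces itself by subnet broadcast needs either a relay or the same-VLAN placement.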

Thanks xerxes for the reply, good input there, as with the other replies too. I won’t have it publicly accessible, but via a VPN, yes. I kind of forgot I will be having different VLANs for different IoT devices anyway (internet, no internet, completely isolated), so I guess my HA will be on a different VLAN for at least some of my devices, so I might as well put it in a different VLAN (its own or management, not sure yet).