Hey everyone,
I am completely stripping my house and am currently thinking about how to set up the home network.
This is my usecase:
-
home server that can access the internet + homeassistant that can access IoT devices
-
KNX that I want to have access to home assistant and vice versa
-
IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)
-
3 PoE cameras through a PoE 4 port switch
-
a Chromecast & nintendo switch that need internet access
Every router worth anything already has a guest network, so I don’t see much value in separating out a VLAN in a home use case.
My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn’t kill its battery retrying until home assistant polls.
The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR
I already have PiHole blocking most phone homes from the chromecast or guest devices.
So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.
Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).
I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.
Am I completely wrong on this?
Like many other security mechanisms VLANs aren’t really about enabling anything that can’t be done without them.
Instead it’s almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.
So if your question is “do I need VLAN to enable any features”, then the answer is no, you don’t (almost certainly, I’m sure there are some weird corner cases and exceptions).
What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don’t normally talk to each other anyway. Right. That “normally” is exactly the case: one major benefit of having VLANs is not just stopping “normal” phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you’re out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone …
So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.
And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.
The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.
Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network
I had my home setup like that for years. ONT <-> Switch <-> Opnsense <-> Back to Switch
In larger networks VLANs let you do network segmentation across switches, which you can’t really do otherwise.
I wouldn’t bother at home.
I consider client devices to be a big risk factor and if I can keep them from having direct access to the Backup NAS and the IoT I consider that a big win. A simple ransomware attack on a client device would find any NFS/SMB shares the client can access and start encrypting - having the Backup NAS on a separate VLAN that only the server can access stops most of those from affecting the backup and makes restoring a lot easier. I would definitely recommend having an offline backup of the NAS as well in case of the server being breached.
Yeah, 100% agree on the client devices. One of my VLANs is for the kids’ devices. I don’t trust their schools’ admins or their shitty BYOD policies, so I just let them access Plex (via Nginx reverse proxy); Pi-hole; and the internet.
Yes, you should not be thinking about security in terms of an outside intruder here. Think about untrustworthy or potentially compromised devices.
- WiFi smart devices are notorious for calling home, possibly collecting data, even if you’re trying to use them locally.
- There have been botnets from unsecured video cameras, and even some compromised from before import.
- TVs report back what you’re using them for and when, even playing through hdmi, and some have been caught listening in to your private conversations.
How do you prevent these from happening, or limit what they can do? One way is to put them on a separate vlan without internet access (your HA or other hub can listen on multiple VLANs and be the gatekeeper) and without access to your computers.
That being said, for similar requirements, I found managing the more complex network to be too much hassle, and went back to a simple flat network
Yeah, for that threat model, a VLAN is not needed in my opinion:
-
esphome devices are for sure not data collecting and pihole will block most of the phone homes with a good block list, where possible (like simple smart devices) they are flashed with a local open source version. Still the vast majority are KNX and Zwave which are local only
-
video cameras are local-only always and have completely blocked internet access via the router
-
This is probably the biggest threat unpreventable in other ways. Though definitely citation needed for them actually being caught recording conversations lol. People think phones do that too, but it is simply a lot easier (and more importantly, cheaper with a much higher ROI) to make a complete data picture through search/watch history + proximity to other devices.
Pihole by itself can’t really block all the traffic as some device may be set to use different DNS server from factory. And with DNS over HTTPS, to block phoning home, you’d most probably have to completely block internet access for that device.
I’m looking at VLANs as groups of devices which shares the same access policies. So e.g. you create VLAN for cameras, create rules for accessing the NAS, HA, etc. and then just assign each camera to that VLAN. You don’t need to recreate same rules for every new camera.
-
In general terms, if you are not sure if you need a VLAN, you do not need a VLAN.
It dramatically complicates your home networks (yes, plural at that point), which is fine if IT serves a purpose.
But if there isn’t a compelling reason for them you are just imposing a management cost for no benefit.
Disagree here, since OP’s case is strong enough for a VLAN if they want segregated traffic.
It all comes down to what you trust each type of device to do and how you want to handle their traffic.
I have seven VLANs, with each one’s traffic being treated very specifically. The subnets for each VLAN route to specific interfaces on a virtualised OPNsense firewall, which is where my traffic handling and policy enforcement takes place.
Also remember VLANs are just plain useful for segregating traffic, particularly broadcast traffic, without having to invest in separate switching/routing for each subnet. Having a single managed switch that limits the broadcast domains for you is a really efficient way to (physically) setup your network.
Vlans are really only useful with firewalls. If you setup VLANs by themselves it does nothing (mostly)
Unless you have a shit ton of hosts, to limit broadcast domains.
If you want to learn about VLANs and spend some time setting everything up (and more time each time a new device joins your network) then you should go for it.
I for myself decided it’s not worth it for my little home network and instead just use a /16 net and group devices into different ranges. E.g. computers are xxx.xxx.1.yyy, phones are .2.yyy, etc. All unknown devices get a .99.yyy from the DHCP, so they are easily identified.
All public facing stuff is in some Docker container, so there’s at least a small hurdle should something/someone get access.
Cameras are mirrored into Apple HomeKit via Home Assistant, so I can use Apple Home to watch them from afar. Or VPN into my home network.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network DNS Domain Name Service/System HA Home Assistant automation software ~ High Availability HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol IoT Internet of Things for device controllers NAS Network-Attached Storage NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency PiHole Network-wide ad-blocker (DNS sinkhole) Plex Brand of media server package PoE Power over Ethernet SMB Server Message Block protocol for file and printer sharing; Windows-native SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption VPN Virtual Private Network
[Thread #709 for this sub, first seen 24th Apr 2024, 09:15] [FAQ] [Full list] [Contact] [Source code]
