Hey everyone,

I am completely stripping my house and am currently thinking about how to set up the home network.

This is my usecase:

  • home server that can access the internet + homeassistant that can access IoT devices

  • KNX that I want to have access to home assistant and vice versa

  • IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)

  • 3 PoE cameras through a PoE 4 port switch

  • a Chromecast & nintendo switch that need internet access

Every router worth anything already has a guest network, so I don’t see much value in separating out a VLAN in a home use case.

My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn’t kill its battery retrying until home assistant polls.

The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR

I already have PiHole blocking most phone homes from the chromecast or guest devices.

So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.

Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.

Am I completely wrong on this?

  • rentar42@kbin.social
    link
    fedilink
    arrow-up
    16
    ·
    edit-2
    7 months ago

    Like many other security mechanisms VLANs aren’t really about enabling anything that can’t be done without them.

    Instead it’s almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.

    So if your question is “do I need VLAN to enable any features”, then the answer is no, you don’t (almost certainly, I’m sure there are some weird corner cases and exceptions).

    What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don’t normally talk to each other anyway. Right. That “normally” is exactly the case: one major benefit of having VLANs is not just stopping “normal” phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you’re out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone …

    So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.

    • 4am@lemm.ee
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      7 months ago

      And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.

      The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.

    • Sethayy@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network

  • anamethatisnt@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    7 months ago

    I consider client devices to be a big risk factor and if I can keep them from having direct access to the Backup NAS and the IoT I consider that a big win. A simple ransomware attack on a client device would find any NFS/SMB shares the client can access and start encrypting - having the Backup NAS on a separate VLAN that only the server can access stops most of those from affecting the backup and makes restoring a lot easier. I would definitely recommend having an offline backup of the NAS as well in case of the server being breached.

  • AA5B@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    7 months ago

    Yes, you should not be thinking about security in terms of an outside intruder here. Think about untrustworthy or potentially compromised devices.

    • WiFi smart devices are notorious for calling home, possibly collecting data, even if you’re trying to use them locally.
    • There have been botnets from unsecured video cameras, and even some compromised from before import.
    • TVs report back what you’re using them for and when, even playing through hdmi, and some have been caught listening in to your private conversations.

    How do you prevent these from happening, or limit what they can do? One way is to put them on a separate vlan without internet access (your HA or other hub can listen on multiple VLANs and be the gatekeeper) and without access to your computers.

    That being said, for similar requirements, I found managing the more complex network to be too much hassle, and went back to a simple flat network

  • acockworkorange@mander.xyz
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 months ago

    It looks like you’re not understanding what a VLAN is. It is a virtual LAN, it’s near physical separation of traffic.

    In your example, your IoT devices and HA would sit in their network. Your PCs and phones on another, reaching outside through PiHole. Your *arr suite in a third, only routed outside through a VPN. You get the gist. And then you set rules on how these subnets talk to each other in a router, like you would do if they were physically separate.

    • JustEnoughDucks@feddit.nlOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      Yes, that is why I gave an example of how i thought it worked, but i have a single physical server with *arr suite, HA, reverse proxy, and all of my other services.

      If it is a near physical separation of traffic, how can 1 device with 1 MAC and 1 IP be isolated on multiple parts of the VLAN?

      • Dran@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        7 months ago

        You would expose a single port to multiple vlans, and then bind multiple addresses to that single physical connected interface. Each service would then bind itself to the appropriate address, rather than “*”

      • acockworkorange@mander.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        7 months ago

        Oh, it can’t. You’d need more ETH ports. One for each VLAN a device is connected to. You can find multiport low speed expansion cards for cheap, even more so used. Many people think it’s a worthy investment. You learn a valuable skill and have a more resilient, secure network.

        Of course that assumes you have spare expansion connectors on your server. I might be wrong, but I’m pretty sure you can find ETH boards for that “Wi-Fi” M.2 connector, so that’s an option if you don’t have PCI. That way you can at least segregate Internet and local traffic.

        Edit: apparently you can. Time for me to update my knowledge.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 months ago

    Vlans are really only useful with firewalls. If you setup VLANs by themselves it does nothing (mostly)

  • CMahaff@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    7 months ago

    Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

    I think of it like this: grouping several physical switch ports together into a private network, effectively like each group of ports is it’s own isolated switch. I assume there are routers which allows you to assign vlans to different Wi-Fi access points as well, so it doesn’t need to be literally physical.

    Obviously the benefits of vlans over something actually physical is that you can have as many as you like, and there are ways to trunk the data if one client needs access to multiple vlans at once.

    In your setup, you may or may not benefit, organizationally. Obviously other commenters have pointed out some of the security benefits. If you were using vlans I think you’d have at a minimum a private and public vlan, separating out the items that don’t need Internet access from the Internet at all. Your server would probably need access to both vlans in that scenario. But certainly as you say, you can probably accomplish a lot of this without vlans, if you can aggressively setup your firewall rules. The benefit of vlans is you would only really need to setup firewall rules on whatever vlan(s) have Internet access.