Hey everyone,
I am completely stripping my house and am currently thinking about how to set up the home network.
This is my usecase:
-
home server that can access the internet + homeassistant that can access IoT devices
-
KNX that I want to have access to home assistant and vice versa
-
IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)
-
3 PoE cameras through a PoE 4 port switch
-
a Chromecast & nintendo switch that need internet access
Every router worth anything already has a guest network, so I don’t see much value in separating out a VLAN in a home use case.
My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn’t kill its battery retrying until home assistant polls.
The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR
I already have PiHole blocking most phone homes from the chromecast or guest devices.
So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.
Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).
I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.
Am I completely wrong on this?
Like many other security mechanisms VLANs aren’t really about enabling anything that can’t be done without them.
Instead it’s almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.
So if your question is “do I need VLAN to enable any features”, then the answer is no, you don’t (almost certainly, I’m sure there are some weird corner cases and exceptions).
What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don’t normally talk to each other anyway. Right. That “normally” is exactly the case: one major benefit of having VLANs is not just stopping “normal” phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you’re out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone …
So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.
And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.
The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.
Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network
I had my home setup like that for years. ONT <-> Switch <-> Opnsense <-> Back to Switch
In larger networks VLANs let you do network segmentation across switches, which you can’t really do otherwise.
I wouldn’t bother at home.