How many VLANS for my home network?

Simply said, I have VLANs for LAN, Guest and IOT today.

LAN is where everything is today.
IOT has one device that monitors electricity and pushes info back to Home Assistant via MQTT. (No WAN access on IOT vlan)

I struggle with putting entertainment devices in LAN (but they are) so I think a new entertainment VLAN could be smart. For instance apple tv, chromecast, netatmo, sonos, printer (maybe?)
Would an IOeT (Internet of entertainment Things) VLAN with access to WAN be smart? Or plain stupid? :slight_smile:

My server hosts different VMs (Windows on bare metal) with VMware Workstation on top.
I want to keep that one as secure/safe as possible.
Home Assistant already uses a lot of the mentioned systems, and yesterday came info about a huge security breach that's been active for several years.
Would it be smart to put the VMs on separate VLANs and the Windows server on LAN maybe?

Thanks, as you probably already understand, I find this very interesting and important, but I lack the full picture of what's possible and why to segregate on vlans.

Then you'll find out that features like casting or printer finder are not working. It's not terrible, just saying.

I don't see why you need to go into all that fuss for a home deployment. If you don't trust a device, like a no-name smart light bulb, connect it to the iot. Everything else can be connected to lan.

Casting is much needed. So it's not a one-way traffic rule for that, like lan => IoeT.
What about DMZ - is that something I could use? I don't have a proxy/nginx or anything like that; I'm using dnscrypt-proxy for DNS and ad-blocking.
Making my home network safer is my end goal, I assume.. :slight_smile:

Also, simply do not consider your LAN to be unconditionally trustworthy and activate firewalls in all end hosts...

And by that you mean windows/mac fw? Yes, those are activated. Not sure how good they are..

What I don't trust is my Xiaomi Roborock vacuum, but without WAN it will fail to work. Will it be safer to put that on an IoeT vlan - no access to LAN but to WAN? (Kind of the same as Guest)

Yes, as well as Linux. These tend to be significantly better than no firewall.

It depends on your threat model. If you assume the Roborock is used as a platform to snoop on your internal traffic, then moving it to the IoT vlan would help (in that it will only be able to snoop other IoT traffic, but that could already be problematic); however, it will already exfiltrate some stuff/information to its mothership, likely its course and something resembling a ground plan of your apartment (I think iRobot vacuums have been found to also upload photos from inside customers' apartments). Personally, I try to not use IoT devices at all (so far I managed, but it is not that I can vouch for all of the devices in my network either). I still like the adage 'the "S" in IoT stands for security', which does have some truth to it (and no, there is no S in IoT, just as there is (little) robust and reliable security*).

*) All cloud-based offers will spy on you one way or the other; if you are lucky, they describe the spying veridically and offer some service that is a decent trade-off. I fear that a lot of these devices do not make the trade-offs clear and try to avoid telling you what they exfiltrate. But then I use no IoT, so this is an episode of "old man, yelling at the cloud".

I'm just adding another opinion in agreement with others here, but FWIW I use a single IOT VLAN, it has WAN access and my robot vacuum is connected to it. I do keep my security system on its own VLAN.

Taken to extremes, every device could have its own VLAN. But risk is probability times consequences, and the consequences of a vacuum hacking an electricity monitor or smart light bulb seem like they would be survivable.

I would give your IOT WAN access and add the vacuum to it.

I just added another IOTW network and put them there :slight_smile: IOT-wan...
The vacuums work fine with local polling actually, but the app is of course depending on WAN.
I use Home Assistant to automate schedules and emptying (send it to the location of the trash), so it could be placed in my IOT network. But WAF is something to work for (wife acceptance factor).
They are off my LAN, so I'm happy with that - and I might be paranoid doing that, but I do feel that with some competence and some effort I can make my network at home a little more resilient.
Regarding the Home Assistant security breach, I really feel like I exposed my network, devices, file servers, phones.. and if I can do something to tighten things, I want to.

So next up would be to isolate HA from accessing everything it wants, I think
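The zone layout the thread converges on (LAN, Guest, an IOT zone without WAN whose electricity monitor still publishes MQTT to Home Assistant, and an IOT-wan zone for the vacuum and casting devices that may reach the internet but not the LAN) is easy to get subtly wrong, so here is an added example, not code from the thread or from any of the posters, that models it as OpenWrt-style firewall zones, checks the isolation promises before anything is deployed, and renders the equivalent /etc/config/firewall stanzas. Using the zone name as the OpenWrt interface name, the Home Assistant address 192.0.2.10 and the MQTT port 1883 are assumptions for illustration; adapt them to your own network.

```python
"""Model the VLAN zones from the thread, verify isolation invariants, and emit
OpenWrt UCI firewall stanzas. Added example; interface names, the HA address
and the port numbers are assumptions, not values from the thread."""
from dataclasses import dataclass
from typing import Optional

HA_IP = "192.0.2.10"   # assumed Home Assistant host on LAN (documentation range)
MQTT_PORT = 1883       # assumed plain-MQTT port the electricity monitor pushes to


@dataclass(frozen=True)
class Zone:
    name: str
    input: str = "REJECT"    # packets addressed to the router itself
    forward: str = "REJECT"  # packets between networks inside the same zone
    masq: bool = False       # NAT outbound (only the WAN zone)


@dataclass(frozen=True)
class Rule:
    """An explicit allow; dest=None means traffic to the router itself (input)."""
    name: str
    src: str
    proto: str
    dest_port: int
    dest: Optional[str] = None
    dest_ip: Optional[str] = None


ZONES = [
    Zone("lan", input="ACCEPT", forward="ACCEPT"),  # trusted clients, HA, server
    Zone("guest"),
    Zone("iot"),    # electricity monitor: LAN may poll it, it may only push MQTT to HA
    Zone("iotw"),   # "IOT-wan": vacuum, casting devices; WAN yes, LAN no
    Zone("wan", masq=True),
]

# Zone-to-zone forwarding. The firewall is stateful (conntrack), so each pair
# lets the *source* zone open connections and the replies flow back; it does
# not let the destination zone initiate. That is what makes lan -> iot one-way.
FORWARDINGS = {
    ("lan", "wan"), ("lan", "iot"), ("lan", "iotw"),
    ("guest", "wan"), ("iotw", "wan"),
    # deliberately absent: ("iot", "wan") and anything -> "lan"
}

RULES = [
    # every isolated zone still needs DHCP and DNS from the router itself
    *[Rule(f"{z}-dhcp", z, "udp", 67) for z in ("guest", "iot", "iotw")],
    *[Rule(f"{z}-dns", z, "udp", 53) for z in ("guest", "iot", "iotw")],
    # the single pinhole from iot into lan: MQTT to the HA host only
    Rule("iot-mqtt-to-ha", "iot", "tcp", MQTT_PORT, dest="lan", dest_ip=HA_IP),
]


def allowed(src: str, dest: str, dest_ip: Optional[str] = None,
            dest_port: Optional[int] = None, proto: str = "tcp") -> bool:
    """Can a NEW connection from zone `src` reach zone `dest`?"""
    if (src, dest) in FORWARDINGS:
        return True
    return any(r.src == src and r.dest == dest and r.dest_ip == dest_ip
               and r.dest_port == dest_port and r.proto == proto for r in RULES)


def check_invariants() -> list[str]:
    """Return the segmentation promises the policy fails to keep (empty = ok)."""
    problems = []
    for z in ("guest", "iot", "iotw"):
        if allowed(z, "lan"):
            problems.append(f"{z} can initiate connections into lan")
    if allowed("iot", "wan"):
        problems.append("iot has WAN access")
    if not allowed("lan", "iot") or not allowed("lan", "iotw"):
        problems.append("lan cannot reach its IoT zones")
    if not allowed("iot", "lan", HA_IP, MQTT_PORT, "tcp"):
        problems.append("electricity monitor cannot publish MQTT to HA")
    if allowed("iot", "lan", HA_IP, 22, "tcp"):
        problems.append("MQTT pinhole is wider than one port")
    return problems


def render_firewall_config() -> str:
    """Emit the equivalent /etc/config/firewall stanzas in UCI syntax."""
    out = []
    for z in ZONES:
        out += ["config zone", f"\toption name '{z.name}'", f"\tlist network '{z.name}'",
                f"\toption input '{z.input}'", "\toption output 'ACCEPT'",
                f"\toption forward '{z.forward}'"]
        if z.masq:
            out += ["\toption masq '1'", "\toption mtu_fix '1'"]
        out.append("")
    for src, dest in sorted(FORWARDINGS):
        out += ["config forwarding", f"\toption src '{src}'", f"\toption dest '{dest}'", ""]
    for r in RULES:
        out += ["config rule", f"\toption name '{r.name}'", f"\toption src '{r.src}'"]
        if r.dest:
            out.append(f"\toption dest '{r.dest}'")
        if r.dest_ip:
            out.append(f"\toption dest_ip '{r.dest_ip}'")
        out += [f"\toption proto '{r.proto}'", f"\toption dest_port '{r.dest_port}'",
                "\toption target 'ACCEPT'", ""]
    return "\n".join(out)


if __name__ == "__main__":
    assert not check_invariants(), check_invariants()
    print(render_firewall_config())
```

Two things the firewall alone does not give you: casting and printer discovery rely on mDNS, which does not cross VLANs, so the `lan` <-> `iotw` pair additionally needs an mDNS reflector on the router (`umdns` on OpenWrt, or Avahi with `enable-reflector=yes`); and the `iot-mqtt-to-ha` rule is the only hole in the IOT zone, so if Home Assistant moves, that one `dest_ip` is the line to update. Run `check_invariants()` after every change to the policy tables; an empty list means the promises in the thread still hold.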