Just would like to ask the experts how to improve network protection.
I do use lots of smarthome devices most of these flashed with TASMOTA firmware
but couldn't avoid now also some TUYA devices, IP CAM devices and air conditioners, all using their unique apps for (calling home) internet access - headache
Can I somehow protect my network?
I thought about using a guest network for these devices.
Can I access these devices using their apps when not connected to the guest network?
When using MQTT for sending and receiving payloads for at least some of these devices, will that work?
Hi, that sounds good.
I assume your router is connected via WAN port to the internet in PPPoE mode, correct?
I am just playing a bit with the guest network settings, trying to understand the two existing documents for setting up a guest network. There is the one you have linked for when the router is the main router to the internet and another doc for when the router is a dumb AP.
Can you access your LAN devices from these devices in the Guest network, or vice versa, can you access the devices in Guest from the LAN? Or is this not necessary because you just use the app for the TUYA devices?
Tuya-Zigbee is usually fine (using ZHA or zigbee2mqtt, works fine completely offline with your own zigbee coordinator), Tuya-WiFi is better avoided at all cost - you can't really avoid their cloud here (yes, there is local-tuya, but calling that complex, constantly changing and temperamental would be an understatement). Yes, I realize that zigbee is not an option for surveillance cameras - my advice would be to look for pure network cameras (without cloud integration) instead; yes, those firmwares are not to be trusted either, but at least you can lock them into a jailed-off/no-internet network.
Back to your inquiry…
Yes, you can put it into a guest-network - but you can't cut it off from the internet and need to rely on their cloud services (so when they discontinue services for your devices, it's dead - and they get to see your video streams completely, to do with whatever they want).
If the tuya-smartlife app requires you to be part of the same broadcast domain (at least for onboarding?) or if it's exclusively cloud based is something you will have to find out.
Either way, it's not a pleasant situation.
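The reply above says you will have to find out for yourself whether a given device is exclusively cloud based, and that cameras without cloud integration can be jailed into a no-internet network. The usual way to find out is to look at the router's flow records for the IoT segment and see which devices actually reach public addresses. The script below is an added example, not code from anyone in the thread: it parses a handful of constructed flow records (source, destination, protocol, destination port, bytes sent) and reports, per device, which external endpoints it talks to and which devices never leave the internal subnets. The subnets, addresses and byte counts are assumptions for the example; a real conntrack or netflow export from the router would be parsed the same way.

```python
"""Summarise which devices in the IoT segment phone home, from flow records.

Added example for the thread's point that cloud-bound devices cannot simply
be cut off from the internet: before deciding which devices may live in a
no-internet network, list who talks to public addresses and how much.
All addresses, subnets and counters below are constructed for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed LAN and IoT/guest subnets; anything outside these counts as "external".
INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.20.0/24")]

# Constructed flow records: "src_ip dst_ip proto dst_port bytes_out".
# 20.50 = Tasmota device publishing MQTT to a local broker,
# 20.60 = camera streaming to a cloud relay, 20.61 = device using MQTT to a
# cloud broker, 20.70 = camera only ever contacted from the LAN.
SAMPLE_FLOWS = """\
192.168.20.50 192.168.1.10 tcp 1883 4120
192.168.20.50 192.168.1.10 tcp 1883 388
192.168.20.60 203.0.113.5 tcp 443 901233
192.168.20.60 203.0.113.5 udp 8000 55000
192.168.20.61 198.51.100.7 tcp 1883 1200
192.168.20.70 192.168.1.30 tcp 554 0
192.168.20.60 192.168.20.1 udp 53 96
"""


def is_internal(addr: str) -> bool:
    """True when the address lies in one of the configured internal subnets."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    src, dst, proto, dport, nbytes = line.split()
    return src, dst, proto, int(dport), int(nbytes)


def cloud_summary(text: str) -> dict:
    """Return {device: {(dst_ip, proto, dst_port): bytes}} for external destinations only."""
    out = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = parse_flow(line)
        if is_internal(dst):
            continue  # local broker, LAN hosts, DNS to the router: not phone-home
        out[src][(dst, proto, dport)] += nbytes
    return {dev: dict(dsts) for dev, dsts in out.items()}


def devices_seen(text: str) -> set:
    return {parse_flow(l)[0] for l in text.splitlines() if l.strip()}


def local_only_devices(text: str) -> list:
    """Devices that never reached an external address: candidates for a no-internet zone."""
    return sorted(devices_seen(text) - set(cloud_summary(text)))


def top_talkers(text: str) -> list:
    """External byte volume per device, largest first."""
    totals = {dev: sum(dsts.values()) for dev, dsts in cloud_summary(text).items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for dev, dsts in cloud_summary(SAMPLE_FLOWS).items():
        for (dst, proto, port), nbytes in dsts.items():
            print(f"{dev} -> {dst} {proto}/{port}: {nbytes} bytes")
    print("local-only:", local_only_devices(SAMPLE_FLOWS))
```

The devices that show up in `local_only_devices` are the ones the reply suggests locking into a jailed-off segment; a device that keeps appearing in `cloud_summary` after its app is closed is the kind whose cloud dependency you cannot remove by firewalling alone.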
OK, more or less what I've expected.
So that means it doesn't help when I put these calling-home devices into a separate network, right?
But what about zigbee2mqtt devices when the server, in my case openHAB, is in the main LAN network? What ports need to be opened in the firewall traffic rules? Did you try that already?
It does, and it's still a good idea (at least keeps them away from your internal network - then giving the smartlife android app access to your internal WLAN does slightly defeat the purpose though, but then you probably have quite a few other apps on your network that probably shouldn't be).
It's zigbee, there are no IP addresses or ports.
The zigbee devices talk, through the zigbee coordinator, to zigbee2mqtt - you only need access somehow to this server instance (haos, openhab, etc. pp.). That's actually great here, as it means the functionality is all local and you don't need internet access for them.
Yes, correct, that is the cool thing about zigbee2mqtt.
I didn't clearly mention that I do have lots of tasmota-flashed devices and maybe don't need to have these in a separate network because they are just local, no Internet required.
But if I would push these to the IoT network I would need to allow the traffic, at least I think port 1883 for MQTT from IoT to LAN, and full access from LAN to IoT. Is that possible, and if yes, would that be possible with a specific traffic rule?
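The policy asked about in the last post (full access from LAN to IoT, from IoT to LAN only TCP 1883 to the broker, IoT devices still allowed out to the internet) is a zone-based forwarding policy with one narrow accept rule. The script below is an added example, not code from anyone in the thread or from any router project: it models two zones plus WAN, a first-match rule list, and a minimal conntrack-style table so that replies to accepted connections pass without their own rule, then runs a few constructed flows through it. The subnets, the broker address 192.168.1.10 and the device addresses are assumptions for the example.

```python
"""Zone-based firewall policy model for a LAN / IoT split (constructed example).

Zones: "lan" holds the MQTT broker (openHAB/Mosquitto host), "iot" holds the
Tasmota and cloud devices, anything else is "wan". Rules, first match wins:
  lan -> iot : accept everything
  iot -> lan : accept only TCP 1883 to the broker address
  iot -> wan : accept (cloud devices keep calling home)
  lan -> wan : accept
Everything else, including unsolicited wan -> iot and iot -> lan, is dropped.
Replies to an accepted connection are allowed via a conntrack-style set.
Addresses below are assumptions for this example, not taken from the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {
    "lan": ip_network("192.168.1.0/24"),   # assumed LAN subnet
    "iot": ip_network("192.168.20.0/24"),  # assumed IoT / guest subnet
}
MQTT_BROKER = "192.168.1.10"               # assumed openHAB / Mosquitto host


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                     # "accept" or "drop"
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port
    dst_ip: Optional[str] = None    # None = any host in dst_zone

    def matches(self, src, dst, proto, dport) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and self.proto in (None, proto)
                and self.dport in (None, dport)
                and self.dst_ip in (None, dst))


POLICY = [
    Rule("lan", "iot", "accept"),
    Rule("iot", "lan", "accept", proto="tcp", dport=1883, dst_ip=MQTT_BROKER),
    Rule("iot", "wan", "accept"),
    Rule("lan", "wan", "accept"),
]


@dataclass
class Firewall:
    rules: list
    conntrack: set = field(default_factory=set)   # accepted 5-tuples

    def forward(self, src, dst, proto, sport, dport) -> str:
        # Established/related: the reverse 5-tuple was accepted earlier.
        if (dst, src, proto, dport, sport) in self.conntrack:
            return "accept"
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                if rule.action == "accept":
                    self.conntrack.add((src, dst, proto, sport, dport))
                return rule.action
        return "drop"   # implicit default for every zone pair not listed


def run_scenarios() -> dict:
    """Constructed flows exercising the policy; returns {name: verdict}."""
    fw = Firewall(POLICY)
    tasmota, camera, nas, phone, cloud = ("192.168.20.50", "192.168.20.60",
                                          "192.168.1.20", "192.168.1.30", "203.0.113.5")
    return {
        "tasmota_to_broker_mqtt": fw.forward(tasmota, MQTT_BROKER, "tcp", 41000, 1883),
        "broker_reply_to_tasmota": fw.forward(MQTT_BROKER, tasmota, "tcp", 1883, 41000),
        "tasmota_to_nas_smb": fw.forward(tasmota, nas, "tcp", 41001, 445),
        "tasmota_to_broker_ssh": fw.forward(tasmota, MQTT_BROKER, "tcp", 41002, 22),
        "camera_to_cloud": fw.forward(camera, cloud, "tcp", 5000, 443),
        "phone_to_camera_rtsp": fw.forward(phone, camera, "tcp", 50000, 554),
        "camera_reply_to_phone": fw.forward(camera, phone, "tcp", 554, 50000),
        "camera_unsolicited_to_phone": fw.forward(camera, phone, "tcp", 5001, 554),
        "internet_to_tasmota": fw.forward("203.0.113.9", tasmota, "tcp", 6000, 80),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:30s} {verdict}")
```

The point the model makes explicit is the conntrack check: MQTT is a single TCP connection opened by the device toward the broker, so one IoT-to-LAN accept for TCP 1883 to the broker's address covers publishes and subscriptions in both directions, and no rule from LAN back to the IoT zone is needed for the broker's replies. On a router with zone-based firewalling this corresponds to a LAN-to-IoT forwarding, a single IoT-to-LAN traffic rule restricted to TCP 1883 and the broker's IP, and the default reject for the rest of IoT-to-LAN.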