this post was submitted on 24 Apr 2024
71 points (100.0% liked)

Selfhosted

40305 readers
470 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey everyone,

I am completely stripping my house and am currently thinking about how to set up the home network.

This is my usecase:

  • home server that can access the internet + homeassistant that can access IoT devices

  • KNX that I want to have access to home assistant and vice versa

  • IoT devices over WiFi (maybe thread in the future) that are the vast majority homemade via ESPHome. I want them to be able to access the server and the other way around. (Sending data updates and in the future, sending voice commands)

  • 3 PoE cameras through a PoE 4 port switch

  • a Chromecast & nintendo switch that need internet access

Every router worth anything already has a guest network, so I don't see much value in separating out a VLAN in a home use case.

My IoT devices work locally, not through the cloud. I want them to work functionally flawless with Home assistant, especially anything on battery so it doesn't kill its battery retrying until home assistant polls.

The PoE cameras can easily have their internet access blocked on most routers via parental controls or similar and I want them to be able to send data to the on-server NVR

I already have PiHole blocking most phone homes from the chromecast or guest devices.

So far it seems like a VLAN is not too useful for me because I would want bidirectional access to the server which in turn should have access from the LAN and WiFi. And vice versa.

Maybe I am not thinking of the access control capability of VLANs correctly (I am thinking in terms of port based iptables: port X has only incoming+established and no outgoing for example).

I figure if my network is already penetrated, it would most likely be via the WiFi or internet so the attack vector seems to not protect from much in my specific use case.

Am I completely wrong on this?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 7 months ago* (last edited 7 months ago) (2 children)

It all comes down to what you trust each type of device to do and how you want to handle their traffic.

I have seven VLANs, with each one's traffic being treated very specifically. The subnets for each VLAN route to specific interfaces on a virtualised OPNsense firewall, which is where my traffic handling and policy enforcement takes place.

Also remember VLANs are just plain useful for segregating traffic, particularly broadcast traffic, without having to invest in separate switching/routing for each subnet. Having a single managed switch that limits the broadcast domains for you is a really efficient way to (physically) setup your network.

[–] CMahaff 4 points 7 months ago* (last edited 7 months ago) (1 children)

Out of curiosity, what switch are you using for your setup?

Last time I looked, I struggled to find any brand of "home tier" router / switch that supported things like configuring vlans, etc.

[–] [email protected] 2 points 7 months ago

Believe it or not, a Netgear. Specifically this one. I don't have any fibre connected gear (yet!) and 180W of PoE+ was more than enough for my few PoE cameras and WAPs.