Home automation on separate VLAN: How to control with apps?
-
@dominikhoffmann said in Home automation on separate VLAN: How to control with apps?:
I do understand the notion that one can set up a VLAN for home automation components and firewall them from the Internet. That way, these components can’t phone home and potentially be used to spy for a nation state on my home or be used to in a cyber war on the U.S.
However, most home automation needs to be controlled by an app. How do I make sure that I can still have my phone, iPad or computer on my regular network while being able to communicate with and control the home automation equipment on the segregated VLAN?
Yeah, that can be a rather big challenge… The trouble with a lot of IoT automation/speaker/multimedia devices is that they are used by client devices that need to be able to discover them using multicast/broadcast methods like mDNS. When using VLAN separation between the client (e.g. a phone with the app) and the IoT device, that no longer works - regardless of firewall rules.
The key is to enable a “repeater” service that repeats broad/multicast packets from one VLAN to another. Once those packets are repeated and seen by the devices, they can discover each other - But now you need to open the needed firewall rules between the VLANs, to actually allow traffic between the client and IoT device.
The easiest way to enable a repeater on pfSense is to install the “AVAHI” package and enable repeater mode.
Find some inspiration here:
https://www.reddit.com/r/PFSENSE/comments/jn3y7q/help_with_mdnsavahi_across_vlans/
But it will be a hassle to open only the needed ports and services between the VLANs :-)
-
@dominikhoffmann said in Home automation on separate VLAN: How to control with apps?:
I do understand the notion that one can set up a VLAN for home automation components and firewall them from the Internet. That way, these components can’t phone home and potentially be used to spy for a nation state on my home or be used to in a cyber war on the U.S.
However, most home automation needs to be controlled by an app. How do I make sure that I can still have my phone, iPad or computer on my regular network while being able to communicate with and control the home automation equipment on the segregated VLAN?
Have you looked at homebridge?
-
Homebridge is nice; however, simplicity and ease of use don't go along with security.
All these nice devices phone home to some cloud service in order to operate. Having a personal cloud locally available for them to phone to is secure, but certainly does require knowledge, resources and TIME, which in most cases isn't worth it.
-
@dominikhoffmann said in Home automation on separate VLAN: How to control with apps?:
most home automation needs to be controlled by an app
What specific home automation are you using? Many devices actually require the ability to phone home to work.
-
I have two Chamberlain garage door openers, whose home automation primarily is operated through their proprietary cloud-based communication. A Chamberlain bridge makes them available in HomeKit. Chamberlain is a U.S. company, which hopefully qualifies their chipsets to not contain nefarious functionality.
My Rachio irrigation controller ipso facto has to phone home, in order to get instructions on how to adapt the irrigation schedule to seasonal changes and short-term weather patterns. It’s also a U.S. company.
I have various IKEA Trådfri smart plugs. I don’t know whether that system requires communication with IKEA servers. I don’t think so. The gateway uses a Japanese Ethernet chipset.
I also have Lutron light switches, which in my experience have provided the most solid performance among the home automation brands I use. I don’t think I have ever had to power-cycle the Lutron bridge to regain functionality in the Apple Home app. Given that the light switches operate apart from the LAN being operational, I don’t think they have to phone home. Lutron is a U.S. company.
I have one Meross outdoor plug-in switch, which I use for Christmas lighting. I am most worried about that one. Again, once set up, I don’t think it has to phone home to work, as, since setting it up, it has functioned great without my ever having had to touch the Meross app.
The Meross device lives directly on the WiFi network, however, which means that any DoS activity originating from it wouldn’t even have to hop from a Zigbee network to my LAN. Also, they are Chinese, and I think it’s indisputable that China is at best a strategic adversary of ours. Nothing against the Chinese people, as they live under a totalitarian government for which coercion is the most natural way of projecting power.
-
I had such an AVAHI repeater set up at one point. I turned it off again, because it wreaked havoc on my IKEA Trådfri components. Not sure whether it still would if I turned it on again, because pfSense, the various Trådfri firmware instances, the Trådfri app, and iOS (and thus the Home app) have been updated since. It is also possible that I did not set it up correctly.
I will look at that link you provided. Thank you!
-
@dominikhoffmann I have a Chamberlain bridge and also a Lutron.
I have no issues with any of these being on a VLAN. But then again I do not block their phoning home.
I am also a fan of the Lutron - I would like to have all my lights using this - but price and effort made just using cheap WiFi bulbs in some locations a cheaper, easier option.
All of my IoT stuff sits on a VLAN isolated from my other networks. I can control anything from my phone, be it at home on my trusted WiFi (different from the IoT VLAN) or just out and about in the world, via the internet from my phone.
I also control all devices from my Alexa devices, which also sit on my IoT VLAN.
For devices to work from another VLAN - most likely you would need to be able to discover them. If this is just mDNS then Avahi can be set up; keep in mind this does break your L2 barrier. If you can put in the IP of the device then you wouldn't need discovery across VLANs.
And you could for sure just allow all access from LAN into your VLAN, but not let the VLAN talk to your LAN.
Here is the thing: you quite possibly could restrict specific IoT devices on your network from phoning home and still get stuff to work. I could probably, for example, only allow my Alexa out, and still control my devices via Alexa while remote, but I doubt I could directly control the lights with their app if the devices cannot phone home.
Other than security, one of the other reasons I isolate my IoT devices to their own VLAN is they are chatty little bastards; they just spew broadcast traffic and multicast. I have no desire for that traffic to be on my other networks.
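The discovery problem described in the first reply and again in the post above (mDNS queries go to the link-local multicast group 224.0.0.251 port 5353 and are never routed, so an app on the LAN VLAN cannot see an accessory on the IoT VLAN until a reflector such as the Avahi package repeats the packets, and control traffic still needs unicast firewall rules) can be checked end to end with a small probe. The script below is an added example written for this thread; it is not code from the original posts, from pfSense or from Avahi. It assumes the HomeKit service type `_hap._tcp.local` as the thing to look for, and `build_ptr_response()` is a constructed stand-in for what an accessory would multicast back, so the parser can be exercised offline.

```python
"""Minimal mDNS (RFC 6762) query builder, response parser and discovery probe.
Added example for this thread (not from pfSense, Avahi or the posts above).
discover() multicasts one PTR query and lists who answered; run it from the
client VLAN before and after enabling the reflector. build_ptr_response() is a
constructed accessory reply used to exercise the parser offline."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR = 12
MAX_POINTER_HOPS = 16  # guard against compression-pointer loops in hostile packets


def encode_name(name: str) -> bytes:
    """Encode 'a.b.local' as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(service: str) -> bytes:
    """One-question standard query (class IN) for the PTR records of a service type."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def build_ptr_response(service: str, instance: str, ttl: int = 4500) -> bytes:
    """Constructed responder message: flags 0x8400 (response, authoritative), no
    question section, one PTR answer whose rdata is the instance label followed
    by a compression pointer (0xC00C) back to the service name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    owner = encode_name(service)  # lands at offset 12
    rdata = bytes([len(instance)]) + instance.encode("ascii") + b"\xc0\x0c"
    # class 0x8001 = IN with the mDNS cache-flush bit set
    return header + owner + struct.pack("!HHIH", TYPE_PTR, 0x8001, ttl, len(rdata)) + rdata


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed name. Returns (dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the stream resumes after the first pointer
            offset = pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_ptr_answers(packet: bytes):
    """Return [(owner name, PTR target)] for PTR records in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):  # skip echoed questions: name + qtype + qclass
        _, offset = decode_name(packet, offset)
        offset += 4
    results = []
    for _ in range(ancount):
        name, offset = decode_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            results.append((name, decode_name(packet, offset)[0]))
        offset += rdlen
    return results


def discover(service: str, timeout: float = 2.0) -> dict:
    """Send one query from port 5353, join the group, and collect answers for
    `timeout` seconds. Returns {instance name: source IP of the carrying packet}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):  # share 5353 with a local mDNS daemon
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    sock.bind(("", MDNS_PORT))
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762 requires 255
    sock.settimeout(timeout)
    sock.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            data, (addr, _) = sock.recvfrom(9000)
            try:
                answers = parse_ptr_answers(data)
            except (IndexError, ValueError, struct.error):
                continue  # not a well-formed DNS message; ignore it
            for name, target in answers:
                if name.lower() == service.lower():
                    found.setdefault(target, addr)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for instance, src in discover("_hap._tcp.local").items():  # HomeKit accessories
        print(f"{src:15} advertises {instance}")
```

When a reflector sits between the VLANs, the source address reported for each instance is the firewall's address on the client VLAN, because the reflector re-sends the advertisement from its own interface. That is the point the posts above make in another form: the reflector only repeats discovery packets, while the app's actual control session is unicast to the accessory's own IP and port, which is exactly the traffic the LAN-to-IoT firewall rules have to permit.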
-
@dominikhoffmann said in Home automation on separate VLAN: How to control with apps?:
I have one Meross outdoor plug-in switch, which I use for Christmas lighting. I am most worried about that one.
Now really? Christmas lighting is mission critical if you are expecting a visit from santa claus.
And what makes you think that US-based companies don't source components/systems etc. from Chinese companies? It's funny to think that if this doesn't work out well, China would fire up bots.
Cutting the supply chain would be far more efficient and devastating, hands down. I doubt there is one US major manufacturer that can't be affected without access to Chinese fabs etc.
The real issue with all this is:
a) Obsolescence. China factories seem to update their products often and they don't seem to support old stuff well. Having something that needs cloud access to function makes it a piece of junk the moment the cloud service is no longer available.
b) Reliability. Having to communicate to the other side of the globe adds uncertainty.
c) Support. Good luck with that. There are exceptions, but still.
-
@netblues: Stuxnet used Siemens industrial controls to mess up Iranian uranium enrichment centrifuges.
-
@dominikhoffmann said in Home automation on separate VLAN: How to control with apps?:
@netblues: Stuxnet used Siemens industrial controls to mess up Iranian uranium enrichment centrifuges.
Indeed.
Siemens is a German manufacturer, and there is strong speculation that Stuxnet was made especially for that, by Israeli spooks. So I guess Xmas lights are nuclear powered or something?