Advice on setting up VLANs for IoT segment and self-hosted web server

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Advice on setting up VLANs for IoT segment and self-hosted web server

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Advice on setting up VLANs for IoT segment and self-hosted web server
Advice on setting up VLANs for IoT segment and self-hosted web server
2019-03-31 20:43:36 - last edited 2021-04-19 11:50:28
Model: TL-R470T+  
Hardware Version: V3
Firmware Version: 5.2.2 Build 20140422 Rel.59140s

I'm about to go from "ordinary home network" to "advanced home network" - even though my knowledge level isn't really adequate! I'm going to buy a couple of EAP245 access points (one for each end of my house) and use them in conjunction with my TL-R470T+ router to create multiple SSIDs/VLANs for different devices/purposes.

 

My main network should consist of my audio/video components (all of which have wired connections or don't need a connection at all), all the PCs in my office/lab (all wired), a handful of smart/mobile devices, and a few laptops/Chromebooks that don't see much use. I like the idea of whitelisting MAC addresses for this network and disallowing everything else. If we get a new device, I'll add it to the whitelist, but I don't want anything getting in unless I let it in.

 

My guest network should give guests access to the internet - and nothing else. I'd like to get notifications whenever new devices connect so I know if a neighbor or someone parked on the street has managed to hack their way in.

 

My IoT devices should all be on their own VLAN (2.4GHz SSID), with no access to my main network. And here's where things start to get confusing for me... All of my IoT devices need to be able to talk to my hub (Home Assistant on a RasPi) - but in order to control all those devices, some of the (smart/mobile) devices on my main network also have to be able to connect to my Home Assistant box. What's the right way to enable that such that I can connect to my HA server from my iPad to turn lights on and off - and yet a malicious intruder who gains access to my IoT VLAN can't get at my iPad?

 

Similarly, the vast majority of my IoT devices have firmware that allows all control to take place locally so that these devices don't need to connect to the big, scary Internet (AND I can still have my smarthome functionality even if my internet connection is down) - so I'm inclined to isolate my IoT VLAN from the internet entirely. But there are probably devices that I haven't thought about which still require internet connectivity (maybe on Home Assistant's end) in order to work. And then there's Alexa...... So I'm thinking about having TWO IoT VLANs - one for devices that don't ever need an internet connection and one for devices that do. Of course, devices on both of these VLANs will still need to talk to Home Assistant. I have NO CLUE how to pull all that off. Not really sure how to even start.

 

A final consideration is that it's nice to be able to access IoT devices remotely. I think that's just a matter of setting up a VPN connection or a reverse proxy to Home Assistant. Clearly, my Home Assistant server is going to be my biggest vulnerability. How do I lock it down and keep all the functionality I want, while also preventing security breaches?

 

What's the right way to set all this up?

 

Sorry that was so lengthy, but it's a complicated setup. If you've read this far, THANK YOU! I'd really appreciate your input and guidance.

  0      
  0      
#1
Options
5 Reply
Re:Advice on setting up VLANs for IoT segment and self-hosted web server
2019-03-31 21:13:46 - last edited 2021-04-19 11:50:28

I should probably add that my house is prewired with 2 runs of CAT5e to each room and a smart panel.

  0  
  0  
#2
Options
Re:Advice on setting up VLANs for IoT segment and self-hosted web server
2019-10-14 15:38:35 - last edited 2021-04-19 11:50:28

@ErniePantuso 

 

I would also like some help with configuring my TP-Link TL-ER6020 and T2600G-28TS. I just want to configure an IoT VLAN that does not have access

to my main vlan, but access to the internet. Have my devices like iPhone and laptop communicate with devices on the IoT VLAN.

Configuring EAPs are pretty stright forward. 

I have used Ubiquiti products and there are a ton of videos showing how to isolate your IoT devices and it works well.

It would be nice if someone who has better knowledge of SMB routers and managed switches, would do a video or publish a step-by-step guide on how to

accomplish this. It would be very helpful for the novice users. I believe the biggest issue is setting up firewall rules on the routers. Where does one go?

  0  
  0  
#3
Options
Re:Advice on setting up VLANs for IoT segment and self-hosted web server
2019-10-15 03:33:23 - last edited 2021-04-19 11:50:28

@Rojoone2 

 

If your ER6020 is version 2, I think just need to set up the VLAN on switch and router. If you still need to isolate wireless client, you need to set up multi-SSID.

Suppose that your main VLAN is 10 and IoT VLAN is 20. And topology is ER6020 port 5 <-----> port 1 Switch port 2<-----> EAP

 

EAP SSID1-VLAN10, SSID2-VLAN20 (when you set SSID, it should be able to set VLAN on the same interface as well)

Switch port 2, VLAN10 / tagged,  VLAN 20 / tagged

           port 1, VLAN10 / tagged,  VLAN 20 / tagged

Router port 5, VLAN10 / tagged,  VLAN 20 / tagged

 

 

  0  
  0  
#4
Options
Re:Advice on setting up VLANs for IoT segment and self-hosted web server
2019-10-15 11:14:30 - last edited 2021-04-19 11:50:28

Rojoone2,

 

there is a step-by-step guide in this FAQ: https://www.tp-link.com/us/support/faq/887/. You need multi-nets NAT on the router for Internet access of both subnets, two DHCP servers on your T2600G switch for separate subnet IPs, inter-VLAN routing on the switch to be able to reach your IoT devices from the local net but not vice-versa and multi-SSID feature as well as client isolation (now called »guest network«) on your EAPs for wireless connectivity to both subnets.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  0  
  0  
#5
Options
Re:Advice on setting up VLANs for IoT segment and self-hosted web server
2019-10-15 13:54:27 - last edited 2021-04-19 11:50:28

@R1D2 , @Andone . Thanks for your posts! I will give this a shot when I get home this evening. 

  0  
  0  
#6
Options