Hello,
Has anyone secured their home automation with VLANs or a firewall (pfSense) or remote access via VPN, or is everyone connecting their sensors (full of vulnerabilities) to the same network as computers, phones, etc.?
Thanks in advance
Hello, if I’m not mistaken, isn’t it the Gateways that connect to the internet? Personally, I prefer everything that remains local or homemade, like zigbee2mqtt, and I’m good. @Totof will probably be able to answer you better on the subject, I think.
Hi @alex,
Personally, I don’t connect any of this to my network by principle to separate usage, but above all to prevent any access to home automation devices from the internet and the LAN.
My setup is as follows:
Thus, all Wi-Fi devices connect to the Raspberry where Gladys is, but cannot in any way go to the internet or the LAN.
For devices with RJ45, they are on a shared LAN, but blocked by the firewall and cannot go to the internet or request on the LAN.
I will need to move them to the Raspberry with a USB network card to group the home automation devices on the Raspberry to have filtering in the same place.
For remote access, I use a WireGuard VPN on a server that gives me access to all the networks in my home.
WireGuard is not yet in the stable repositories and you need to enable a kernel module (which will be integrated into the kernel this summer I think) but it is fully functional ^^
I haven’t had much time recently, but I can possibly make a tutorial from A to Z on the installation of Gladys, WireGuard, Shorewall, and hostapd.
However, some devices like Xiaomi do not want to connect to the network if they don’t have internet access. So you have to open the internet and then close it again ^^
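The zone layout described in this post (Wi-Fi devices reaching only the Gladys Pi, no internet or LAN access for devices, WireGuard peers allowed everywhere, a temporary opening for an OTA update) can be written as a Shorewall configuration. The fragment below is an added example, not the poster's own files: zone names, interface names, subnets, the 192.168.50.23 device address and the Gladys port 80 are assumptions; 1883 (MQTT) and 51820 (WireGuard) are the standard ports.

```conf
# /etc/shorewall/zones  (added example; zone names are assumptions)
#ZONE   TYPE
fw      firewall
net     ipv4        # internet uplink
lan     ipv4        # computers, phones
dom     ipv4        # home-automation Wi-Fi served by hostapd on the Pi
vpn     ipv4        # WireGuard peers

# /etc/shorewall/interfaces  (interface names are assumptions)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
lan     eth1        dhcp
dom     wlan0       dhcp              # hostapd interface; dhcp lets the Pi lease addresses
vpn     wg0         -

# /etc/shorewall/policy  -- first matching line wins
#SOURCE DEST    POLICY  LOGLEVEL
$FW     all     ACCEPT
vpn     all     ACCEPT                # remote admin over WireGuard reaches every network
lan     dom     ACCEPT                # phones and computers may talk to the devices
lan     net     ACCEPT
dom     net     DROP    info          # devices get no internet ...
dom     lan     DROP    info          # ... and cannot reach the LAN; both are logged
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  -- exceptions, evaluated before the policies
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   dom     $FW   tcp    1883      # MQTT broker on the Pi (standard port)
ACCEPT   dom     $FW   tcp    80        # Gladys web interface (port assumed)
ACCEPT   dom     $FW   udp    53        # DNS answered locally by the Pi (assumed)
ACCEPT   net     $FW   udp    51820     # WireGuard listening port (default)
# OTA window for one device: uncomment, `shorewall reload`, re-comment afterwards.
# The address is a constructed DHCP lease for the device being updated.
#ACCEPT  dom:192.168.50.23  net  tcp  443

# /etc/shorewall/snat  (LAN subnet assumed)
#ACTION      SOURCE           DEST
MASQUERADE   192.168.10.0/24  eth0
```

Because `rules` are matched before `policy`, the single commented line is enough to let one device out for an update while the `dom net DROP` policy keeps the rest closed; the `info` log level on the two drop policies gives a record of devices that try to call home or scan the LAN.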
Hello @Totof,
What you’re explaining is very interesting. I was actually thinking of creating a dedicated Wi-Fi access point for home automation to cut off internet access.
I was specifically looking for affordable connected switches as an alternative to Legrand’s Céliane By Netatmo, and I quickly realized that Wi-Fi would be almost unavoidable (I saw switches from the brand Zemismart mostly in Wi-Fi and a few in Zigbee). So no choice but to create this dedicated Wi-Fi network for home automation.
How do you handle OTA updates for your connected devices?
Do you temporarily enable and then disable the internet?
Hi @lmilcent
Indeed, that will be the idea, even though I have never done device updates until today.
I had a small home automation setup, then I just moved, so I will start with a clean base.
The difference I will have compared to before is a full VLAN network. For now, I have identified 14 of them.
Since I will be reinstalling, I will create a doc/tutorial in case it interests someone.
Which router are you using to manage the VLANs?
Why do you have so many? One VLAN per sensor?
I have two servers that will be in a cluster, one on the floor and one on the ground floor.
I have a VDSL connection + a 4G box, and via Shorewall, I aggregate the link / separate the traffic according to the source devices to the 4G or VDSL.
It’s directly my servers that manage the VLANs, act as a firewall and the switches behind. So it works with one VLAN per use: Domotics, LAN, VDSL, LTE, DMZ-ext, net-internal, clusters, etc.
Since I self-host all my services, mail, cloud & co, it makes a bit of redundancy.
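The "one VLAN per use, server as firewall, traffic steered to VDSL or 4G by source" design from this post maps onto Shorewall's tagged sub-interfaces plus its `providers` and `rtrules` files. This is an added example, not the poster's configuration: VLAN IDs, interface names, subnets, the gateway addresses (documentation ranges, constructed) and the balance weights are all assumptions.

```conf
# /etc/shorewall/interfaces  -- one tagged sub-interface per use, one zone each
# (added example; VLAN IDs and interface names are assumptions)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs     # VDSL box
net     eth3        tcpflags,nosmurfs     # 4G box
lan     eth1.10     dhcp                  # LAN VLAN 10
dom     eth1.20     dhcp                  # Domotics VLAN 20
dmz     eth1.30     -                     # DMZ-ext VLAN 30

# /etc/shorewall/providers  -- two uplinks, both tracked, weighted load sharing
# (gateway addresses are constructed documentation addresses)
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS           COPY
vdsl   1       0x1   -          eth0       203.0.113.1   track,balance=3   eth1.10,eth1.20,eth1.30
lte    2       0x2   -          eth3       198.51.100.1  track,balance=1   eth1.10,eth1.20,eth1.30

# /etc/shorewall/rtrules  -- pin traffic to an uplink by source subnet
#SOURCE           DEST  PROVIDER  PRIORITY
192.168.30.0/24   -     lte       1000    # DMZ-ext always leaves via 4G (subnet assumed)
192.168.10.0/24   -     vdsl      1000    # LAN pinned to VDSL (subnet assumed)
```

Subnets without an `rtrules` entry are shared between the two providers according to the `balance` weights, while the pinned ones always use their named uplink; `track` keeps replies on the uplink the connection arrived on, which matters for self-hosted mail and cloud services reachable over both links.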