How to VLAN iot? - eviltoast

Hello, this is not a question on how to configure my router (maybe) it’s more for the concept that I can’t understand.

By the way, I only have a default isp router, that I can’t even modify the dns, so I assume I’ll have to buy my own.

So o want to have all my IOT devices on a different network, so as to not compromise my newly made homeserver, but what I don’t get is how will I be able to turn on and off my light bulbs.

All the articles I see on creating VLANs tell something like “devices on port 2 can communicate with port 1 (internet) but cannot communicate with devices on port 3,4,5, 6…” and so on.

But if my IOTs are on a VLAN A and my Phone, computers, server are on VLAN B, how can I turn the lights on and off from my phone?

Maybe I’m getting it wrong, and my phone should also be on the same VLAN as the IOT, but then how will I connect to my server?

Thanks.

  • dlchase24@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Basic concept is VLAN A can only communicate to your VLAN B through routes you configure. But, anything on VLAN B can reach anything on VLAN A. So your phone could see all your IOT devices but your IOT devices couldn’t see your phone, unless you want them to.

    My setup has changed since, but to help illustrate, I used to have an MQTT server on VLAN B, so I had setup a rule that VLAN A could reach the MQTT server on VLAN B through the MQTT port, but blocked everything else.

    It’s possible you don’t need to do that and only need to allow VLAN B to reach VLAN A.

  • Thegodfather-1@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    i aint no expert but i have separate VLANs for my phones & pcs and a separate one for IOTs.

    I noticed most IOTs do not just communicate locally, but also via internet. So even on separate VLANs, as long as they are all connected to internet, they will work. My Meross smart plugs, garage doors and a TP Link light bulb work this way.

    Just make sure you research in advance for your IOTs. Things like a Chromecast, Apple TV and a printer like to be on the same network as your controlling device like your phone.

    • fakemanhk@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      As long as you are able to deal with mDNS (either allowing broadcast through VLAN, or with reflector), your Chromecast and/or Apple TV can be on a separate network without problem.

  • bufandatl@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You basically need a router between the networks. I would recommend pfsense or opnsense or if you like cli vyOS. I run a pfsense that has my ISP router on the WAN port and a network interface for all VLANs and then I configured the firewall to allow specific traffic to specific devices in specific VLANs. For example my PC can reach the smart home controller website but no other device. And the samrthome devices only can reach the DNS in the ISP network (my kinda DMZ) and the router to reach the internet. And for every VLAN there are own rules where goes what communication.

    You also can setup that on the managed switch which you would need for setting up VLANs.

  • Germainshalhope@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    They’re still internet connected. Just not on the same local network. And you should be able to change your dns server in the advanced settings on your ISP router. At least I could with Verizon.

    “Internet of Things”

  • b100jb100@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    As others have said: most IoT devices “phone home” using the internet. Your phone connects to a server on the internet which then communicates with the IoT device. That’s why it keeps working even when you are not home.

    For devices that only work locally you can still make it work. More advanced routers (eg running OpenWRT) can be set up to allow ‘one-way’ traffic between two VLANs. So a device on your home wifi can still connect to the IoT device but not the other way around.

  • autogen_usrname@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’d be very surprised if your isp router did not have at least a basic vlan and firewall but that is all I use, separate vlans and then firewall rules to allow my phone to communicate with the iot devices.

    Routers can be virtualized in your server or if you want to buy a separate device anything that runs openwrt will work, doesn’t have to be a huge expensive one.