With all the panicking about the WiFi vulnerability, I was just wondering if anyone knows of some Ethernet-based Arduino relays like the Sonoff ones which have some good firmware with built-in MQTT…
I have all my IoT devices inside a VLAN which is completely isolated from my private network.
Actually I have 3 VLANs:
- for known, trusted and tested IoT devices
- for IoT devices that I cannot trust 100% (Amazon Alexa, MiHome Xiaomi etc.) (with internet for specific MAC addresses)
- for completely new IoT devices that need testing (internet for specific MAC addresses)
Even if someone sneaks into one of my 3 VLANs he won't have much fun.
No Internet access, only known MAC addresses are allowed to "join" the VLAN.
Check this video on the worries you should have using wireless IoT devices.
For some devices you should go wired.
I think you can find some, but they are more expensive…
Just be aware that there is no encryption separating your VLANs unless you are also tunneling them through a VPN. Any host in promiscuous mode can read any packet from any VLAN without joining them.
VLANs provide some protection from certain attacks, but they are as vulnerable to KRACK as any other configuration. They really don't provide much protection from snooping.
I have the same setup as BrutalBirdie: a separate SSID on my AP for IoT devices, connected back via a separate VLAN to a sub-interface on my firewall, which resides in a separate security zone that has no access to my other WiFi networks, the Internet or the LAN, therefore very secure. Even OH sits on a separate WiFi network with a firewall policy that permits only the relevant ports (e.g. MQTT) through.
While WPA2 is now potentially hackable since the KRACK exploit, it is still very difficult and, as BrutalBirdie has mentioned, in this particular setup if the network were compromised the hacker could turn some lights on and off or even unlock my front door, but eh, if they wanted to break in they could smash a window just as easily. Of course, that's why I pay massive $$$ for insurance…
Personally I would (and have) patch the firmware on your WiFi AP to cover this vulnerability, but why compromise a very good, cost-effective solution (such as ITEAD Sonoff devices) for the sake of a very low chance of being hacked? (I do realize that KRACK can exploit client WiFi as well as the server side, but that's only being able to sniff the traffic, so they'll see some 1's and 0's for on and off over MQTT - big deal, it's not like it's credit card info.)
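The zoning described in the two posts above (IoT VLANs that may reach the openHAB/MQTT broker on one port, no access to the private LAN, and internet only for a handful of listed devices) written out as an nftables ruleset; this is an added example, not a configuration from anyone in the thread, and the interface names, the broker address 192.0.2.10 and the MAC addresses are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Assumed layout (placeholders, not from the thread):
#   vlan10 = trusted IoT, vlan20 = untrusted IoT, vlan30 = new devices under test
#   eth0   = WAN uplink, lan0 = private LAN
#   192.0.2.10 = openHAB host running the MQTT broker on 1883 (8883 if TLS is enabled)
flush ruleset

define IOT_VLANS   = { vlan10, vlan20, vlan30 }
define OH_HOST     = 192.0.2.10
define MQTT_PORT   = 1883
# Only these devices (placeholder MACs) may leave for the internet.
define WAN_OK_MACS = { 00:00:5e:00:53:01, 00:00:5e:00:53:02 }

table inet iot {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows the firewall already allowed; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # IoT VLANs -> openHAB: MQTT only, nothing else on that host.
        iifname $IOT_VLANS ip daddr $OH_HOST tcp dport $MQTT_PORT accept

        # Internet only for the listed MACs, and only from the untrusted and
        # test VLANs; the trusted VLAN never gets a WAN path at all.
        iifname { vlan20, vlan30 } oifname eth0 ether saddr $WAN_OK_MACS accept

        # Everything else from an IoT VLAN (other IoT VLANs, the private LAN,
        # the WAN) is dropped and counted so blocked attempts show up in nft list.
        iifname $IOT_VLANS counter drop
    }
}
```

A MAC-based exception only identifies a device, it does not authenticate it, so the MQTT-only rule is the line that actually bounds what a compromised device can do; `nft list ruleset` shows the drop counter climbing when something in a VLAN starts probing beyond it.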
Looking for the same thing as the original poster, I came across this:
Bit pricey, and if only it had PoE… anyone know of such a beast?
Aaarrrghhh! Tired of these switches going offline randomly after a power outage or without any cause! I've got 20 of them at home, big area - so I need a mesh of a few MikroTik routers; it's a headache to pair Sonoffs and then check if all of them are still online, can't rely on them. Please, make just the same, but with a BALD WIRED ETHERNET LINK! All I found is https://www.aliexpress.com/item/LAN-Ethernet-2-Way-Relay-Board-Delay-Switch-TCP-UDP-Controller-Module-WEB-Server-Great-Value/32875281443.html - ordered one to check that out.
In other terms these devices are great and handy!
Yes, basically this is a simple 2-channel switch with a bald web GUI and some APIs; I tried direct console commands from a local Linux machine - worked fine.