Help and advice to enforce the Intranet of things :-)

Up until now I have just been using MySensors sensors with openHAB and these communicate with my local MQTT server and nothing else.

But recently I’ve bought a few more devices, being an Amazon Echo, Wemo Switch and some Wi-Fi LED bulbs… All of these new devices are obviously communicating with any number of cloud services, which makes me think “why”…

Ideally I want openHAB to be the only thing that’s trying to get out onto the web. If I can control openHAB remotely like I do through my.openhab then surely I should be able to cut off internet access to these devices? I’m sure that would cause issues when I maybe first set up a new device, but I’m wondering if I can set up another Wi-Fi network in the house which is dedicated to my automation devices and then somehow limit access to the outside world for anything connected to that network. I’d probably need to at least allow traffic out so long as it’s only to my local openHAB server…

I’d be interested to hear if anyone else has thought along these lines and set up the appropriate infrastructure to enforce it?

Not really set up any infrastructure as such, but I just tend to avoid any device that requires a cloud-based connection. I lock down my firewall pretty tight and only have a few ports open for openHAB, MQTT, OpenVPN and an internal web server I run to serve things like ownCloud etc.

All my devices inside the home are only accessible via openHAB. I am very much like you (and @Kai) and don’t really want any third parties mining my personal data, or potentially exposing myself to hackers via their poorly implemented cloud security.

It is not to say I am completely immune, but I would like to think I am minimising the risk at least!

I am actually using a router that easily allows blocking internet access for certain devices. So this is the normal setting for these untrustworthy gadgets - only for setup or firmware updates, they can be temporarily allowed to call their cloudy home…

Most midrange routers will let you set up your network like this and DD-WRT will as well. You can put your openHAB server on both networks (via VPN or through two network devices) so it can see your devices and your devices can see it, and then block your HA network from access to the internet.

However, a lot of HA devices actually offload some of the processing to the cloud and thus will not work without an Internet connection. I think the Echo may fall into this category. Similarly some of the OH bindings rely on a given device’s cloud API so cutting it off from the internet also cuts that device off from OH. The Nest Binding is one example that works like this.

I have not yet spent the time to address this sort of security in my setup, so I do not have any direct experience to share. There are also lots of different ways to accomplish your end goals.
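As an added example (not posted by anyone in this thread), here is one way to enforce the rule asked about in the original question, "the automation network may only talk to my local openHAB server", on a Linux/OpenWrt-style router with nftables, including a time-limited allow list for the "only for setup or firmware updates" case raised in the replies. The interface names (br-lan, br-iot, wan), the openHAB host address 192.168.1.10 and the ports 8080/1883 are assumptions for the example; the router's existing NAT and input rules are not shown and stay in place.

```nft
# Added example ruleset, not from the thread. Assumptions: the router bridges the
# trusted LAN on br-lan and the automation Wi-Fi on br-iot, uplinks via wan, and the
# openHAB host (also running the MQTT broker) sits on the LAN at 192.168.1.10.
# Load with: nft -f iot-filter.nft   (alongside your existing NAT/input rules)

table inet iot_filter {
    # Devices temporarily allowed to reach the Internet (setup / firmware updates).
    # Entries expire by themselves, e.g.:
    #   nft add element inet iot_filter wan_allowed { 00:11:22:33:44:55 timeout 1h }
    set wan_allowed {
        type ether_addr
        flags timeout
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN keeps normal Internet access and may reach the IoT segment
        # (this is how openHAB discovers and controls the devices)
        iifname "br-lan" oifname { "wan", "br-iot" } accept

        # IoT devices may only initiate connections to the openHAB host,
        # and only on the openHAB HTTP port and the MQTT port
        iifname "br-iot" ip daddr 192.168.1.10 tcp dport { 8080, 1883 } accept

        # Time-limited exception for devices currently being set up or updated
        iifname "br-iot" oifname "wan" ether saddr @wan_allowed accept

        # Anything else leaving the IoT segment (cloud call-homes included) is
        # logged and dropped. DHCP and DNS served by the router itself are not
        # affected: that traffic hits the input hook, not forward.
        iifname "br-iot" limit rate 10/minute log prefix "iot-drop: "
        iifname "br-iot" drop
    }
}
```

Watching the kernel log for the "iot-drop:" prefix after loading the ruleset shows which devices are trying to call home and which ones genuinely need a temporary entry in wan_allowed.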