Thank you guys, and I find the functionality @rlkoshak points at interesting. I will look into that.
Just to clarify: the reason for doing it this way is security. I may have rushed out a description that is a bit fuzzy; let me clarify.
The less privileged network
The thing is that I wish to have an “agent” running in a less privileged network. The network is a client net consisting of “edge” devices such as laptops, phones and things that need to broadcast/multicast to devices like Chromecasts and Sonos. The reason is usability and availability through existing apps. The “agent” is a hardened openhab instance that just has a few relevant integrations towards Chromecast and Sonos. Nothing more. By running an instance of an MQTT broker on that very network (as a part of the “agent”), no ports will be opened into a more privileged network, but a well-understood service will be made available for more privileged services to easily consume.
One can discuss whether the hardening of agents on this network is necessary, as it integrates to services that are already open. There are no secrets. And the only reason would be to limit the number of attack vectors. There is no good security on this network anyway. It’s a “DMZ”. Sort of.
The cloud network
This is another network but with client isolation, and internet access only. This is where I have my cloud-only devices. They don’t see each other. Examples are cloud connected heaters, ovens, washing machine etc. As a security and integration “benefit” I run an “agent” on this network as well, integrating to the mentioned devices’ cloud services. The reason is that I have no grounds for trust towards the producers or integration providers of OpenHab, so the network acts as a “DMZ” as well - exposing only an MQTT server as described for the less privileged network above. Why not have these on the less privileged network?
1) They need secrets. I don’t want secrets on the less privileged network.
2) I don’t want them to be able to contact or do anything harmful if they are compromised. In here they are isolated from each other and everything else.
3) I don’t need discovery for these devices through broadcast or multicast. It is merely done via the cloud and custom services/apps.
The more privileged network
This network contains an MQTT server that has privileges to bridge against the MQTT servers on the two less privileged networks as described above. An OpenHab server runs here as well, picking up integrations from the agents through MQTT in addition to doing integrations itself (like Z-wave or Ikea or custom built devices).
We will end up with a protected OpenHab installation centrally, that is unreachable from less safe areas, and that is secure enough to integrate against locks, alarms and other more security sensitive devices. This and only this instance will contain scripts, automations etc. that really are worth protecting.
What about the GUI and controls from a user’s perspective? This is made available through my own secured API, with proper authentication, firewall rules etc. Another story. I hope it makes a bit more sense now? Thanks again!
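To make the bridging arrangement above concrete, here is an added example configuration (not the poster’s own setup, and not something from the openHAB project) showing how the two-broker split can be expressed with Mosquitto: the central broker in the more privileged network initiates an outbound TLS connection to the agent’s broker in the DMZ, so nothing in the privileged network needs to listen for the DMZ, and the DMZ broker’s ACL limits what the agent account and the bridge account may each publish or read. Hostnames (`agent.clientnet.example`), certificate paths, account names, and the `agent/state/#` / `agent/cmd/#` topic layout are assumptions chosen for the example; only the first of the two bridges is shown, the cloud-network one would be a second `connection` block of the same shape.

```conf
# ---- central (more privileged) broker: /etc/mosquitto/conf.d/bridges.conf ----
# Assumed hostnames, paths, user names and topic names; adjust to your own setup.

# Local listener bound to loopback only: no inbound connections from the DMZ nets.
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd

# Bridge to the client-net agent. The CENTRAL broker initiates this connection,
# so no port in the privileged network is opened towards the DMZ.
connection clientnet-agent
address agent.clientnet.example:8883
bridge_cafile /etc/mosquitto/certs/clientnet-ca.crt
bridge_certfile /etc/mosquitto/certs/central.crt
bridge_keyfile /etc/mosquitto/certs/central.key
bridge_insecure false
remote_clientid central-bridge
remote_username central
remote_password CHANGE_ME
cleansession true
start_type automatic
# Only these subtrees cross the boundary, and only in the stated direction:
#   in  = subscribe on the remote (DMZ) side, republish locally  (agent -> central)
#   out = publish local messages to the remote (DMZ) side         (central -> agent)
# Remote agent/state/# appears locally as clientnet/state/#;
# local clientnet/cmd/# is delivered to the agent as agent/cmd/#.
topic state/# in 1 clientnet/ agent/
topic cmd/# out 1 clientnet/ agent/

# ---- DMZ agent broker: /etc/mosquitto/conf.d/agent.conf ----
listener 8883
cafile /etc/mosquitto/certs/clientnet-ca.crt
certfile /etc/mosquitto/certs/agent.crt
keyfile /etc/mosquitto/certs/agent.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# ---- DMZ agent broker: /etc/mosquitto/acl ----
# The hardened openhab agent may only publish state and read commands.
user agent
topic write agent/state/#
topic read agent/cmd/#
# The central bridge account is the mirror image: read state, write commands.
user central
topic read agent/state/#
topic write agent/cmd/#
```

The point of the ACL on the DMZ side is that a compromised agent cannot inject messages into the `cmd` subtree it would otherwise be free to publish to, and the `topic ... in` / `out` lines on the central side mean that nothing outside the two named subtrees is ever pulled into or pushed out of the privileged network, whatever the agent broker happens to carry.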