Network topology

Hi all,

I intend to isolate all my IoT devices over a guest network that is separate from my main devices. However, I’m running into the following problems:

  1. If I place the IoT devices on the built-in guest network of my router, I run into issues of persistence, where the DHCP settings do not stick and therefore mess up the authentication.
  2. If I place OH on the guest network, I am unable to access the controls for my main devices that reside on the main network.
  3. Even if I manage to isolate OH on the guest network, I have the new problem of presence detection which relies on pings to mobile phones which I need to be connected to the main network.

How do you guys deal with such issues?

I’ve set up a separate WLAN for my IoT stuff and set some rules in the router to allow network traffic from and to openHAB. But to be fair, I use an OPNsense router, so this was very easy for me.

How does that actually work? Do you place OH on the IoT side or the main network side? Do you mean that the IoT devices are connected to the same internet facing router but you filter traffic on the router side such that traffic can only flow between the IoT subnet and OH?
Suppose my IoT devices are spread over an area that cannot be covered by a single WiFi router (have to run a mesh network), would connecting all devices to the same WiFi network but filtering all traffic at the router end be similar?

I have two access points for WLAN, both do MultiSSID and present the same three different networks. Those networks have different VLANs as the access points have only one Ethernet port. By the way: the access point itself uses another VLAN for administration…
Now, the different VLANs use different IP segments. openHAB is in my “home” LAN, IoT stuff is in another segment. OPNsense does the routing between those two network segments. IoT has no internet access as the hardware does not need internet access. As all this IoT stuff is in fact MQTT stuff, there is only one port and one IP address to grant access to.
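
The policy described in the post above (the IoT segment may reach one address and one port for MQTT, and nothing else, including the internet), written as an nftables forward chain for a Linux router. This is an added example, not the poster's OPNsense configuration; the interface names, the broker address 192.168.10.5 and port 1883 (the standard unencrypted MQTT port) are constructed assumptions.

```nftables
# Constructed values: adjust to your own VLAN interfaces and broker.
define HOME_IF   = "vlan10"        # "home" LAN, where openHAB lives
define IOT_IF    = "vlan20"        # IoT segment
define MQTT_HOST = 192.168.10.5    # MQTT broker in the home LAN (assumed)
define MQTT_PORT = 1883            # standard unencrypted MQTT port

table inet iot_isolation {
    chain forward {
        # Default deny for everything routed between segments.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # IoT devices may open connections to the broker only.
        iifname $IOT_IF oifname $HOME_IF ip daddr $MQTT_HOST tcp dport $MQTT_PORT accept

        # The home LAN may initiate connections anywhere, including
        # towards IoT devices (e.g. to reach a device's web UI).
        iifname $HOME_IF accept

        # Everything else from IoT (other hosts, other ports, internet)
        # is logged and dropped, so misbehaving devices show up in the log.
        iifname $IOT_IF log prefix "iot-drop: " drop
    }
}
```

This chain filters routed traffic only; services the router itself offers to the IoT segment, such as DHCP, are governed by its input chain.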

Could you recommend some hardware that allows MultiSSID? I think binding different SSIDs to different VLANs is what I want

Well, there are all sorts of hardware out there which support MultiSSID and VLAN.
I’m using TP-Link TL-WA901ND with OpenWRT Firmware, but that hardware is a bit outdated, only 100MBit/s LAN, PoE needs a special injector, only 2.4GHz band, much too small RAM/Flash…
Take a look at https://openwrt.org/supported_devices and choose wisely :wink:

Or simply use the stock firmware.
I’m thinking about changing hardware to Ubiquiti AP AC Pro, downside is no web frontend but only a Windows software to configure the access points. At least it is compatible with OpenWRT, I’m used to OpenWRT :slight_smile: but I don’t want to flash new hardware immediately :wink:

Take a look at Ubiquiti… the UniFi stuff is very cool, there is also an OH binding :grinning:

Don’t forget that “Guest Network” often also has “Device Isolation” (sometimes called “WiFi Isolation”), so each device can only connect to the internet and not each other.

I’ve got a load of DMX / Art-NET hardware on a totally separate LAN network, with a couple of WiFi access points creating an Art-NET SSID.

All I’ve done is add a cheap and cheerful USB LAN adapter to openHAB2,

Do you mean that you can have two subnets on OH via two network adapters such that one is used for IoT devices while the other for accessing OH on the main network?

That’s what I’m doing with it :slight_smile:

And it appears to be working well.

Or at least, the DMX binding has an option to fix the subnet address for outbound traffic.

I could try putting my Velbus TCP server on a different subnet / segment and see what happens, but I’d expect it to work.

(Currently, my Velbus TCP server is on the same machine, so uses 127.0.0.1; it wouldn’t take a lot of work to run up a small machine with VelServ and plug in a 3rd USB LAN dongle.)