Separation between IoT and home network

Dear all,

my first post here. Awesome work done so far with OpenHAB2! Since new users cannot upload attachments, please find attached my actual network setup:
Home Network

I’m concerned about the growing number of IoT devices, so I ask you gurus if you advise me to separate the network in different domains (and how), in order to avoid low performance on the crappy router provided by my ISP, meaning wifi drop, low speed while streaming, and so on.

A bit of description of my setup in the following:

  • my entire home automation is based on an RPi2 with MQTT, InfluxDB and Grafana running on an OpenHABian SD.
  • All my IoTs are wifi Sonoff devices (with Tasmota), MAX! for heating with a cabled MAX! cube, and a USB CUL for the Intertechno-like power switches.
  • Manual control of OpenHAB is gained via Android app (BasicUI) or HabPanel, depending on the device I’m on.
  • In my network, I serve a NAS with different services. Among others, rsync is what I run via cron on the RPi, in order to save the SD content on the NAS.
  • My ISP router is bridged to a TP-Link (DD-WRT enabled) that serves a separate network to a third router in my garage. It’s like a wifi bridge, but with a separate subnet.

Since I still have a DD-WRT router around, since I plan to add 10 more Sonoff-Tasmota, and since I’m concerned about ‘friends/ISP colleagues’ playing around, would it make sense to separate the IoT domain (Sonoff, MAX! and RPi) from the Home domain (streaming, www, …)?

If yes,

  • how can I still control OpenHAB manually via the Android app/HABPanel (remember Grafana plots)?
  • how can I still rsync on my NAS via RPi?

I hope my question is clear. Of course, I’m confused, I know :slight_smile:

Separate your friends off to a guest network with client isolation. A lot of people put their IoT devices there too.

Keep your RPi in your home network. And you’d have to work out a strict set of firewall rules to allow communication to/from your IoT devices.

I actually have a main network, with all my devices, a guest network for guests and an IoT network for devices. I only allow MQTT both ways from IoT to my main network. I partially do this because I have some Broadlink devices that I don’t trust, and I can, if needed, isolate them from the internet as well as from my home network.

Thank you for your answer.
So, if I may recap (and excuse me if I don’t get all), you suggest the following:

  • Have 3 networks with 3 subdomains
  • One network is the main (the one from ISP’s router, in my setup), which includes the NAS, all PCs, all Smartphones and the RPi
  • One is the ‘garage’ (or Guest network), which I might configure as a simple bridge to the first network (I’m the guest in my garage :slight_smile: )
  • One is the IoT, which includes the MAX! cube and all the Sonoffs.

Each subnetwork shall not communicate with the others, unless a firewall rule allows it. In case I need to maintain the Sonoffs, I can join the IoT network from my laptop.

In this case, I can use a spare router for the IoT network (my ISP’s one is as closed as a tin of sardines…). Some questions here:

  • Since I cannot modify my ISP’s router (only assign static IPs and a bit of MAC filtering), would it be OK to have the iptables rules only on the IoT router, or do you see issues? Would something like ‘deny all; allow MQTT from IoT to Main, where the RPi is’ work for the Sonoffs?

  • Let’s say: I configure the Main to be, while the IoT is on a WiFi link to the Main. Then, the IoT router provides a subnet for all the Sonoffs/MAX! cube and a second WiFi network via VLAN. As well, the IoT router allows MQTT to the RPi on the Main via iptables (routing?). Is this the direction I should go to follow your setup? Would you suggest following this (plus iptables later): Wlan_Repeater

Many thanks again and sorry for my long post. I really appreciate :slight_smile:
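The rule set the reply above describes (‘deny all; allow MQTT both ways between IoT and main’) and the OP’s ‘deny all; allow MQTT from IoT to Main, where the RPi is’ question, written out as an added example for the FORWARD chain of the spare DD-WRT router. This is not code from the thread or from openHAB or DD-WRT; the subnets, the RPi address and the broker port are assumptions for illustration (192.168.1.0/24 for the ISP router LAN, 192.168.2.0/24 for the IoT router LAN, 192.168.1.10 for the RPi, 1883 for plain MQTT). The script only prints the iptables commands so they can be reviewed first; piping the output to sh applies them.

```shell
#!/bin/sh
# Added example (not from the thread). All addresses below are assumed.
MAIN_NET="192.168.1.0/24"   # ISP router LAN: NAS, PCs, phones, RPi (assumed)
IOT_NET="192.168.2.0/24"    # LAN served by the spare DD-WRT router (assumed)
RPI_IP="192.168.1.10"       # openHAB + MQTT broker host on the main LAN (assumed)
MQTT_PORT="1883"            # plain MQTT; use 8883 if the broker runs TLS

# Emit the rules as text. Order matters: the specific ACCEPT for the broker
# must come before the blanket DROP from IoT to the main LAN.
iot_firewall_rules() {
  cat <<EOF
# default deny for anything the router forwards between its interfaces
iptables -P FORWARD DROP
iptables -F FORWARD
# replies to connections that were already allowed (covers the MQTT
# traffic flowing back from the broker to the Sonoffs)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one hole from IoT into main: Sonoffs may open MQTT to the RPi only
iptables -A FORWARD -s $IOT_NET -d $RPI_IP -p tcp --dport $MQTT_PORT -m state --state NEW -j ACCEPT
# everything else from IoT towards the main LAN is dropped (NAS, PCs, phones)
iptables -A FORWARD -s $IOT_NET -d $MAIN_NET -j DROP
# trusted side may initiate into IoT (laptop to Tasmota web UI, RPi to MAX! cube)
iptables -A FORWARD -s $MAIN_NET -d $IOT_NET -m state --state NEW -j ACCEPT
# comment this out if the Sonoffs should have no internet access at all
iptables -A FORWARD -s $IOT_NET -m state --state NEW -j ACCEPT
EOF
}

# Apply the rules on the router (needs root on the DD-WRT box).
apply_iot_firewall() {
  iot_firewall_rules | sh
}

# Quick self-check of the generated text: a default-deny policy and the
# single MQTT allow rule must both be present, and the allow must precede
# the IoT-to-main DROP.
check_iot_firewall_rules() {
  rules=$(iot_firewall_rules)
  echo "$rules" | grep -q -- '-P FORWARD DROP' || return 1
  allow_line=$(echo "$rules" | grep -n -- "-d $RPI_IP -p tcp --dport $MQTT_PORT" | cut -d: -f1)
  drop_line=$(echo "$rules" | grep -n -- "-s $IOT_NET -d $MAIN_NET -j DROP" | cut -d: -f1)
  [ -n "$allow_line" ] && [ -n "$drop_line" ] && [ "$allow_line" -lt "$drop_line" ]
}

# Usage: review with `iot_firewall_rules`, then `apply_iot_firewall` on the router.
```

Putting the rules only on the IoT router is enough for the Sonoffs, because every packet they send towards the main LAN has to be forwarded by that router; the ISP router never sees a choice to make. What it does not cover is the other direction on the ISP router: anyone on the main WiFi still sees the main LAN, so guests should go on a client-isolated guest SSID as the reply suggests, not on the main one. If the broker ever moves to TLS, only the port constant changes; the shape of the rule set stays the same.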