Although I’ve advocated the use of a separate VLAN for the home automation network (I know that kai does this as he has mentioned it a few times) and I have every intention of doing this at some point, I run everything on the same LAN (well, two if you count OpenVPN).
Instead I’ve focused on securing my network overall (I’m using pfSense right now), and certain completely untrustworthy devices, like Vizio TVs, simply do not have any access to the network at all.
I don’t think there is any reason to put OH in a DMZ. If you set up a reverse proxy to expose your OH to the Internet then the reverse proxy should go in the DMZ. Similarly, if you set up your own instance of openHAB Cloud Server on your local network, that should go in the DMZ. But if you are using myopenhab.org, OpenVPN, or SSH tunnels to access your OH when away from home, I don’t see any benefit to running OH in the DMZ. You may want to put the ssh server or OpenVPN server in a DMZ though.
To come up with the correct approach for you, you need to sit down and think about what you think your real risks are.
Risk = (impact if a given vulnerability is exploited) × (likelihood that a threat will exploit the vulnerability)
For the separate LAN case you need to think about what threats your home automation devices being compromised pose to your personal devices and whether it is worth the time and extra equipment to separate them out into their own LAN/VLAN. Risk mitigations are not free and they should not “cost” more than the risk you are mitigating against.
Given you have some experience in this area, the amount of time and therefore cost is probably a lot less than for the average Joe.
Personally, the biggest thing driving me to want to set up a separate LAN for my home automation is primarily to learn how to do it. I don’t think my risks warrant it. So for me, implementing this is an opportunity, not a risk mitigation.
I mitigate the risks posed by having everything on the same LAN by:
- I only have ssh and OpenVPN exposed to the internet, and both are secured with certs, so the risk there is not beyond acceptable.
- I use encryption on disk for my sensitive files.
- I use pfBlocker to block all outgoing connections to known malicious IPs, including malware C2 servers.
- I have good backups of important files.
Am I completely secure? Absolutely not. There is a ton more I could do. But I’m willing to accept that risk for now.
Others may not be willing to do so.
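The impact × likelihood reasoning above, carried through as a small risk register that also applies the post's rule that a mitigation should not cost more than the risk it removes. This is an added example, not code from the post or from openHAB; the 1..5 scales, the scenarios and every score are constructed values, not the author's assessment.

```python
"""Tiny risk register: Risk = impact x likelihood, then compare each
mitigation's cost against the risk it actually removes.
All scales and scores below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Mitigation:
    name: str
    cost: int                   # effort/money, on the same 1..25 scale as risk
    likelihood_reduction: int = 0  # points knocked off likelihood (1..5 scale)
    impact_reduction: int = 0      # points knocked off impact (1..5 scale)


@dataclass
class Scenario:
    name: str
    impact: int       # 1 (nuisance) .. 5 (severe)
    likelihood: int   # 1 (rare)     .. 5 (expected)

    def risk(self) -> int:
        return self.impact * self.likelihood


def residual_risk(s: Scenario, m: Mitigation) -> int:
    """Risk left after the mitigation; neither factor drops below 1."""
    impact = max(1, s.impact - m.impact_reduction)
    likelihood = max(1, s.likelihood - m.likelihood_reduction)
    return impact * likelihood


def worth_it(s: Scenario, m: Mitigation) -> bool:
    """The post's rule: the risk removed must cover the mitigation's cost."""
    return s.risk() - residual_risk(s, m) >= m.cost


def evaluate(register):
    """Score every (scenario, mitigation) pair, highest raw risk first."""
    rows = [{"scenario": s.name, "mitigation": m.name, "risk": s.risk(),
             "residual": residual_risk(s, m), "cost": m.cost,
             "worth_it": worth_it(s, m)} for s, m in register]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed scenarios mirroring the post's discussion (scores are illustrative).
REGISTER = [
    (Scenario("IoT device compromise pivots to personal PCs on the shared LAN", 4, 2),
     Mitigation("Separate home-automation VLAN", cost=6, likelihood_reduction=1)),
    (Scenario("openHAB exposed directly to the Internet", 5, 4),
     Mitigation("Reverse proxy in DMZ / VPN-only access", cost=3, likelihood_reduction=3)),
    (Scenario("Ransomware destroys personal files", 5, 2),
     Mitigation("Good offline backups", cost=2, impact_reduction=3)),
    (Scenario("Compromised device calls home to a C2 server", 3, 3),
     Mitigation("pfBlocker egress blocklist", cost=1, likelihood_reduction=1)),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(row)
```

With these constructed scores the VLAN row comes out as not worth its cost, matching the author's own conclusion, while the other three mitigations pay for themselves.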