Suggested network topology for OpenHAB in a home network?

Hi everyone,

With my first home automation gear last week (yes, total home automation newbie), I naturally put my Google Home and Tradfri GW on the same WiFi network as our personal devices (phones, tablets, Kodi, etc). But looking at WiFi enabled Sonoff devices is making me think about the network topology, separating out all home automation onto a dedicated WiFi and wired physical network (VLAN or LAN). What kind of network topology have you implemented? Everything fine on one WiFi network or not? How about with OpenHAB in a DMZ?

Skills-wise, I used to be an experienced Linux sysadmin and some network admin. Time to brush up on those skills! Also we’ve an experienced electrician onsite doing a complete rewire of our home (as part of full renovation works) including Cat6A cabling, and we need to make some decisions about the physical network topology: wiring, patch panels, where network switches and the comms cabinet will go etc.

Although I’ve advocated the use of a separate VLAN for the home automation network (I know that Kai does this as he has mentioned it a few times) and I have every intention of doing this at some point, I run everything on the same LAN (well, two if you count OpenVPN).

Instead I’ve focused on securing my network overall (I’m using pfSense right now), and certain completely untrustworthy devices, like Vizio TVs, simply do not have any access to the network at all.

I don’t think there is any reason to put OH in a DMZ. If you set up a reverse proxy to expose your OH to the Internet then the reverse proxy should go in the DMZ. Similarly, if you set up your own instance of openHAB Cloud Server on your local network, that should go in the DMZ. But if you are using OpenVPN or SSH tunnels to access your OH when away from home, I don’t see any benefit to running OH in the DMZ. You may want to put the SSH server or OpenVPN server in a DMZ though.

To come up with the correct approach for you, you need to sit down and think about what you think your real risks are.

Risk = (impact if a given vulnerability is exploited) × (likelihood a threat will exploit the vulnerability)

For the separate LAN case you need to think about what threats your home automation devices being compromised pose to your personal devices and whether it is worth the time and extra equipment to separate them out into their own LAN/VLAN. Risk mitigations are not free and they should not “cost” more than the risk you are mitigating against.

Given you have some experience in this area, the amount of time and therefore cost is probably a lot less than the average Joe.

Personally, the biggest thing driving me to want to set up a separate LAN for my home automation is primarily to learn how to do it. I don’t think my risks warrant it. So for me, implementing this is an opportunity, not a risk mitigation.

I mitigate the risks posed by having everything on the same LAN by:

  • I only have SSH and OpenVPN exposed to the internet and both are secured with certs, so the risk there is not beyond acceptable.
  • I use encryption on disk for my sensitive files.
  • I use pfBlocker to block all outgoing connections to known malicious IPs, including malware C2 servers.
  • I have good backups of important files.

Am I completely secure? Absolutely not. There is a ton more I could do. But I’m willing to accept that risk for now.

Others may not be willing to do so.
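A small policy model of the split described above (openHAB on the personal LAN, reverse proxy and OpenVPN in a DMZ, IoT gear on its own VLAN), added here as an illustration and not taken from the thread or anyone’s pfSense config; the subnets, host addresses and rule list are constructed assumptions, and the model covers only new connections, as a stateful firewall lets replies through.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption): adjust to your own subnets.
ZONES = {
    "wan": ip_network("0.0.0.0/0"),         # catch-all: the Internet
    "lan": ip_network("192.168.1.0/24"),    # personal devices + openHAB
    "iot": ip_network("192.168.20.0/24"),   # Tradfri GW, Sonoffs, Google Home
    "dmz": ip_network("192.168.50.0/24"),   # reverse proxy / OpenVPN / SSH
}
OPENHAB = ip_address("192.168.1.10")        # OH stays on the personal LAN
PROXY = ip_address("192.168.50.5")          # reverse proxy lives in the DMZ
VPN = ip_address("192.168.50.6")            # OpenVPN endpoint in the DMZ

def zone_of(addr):
    """Most specific zone containing addr; 'wan' only matches as a fallback."""
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

# First-match rules for NEW connections: (src_zone, dst zone or host, port, action).
# Anything not listed falls through to the default deny in decide().
RULES = [
    ("wan", VPN, 1194, "allow"),       # remote access terminates in the DMZ
    ("wan", PROXY, 443, "allow"),      # only the proxy is exposed, never OH
    ("dmz", OPENHAB, 8080, "allow"),   # proxy forwards to OH's HTTP port
    ("lan", "iot", None, "allow"),     # people and OH may poll IoT devices
    ("lan", "dmz", None, "allow"),
    ("lan", "wan", None, "allow"),
    ("iot", OPENHAB, 8080, "allow"),   # assumption: devices may push to OH
    ("iot", "wan", None, "allow"),     # cloud-dependent gadgets (Google Home)
]

def decide(src, dst, port):
    """Return 'allow' or 'deny' for a new connection src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    for src_zone, target, rport, action in RULES:
        if zone_of(s) != src_zone:
            continue
        if isinstance(target, str):            # zone-wide destination
            if zone_of(d) != target:
                continue
        elif d != target:                      # single-host destination
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "deny"                               # default deny, IoT -> LAN included
```

The point of the model is the two checks it makes easy: the Internet cannot open a connection to OH directly, and a compromised IoT device cannot initiate anything towards the personal LAN except the one OH port you chose to allow.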


Thanks for the detailed reply, you make some excellent points - good food for thought re security.

For better home automation performance, is it worth putting all home automation devices (incl. voice gateways like my Google Home), Tradfri, Sonoff, OpenHAB (dual homed), on a separate, but routed LAN? I’m thinking a dedicated WiFi AP.

That’s a good idea. Get a powerful one that covers the whole house. The AP doesn’t have to be on another network. That’s your choice.

I think it largely depends on how many devices you have and whether it is dual band or not. If you have a dual band AC AP then you already are segregating into separate networks, as most of your IoT type devices will only support 2.4 GHz and most of your newer personal devices will support 5 GHz.

If you do put in another AP, make sure it is on a different band so they don’t interfere with each other.

I’ve not noticed any problems on my wifi network (NetGear Nighthawk R7000 running DD-WRT in AP mode) with:

  • 2 laptops (more when there are guests)
  • 2 phones (more when there are guests)
  • 2 tablets
  • 2 repurposed phones (hooked up to speakers for streaming audio)
  • 1 desktop
  • 3 Rokus
  • 3 RPis
  • up to 3 Sonoffs at a given time
  • 3 ESP8266s

Including the wired devices I’ve around 40 addresses in my static routing DHCP config.

With all this going on I can stream at high quality 1080p to two of the Rokus simultaneously without problem. I’ve never tried to stream to more than two at the same time.

I’ve the single AP on the top floor of the house and it covers everything including the basement and the back deck. It does not cover the whole yard though, so if I wanted to put some sensors in the vegetable garden or the like I’d have to set up a repeater or run a wire.

I’m in a suburban environment though and there is very little interference. I can see three to four other APs but their signal is very low, and with so few it is easy to pick an empty set of channels to avoid interference.

If I ever do run into problems, I’ll resurrect my old N300 router and put most of the little stuff on that and dedicate the R7000 to video streaming and personal devices.

Since everything goes through my pfSense server and it serves as the DHCP server, it is pretty easy to make drastic changes to the wifi topology without needing to rebuild the whole network.


In my humble opinion, keep it all on one network till you have a reason to separate.

For me running out of ip addresses is the only valid reason. The whole security thing is a good one but many times people don’t have a real security risk, only a perceived one.

I use separate Wi-Fi access points on separate devices, on separate channels.

For me it comes down to ensuring the device count load is minimised on each wireless router. I have about 40 or so devices between smart items, IoT and tablets etc.

Good approach, domestic routers can only handle a certain number of wifi clients. Cheap professional APs (the kind you see on the ceiling of supermarkets and shopping centres) are available on eBay, although they can be a pain to set up and most of them require PoE.