My reason for wanting HomeAssistant and a locked down VLAN...

tjoa@feddit.org

FYI I learned About VLANs that it is in no way „locked down“. I can spoof the MAC address of a known device from a specific VLAN and I’m in that VLAN. Yes your devices can’t reach the internet/other devices by default but it won’t stop a bad actor.

unique_hemp@discuss.tchncs.de

Don't buy ASUS, they have a terrible security record. At this point I would trust only MikroTik and Ubiquiti.

interdimensionalmeme@lemmy.ml

Yes, VLAN is an IT convenience feature, you don't need it just because it is a feature of the more expensive hardware.

Instead just establish separate L2s and operate proper L3 firewalls between them. For IoT devices, any kind of reliable potato will do just fine.

dezorian@discuss.tchncs.de

I bought a distiller for €60 capable of distilling 4 liters of water (about 1 gallon) en generates some heat. The electricity cost is way lower than buying 4 liters of distilled water, don't need to throw away a 4 liter plastic bottles every time and the distiller heats up my room in the winter (when the air is dryest here).

landless2029@lemmy.world

I'm aware you need a firewall (I used sonicwall professionally) vlans are for segmentation

flux@lemmy.ml

Depends on you hw. That seems rather poor implementation.. I believe my TP switch might handle that, because it rejects traffic to its management interface from mac X from vlan 20 because it sees the same mac in vlan 10.. (only vlan 20 is allowed for management)

sugar_in_your_tea@sh.itjust.works

Isn't that what 802.1x is for? If you really want to lock down your network, there are options.

kingthrillgore@lemmy.ml

We have water, heavy water, hydrogen infused water, nitrogen infused water, ice-9, h2o2...what will they think of next?!

teslasaur@lemmy.world

Well. The segmentation is to avoid security holes from Rogue third party devices. If you can access my pc vlan that only exists on my wired pcconnection, then you have indeed broken in to my domain. Letting the things that doesn't give a shit about security have their own network is just sanity/sanitary.

greenknight23@lemmy.world

and this is why I have a completely separate physical network for my IOT stuff.

stupidcasey@lemmy.world

Try OpenWRT

jcbazpx@lemmy.world

They gained a cost reduction for a single quarter of a single year. No further thought was put into it.

isokiero@sopuli.xyz

Ubiquiti

And they too aggressively push their cloud services and at least some point their management tool gave you ads on their other products.

landless2029@lemmy.world

Yeah that's on my todo list. I've got 3 decent but old routers.

tjoa@feddit.org

That’s a very cool feature actually but how does it stop a hacker if he has obtained a trusted MAC address from another device and connect to vlan 20 directly while the real device is offline?

flux@lemmy.ml

You configure vlans per physical port, so in a properly implemented system your attack won't be possible. When the packet comes to the switch the vlan tag is added to it according to the configuration for the port it was received from.

Or are you talking about mac-vlans?

tjoa@feddit.org

Ok maybe I don’t fully understand yet. Let’s say an access point has 3 SSIDs, lan, guest and iot each client on each SSID gets a vlan tag accordingly. So it’s only connected to a single physical port, i think that’s what confused me. But SSIDs are interfaces just like an physical port afaik so your analogy still stands. The security here is the WiFi password anything that connects to LAN gets a LAN vlan tag. but it’s not like anything that connects to any of the SSIDs can get the DHCP lease of some random device on any vlan cuz it got tagged before. Or am I missing something?