The smart home is quite an achievement when fully deployed. Once a network has been established and a few devices added, you’ll have quite a compelling solution. To take this to the next level, you’ll likely add a few more devices, but the more smart home hardware you activate, the busier your home network gets. There’s also the risk of people accessing your smart home devices without consent. All of this can be remedied through virtual LANs (VLANs), which are precisely what they sound like.
Smart home devices can range from light bulbs and plugs to speakers and alarm sensors, as well as everything in between. If it has wireless capabilities, there’s a good chance you could use it as part of your smart home setup. These devices are great for improving your life, but they can come with a few risks. First, there are firmware vulnerabilities, then data harvesting, and even botnets and other malicious parties who could use your smart home to cause havoc. That’s why I quickly made the switch to VLANs, and you should too.
The risks of building a smart home
More hardware and risks of security breaches
I’m not suggesting all of your newly purchased smart home appliances and devices are inherently unsafe, but they are susceptible to attacks and, depending on the brand, firmware vulnerabilities. These devices can often be found at a low price, largely thanks to their affordable design, manufacturing, and support. Telemetry data can be collected and sent to manufacturer servers, and there’s no guarantee they will roll out security patches and firmware updates.
Just like a PC on your home network, each one of these smart home devices can become a new entry point for attackers. Imagine how many you have with a full alarm system integrated into Home Assistant, plus smart speakers, lighting, sensors, plugs, and more. It can become quite the maze, which is another issue with IoT and smart home hardware. These clients can really contend for airtime on the wireless network and for leases from the DHCP server, should many of them require a local IP address.
I considered this when planning out the smart home upgrade. Like guest devices, smart home hardware can be partitioned off within the same physical LAN to protect everything else on the network. I quickly set up a guest VLAN that lets anyone visiting our home reach the outside world, but leaves them unable to connect to any locally hosted services unless permission is explicitly granted. The same goes for smart home devices, which is why I created a VLAN for them, and it may be a good idea for you to follow suit.
How VLANs solve (almost) everything
The magical world of virtual network links
A virtual local area network is a LAN that runs on top of a physical network. It’s simply a logical way to split a physical network, made up of switches, access points, firewalls, and routers, into multiple isolated instances. Each VLAN can be configured to run independently, allowing you to isolate specific hardware and points on the LAN from one another. This doesn’t mean they’re completely unreachable from each other, as paths between VLANs can be opened through the router or firewall, should you choose to configure them.
What VLANs do well is allow hardware to reach external destinations through the router or firewall without being able to link up with anything on the internal side. It’s great for creating guest networks within businesses, hotels, and even your home. But VLANs can also be handy for separating your smart home and IoT devices from the rest of the network. I employ a few VLANs at home already: one for guests, another for security cameras, and a third for all servers and network infrastructure.
A fourth could be viewed as overkill, but it’s worth considering if you want to keep your LAN secure. IoT devices could be placed on a guest network with specific rules and conditions set to allow for some degree of connectivity between hardware on other VLANs, but the aim is to restrict IoT hardware as much as possible, without affecting functionality. This way, we can safely add and use any equipment and worry less about abandoned support, infected firmware updates, and trusting multiple companies to safeguard their products (and your LAN).
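The isolation described above is carried on the wire by an 802.1Q tag, which a managed switch reads to decide which VLAN a frame belongs to. The following is an added example, not code from the article or from any vendor, that builds and parses tagged Ethernet frames and models how a switch port admits them; the MAC addresses, the port configurations and the simplified access/trunk behaviour are constructed assumptions (real switches differ in the details).

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that signals an 802.1Q VLAN tag follows


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    frame = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:  # 0 and 4095 are reserved by the standard
            raise ValueError("VLAN ID must be in 1..4094")
        # TCI: 3-bit priority (PCP), 1-bit DEI (left 0 here), 12-bit VLAN ID
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ethertype)
    return frame + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan_id": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def port_assign(port: dict, frame: bytes) -> Optional[int]:
    """Decide which VLAN a managed switch places an ingress frame in, or None to drop it.

    Simplified model (an assumption; vendors differ in the details):
      access port {"mode": "access", "vlan": N}: accepts only untagged frames, all land in N
      trunk port  {"mode": "trunk", "allowed": {...}, "native": N}: tagged frames are kept
                  only if their VID is allowed; untagged frames go to the native VLAN
    """
    vid = parse_frame(frame)["vlan_id"]
    if port["mode"] == "access":
        return port["vlan"] if vid is None else None
    if port["mode"] == "trunk":
        if vid is None:
            return port["native"] if port["native"] in port["allowed"] else None
        return vid if vid in port["allowed"] else None
    raise ValueError("unknown port mode")


# Constructed sample: a smart plug (made-up MACs) sending an IPv4 packet on VLAN 20
PLUG_MAC = bytes.fromhex("02aabbccdd01")
GATEWAY_MAC = bytes.fromhex("02aabbccdd02")
IPV4_STUB = b"\x45\x00" + b"\x00" * 18  # placeholder IPv4 header bytes, not a real packet
TAGGED = build_frame(GATEWAY_MAC, PLUG_MAC, 0x0800, IPV4_STUB, vlan_id=20, pcp=1)
UNTAGGED = build_frame(GATEWAY_MAC, PLUG_MAC, 0x0800, IPV4_STUB)

IOT_ACCESS_PORT = {"mode": "access", "vlan": 20}          # where the plug is plugged in
UPLINK_TRUNK = {"mode": "trunk", "allowed": {10, 20, 30}, "native": 10}  # switch-to-firewall link

if __name__ == "__main__":
    print("tagged frame VID:", parse_frame(TAGGED)["vlan_id"])
    print("plug on access port lands in VLAN:", port_assign(IOT_ACCESS_PORT, UNTAGGED))
    print("tagged frame on trunk lands in VLAN:", port_assign(UPLINK_TRUNK, TAGGED))
```

An unmanaged switch has no notion of the tag at all, which is why the article's requirement for managed switches matters: without the per-port assignment modelled in `port_assign`, every frame lands in the same broadcast domain regardless of what the firewall intends.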
It all starts with a grounded plan
Map out your entire network
Before making the move to VLANs, or even adding one more as I did with my network, it’s vital you map out your home LAN. List all the devices that will be connected to your access points, switches, and routers. List all their addresses and make it easy to see which devices are covered by each VLAN. There are a few requirements, the first and most important being the use of managed switches. You don’t necessarily need a network switch, but if you use one on the LAN already, it will only work with VLANs if it allows for tagging and separation. Unmanaged switches don’t, unfortunately.
Then you’ll need a router or firewall to handle VLANs. I use and wholeheartedly recommend OPNsense. Access to the management interfaces of all your access points and switches will need to be available, too. With all this at hand, configuring VLANs can be achieved within a few minutes. First, I needed to create the new VLAN on the OPNsense firewall with its own subnet (192.168.20.0/24 instead of 192.168.10.0/24, used by the primary LAN). Then, most importantly, firewall rules needed to be created.
These rules allowed IoT hardware and guest clients to access the internet, but nowhere else on the network. They also let me configure the VLANs so that specific devices, such as a server running Home Assistant, can communicate with specific devices on other VLANs, which could be a security camera or smart plug. One step I almost forgot this time around was to configure a Wi-Fi SSID for the smart home products, which was painless using EnGenius’ cloud platform, but your mileage may vary with your branded access point or router.
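The rule order on the IoT interface is what makes this work: the block for internal subnets has to sit above the allow-anything rule, because the firewall stops at the first match. The following is an added example, not the article's or OPNsense's own configuration, that models a first-match ruleset over the two subnets the article names; the Home Assistant address, the "private networks" list and the rule descriptions are constructed assumptions. It also shows the same two IoT rules in the wrong order, which is the classic way a supposedly isolated VLAN ends up able to reach the whole LAN.

```python
from ipaddress import ip_address, ip_network
from typing import Any, List

# Subnets as given in the article; the Home Assistant host address is an assumption.
LAN_SUBNET = ip_network("192.168.10.0/24")
IOT_SUBNET = ip_network("192.168.20.0/24")
HA_SERVER = ip_network("192.168.10.5/32")
# Equivalent of a "private networks" alias: every RFC 1918 range.
PRIVATE_NETWORKS = [ip_network("10.0.0.0/8"),
                    ip_network("172.16.0.0/12"),
                    ip_network("192.168.0.0/16")]


class Rule:
    """One firewall rule: action is 'pass' or 'block'; src/dst are a network, a list of networks, or 'any'."""

    def __init__(self, action: str, src: Any, dst: Any, note: str):
        if action not in ("pass", "block"):
            raise ValueError("action must be pass or block")
        self.action, self.src, self.dst, self.note = action, src, dst, note


def _matches(addr, spec: Any) -> bool:
    if isinstance(spec, str):
        return spec == "any"
    if isinstance(spec, list):
        return any(addr in net for net in spec)
    return addr in spec


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; an unmatched packet hits the implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(s, rule.src) and _matches(d, rule.dst):
            return rule.action
    return "block"


# Rules applied to traffic entering the firewall from the IoT VLAN.
IOT_RULES = [
    Rule("block", IOT_SUBNET, PRIVATE_NETWORKS, "IoT may not reach any internal subnet"),
    Rule("pass", IOT_SUBNET, "any", "everything else, i.e. the internet, is allowed"),
]

# Rules applied to traffic entering from the primary LAN (stateful firewall: replies
# to flows Home Assistant opens towards IoT devices are allowed automatically).
LAN_RULES = [
    Rule("pass", HA_SERVER, IOT_SUBNET, "Home Assistant may reach IoT devices"),
    Rule("block", LAN_SUBNET, IOT_SUBNET, "no other LAN host may reach IoT"),
    Rule("pass", LAN_SUBNET, "any", "LAN hosts may reach the internet"),
]

# The same two IoT rules, wrong way round: allow-any matches first, the block never fires.
LEAKY_IOT_RULES = list(reversed(IOT_RULES))


def explain(rules: List[Rule], src: str, dst: str) -> str:
    """Human-readable verdict, handy when reviewing a ruleset by hand."""
    return f"{src} -> {dst}: {evaluate(rules, src, dst)}"


if __name__ == "__main__":
    print(explain(IOT_RULES, "192.168.20.50", "1.1.1.1"))        # pass
    print(explain(IOT_RULES, "192.168.20.50", "192.168.10.5"))   # block
    print(explain(LAN_RULES, "192.168.10.5", "192.168.20.50"))   # pass (Home Assistant)
    print(explain(LAN_RULES, "192.168.10.77", "192.168.20.50"))  # block (any other LAN host)
    print(explain(LEAKY_IOT_RULES, "192.168.20.50", "192.168.10.5"))  # pass: the leak
```

The model ignores ports and protocols to keep the ordering point visible; in a real ruleset the Home Assistant exception would normally be narrowed further to the specific devices and ports it needs.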
One thing you should never forget to do is to test the isolation. There would be nothing worse than configuring all your VLANs and setting everything up, only to realize it doesn’t work and everything can communicate freely. Use a PC or some other device to ping specific addresses on other VLANs you know are currently up and active. If everything works, those pings should only succeed where you have explicitly written a rule to allow them. Once done, I was once again able to enjoy a truly segregated LAN with peace of mind.
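Rather than pinging a handful of addresses by hand, the test is easier to repeat if the intended reachability is written down and compared against what is observed. The following is an added example, not part of the article, meant to be run from a test machine on the IoT VLAN; the gateway and Home Assistant addresses, the public address standing in for "the internet", and the Linux `ping` flags are constructed assumptions you would adjust for your own network.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# Constructed expectations for a test laptop plugged into the IoT VLAN (192.168.20.0/24):
# only the outside world should answer; everything on the primary LAN should not.
# Addresses other than the two subnets named in the article are made-up examples.
EXPECTED_FROM_IOT: Dict[str, bool] = {
    "192.168.20.1": True,   # the IoT VLAN's own gateway (assumed address)
    "192.168.10.1": False,  # primary LAN gateway
    "192.168.10.5": False,  # Home Assistant host: it may initiate to IoT, not the reverse
    "1.1.1.1": True,        # a public address, standing in for "the internet"
}


def ping(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the system ping (Linux iputils flags assumed; macOS uses -W in ms)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def check_isolation(expected: Dict[str, bool],
                    probe: Callable[[str], bool] = ping) -> List[Tuple[str, bool, bool]]:
    """Return (host, expected, observed) for every host whose reachability differs from the plan.

    A host that answers when it should not is a leak in the firewall rules; one that stays
    silent when it should answer usually means an over-broad block rule or a device that is
    simply down. The probe is injectable so the comparison logic can be tested offline.
    """
    violations = []
    for host, should_reach in expected.items():
        observed = probe(host)
        if observed != should_reach:
            violations.append((host, should_reach, observed))
    return violations


def leaks(violations: List[Tuple[str, bool, bool]]) -> List[str]:
    """Only the dangerous subset: hosts that were reachable but should have been blocked."""
    return [host for host, expected, observed in violations if observed and not expected]


if __name__ == "__main__":
    found = check_isolation(EXPECTED_FROM_IOT)
    for host, expected, observed in found:
        print(f"{host}: expected {'reachable' if expected else 'blocked'}, "
              f"got {'reachable' if observed else 'blocked'}")
    if not found:
        print("isolation matches the plan")
```

Ping only exercises ICMP, so if your rules are written per protocol or port, swap the probe for a TCP connect to the service you actually care about (the Home Assistant web port, for instance); the comparison logic stays the same.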
VLANs are for everyone
Virtual networks aren’t just for big business and enthusiasts. Anyone can configure them with appropriate knowledge and hardware. All it takes is some research and time to get your own VLANs up and running. Although rather daunting at first, and you may break something along the way, the result more than pays off any short-term headaches. With my setup, I can provide Wi-Fi access to guests staying over, keep my IP camera feeds isolated, stop IoT hardware from communicating where it shouldn’t, and have more control over what can happen on the network.