Network vlans - ArveVM/MyAssistedHome GitHub Wiki
Separate vlans for different manufacturers' devices: since some of them require internet access, run their own firmware and have a supplier that can push firmware updates, it is safest to do some network segregation.
Separate vlans for different types of devices. Since my network skills are rather limited, and to simplify future maintenance (and understanding), I've chosen a more granular and detailed segregation, which is a bit of a hassle to set up. Hopefully it will give a better overview of the rules in the long run.
Each vlan has separate port definitions and firewall rules for that particular type/manufacturer's devices, so it is easier to control what is allowed.
Limit connectivity/control: for example, the Sonos app and control of Sonos devices through the app are only available in the new vlan, not from my normal mobile/PC vlan. However, Spotify and HA see the Sonos devices on the new vlan just fine.
General rules:
- for all vlans: IP range = vlan ID, domain = local, Default Gateway = Auto, DNS = 192.168.2.141 and 192.168.2.1
- if NTP is ticked, the NTP server is 192.168.2.141
- if DNS is ticked, there is an allow rule from the vlan range to the DNS server/port
- E&R = Established and Related
- MC = Multicast (mDNS)
- IA = Internet access
- all internal ranges start with 192.168.
| Vlan | Range | Description/purpose | IA | DNS | MC | NTP | Allow | Deny | Comment |
|---|---|---|---|---|---|---|---|---|---|
| Default | 2.0/24 | GW, server/HA, switches | X | X | | | Any-Any | Any-Any | |
| n/a | 4.0/24 | VPN L2TP | | | | | | | |
| n/a | 5.0/24 | Wireguard VPN | | | | | | | |
| 10 | 10.0/24 | Trusted | X | X | | | Any-Any | Any-Any | |
| 11 | 11.0/24 | Kids | X | X | X | X | E&R | | |
| 20 | 20.0/24 | IoT 'general' | X | X | | | E&R | All_Local_IP | |
| 21 | 21.0/24 | Sonos | X | X | | | E&R; HA_servers: TCP, SonosPorts(1440,1443,4444) | All_Local_IP | Sonos app works only in this vlan! |
| 22 | 22.0/24 | GoogleCast | X | X | | | E&R; Nesthub to HA (lots of ports) | All_Local_IP | |
| 23 | 23.0/24 | D-Link | X | X | | | E&R | Any-Any | |
| 29 | 29.0/24 | Guest | X | X | | | E&R | All_Local_IP | |
| 30 | 30.0/24 | Shelly | ? | X | X | | E&R; HA_servers: UDP, PortGr=Shelly(5683); HA_servers: PortGr=MQTT(1883); ShellyFWupdateIPs | Any-Any | |
| 31 | 31.0/24 | SimiCam | | | | | E&R | Any-Any | manually configured NTP IP |
| 32 | 32.0/24 | espHome | X | | | | E&R | Any-Any | |
| 33 | 33.0/24 | NoT-reolink | X | x | | | E&R | Any-Any | IP reservations, IP in Frigate/go2rtc config |
| 43 | 43.0/24 | TestSubnet | X | X | X | | E&R; HA server, Shelly | Any-Any | |
IPs for firmware update, added to the group ShellyCloudFW update:
- Gen1 (ShellyPlugS): 23.251.142.183
- Gen2 (Shelly+1): 34.79.102.148
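As an added example (not the wiki's own configuration), the allow/deny scheme above can be modelled as an ordered first-match rule list, so a planned flow can be checked before touching the router; the HA server address 192.168.2.10 is an assumption, and Shelly's two X cells are read as DNS and NTP:

```python
import ipaddress

# Added example, not the wiki's own config: first-match evaluator for the page's rule
# scheme (vlans 21 Sonos and 30 Shelly). Only new outbound flows are judged; E&R is implicit.
LOCAL = ipaddress.ip_network("192.168.0.0/16")       # "all internal ranges start with 192.168."
DNS_SERVERS = {"192.168.2.141", "192.168.2.1"}
NTP_SERVER = {"192.168.2.141"}
HA_SERVERS = {"192.168.2.10"}                         # ASSUMED server/HA address, not on the page
SHELLY_FW_IPS = {"23.251.142.183", "34.79.102.148"}   # group "ShellyCloudFW update"

def rule(action, dsts, proto="any", ports=()):
    """dsts is a set of IP strings, 'local' (every 192.168.x.x address) or 'any'."""
    def match(dst, p, port):
        if dsts == "any":
            hit = True
        elif dsts == "local":
            hit = dst in LOCAL
        else:
            hit = str(dst) in dsts
        return hit and proto in ("any", p) and (not ports or port in ports)
    return action, match

def build_rules(dns, ntp, extra, deny):
    """General rules from the page: DNS/NTP allows, vlan-specific allows, then the deny."""
    rules = []
    if dns:
        rules.append(rule("allow", DNS_SERVERS, ports={53}))
    if ntp:
        rules.append(rule("allow", NTP_SERVER, "udp", {123}))
    rules += extra
    rules.append(rule("deny", "local" if deny == "All_Local_IP" else "any"))
    return rules

def evaluate(rules, dst, proto, port, internet_access=True):
    """Return 'allow' or 'deny' for a new flow from the vlan to dst:port over proto."""
    dst = ipaddress.ip_address(dst)
    for action, match in rules:
        if match(dst, proto, port):
            return action
    # nothing matched: only non-local traffic gets out, and only when IA is ticked
    return "allow" if internet_access and dst not in LOCAL else "deny"

SONOS = build_rules(dns=True, ntp=False, deny="All_Local_IP",
                    extra=[rule("allow", HA_SERVERS, "tcp", {1440, 1443, 4444})])
# Shelly's two X cells are read here as DNS and NTP (an assumption).
SHELLY = build_rules(dns=True, ntp=True, deny="Any-Any",
                     extra=[rule("allow", HA_SERVERS, "udp", {5683}),
                            rule("allow", HA_SERVERS, ports={1883}),
                            rule("allow", SHELLY_FW_IPS)])
```

With Deny Any-Any at the end, the IA tick no longer matters, which is why the Shelly row can leave it as "?" as long as the firmware-update IPs are explicitly allowed.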
- KennethM - personal support, knowledge transfer :)
- NetworkChuck - Docker networking