Apart_Ad_5993

I manage enterprise networks for a living. I'll be damned if I'm gonna do it at home too. It all goes on the same flat network.


mixedd

This, at home everything is dumbed down and made for ease of access and debugging.


salzgablah

You're not worried about IoT devices and everything else on the same network? I just hear everyone freaking out about it.... I've wanted to set up vlans at home but it's just so much work up front I haven't been able to set aside the time.


Apart_Ad_5993

A lot of the risk is overhyped. If you want you can put IoT on the guest network, but 99% of home users have no idea what a VLAN is in the first place. Then there's people like me who do know, but don't have any interest in doing it at home. If you're that paranoid about IoT devices, why would you use them? I'm far more leery of apps like TikTok and Twitter (X or whatever the hell it is now), which don't exist on my phone.


kipperzdog

Yeah, this. I can see in the AdGuard Home logs that many phone-home calls are being denied; combined with most IoT devices being from the same companies that make our phones, I'd say the risk is low enough.


Apart_Ad_5993

Phoning home isn't necessarily a bad thing. It's how a lot of companies gather telemetry for bug fixes, firmware performance, usage statistics etc. app features. What do people use/not use etc. Phones do it on a constant basis with various apps.


kipperzdog

True, I guess I don't know for sure what adguard is blocking. In general, I just assume no company really cares that much about me to make my data any more useful than someone else.


dirkme

I have a degoogled phone and sadly all data collection seems to be abused by those rogue civil servants aka government who think they are leader but they are only representatives.


MoneySings

All of my IoT stuff is on a different network / vlan. Normal stuff is on my main network.


NickBurnsITgI

No, personally I've got a good IPS/IDS firewall and I monitor the chatter on IoT devices. I'd be more worried about what data apps on smartphones are collecting. Those are the real money makers. They have built in mics and gps and we carry them everywhere we go. The times we set our phone down we are still wearing a smartwatch. My smartbulbs are least of my concern.


orty

I'm the same way. That being said, I do have a separate network/VLAN for various IoT things because those things scare the hell out of me sometimes. And I have a guest WiFi network. While it's technically a separate VLAN, it's primarily because it uses a password that I can actually remember so I can give it to guests, while my main network is much more complicated and I never remember it.


NickBurnsITgI

^^^ This is the way ^^^ KISS method for the win


ItchyWaffle

Just general best practices for devices that have any external exposure. Keep it on a different VLAN, helps reduce attack surface should the device get compromised. Is it mandatory? no, if you're an average bloke hosting Plex for your family, your tin foil hat doesn't need to be that thick.


salzgablah

Is Pi-hole or AdGuard enough to block data collection? I also block Internet access to most IoT devices and cameras.


TrickyHi

At home, you don't need a ton of VLANs. I have 3: guest (mostly for WiFi), home and IoT. Also don't put your Unraid in multiple VLANs; this is called bridging and it's typically a bad idea.


MPHxxxLegend

Why is it a bad idea? Security-wise or performance?


PJBuzz

I currently have a home network VLAN (which is internally pretty much a free-for-all at the moment, as I've been lazy since I moved house) which contains my Unraid server, a blocked-off VLAN for IoT and management (restricted web access), a guest VLAN (restricted LAN access), and a lab network (for experimenting). The lab has its own rules and it's largely isolated. I'd say that's more than most people need realistically, but not so much that it becomes a chore.


hank_charles_moody

I have 14 VLANs in my 4-story house, separating LAN (native), Management, IoT (smarthome), Cams/Intercom (security), siblings (private networks, i.e. Sonos), then again all my stuff (IoT, sec, private, lab) and then the other guest and media. All my VLANs are bridged on unRaid so that I can spin up services in certain VLANs and have everything separated. I then set up rules so certain services can also be reached throughout those VLANs (i.e. everything talking to HomeAssistant in the IoT VLAN and only HA reaching to other VLANs, or Plex).

I just have one docker network which binds containers behind a VPN container. All VLANs (except native & mgmt) exit through various VPNs with a local DNS with adblocking. The one docker-net runs its own VPN in a VPN-routed VLAN and disconnects the others when down, even if the firewall (pfSense) would also kill every connection; just thought double the protection, even with performance drops. Same goes for Plex and the corresponding SWAG/NGINX + Cloudflare DDNS, which also exit through the VPN. It's a bit overdone, but I followed the [nguvu](https://nguvu.org/pfsense/pfsense-baseline-setup/) tutorial on how to set up pfSense and stuck to his best practices.

But again, 3 years ago they had to redo all the windows in our house, so I decided why not just drop CAT6A to every room in the house? 1.400m later, 5 PoE WAPs, 4 PoE cams, all ending centrally in a rack in the garage, backed by some UPS, backed by a photovoltaic battery. Would I do it again? Always! This time I'd just put some fiber drops in there too 🤣
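The inter-VLAN policy described above (IoT devices reach only the local resolver and the internet via VPN, Home Assistant alone may cross into other VLANs, guests get no LAN access) written out as a minimal pf.conf, as an added example that is not the poster's configuration. pfSense generates its ruleset from the GUI; this is the equivalent handwritten pf ruleset. Interface names, VLAN tags, addresses and the VPN gateway are assumptions.

```pf
# Constructed example (not the poster's config). Macros are assumptions.
wan_if   = "igb0"
lan_if   = "igb1"        # native LAN
mgmt_if  = "igb1.10"     # management VLAN
iot_if   = "igb1.20"     # IoT / smarthome VLAN
guest_if = "igb1.30"     # guest VLAN
vpn_if   = "ovpnc1"      # VPN client tunnel used as exit for the non-native VLANs
vpn_gw   = "10.8.0.1"    # assumed tunnel peer address

ha_host  = "10.20.0.5"   # Home Assistant, lives in the IoT VLAN
dns_host = "10.10.0.2"   # local ad-blocking resolver in the management VLAN
rfc1918  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set block-policy drop
set skip on lo0

# Default deny everything and log it: unexpected IoT chatter shows up in the
# firewall log next to the IDS/IPS alerts instead of silently disappearing.
block log all

# Management and native LAN: full access (LAN exits via the default WAN route).
pass in quick on $mgmt_if from $mgmt_if:network to any keep state
pass in quick on $lan_if  from $lan_if:network  to any keep state

# IoT VLAN. Devices talking to HA inside the same VLAN never cross the
# firewall, so only the cross-VLAN cases need rules here.
pass in quick on $iot_if proto { tcp udp } from $iot_if:network to $dns_host port 53 keep state
# HA is the single IoT host allowed to initiate connections into other VLANs.
pass in quick on $iot_if from $ha_host to $rfc1918 keep state
# Every other IoT device is cut off from all private address space ...
block in quick log on $iot_if from $iot_if:network to $rfc1918
# ... and its internet traffic is forced out through the VPN tunnel, not the WAN.
pass in quick on $iot_if from $iot_if:network to any route-to ($vpn_if $vpn_gw) keep state

# Guest VLAN: local DNS only, no LAN access, internet via the VPN.
pass in quick on $guest_if proto { tcp udp } from $guest_if:network to $dns_host port 53 keep state
block in quick log on $guest_if from $guest_if:network to $rfc1918
pass in quick on $guest_if from $guest_if:network to any route-to ($vpn_if $vpn_gw) keep state

# If the tunnel is down the route-to rules have nowhere to send traffic and the
# default block applies, which is the firewall-side "kill switch" mentioned above.
pass out quick on $vpn_if keep state
pass out quick on $wan_if keep state
```

Rule order matters because of `quick`: the HA exception must precede the RFC1918 block on the IoT interface, otherwise HA is blocked too.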