sherburt3 4 days ago
Having VLANs in a home feels insane to me. What's the point?
redundantly 4 days ago
I segregate using VLANs based on usage:

- IoT
- Personal
- Work
- Kids/guests
- Lab

The first four have their own WiFi SSID. I don't want various cameras/sensors/lightbulbs that rarely get updates to have access to my personal network. I don't want to mix personal use with work use (I work from home). In a similar vein, I trust my kids about as much as I trust random IoT devices. The lab network is just random stuff, like an archive team warrior VM that I have running.

I could do everything on one single network, but if a single host or device is compromised everything is, and I'm too paranoid to run like that.
scottlamb 3 days ago
I use separate LAN segments because the "S" in "IoT" is for "security". I have a bunch of cheap, closed-source IP cameras with poor software quality. [1] Irrigation controller, landscape lighting, printer, scanner, TV, AV receiver, Roku, Sonos, dishwasher [2], key light for video chats, etc. I don't trust any of these things to be secure. Most of them aren't allowed to access the Internet. Even the ones that need to (Roku/Sonos) aren't allowed to initiate connections to my "trusted" segment that has my laptop and such.

I implement the separate LAN segments with VLANs for practical reasons. I have a few different places (closets/desks) that might terminate devices on different segments because that's how my home is. [3] Having separate switches for each segment in each place with sufficient capacity for potential future needs, and separate uplinks between them, and multiple ports on my router, and separate WiFi access points isn't gonna happen. Instead I have end devices on untagged ports with the correct VLAN set, and trunked ports with 802.1Q tagging for uplinks, APs, and the router.

[1] Coincidentally talked about this recently: https://news.ycombinator.com/item?id=44792209

[2] I avoided the recent Bosch ones that can only do a rinse cycle through WiFi. I think the Miele I bought instead can also be put on WiFi, though I haven't felt the need so far.

[3] Old. Without a dedicated space for networking—most of the drops are in the top of my coat closet. Difficult to wire, particularly the largest room that was converted from a garage, is on a slab, and has the old foundation perimeter between it and the rest of the house's crawl space.
m463 4 days ago
Oh my. My quality of life changed SO MUCH when I put in VLANs. Machines go onto the appropriate VLAN. The winner was the "jail" VLAN. Any machine on it can't get out. Maybe for updates through a filtering proxy like privoxy. Every house should have VLANs like this. The status quo of "every machine can talk to the internet" or "buy our cloud-based router" is just uncomfortably common.
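For readers who want to see what scottlamb's segment policy (IoT with no Internet, media devices that can reach the Internet but not the trusted segment, 802.1Q trunks into the router) and m463's "jail" VLAN (nothing out except a filtering proxy) look like on a Linux router, here is an added example. It is not any commenter's actual configuration: the interface names (eth0 trunk, eth1 WAN), VLAN IDs, addresses, and the proxy host are all assumptions; 8118 is privoxy's default listen port. The script emits the `ip` commands for the tagged sub-interfaces and a default-deny nftables forward policy.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, VLAN IDs,
# addresses and the proxy host are assumptions for illustration.

UPLINK=eth0          # 802.1Q trunk toward the managed switch (assumed)
WAN=eth1             # Internet-facing interface (assumed)
PROXY_IP=10.0.10.5   # filtering proxy on the trusted segment (assumed)
PROXY_PORT=8118      # privoxy's default listen port

# One segment per line: VLAN ID, sub-interface name, router address, role.
segments() {
    cat <<'EOF'
10 vlan10 10.0.10.1/24 trusted
20 vlan20 10.0.20.1/24 iot
30 vlan30 10.0.30.1/24 media
40 vlan40 10.0.40.1/24 jail
EOF
}

# Commands that create one tagged sub-interface per segment on the trunk,
# so a single router port carries every segment.
vlan_setup_cmds() {
    segments | while read -r id ifname addr _; do
        echo "ip link add link $UPLINK name $ifname type vlan id $id"
        echo "ip addr add $addr dev $ifname"
        echo "ip link set $ifname up"
    done
}

# nftables ruleset: forwarding is denied unless a rule below allows it.
# Traffic to the router itself (DHCP, DNS) is the input chain, not shown.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections a rule below already permitted.
        ct state established,related accept

        # Trusted hosts may open connections to any segment and the Internet.
        iifname "vlan10" accept

        # IoT: no Internet, cannot initiate to other segments; it can only
        # answer connections trusted hosts open to it (covered above).
        iifname "vlan20" counter drop

        # Media (Roku/Sonos class): Internet yes, other segments no.
        iifname "vlan30" oifname "$WAN" accept
        iifname "vlan30" counter drop

        # Jail: only the filtering proxy, for updates; nothing else leaves.
        iifname "vlan40" ip daddr $PROXY_IP tcp dport $PROXY_PORT accept
        iifname "vlan40" counter drop
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" masquerade
    }
}
EOF
}

# Usage on the router (needs root): sh -c "$(vlan_setup_cmds)"; gen_ruleset | nft -f -
```

The `counter drop` lines are there so `nft list ruleset` shows how often each segment tried to cross a boundary it is not supposed to, which is the cheapest detection you get from this layout. One caveat the thread does not mention: multicast discovery (mDNS, SSDP) does not cross segments, so casting to a Roku or finding a Sonos from the trusted VLAN needs an mDNS reflector or a static address rather than a rule here.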