this post was submitted on 15 Aug 2023
35 points (97.3% liked)

WiFi setup (lemmy.omat.nl)
submitted 1 year ago* (last edited 1 year ago) by toma@lemmy.omat.nl to c/selfhosted@lemmy.world
 

Hi,

I sometimes hear/read about people putting their TV and other devices on a guest WiFi or even on a separate VLAN. Most guest WiFis also have client isolation. I can understand that desire but I'm always wondering how that works in real life.

If you have a TV on a guest WiFi, how can you still cast things to it, as I assume your phone is on a different WiFi?

If you put your heating on a different VLAN, how can you control the heating from your server that's on a different VLAN?

What's your setup in this regard? Is it worth splitting? And what do you split and what not?

top 8 comments
[–] Im_old@lemmy.world 9 points 1 year ago

You have to set up proper routing, so the two vlans (your mobile/pc wifi vlan and the tv vlan for example) can communicate. But you don't give Internet access to the tv/thermostat vlan, so they can't "call home" and send all kinds of tracking back home.

[–] chris@l.roofo.cc 5 points 1 year ago (1 children)

Doing these "find your device with magic and do stuff" things can be a bit troublesome across networks. Some is possible to set up but sometimes it just doesn't work. It is the tradeoff between security and comfort.

[–] knobbysideup@lemm.ee 1 points 1 year ago (1 children)

A 1:1 NAT to the other network usually solves it for me.

[–] chris@l.roofo.cc 1 points 1 year ago

What about mDNS?

[–] DrinkMonkey@lemmy.ca 3 points 1 year ago

You create inter vlan rules that allow connections from your main vlan to the other vlans, but only allow established and related traffic from the secondary vlans back to the main vlan.

I have a separate vlan for IoT and guests but punch holes for contact back to my HomePods (main vlan) for my Ecobee thermostat (IoT vlan) to contact so my kids can use Siri to get the weather in the mornings, and for guests to use the printer, that sort of thing.
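
The policy described in the comments above (the main VLAN may open connections, the isolated VLANs only get established/related replies plus a few punched holes, and the IoT VLAN has no Internet access), written as an nftables forward chain. This is an added example, not part of the original thread; the interface names, addresses, table name and printer port are assumptions.

```nftables
# Added example. Everything named here is an assumption, not from the thread.
define MAIN    = "vlan10"        # phones, PCs, server
define IOT     = "vlan20"        # TV, thermostat
define GUEST   = "vlan30"        # guest WiFi
define WAN     = "wan0"          # uplink to the Internet
define HOMEPOD = 192.168.10.50   # constructed address on the main VLAN
define PRINTER = 192.168.10.60   # constructed address on the main VLAN

# Create-then-delete makes the file reloadable without touching other tables.
table inet vlan_fw
delete table inet vlan_fw

table inet vlan_fw {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # The main VLAN may open connections to IoT devices and the Internet.
        iifname $MAIN oifname { $IOT, $WAN } accept

        # Guests get Internet access only.
        iifname $GUEST oifname $WAN accept

        # Punched holes: one destination host each, nothing wider.
        # The thermostat may reach the HomePod (ports not narrowed here).
        iifname $IOT oifname $MAIN ip daddr $HOMEPOD accept
        # Guests may print; 631/tcp (IPP) is an assumed printer port.
        iifname $GUEST oifname $MAIN ip daddr $PRINTER tcp dport 631 accept

        # No accept rule leads from IoT to WAN, so the policy already drops it.
        # This rule only counts and logs the attempts so they are visible.
        iifname $IOT oifname $WAN counter log prefix "iot-to-wan " drop
    }
}
```

`nft -c -f <file>` checks the file without loading it. The rules cover routed unicast only; mDNS discovery uses link-local multicast, which a router does not forward between VLANs.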

[–] youngerpants@lemmy.world 1 points 1 year ago

This is what Layer 3 is for. You need to open the relevant port between vlans (e.g. TCP 443 for https) on the firewall. I think it's UDP 1900 but may vary by appliance.

I'd also allow multicast, ICMP (ping) and DNS between your vlans as a minimum depending on what they're used for.

[–] knobbysideup@lemm.ee 1 points 1 year ago

Routing. On wireless, however, some devices are really stupid and can only talk to things on their own subnet. To address that, I use NAT on the IoT vlan to the real device on the private side.

[–] Decronym@lemmy.decronym.xyz 0 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| IP | Internet Protocol |
| IoT | Internet of Things for device controllers |
| TCP | Transmission Control Protocol, most often over IP |
| UDP | User Datagram Protocol, for real-time communications |

4 acronyms in this thread; the most compressed thread commented on today has 20 acronyms.

[Thread #52 for this sub, first seen 16th Aug 2023, 10:35]