Home Automation brings devices… lots of devices. If you have a tonne of Zigbee or Z-Wave devices, they’re going to build a mesh network. If you go with Wifi, you’re gonna be connecting a lot of devices to your home wifi. It’s not super critical to segregate for that reason, but in this brief blog, I talk through how I’ve gone about it in my Smart Home.
Let’s talk a bit of background – those that know me, or know the line of work that I’m in (essentially tech), will understand that I am a complete IT equipment snob, so as you would expect, I’ve got completely over-engineered equipment that is far too expensive, purely to provide my (rather ungrateful) family with what they describe as ‘rubbish wifi’.
Wi-Fi
To those who are interested, I have the following equipment:
Ubiquiti Dream Machine Pro (Link)
Ubiquiti Switch 24 PoE 250W (Link)
Ubiquiti Switch 8 PoE 60W (Link)
2x Ubiquiti Access Point U6 Mesh (Link)
Before anyone states the obvious, I know having 2x APs cannot make a mesh, I’m just too lazy to purchase another one (the intention is to have one in the back garden).
Configuration wise, prior to the Smart Home setup, I had a single SSID (wireless network name) transmitting across both 2.4GHz and 5GHz ranges onto a single private network. Nothing particularly clever or unusual, which I’m sure does not justify the above investment.
In the new world however, I felt it would make more sense to have a separate VLAN and Wifi network for my devices, not because the above equipment wasn’t capable, but because I didn’t want any device on that network to be able to talk outbound to the Internet. The thing with IoT devices is that some of them come from China and other countries that are not in the ‘absolutely trust with my data’ category, so if I stop them talking to the Internet, then quite frankly – I don’t care 🙂
In my world, I decided to go with a number of Shelly devices to control my lighting. These are all wifi based so would be the obvious candidates for my new IoT VLAN.
Network Setup
Keeping it nice and simple, on my Unifi Controller (Dream Machine Pro) I created a new VLAN and gave it a /24 subnet. For those non-network bods about here, this gives me 254 usable addresses ranging from 192.168.2.2-192.168.2.254.
Take note that I have left the ‘Allow Internet Access’ unticked.
From there, within the same console, I set up a new SSID for my access points to advertise, which lands all devices that connect to it in the above VLAN. No major changes here, other than that I have unticked advertising this SSID over 5GHz.
The reason for only advertising over 2.4GHz is two-fold. Firstly, the main devices I will have here are Shelly devices, which only connect over 2.4GHz, and secondly the 5GHz band, although fantastic for network speed (hence most modern devices using it) isn’t as good for penetrating through walls, and generally is not as good as 2.4GHz coverage wise.
For IoT devices, we’re not concerned about speed on the whole, but reliability in connectivity, so 2.4GHz is the winner here.
The network security bods amongst you will point out that you can still traverse my 2x VLANs without any east-west protection, essentially hopping from a network without Internet access to a network with it. However, for ease of management, I’ll leave it as it is.
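An added example (not from the original post, and not UniFi’s configuration format): a simplified first-match firewall model in Python that compares the setup as described with a variant that adds an east-west rule. The main LAN subnet 192.168.1.0/24, the host addresses and Home Assistant sitting on the main LAN are assumptions.

```python
# Added example: simplified first-match firewall model. Every subnet and
# host other than 192.168.2.0/24 is an assumption, not a value from the post.
from ipaddress import ip_address, ip_network

IOT = ip_network("192.168.2.0/24")    # IoT VLAN from the post
MAIN = ip_network("192.168.1.0/24")   # assumed main LAN subnet
ANY = ip_network("0.0.0.0/0")

# Rule: (action, source net, destination net, state) where state is
# "new", "established" or "any". The first matching rule wins.
AS_DESCRIBED = [
    ("accept", IOT, MAIN, "any"),     # no east-west rule: VLANs route freely
    ("accept", MAIN, IOT, "any"),
    ("drop",   IOT, ANY,  "any"),     # 'Allow Internet Access' unticked
    ("accept", MAIN, ANY, "any"),
]

HARDENED = [
    ("accept", IOT, MAIN, "established"),  # replies to LAN-initiated flows
    ("drop",   IOT, MAIN, "new"),          # IoT may not start connections
    ("accept", MAIN, IOT, "any"),
    ("drop",   IOT, ANY,  "any"),
    ("accept", MAIN, ANY, "any"),
]

def decide(rules, src, dst, state="new"):
    """Return the action of the first rule matching the flow."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, rule_state in rules:
        if s in src_net and d in dst_net and rule_state in ("any", state):
            return action
    return "drop"  # default deny when nothing matches

# Constructed sample flows: (label, source, destination, state)
FLOWS = [
    ("Shelly -> Internet",      "192.168.2.50", "203.0.113.10", "new"),
    ("Shelly -> laptop on LAN", "192.168.2.50", "192.168.1.20", "new"),
    ("HA on LAN -> Shelly",     "192.168.1.10", "192.168.2.50", "new"),
    ("Shelly reply to HA",      "192.168.2.50", "192.168.1.10", "established"),
]

def compare():
    """Map each flow label to (as-described action, hardened action)."""
    return {label: (decide(AS_DESCRIBED, s, d, st), decide(HARDENED, s, d, st))
            for label, s, d, st in FLOWS}

if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:26} as-described={before:6} hardened={after}")
```

A device that must open connections to Home Assistant itself would need a narrow accept for that one destination placed ahead of the IoT-to-LAN drop.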
For those also concerned about firmware updates, thankfully Home Assistant supports firmware updates for Shelly devices which, of course, you would expect from a platform actively encouraging cloud-free and local control of your Smart Home.
Zigbee
As I talked about in my previous blogs, Wifi isn’t the only technology that makes up my Smart Home. I’m using a number of Zigbee devices: mostly sensors, but let’s list them and their function:
- Aqara Roller Shade Driver E1 (Link): This makes any ‘dumb’ roller blind smart. It attaches to the beaded cord and you can control it just like any other HA device
- Aqara Motion & Light Sensor P2 (Link): These are PIR sensors that I put up in a number of rooms to detect motion which I can use to trigger automations such as lights turning on (or off)
- Aqara Temperature and Humidity Sensor (Link): I use these in the bathrooms, as it allows me to turn on the extractor fan automatically if someone is showering or if we are drying clothes.
- IKEA PARASOLL (Link): These are simple door (or window) sensors to detect if something is open or closed. I use these on all of my external doors to detect whether someone is entering, but also before I go to bed to ensure that all doors are closed.
- Aqara Smart Wall Switch H1 w/ Neutral (Link): I am currently using this in my office as an alternative to the Shelly in-socket devices. This was purely a trial to see if I preferred it, and on the whole it’s a great device.
- Click Smart+ 2 Gang Smart Socket (Link): These replace the face plates on your socket and can allow you to switch on and off plug sockets from Home Assistant. I actually use this in an external IP66 socket to power off some external lighting in our garden.
- Tuya 20A Zigbee Smart Plugs (Link): These are simply plugs, that can be plugged into a ‘dumb’ UK socket to allow you to power on or off the individual appliance that is attached. Currently I use these for living room lamps, etc.
- Home Assistant Sky Connect (Link): This plugs directly into my Home Assistant Mini PC via USB-A, and essentially provides the Zigbee connectivity to my house via ZHA (Zigbee Home Automation). There is an option to use Zigbee2MQTT, which is often compatible with a larger list of devices (including devices that don’t fully conform to the Zigbee standard), but as it stands, I’m yet to run into any issues using ZHA, which is very much plug and play.
Tip: Use a USB extension cable to keep it away from anything that may cause interference (such as your Wifi, etc).
What’s pretty cool is that in Home Assistant, ZHA will happily show you the Zigbee mesh so you can do a bit of diagnostics for connectivity issues.
There aren’t many (if any) settings to go through with Zigbee; it’s pretty self-sufficient as it stands. The only issue I’ve had is the odd signal dropout, which was resolved by placing smart plugs in strategic places to increase coverage.
I will add, there are alternative Zigbee-compatible USB dongles that use Z2M (Zigbee2MQTT) that are well known in the HA community – I’ll post the links to those below:
SONOFF Zigbee 3.0 USB Dongle (Link)
Zigstar USG01 (Link)
ZigStar ZBStick-Pro CC2652P2 (Link)
Summary
For me, the key to this is ensuring that all house-related data stays on-premise and that the route of ingress is Home Assistant. I’ve read faaaaar too many articles about weak security on IoT devices that honestly make me nervous, having kids, especially with cameras, etc. Putting them on their own VLAN and stopping them talking to the Internet gives me a little bit of satisfaction that, even if the device uses poor ciphers, or has known vulnerabilities, I can at least control access to it.