Hi,
I sometimes hear/read people putting their TV and other devices on a guest WiFi or even on a separate VLAN. Most guest WiFis also have client isolation. I can understand that desire, but I’m always wondering how that works in real life.
If you have a TV on a guest Wifi, how can you still cast things to it, as I assume your phone is on a different Wifi.
If you put your heating on a different VLAN, how can you control the heating from your server that’s on a different VLAN?
What’s your setup in this regard? Is it worth it to split? And what do you split and what not?
You have to set up proper routing, so the two vlans (your mobile/pc wifi vlan and the tv vlan for example) can communicate. But you don’t give Internet access to the tv/thermostat vlan, so they can’t “call home” and send all kinds of tracking back home.
Without internet your Chromecast can’t play YouTube etc.
Proper routing would be to have an mDNS repeater/relay that straddles both VLANs and handles the casting requests. Then, because the devices are in their own VLAN, you can give them narrow access to services while blocking most addresses to prevent egress of collected data
Doing these “find your device with magic and do stuff” things can be a bit troublesome across networks. Some is possible to set up but sometimes it just doesn’t work. It is the tradeoff between security and comfort.
A 1:1 NAT to the other network usually solves it for me.
What about mDNS?
You create inter-vlan rules that allow connections from your main vlan to the other vlans, but only allow established and related traffic from the secondary vlans back to the main vlan.
I have a separate vlan for IoT and guests but punch holes for contact back to my HomePods (main vlan) for my Ecobee thermostat (IoT vlan) to contact, so my kids can use Siri to get the weather in the mornings, and for guests to use the printer, that sort of thing.
routing. On wireless, however, some devices are really stupid and can only talk to things on their own subnet. To address that, I use NAT on the IoT vlan to the real device on the private side.
This is what Layer 3 is for. You need to open the relevant port between vlans (e.g. TCP 443 for https) on the firewall. I think it’s UDP 1900 but may vary by appliance.
I’d also allow multicast, ICMP (ping) and DNS between your vlans as a minimum depending on what they’re used for.
mDNS for casting…
My guest WiFi’s VLAN has client isolation. And my IoT has the devices isolated with an exception ACL rule that allows them to access and be accessed by my Home Assistant server.
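The policy described in the two comments above (main vlan may initiate to IoT, IoT only gets established/related traffic back, plus a single exception for the Home Assistant server and no Internet egress for IoT), written as an added nftables ruleset for a Linux router. This is example code, not from any poster; the interface names, subnets, Home Assistant address and upstream interface are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: inter-VLAN forwarding policy on a Linux router.
# Assumed names (not from the thread): vlan10 = main, vlan20 = IoT,
# wan0 = upstream, 192.168.10.5 = Home Assistant on the main VLAN.
define MAIN_IF   = "vlan10"
define IOT_IF    = "vlan20"
define WAN_IF    = "wan0"
define HA_SERVER = 192.168.10.5

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for connections that were already allowed in either direction
        ct state established,related accept
        ct state invalid drop

        # Main VLAN (phones, PCs) may open connections to IoT devices
        iifname $MAIN_IF oifname $IOT_IF accept

        # IoT may only initiate to Home Assistant (default port 8123),
        # never to the rest of the main VLAN
        iifname $IOT_IF oifname $MAIN_IF ip daddr $HA_SERVER tcp dport 8123 accept

        # No Internet egress for IoT, so devices cannot "call home";
        # the counter shows how often they try
        iifname $IOT_IF oifname $WAN_IF counter drop

        # Log anything else IoT tried to reach, so holes are widened deliberately
        iifname $IOT_IF log prefix "iot-blocked " drop
    }
}
```

Casting discovery still needs a multicast DNS reflector on the router (for example avahi-daemon with `enable-reflector=yes` in its `[reflector]` section), since mDNS is link-local and is not forwarded by these routing rules.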
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

- DNS: Domain Name Service/System
- IP: Internet Protocol
- IoT: Internet of Things for device controllers
- TCP: Transmission Control Protocol, most often over IP
- UDP: User Datagram Protocol, for real-time communications
[Thread #52 for this sub, first seen 16th Aug 2023, 10:35]