Hi,

I sometimes hear/read people putting their TV and other devices on a guest WiFi or even on a separate VLAN. Most guest WiFis also have client isolation. I can understand that desire, but I’m always wondering how that works in real life.

If you have a TV on a guest WiFi, how can you still cast things to it, as I assume your phone is on a different WiFi?

If you put your heating on a different VLAN, how can you control the heating from your server that’s on a different VLAN?

What’s your setup in this regard? Is it worth splitting? And what do you split and what not?

  • Im_old@lemmy.world · ↑9 · 1 year ago

    You have to set up proper routing, so the two vlans (your mobile/pc wifi vlan and the tv vlan for example) can communicate. But you don’t give Internet access to the tv/thermostat vlan, so they can’t “call home” and send all kinds of tracking back home.

    • jsnfwlr · ↑1 · 1 year ago

      Without internet your Chromecast can’t play YouTube etc.

      Proper routing would be to have an mDNS repeater/relay that straddles both VLANs and handles the casting requests. Then, because the devices are in their own VLAN, you can give them narrow access to services while blocking most addresses to prevent egress of collected data.
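What the mDNS relay described above looks like in practice, as an added example that is not the poster's own setup: the relevant sections of avahi-daemon.conf for a Linux router that has an interface in both VLANs. mDNS is link-local multicast (224.0.0.251, UDP 5353, TTL 1), so a router never forwards it; the avahi reflector instead receives each packet on one interface and re-originates it on the others. The interface names vlan10 (phones/PCs), vlan20 (TV/IoT) and wan0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit the avahi-daemon.conf sections that
# turn a Linux router into an mDNS reflector between two VLANs. The interface
# names are assumptions; substitute your own.

MAIN_IF="${MAIN_IF:-vlan10}"   # phones and laptops that want to cast
IOT_IF="${IOT_IF:-vlan20}"     # TV / Chromecast / other IoT devices

# Print the config. Redirect it to /etc/avahi/avahi-daemon.conf on the router,
# then restart avahi-daemon.
avahi_reflector_conf() {
  cat <<EOF
[server]
use-ipv4=yes
use-ipv6=no
# Only the two VLANs that should see each other's services. Listing the WAN
# interface here would advertise every service name to the upstream link.
allow-interfaces=${MAIN_IF},${IOT_IF}

[reflector]
# Re-originate mDNS packets heard on one allowed interface onto the others.
enable-reflector=yes
EOF
}

# Guard: refuse a config that would reflect onto the uplink (assumed name
# wan0). Returns 0 when the allow-list is free of it, 1 otherwise.
reflector_conf_is_safe() {
  wan="${WAN_IF:-wan0}"
  avahi_reflector_conf | grep '^allow-interfaces=' | tr ',' '\n' \
    | sed 's/^allow-interfaces=//' | grep -qx "$wan" && return 1
  return 0
}

avahi_reflector_conf
```

The reflector only solves discovery: the phone still has to open a unicast TCP connection to the TV afterwards, so the firewall between the VLANs must allow that direction as well.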

  • chris@l.roofo.cc · ↑5 · 1 year ago

    Doing these “find your device with magic and do stuff” things can be a bit troublesome across networks. Some of it is possible to set up, but sometimes it just doesn’t work. It is the tradeoff between security and comfort.

  • DrinkMonkey@lemmy.ca · ↑3 · 1 year ago

    You create inter-VLAN rules that allow connections from your main VLAN to the other VLANs, but only allow established and related traffic from the secondary VLANs back to the main VLAN.

    I have a separate VLAN for IoT and guests but punch holes for contact back to my HomePods (main VLAN) for my Ecobee thermostat (IoT VLAN) to contact, so my kids can use Siri to get the weather in the mornings, and for guests to use the printer, that sort of thing.

  • BoofStroke@lemm.ee · ↑1 · 1 year ago

    Routing. On wireless, however, some devices are really stupid and can only talk to things on their own subnet. To address that, I use NAT on the IoT VLAN to the real device on the private side.

  • youngerpants@lemmy.world · ↑2 ↓1 · 1 year ago

    This is what Layer 3 is for. You need to open the relevant port between VLANs (e.g. TCP 443 for HTTPS) on the firewall. I think it’s UDP 1900, but it may vary by appliance.

    I’d also allow multicast, ICMP (ping) and DNS between your VLANs as a minimum, depending on what they’re used for.

  • jsnfwlr · ↑1 · 1 year ago

    My guest WiFi’s VLAN has client isolation. And my IoT has the devices isolated with an exception ACL rule that allows them to access and be accessed by my Home Assistant server.
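The rules the posters above describe, combined into one nftables ruleset as an added example (not any poster's own config): the main VLAN may open connections into the IoT VLAN and only established/related replies come back (DrinkMonkey); a pinhole lets IoT devices reach one home-automation server on the main VLAN (jsnfwlr's exception ACL, DrinkMonkey's thermostat-to-HomePod case); ICMP and DNS to the router are allowed as a baseline (youngerpants); and a DNAT alias presents that server under an address inside the IoT subnet for devices that refuse to talk off-subnet (BoofStroke). Internet access for the IoT VLAN is a switch that defaults to off, matching Im_old's no-phone-home setup. Interface names, subnets and the 10.0.10.5:8123 server are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset for a
# router that sits between a main VLAN, an IoT/guest VLAN and the uplink.
# Every name and address below is an assumption; adjust before use.
MAIN_IF="${MAIN_IF:-vlan10}"            # phones, PCs, HomePods
IOT_IF="${IOT_IF:-vlan20}"              # TV, thermostat, guests
WAN_IF="${WAN_IF:-wan0}"                # uplink
IOT_NET="${IOT_NET:-10.0.20.0/24}"      # IoT subnet (constructed)
HA_SERVER="${HA_SERVER:-10.0.10.5}"     # home-automation host on the main VLAN (constructed)
HA_PORT="${HA_PORT:-8123}"              # its service port (assumed)
HA_ALIAS="${HA_ALIAS:-10.0.20.5}"       # same host as seen from inside the IoT subnet
IOT_INTERNET="${IOT_INTERNET:-no}"      # yes = let IoT devices reach the uplink

# Emit the complete ruleset on stdout (feed it to `nft -f -`).
inter_vlan_ruleset() {
  if [ "$IOT_INTERNET" = "yes" ]; then
    iot_wan_rule="iifname \"$IOT_IF\" oifname \"$WAN_IF\" accept"
  else
    iot_wan_rule="# IoT has no uplink: phone-home traffic is dropped by policy"
  fi
  cat <<EOF
flush ruleset
table inet vlanfw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # Baseline services the router itself offers to both VLANs:
    # ping, the DNS resolver, and mDNS for a reflector running on the router.
    iifname { "$MAIN_IF", "$IOT_IF" } ip protocol icmp accept
    iifname { "$MAIN_IF", "$IOT_IF" } udp dport { 53, 5353 } accept
    iifname { "$MAIN_IF", "$IOT_IF" } tcp dport 53 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Replies to connections allowed below may flow back; nothing else does.
    ct state established,related accept
    ct state invalid drop
    # Main VLAN initiates anything toward IoT (casting, control) and the uplink.
    iifname "$MAIN_IF" oifname "$IOT_IF" accept
    iifname "$MAIN_IF" oifname "$WAN_IF" accept
    # Pinhole: IoT devices may open connections to one service on main.
    # Evaluated after DNAT, so traffic to the alias address lands here too.
    iifname "$IOT_IF" oifname "$MAIN_IF" ip daddr $HA_SERVER tcp dport $HA_PORT accept
    $iot_wan_rule
    # Log what IoT tries and is denied; the counter gives a quick
    # "who is calling home" check via `nft list ruleset`.
    iifname "$IOT_IF" counter log prefix "iot-denied: " drop
  }
}
table ip vlannat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # Devices that only talk on-subnet reach the main-VLAN server through an
    # alias inside their own subnet. The router must also own that alias
    # (ip addr add $HA_ALIAS/24 dev $IOT_IF) so it answers ARP for it.
    iifname "$IOT_IF" ip saddr $IOT_NET ip daddr $HA_ALIAS dnat to $HA_SERVER
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Syntax-check the generated ruleset without installing it (needs nft).
check_inter_vlan_ruleset() { inter_vlan_ruleset | nft -c -f -; }

inter_vlan_ruleset
```

Run `IOT_INTERNET=yes sh script.sh | nft -f -` on the router to install a variant that lets the TV reach streaming services; with the default, only the pinhole and replies to main-VLAN connections ever leave the IoT VLAN, and everything else shows up in the kernel log with the iot-denied prefix.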

  • Decronym@lemmy.decronym.xyz [bot] · ↑1 ↓1 · edited · 1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    DNS             Domain Name Service/System
    IP              Internet Protocol
    IoT             Internet of Things for device controllers
    TCP             Transmission Control Protocol, most often over IP
    UDP             User Datagram Protocol, for real-time communications

    4 acronyms in this thread; the most compressed thread commented on today has 20 acronyms.

    [Thread #52 for this sub, first seen 16th Aug 2023, 10:35]