# Locking down Matter/Thread/Zigbee?
Hi all, I was wondering what steps one should take to lock down these protocols, and the devices that use them? I am used to normal VLAN and firewall things; however, I am brand new to these kinds of IoT protocols, and as we all know, the "s" in IoT stands for security. I would especially want guidance as to whether or not these kinds of devices can access the internet with these protocols.
Zigbee is fine, completely disconnected from the Internet unless you are using a manufacturer's hub and then connecting to it via cloud rather than a coordinator and z2m or zha.
Thread is also entirely local.
If you're using VLANs with Thread and Matter, then everything IoT, including Home Assistant, needs to be on the same VLAN.
How would I give HA internet access then, without something like DPI?
I'm implementing a hard internet block for IoT.
Actually, nvm.
Firewall rules?
I don't need to worry about that, since my HA container has access to an interface on the IoT VLAN.
I'm getting a bit confused: do Thread and Matter devices have internet access?
I searched online and found some sources saying that Thread devices could access the internet through a border router, which is currently my Nest Hub.
Yes
I don't have an OPNsense box yet, so this is all planning.
So, like HTTP?
If you have IPv6 internet connectivity or a border router which supports NAT64, Thread devices can connect to the internet.
(They mostly shouldn't, since Thread bandwidth is really limited, but it is possible.)
I expect that many Matter-over-Wi-Fi devices will end up including non-Matter cloud features in addition to whatever they do via Matter.
Good idea to use a Google Nest Hub as a Thread Border Router?
I already have it, and would rather not spend any extra money buying something else to get Thread/Matter support if I don't necessarily have to.
Huh?
This is all kinda confusing.
I just want to make sure that none of my IoT devices connected through Thread, or Matter, or both, can access the internet or my main LAN.
Then you don't want to use Google, or Apple, or any other commercial Thread Border Router, because those will need Internet access to work, and so can relay traffic for Thread/Matter devices.
I heard Apple's devices are good for an offline-only Thread+Matter setup.
However, insanely pricey, and I don't like Apple and their proprietary garbage.
Do you know if the Home Assistant Matter controller allows internet access?
The Matter controller has nothing to do with it. The Home Assistant OTBR add-on doesn't do anything to prevent internet access, and even has optional NAT64 support to enable internet access if you have an IPv4-only connection.
hmmm
So what should I do regarding that?
Maybe putting the server container behind a VLAN?
Seems like macvlan could be a good option.
At the network level, Matter traffic is just normal UDP over IP, and a Thread border router is an IPv6 router. The things to make sure of are that you don't interrupt multicast/broadcast packets between the Matter controller and the Thread border router (and between the commissioning device, e.g. a phone, and the Thread border router), since those are needed for mDNS queries and IPv6 router advertisements to work.