# HA Green and VLANs
VLANs are not officially supported.
You will have various problems if you have the Green and the devices that you want to integrate on different VLANs. It is possible that you get things mostly working with manual setups and a bunch of firewall exceptions, but any time you have a problem getting something working in the future there's a high chance it will be related to your network setup.
So would you recommend putting the HA Green on the IoT VLAN? I plan to add firewall rules to allow the VLANs to talk.
It being on the same VLAN as your devices is probably best. Just because VLANs can talk to each other, you may still not have full functionality: some network discovery functions do not work across networks/VLANs, so you may still have problems.
Why are you actually doing this?
I get having a guest network, but splitting up your main network (perhaps with the exception of minimal and specific required but non-trusted devices) just causes problems with no benefit for most home networks.
A lot of the research I have done has mentioned doing this to help separate traffic, manage what is where on the network, and for security purposes.
I am moving from a Google mesh network to a UniFi network. A lot more control and architecture. Things I have seen mention having a network for all smart devices, to keep that separate from your trusted network (computers, phones, etc). One of the videos I watched specified that with the firewall rules in place all smart things should work, including Home Assistant. That made me start to look into it, which led me here.
Even with firewall rules to allow access, things like autodiscovery don't work (there are some things that try to help with this, but they are flaky at best).
Whilst I like UniFi stuff, most of the research you have done is likely by people sponsored by them.
What specific devices do you have that you do not trust?
I am not saying there is no benefit to VLANs, but there's a lot of stuff around that's scaring people. "Lock down your network with today's sponsor." For the overwhelming majority of home networks you don't need a bunch of separate networks.
Having a more basic
guest/trusted/isolated-internet/isolated-no-internet
setup, with only specific devices put on the isolated networks, is probably more sensible.
This has been very helpful. I am waiting for a few more hardware pieces to be delivered, so I am still in the research phase.
I know there are mDNS rules as well for the discovery and such that are in play within the UniFi ecosystem, but I am new to network architecture like this... I am more into HA and smart home things, so will for sure be leaning toward a more HA-friendly setup.
I tend to take the view of "if I don't trust the device then I don't have the device" and lean towards open-source/open-protocol devices.
If you want to play with VLANs then start more simply, until you learn more about it. There's always a bunch of people saying "my xyz device stopped working suddenly" and in reality it's because they set up half a dozen VLANs and loads of things broke.
As someone who is pro-VLAN and has my IoT stuff split up like Mike is going for, I will say: you can get it working, but it can be finicky and may not be worth the work, depending on why you're doing it.
I keep most of my IoT stuff on the same VLAN to avoid most issues, but I have a few rules with my setup that have helped:
- I have a network with devices that are used by humans. Computers, tablets, phones, etc.
- HA, along with all other IoT devices, live on the IoT network only.
- mDNS is allowed across both VLANs to avoid a lot of problems, but IoT devices cannot establish the initial connection to the human network.
- Established connections are allowed across VLANs to ensure the human network can access the IoT network and the IoT network can reply.
- For devices that are supposed to be local only, they still live on the same VLAN, but I explicitly disallow them access to the Internet
Now, my threat model, the reason I do this, is to prevent IoT devices that get pwned from affecting human devices, or vice versa (if humans on my network do something stupid). This does not really solve "distrust of the device itself." If you don't trust the device, +1 to what piez0r said. It also doesn't solve IoT devices owning each other. That might happen, but I try to only use Zigbee/Z-Wave so there are not very many that could really do that.
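The rule set described in the post above, written out as an added example (not from the thread, and not UniFi configuration): an nftables ruleset for a Linux router that does the inter-VLAN routing. Interface names, VLAN IDs, the IoT subnet and the "local only" addresses are assumptions. The one thing a firewall rule cannot do is the mDNS part: mDNS is link-local multicast (224.0.0.251 / ff02::fb, TTL 1) and is never routed, so "allowing mDNS across VLANs" means running a reflector on the router (avahi-daemon with `enable-reflector=yes`, or UniFi's Multicast DNS setting) and letting the router itself receive the multicast on both VLANs. That reflector is the piece that tends to be flaky.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread's or UniFi's own config. Assumptions:
#   VLAN 10 (eth0.10) = devices used by humans, VLAN 20 (eth0.20) = HA + IoT,
#   eth1 = WAN uplink, 192.168.20.0/24 = IoT subnet. Adjust to your network.
flush ruleset

define human_if   = "eth0.10"
define iot_if     = "eth0.20"
define wan_if     = "eth1"
define vlan_ifs   = { "eth0.10", "eth0.20" }
# Assumed addresses of IoT devices that must work LAN-only (no Internet at all).
define local_only = { 192.168.20.50, 192.168.20.51 }

table inet homefw {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

        # Router services both VLANs need: DNS and DHCP.
        iifname $vlan_ifs udp dport { 53, 67 } accept
        iifname $vlan_ifs tcp dport 53 accept

        # Router admin (SSH) only from the human VLAN.
        iifname $human_if tcp dport 22 accept

        # mDNS for the reflector running on the router. This is what "mDNS
        # allowed across both VLANs" really requires; a forward rule would never match.
        iifname $vlan_ifs ip daddr 224.0.0.251 udp dport 5353 accept
        iifname $vlan_ifs ip6 daddr ff02::fb udp dport 5353 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to any allowed flow pass in either direction.
        # This is what lets the IoT VLAN answer the human VLAN without being
        # able to open connections toward it.
        ct state established,related accept
        ct state invalid drop

        # Humans may initiate toward IoT (HA web UI, device apps).
        iifname $human_if oifname $iot_if ct state new accept

        # Local-only devices get no Internet. Must sit before the generic WAN rule.
        iifname $iot_if oifname $wan_if ip saddr $local_only drop

        # Everything else on either VLAN may reach the Internet.
        iifname $vlan_ifs oifname $wan_if ct state new accept

        # IoT -> human initiations are logged, then hit the drop policy.
        iifname $iot_if oifname $human_if log prefix "iot-to-human-drop: " drop
    }
}
```

Load it with `nft -f homefw.nft` and confirm with `nft list ruleset`; with `/proc/sys/net/ipv4/ip_forward` set to 1 the router will route between the VLANs and this ruleset decides which directions may start a flow. The policy does not fix a device that needs to call back into the human VLAN on its own (some casting and notification features do exactly that), which is the "you may still have problems" case raised earlier in the thread: check the `iot-to-human-drop:` log lines when something stops working before adding a narrower exception.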
This was super helpful and sounds like what I am going for.