With homes becoming more and more connected, what’s the best ratio of convenience vs security in 2025? I have a few devices at home and would love to know how the community would segment them.
Cameras: mixed between WiFi and PoE: I have a few Aqara cameras that are currently a mix between WiFi and PoE cameras. I use the Aqara Bridge connected using Ethernet and the Aqara app to view them while my wife uses the Apple Home app. I also want them on Home Assistant which is connected through Ethernet.
WiFi-based IoT devices: I have a few thermostats and IR/RF (Broadlink) based controllers that connect to WiFi. These need to be accessible to Home Assistant, which is connected via Ethernet.
Zigbee Network: I have a PoE based Zigbee controller that talks to Home Assistant and all the Zigbee devices at home.
Matter/Thread: I have an Apple TV (connected via Ethernet) that acts as a Thread router, controlling some Matter devices that are also visible to Home Assistant.
Smartphones, tablets, computers: Between my wife and three kids there are tons of devices. Kids and wife also use AirPlay to show stuff from their phones/tablets to TVs.
TVs, soundbars, PlayStation, Sonos: I have a few media devices at home. I also have a drone and a pocket camera that connect over WiFi.
Guests: Would ideally like a separate guest network
I am using a UniFi setup for the gateway (UDM SE), switches and APs (mixed WiFi 7 and WiFi 6), which will hopefully make it easier to set up; however, I really don’t want to micro-manage everything. Would you just leave everything on the same network and call it a day, or would you segment them into VLANs? If VLANs, how many? And how many WiFi networks?
You can go overboard and assign one VLAN per device. If you don’t limit connectivity between VLANs using the firewall inside the router, then all devices will be able to communicate with all others … unless some on-device firewall blocks it because it sees communication from a “foreign” subnet (Windows by default does). And there are certain means of communication which don’t work nicely across routers (e.g. anything involving broadcasts and multicasts, such as automatic discovery of clients/servers). Most of the time you can work around/across those obstacles … but then you have to decide whether the complexity of the setup and the amount of work necessary really offsets the gained security.
So for me, the optimum is to have as many IP subnets as there are (groups of) devices which don’t have to communicate with each other (they mostly only need internet access, or they can even be contained in an isolated subnet). Anything more than that makes the admin’s life a PITA. E.g. having a smart TV, media server, home cinema system and smartphones (to manage all of them) each on a separate subnet/VLAN is a PITA, because all of these devices only work nicely together if they can communicate without too many hurdles. Or: printers isolated in a different subnet than PCs … while printing mostly does work in such a setup, setting up printers on a PC has to be done largely manually (because they cannot be autodetected) … unless you install all sorts of helpers (mDNS relay or something similar). And those helpers defeat a large portion of the reasoning behind splitting your network into multiple subnets (similarly to how UPnP enabled on an edge router defeats lots of firewall filtering).
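One way to write down the “only the groups that must talk can talk” policy from the reply above, as an added nftables example for a Linux router (this is not the poster’s configuration and not UniFi syntax, which the OP would set through the controller UI). The VLAN interface names and the Home Assistant address 10.0.10.5 are assumptions:

```nft
#!/usr/sbin/nft -f
# Assumed layout (not from the thread): vlan10 = trusted LAN with Home Assistant
# at 10.0.10.5 plus phones/laptops, vlan20 = IoT (cameras, thermostats, Broadlink),
# vlan30 = guest, wan = upstream link.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # every VLAN may use the router for DHCP and DNS, nothing else
        iifname { "vlan10", "vlan20", "vlan30" } udp dport { 53, 67 } accept
        iifname { "vlan10", "vlan20", "vlan30" } tcp dport 53 accept
        # only the trusted VLAN may reach the router's own admin services
        iifname "vlan10" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # return traffic for connections that were allowed in the other direction;
        # this is what lets HA poll a camera without the camera ever initiating
        ct state established,related accept
        # trusted VLAN (Home Assistant, phones, laptops) may initiate to anything
        iifname "vlan10" accept
        # IoT and guests get the internet and nothing on the inside
        iifname { "vlan20", "vlan30" } oifname "wan" accept
        # the one deliberate hole: IoT devices that push to HA (e.g. MQTT)
        # may reach that single host on that single port
        iifname "vlan20" ip daddr 10.0.10.5 tcp dport 1883 accept
    }
}
```

Link-local multicast such as mDNS (224.0.0.251) is never routed, so this ruleset does nothing for AirPlay or camera discovery across VLANs; that needs a reflector (e.g. avahi-daemon with enable-reflector=yes, limited to the trusted and IoT interfaces), which reopens exactly the discovery path the reply warns about.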
As noted, form follows function. VLANs are cheap; use as many as you think you need.
In terms of security, I will keep it short, with no wishy-washy talk.
Should cameras from company A be in the same VLAN as the alarm system from company B? EFF NO.
Should cameras from company A be in the same VLAN as home users? EFF NO.
Should guest users be on the same VLAN as home users? EFF NO.
So what is not clear to you in terms of the number of VLANs you need?
For example, my spouse’s computer, sometimes used for work, is on its OWN VLAN.
I had a poker player in the house; they were on their own VLAN.
etc
etc.
Somewhat personal preference and in some cases need. I used to have more than I do now, but I had two ISPs and certain VLANs were forced onto one ISP and other VLANs were on the other ISP. However, my fiber is so reliable that I dropped my cable a year or so ago. With that, some of the VLANs went away. However, I have my “main” home LAN (only wired devices), a main WiFi, guest WiFi, two for specific ham radio applications, a VoIP phone, and most of my IoT devices. There are also seven more that are each connected to the LAN port of a ham radio AREDN node so that the router gets an IP from each of those nodes. That gives me wired access to those nodes via the LAN port. Most of the VLANs are isolated, except a few selected IPs have access to some of the various other VLANs.
Yea, I’m not normal…
Also, OP, because you use UniFi APs and they fully support PPSK as well as WPA2-Enterprise/WPA3-Enterprise, you can have one SSID carrying as many VLANs as you want at the same time. In theory you would only need two SSIDs: one configured with PPSK for devices not supporting WPA2-Enterprise/WPA3-Enterprise (IoT devices, one VLAN per password) and one SSID with WPA3-Enterprise (for phones, tablets, laptops; can have an individual VLAN per user account or user group).
That way you can even have one VLAN per device without ballooning the number of SSIDs. If you have kids, you can give each child one VLAN, and any filtering or time restriction can be applied to the VLAN, without being bothered by modern devices having random MAC addresses anymore.