Hello all - I'm about to embark on a mission to fix (or utterly destroy more like) my home network. I run a Home Assistant instance on a Raspberry Pi with a bunch of WiFi-enabled smart devices. I want to separate them into their own VLANs. I have a mix of Mikrotik and Unifi devices. I've been reading a lot of articles on this forum - special thanks to all contributors to the VLAN explainer.
I'm planning 5 different networks:
1) Untagged (I hope that's the right term): management layer. Admin laptop and all Ubiquiti devices. 192.168.88.0/24
2) vlan_main: Laptops/Phones of my family. Access to the internet and access to other VLANs (to discover/use smart devices). 192.168.10.0/24
3) vlan_iot: Home Assistant, "trustworthy" bridges and devices that need internet access like Wyze Cams. Has internet access and can access the untrusted IoT network. 192.168.20.0/24
4) vlan_uiot: Untrusted devices that don't need the internet (Sonoff/Tuya/etc.). Possibly allow limited internet access, but cannot access other VLANs. 192.168.30.0/24
5) vlan_guest: as the name says, access for guests to the internet. Maybe limited access to some Home Assistant functionality in vlan_main, not sure yet. 192.168.40.0/24
A few devices on vlan_iot need Ethernet connections. I plan to tag Ether2 as vlan_iot and put all of these behind a 'dumb' switch.
I plan to use my Unifi AC Pro and Unifi AC Lite to provide the WiFi networks for the 4 VLANs. They'll be on Ether4 & 5 with the CloudKey on Ether3. All three will be on the untagged management network. The Unifi WiFi networks will be set up to tag the WiFi network with the allocated VLAN tags.
For the Mikrotik setup, I planned to have a bridge with all VLANs and Ethernet ports. I also need to add a second vlan_iot VLAN on ether2 (same tag as the one provided by the Unifi ACs). Firewall rules to drop all traffic except for allowed connections (vlan_main -> vlan_iot for example). Since I'll be running AdGuard on my HA instance, I'll also need to allow DNS access to port 53 on HA in vlan_iot for all devices within vlan_main/vlan_iot/vlan_uiot.
Before I get too deep into setting up my Mikrotik config, I wanted to sense check my planned setup. Does the above make sense? Comments & advice would be greatly appreciated!
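The plan above written out as a RouterOS CLI sketch, as an added example that is not part of the original post or any reply. It assumes VLAN IDs 10/20/30/40 (the post gives none; chosen to match the third octet of each subnet), ether1 as the WAN port, and a constructed Home Assistant/AdGuard address of 192.168.20.2; ether2 is treated as an access port because a dumb switch cannot handle 802.1Q tags.

```routeros
# Added example, not from the original post. Assumptions: VLAN IDs 10/20/30/40,
# ether1 = WAN, Home Assistant/AdGuard at 192.168.20.2 (constructed address).
# Untagged traffic on bridge1 (VLAN 1) is the 192.168.88.0/24 management network,
# which is where the CloudKey (ether3) and the APs' own management addresses live.

# 1. Bridge and ports. ether2 is an access port for vlan_iot (pvid=20) because the
#    dumb switch and the devices behind it send untagged frames.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2 pvid=20
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5

# 2. VLAN table: the APs (ether4/5) and the router itself (bridge1) carry all four VLANs tagged.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4,ether5
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether4,ether5 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether4,ether5
/interface bridge vlan add bridge=bridge1 vlan-ids=40 tagged=bridge1,ether4,ether5

# 3. Layer-3 interfaces and gateway addresses, one per subnet from the plan.
/interface vlan add interface=bridge1 name=vlan_main vlan-id=10
/interface vlan add interface=bridge1 name=vlan_iot vlan-id=20
/interface vlan add interface=bridge1 name=vlan_uiot vlan-id=30
/interface vlan add interface=bridge1 name=vlan_guest vlan-id=40
/ip address add address=192.168.88.1/24 interface=bridge1
/ip address add address=192.168.10.1/24 interface=vlan_main
/ip address add address=192.168.20.1/24 interface=vlan_iot
/ip address add address=192.168.30.1/24 interface=vlan_uiot
/ip address add address=192.168.40.1/24 interface=vlan_guest

# 4. Forward chain: default deny, only the flows the plan names. Order matters. vlan_main
#    reaches AdGuard via the main->iot rule and vlan_iot is the same subnet (never routed),
#    so only vlan_uiot needs an explicit DNS hole. vlan_uiot gets no internet rule.
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=drop connection-state=invalid
/ip firewall filter add chain=forward action=accept in-interface=vlan_main out-interface=vlan_iot
/ip firewall filter add chain=forward action=accept in-interface=vlan_main out-interface=vlan_uiot
/ip firewall filter add chain=forward action=accept in-interface=vlan_iot out-interface=vlan_uiot
/ip firewall filter add chain=forward action=accept in-interface=vlan_uiot dst-address=192.168.20.2 protocol=udp dst-port=53
/ip firewall filter add chain=forward action=accept in-interface=vlan_uiot dst-address=192.168.20.2 protocol=tcp dst-port=53
/ip firewall filter add chain=forward action=accept in-interface=vlan_main out-interface=ether1
/ip firewall filter add chain=forward action=accept in-interface=vlan_iot out-interface=ether1
/ip firewall filter add chain=forward action=accept in-interface=vlan_guest out-interface=ether1
/ip firewall filter add chain=forward action=drop comment="inter-VLAN and VLAN->management denied by default"

# 5. Turn filtering on last, from the management network, so a mistake above cannot lock you out.
/interface bridge set bridge1 vlan-filtering=yes
```

With this ordering the final drop also blocks every VLAN from reaching the untagged management subnet, which is what keeps the admin laptop and the Ubiquiti gear out of reach of the IoT devices.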