Can Hubitat handle more VLAN?

Can Huby be connected to 2 different VLAN?

  1. for all wifi IOT devices
  2. for PC and Alexa




One more reason to just put all your devices on the same LAN / Subnet. Segregate guests only.

I started going down this separation path before but then what if I want to cast something to the TV from my phone. What if app XYZ wants to talk to its devices directly on the LAN and not via the cloud, etc....

You trusted the device enough to bring it into your home.


I would like to create a VLAN just for home automation so that it is more secure, but then I have limitations.

How do I connect Alexa to HE and the cloud at the same time?
How do I connect HE to the cloud to update it?
How do I connect the PC and Phone to HE?
How do I update the FWs of my IoT devices?

Those questions are exactly why NOT to bother segregating everything unless you have extensive business class networking knowledge and know how to configure all the firewall rules to make it work.

What sort of security are you gaining? If someone can hack into your network through a thermostat how hard do you think it would be for them to bypass the VLAN? The next question is... WHY would anyone bother doing this, are you a high value target?

Most "hacking" of consumer devices is done by bots exploiting known security issues in very old and outdated devices. Usually it would be a router, and they just plant some code on there to either gather more info, or to use your router in a bot-net.

@rlithgow1 usually has a few things to say about this :wink:


PREFACE - I'm genuinely not trying to be negative or combative.

If you don't already know the answer to those questions you really should not even consider doing this level of segregation. Not to mention that there are a few more considerations you haven't even listed there (time sync being one).

It is a tremendous amount of work to PROPERLY create that level of segregation. and you will find that it takes fairly regular tinkering/interaction to have a setup where you prevent internet connectivity most of the time but allow it sometimes as you are hinting at (the way I read it).

That said, you can do as you please.


And I hear you can completely lock yourself out of your router so it has to be reset then you realize you didn't make a backup 1st.

1 Like

I'm here to learn

to learn and also to realize that something is not needed

Again to learn, does separating IoT traffic from the rest is needed to lighten the network?

In the military we had a saying.... don't fix what isn't broken. This should be used here.


I think that would only be useful if you had a separate switch to handle those devices. Most stuff there is so little traffic that I doubt they have much impact anyway. As long as you don't have a bottom of the barrel (or very old) router it should be able to handle all the traffic.

1 Like

I have 8 different VLANs and Hubitat can talk to devices on any of them, as long as my firewall rules allow it..


Somewhat similar but simpler, I have two VLANs and have all IoT on one of them. IoT VLAN devices can make connections out to their mothership if they need to, firewall rules allow initiating connections from primary VLAN into the IoT side, IoT cannot initiate any connections into primary VLAN.

I do have to admit the main reason I set up a VLAN is because I'd always wanted one. :slightly_smiling_face: Definitely not a requirement, and wouldn't suggest that to someone who wasn't relatively technical and interested in learning a lot while they set it up.

1 Like

I used to do network design back in the day so I'm always thinking of how to best separate traffic depending on type and security. So I have a VLAN for Ubiquiti gear, a VLAN for all network appliances (PiHole, Pihole2, NTP server, VPN Server, etc), a VLAN for all standard wired clients, a VLAN for all 10Gb wired clients, a VLAN for IP cameras, IoT VLAN for Hubitat and all IoT devices, a VLAN for guest WiFi, a VLAN for private WiFi, and VLAN for streaming devices like Chromecasts and Google TVs.

I guess that's actually 9...

There's yet another one for my test bench but that never actually gets used.

The idea, besides security, is to separate devices by traffic type as best as possible. IoT devices that are generally only sporadically transmitting tiny packets here and there should get their own SSID and VLAN so that their packets don't have to wait for higher bandwidth video streaming devices, etc. But since IoT devices use broadcast packets a lot for discovery and other purposes, and broadcast packets take priority and force other devices to pause, this way any broadcast traffic on my IoT network doesn't cause waits in my private WiFi VLAN, etc.

I admit it's way overkill, but it's sort of like how I keep my networking chops up-to-date since I no longer work in that industry these days, but may need to fall back should the current direction fail in the future.


I thought I was overdoing it with 4... :flushed:

1 Like

No - clearly you are under-doing it terribly, and I'm not even in the game. :wink:

I agree heartily w/the concept...and regardless whatever we each decide is the right amount for us (as long as we can manage it effectively) is just fine. :slight_smile:

It would be helpful if you told us what sort of network equipment you have.

Like discussed by many already, what you are asking to do is very possible.

It can be as simple or as complex as you want, or somewhere inbetween.

But it’s hard to give you or point you to specific things if we don’t know the type of network equipment you are working with.

I am barely competent to set up a VLAN, but have run three of them for years now, at our home. The primary is used by my wife and me to do all our regular internet activities on our computers, tablets, and phones. An IOT network handles everything that's, well, a "thing". HE hubs, wifi plugs, Alexa devices, cameras, whatever. My thinking is that if someone hacks one of those, I'd rather have some barrier between them and the internet devices I use for banking and such. It may be easy for a hacker to get to my regular VLAN, but so far it's been fine. When I want local control over, say, my HE hubs, I temporarily switch to that VLAN, which takes a few seconds. Otherwise, I use the cloud connection to just turn on a light or change a thermostat,(via a shortcut on the phone screen). Finally, there's a guest network for visitors. This has worked remarkably well for years now, wasn't all that hard to do, and just seems like an easy precaution. I'm surprised more people don't do it.

There are many instances where people need to connect directly from a regular device to a device on the IoT side. Casting to a TV, casting music, local control via an app, configurations, local camera feeds, etc... Not going to be bothered with having to change something every time. The proper way is how @danabw has it setup. Sounds pretty flawless if you can write firewall rules.

The minimal perceived security gain is not worth the headache to me.


I directly configure and support more VLANs, and routing, than I care to count in the enterprise. VLANs have their place.

I ran with a separate IoT vlan for many years at home. It can work, but was simply was not worth the hassle in my opinion for the limited benefit in a home environment where I already control every device o the network.

Other's opinion may differ, and that's cool.

1 Like

Yes, definitely useful in enterprise deployments, I imagine in different ways, especially with many more devices than a single home could imagine. There you also have the unknown if you do not have strict MAC filtering. When you allow users to connect personal devices those are treated like a guest network, segregated from the Intranet to avoid security breaches. There is also (hopefully) a skilled person to setup and maintain the configuration so it is all seamless and easy for the users.