Can Hubitat handle more VLANs?

I have two VLANs (Guest & IoT) too - and a main LAN. The Guest VLAN allows internet access but ACLs prevent access to everything else. My router, (3) switches, hardware controller, (4) APs, Hubitat Hub, and main PC are on the Main LAN. Everything else (~50 clients) is on the IoT VLAN. ACLs prevent IoT devices (except my printer) from accessing the Main LAN but allow LAN devices access to the IoT and Guest VLAN devices. The printer is further limited to responding to a Main LAN device - only if the main LAN device initiates the 'conversation'.

Is this level of segregation needed for security? Possibly not, but it was not difficult for me to set up and IoT devices (cameras and printers are notorious) have been known to have weak or non-existent security - further aggravated by a lack of firmware updates. These issues could open an avenue to my infrastructure and possibly my data.

Once configured and set up, it just works.


Yeah, as noted it was really largely an "Oooo...I always wanted one of those sparkly VLANs" decision, along with thinking (before I heard more about it from smart folks here) that it was critical for home network security w/IoT.

But the fact is I really enjoy new tech projects where I get to play "The IT Guy!" to learn new things and test my (limited :wink: ) competence. That's a key reason I have multiple Pi's set up for different HE integrations, and also for running my 3D printer using Klipper. The VLAN setup was definitely in the "not easy but in the end fun" category for me.

I do have to say that once set up on my ER/managed switches my VLANs have been a "set it and forget it" experience. Other than deciding which VLAN/SSID I want to join new devices to, my family and I really don't notice the VLANs in daily usage; everything just works. I'd do it again, but I wouldn't recommend it in general.


No. IoT VLAN segregation is generally to wall off your (potentially) insecure IoT devices from your primary network.

That said, as mentioned elsewhere, you can put your HE/IoT stuff on a VLAN and simply configure your rules such that your primary network can access that VLAN but not vice versa.
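The one-way policy described in both posts above (Main LAN reaches IoT and Guest, Guest gets internet only, IoT never initiates toward the Main LAN, and the printer answers only conversations a Main LAN device opened) as an added, stand-alone Python model; it is not code from either poster or from Hubitat. The subnets, hosts and flows are constructed sample values, and the printer's reply-only access falls out of the same connection-tracking rule that lets any IoT device answer a Main-initiated connection, which is what a stateful router ACL provides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample subnets: the thread names the segments but gives no addresses
ZONES = {
    "main": ip_network("192.168.10.0/24"),
    "iot": ip_network("192.168.20.0/24"),
    "guest": ip_network("192.168.30.0/24"),
}

def zone_of(addr: str) -> str:
    """Map an address to its segment; anything outside the three subnets is the internet."""
    a = ip_address(addr)
    return next((name for name, net in ZONES.items() if a in net), "internet")

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulACL:
    """Main may open anything, Guest only the internet, IoT only internet and IoT peers.
    Replies are allowed solely for conversations the permitted side opened."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, str, int]] = set()  # (initiator, responder, responder_port)

    def allow(self, f: Flow) -> bool:
        if (f.dst, f.src, f.sport) in self.conns:   # reply leg of a permitted conversation
            return True
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == "main":
            ok = True
        elif s == "guest":
            ok = d == "internet"
        elif s == "iot":
            ok = d in ("internet", "iot")            # never a new connection toward Main
        else:
            ok = False                               # unsolicited inbound from the internet
        if ok:
            self.conns.add((f.src, f.dst, f.dport))
        return ok

def evaluate(flows: list[Flow]) -> list[bool]:
    """Apply the ACL to packets in order (order matters because of state)."""
    acl = StatefulACL()
    return [acl.allow(f) for f in flows]
```

Feeding it a Main-to-printer request followed by the printer's reply yields allow/allow, while a fresh printer-initiated connection to the same Main host is denied.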