Dashboard access across VLANs

This is more of a networking question, but figure I'd ask here since it's specific to HE.

I have a guest dashboard that is locked down (can't edit, can't click the home button to access all dashboards) and local LAN access only. I can provide guests the link with a QR code. The intended use is for overnight guests who are visiting or pet sitting while I'm away. I have 3 VLANs on my network: my main private VLAN, the guest VLAN, and the IOT VLAN. My hub is on the IOT network and my guest WiFi is on the guest network. As expected, guests cannot access IOT devices. I'm pretty sure the answer here is no, but figure I'd ask anyway. Since the local dashboard link begins with the IP address of the hub, is there any possible way to allow a device that is connected to the IOT VLAN to access this link while prohibiting access to the rest of the hub? If not, does anyone have any recommendations for this scenario? Granted, this is for people who I trust, and worst case if someone tried to snoop is they'd be presented with the hub's login page, but it would be nice to prevent access completely while still allowing them the convenience of a mobile dashboard to control my devices.

Why not just give them the cloud link to that dashboard instead?

If a local dashboard is a must then it depends on what kind of network you have at home. I have Unifi and you can do all kinds of firewall settings for this type of thing.


If your router supports rule creation (I assume it would if you can create VLANs) then you should be able to write a rule that allows access only to the HE IP from your guest VLAN. If you want to limit it to a specific URL it probably can be done but you'd need to google it for your router.


+1 for @Navat604's idea of giving guests the cloud link for the dashboard. I do this even for myself, as I have my Hubitat devices on an IOT VLAN but spend most of my time using a different VLAN on the network. If I need to make Rule Manager changes or add a device, I switch to the IOT VLAN. But to just turn on a device, etc., I use the cloud link.

I have an EdgeRouter X, and after I posted this question I tried to create a firewall rule for a specific URL, but it only allows rules for an IP address or range of addresses. Booo! I prefer local for guests so they can't control things when they aren't here. But again it is mostly people I trust, so I guess it's a question of which is the lesser of two evils.

Perhaps rather than approaching this from the angle of providing their devices with access to your network / dashboards, you could look at options for providing them limited access through interfaces you control, e.g. a mounted (or not) tablet that displays different dashboards but is locked down in what else it can access, or look at other control devices like smart switches or buttons for specific controls like lighting scenes or controlling shades and fans.


Why exactly would a non-IOT device be connected to the IOT VLAN?
The purpose of the VLAN is to allow your trusted/guest network to reach your IOT VLAN (and hence your dashboard) but not let your IOT VLAN be able to traverse out of itself onto the guest/trusted.

TLDR: you should not have to connect to your IOT VLAN to use or connect to your hub/dashboard.

You could share the cloud dashboard as others have said. Or give them the app (I don't know much about the app).

See @rocketwiz's reply; you should never have to switch to your IOT VLAN for accessing the hub/Rule Manager.

Hmm... Well, I do. And that's exactly what I WANT to happen. If a device is connected on the IOT VLAN, I don't want it to be able to operate on another VLAN (such as my office VLAN). That's exactly the way it functions today, and is what I thought we wanted VLANs to do - keep devices separate from each other, but still able to talk to each other if assigned to the same VLAN, and to be able to reach the internet, if that VLAN is so enabled. What am I missing here?

You can keep them completely isolated (it's definitely the simpler of the methods), but you could:

  • DENY IOT from talking outside itself
  • ALLOW Trusted to talk to IOT (aka operate dashboard/hub) -- since you trust it, you trust ONLY its traversal to IOT and not the other way around.
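The two rule sets described above (guest reaches only the hub's IP, as suggested earlier for the OP's EdgeRouter X; IOT never initiates traffic to other VLANs), written out as an added EdgeOS configuration example that is not from this thread or from any poster. The VLAN IDs, subnets, hub address and the assumption that the hub's local dashboard is served over plain HTTP on port 80 are all placeholders to adapt; the rule matches on IP and port only, so a guest who wanders off the dashboard path still reaches the hub's login page, exactly as the OP found.

```edgeos
# Constructed addressing (assumptions, not from the thread):
#   VLAN 10 trusted 192.168.1.0/24, VLAN 20 IOT 192.168.2.0/24,
#   VLAN 30 guest 192.168.3.0/24, hub at 192.168.2.50 (placeholder)
configure

# All private ranges, so a single rule can block lateral movement
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Traffic forwarded from the guest VLAN
set firewall name GUEST_IN default-action accept
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description 'Return traffic for flows guests started'
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action accept
set firewall name GUEST_IN rule 20 description 'Hub web UI only (IP+port, URL path cannot be matched)'
set firewall name GUEST_IN rule 20 protocol tcp
set firewall name GUEST_IN rule 20 destination address 192.168.2.50
set firewall name GUEST_IN rule 20 destination port 80
set firewall name GUEST_IN rule 30 action drop
set firewall name GUEST_IN rule 30 description 'Nothing else on any private network'
set firewall name GUEST_IN rule 30 destination group network-group RFC1918

# Traffic forwarded from the IOT VLAN: answer flows others started, never initiate
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description 'IOT may not reach trusted or guest VLANs'
set firewall name IOT_IN rule 20 destination group network-group RFC1918

# Bind the rule sets to the VLAN sub-interfaces on the ER-X switch
set interfaces switch switch0 vif 30 firewall in name GUEST_IN
set interfaces switch switch0 vif 20 firewall in name IOT_IN

commit ; save
```

The trusted VLAN gets no inbound rule set, so it can still open connections into IOT (to the hub and its admin UI), while the stateful rule 10 in IOT_IN lets only the replies back out.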

The issue with the completely separated approach is: once you (temporarily) connect directly to the IOT you are completely exposing your device(s) to the things you were guarding against. However, it's temporary, so it's a minimal footprint of exposure.

This is very helpful, and appreciated. I'm no networking expert by any stretch of the imagination, and use a Peplink router and APs that I sorta/kinda understand, but a Unifi switch, which I sorta/kinda hate but not as much as the Netgear it replaced. I probably need to learn more about networking but it's down the list from work, maintaining the property, fighting fires, and community volunteering. Maybe this winter.... For now, the separate VLAN approach works for me, but thanks for the info.

This is 25 minutes of pure UNIFI GOLD: Complete Unifi Configuration New User Interface - YouTube

My quick eyebrow raise to your response is, I wonder if in your current setup you can access your UniFi local-LAN UI (ie the 192.168.x.x) from the IOT network; if so, I would suggest moving your networking research up ;) ... otherwise, the separation is a fine solution if used correctly.


Thanks for the link. I cannot access my Unifi UI from the IOT network, so something must be right.


Not to be nitpicky, but make sure when trying to access it you change to the UniFi's IP for that VLAN.

ie, your main LAN is 192.168.1.x .. your UniFi is 192.168.1.1
your IOT LAN is 192.168.2.x .. you would connect to UniFi via 192.168.2.1

or similar