Hubitat on dedicated VLAN

I have several different VLANs right now. I have one VLAN where my current Vera lives, along with my security system, cameras, etc. My plan is to put the Hubitat in the same VLAN.

My Amazon Echos and Google Homes are in a different VLAN, separated by a firewall. Also, my LIFX bulbs, Ecobees, and some other things are in this other VLAN. Am I going to run into any problems having the Hubitat in this more secure VLAN? I'm worried that some of the features might require zeroconf or other local multicast protocols to discover devices and it could possibly cause some connectivity problems.

Is anyone else doing this?

1 Like

Yup. I have all my HA stuff spread across various VLANs here.

Not that I have encountered. The Hubitat hub basically speaks 2 protocols + LAN: Z-Wave and Zigbee. For "LAN" type devices, there is no "discovery" really that I have seen. AFAIK, Sonos is the only one that's a bit "wonky" in terms of discovery. Cloud devices (Ecobee, etc.) are all TCP/API based.

My LIFX LAN protocol driver expects to find the LIFX bulbs on the same subnet as the Hubitat. I could maybe modify it to allow you to specify the subnet to scan, but you'd have to open port 56700 (I think that's right) to UDP traffic.

You can use the LIFX Group of Groups driver with this arrangement but it is slower and makes you dependent on an internet connection.

I have the HE on my internal network for now, and I did notice that the Sonos plugin required local scanning. As for lifx, it would be helpful to me to be able to specify a subnet for discovery. I will eventually move the HE from where it is now to the security VLAN. Opening 56700/udp is not a problem.

I think Google Chromecast devices need to be in the same VLAN for voice notification as well.

I'll see about adding that to the next version.

1 Like

It sure seems that way for me. I've been trying to get the Chromecast integration to discover my devices (a Chromecast and two Home Minis), all of which are on a different VLAN than my Hubitat, with no success. This is even after enabling mDNS and adding firewall rules to allow traffic on port 5353, as is often suggested online. Of course, user error is always a strong possibility...:grin:

I tried what you did and gave up. Moved my Google home over and it discovered right away. Mind you I am not a strong network kind of guy either.

Opening port 5353 won't help. Discovery works over the multicast 239.0.0.0 network which is not routable.

1 Like

Well, that's good to hear that it worked once you moved it. The TTS capability intrigues me, so I may end up doing the same as you to check it out.

It's super fun. First automation test for me was getting the Google Home to suggest to my wife that she give her husband a cuddle every time a particular door sensor was triggered. Much fun.

4 Likes

Mine would have been a little more offensive. :blush:

1 Like

Let's just say I sanitised the message here for public consumption. :wink:

1 Like

This is why I decided to simply create a HA VLAN and put most of my home automation stuff there. I can still block and route to and from that VLAN.

Basically:

  • 192.168.100.x -> VLAN1 (Incoming broadband and mission critical (DNS, DHCP, etc))
  • 192.168.110.x -> VLAN2 (Phone, laptops, and printers)
  • 192.168.1.x -> VLAN3 (HA stuff (hubs, voice assistants, etc))
  • 192.168.2.x -> VLAN4 (Guests)
  • 10.10.1.x -> VLAN5 (Work network)
1 Like

Nice! Thanks for this!

1 Like

Sorry for bumping an old thread, just ordered a HE and want to talk best practice.

I wanted to get advice, and thought this is probably the best place to start. I just ordered an HE and was trying to figure out the best course of action for implementation. I'm thinking the best is to put it on its own VLAN separate from my existing LAN, Guest, and IoT so that I can completely control it and isolate it.

My other thought was to make this a /30 subnet as the only device on it will be the HE. I could also then completely cut off internet except when I want to run updates (if I wanted), all while still allowing mDNS and Firewall rules to allow my private LAN devices to still be able to access it, but no other VLANs would be able to have any traffic to/from it.

I'm currently reading up on Zigbee vulnerabilities to see if I'm just wearing a very thick tinfoil hat, but my other thought is why not do it if my hardware supports it.
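The VLAN layout posted earlier in the thread and the /30 "hub only, internet only during updates" idea above both come down to the same thing: a default-deny inter-VLAN policy with a short list of explicit allows. The following is an added example (not code from the thread, from Hubitat, or from any particular router) that models such a policy so it can be reasoned about and tested before it is typed into a firewall. The five subnets are the ones listed above; the 192.168.3.0/30 "hub" network, the rule names, the allowed ports and the "updates" window are all assumptions for illustration.

```python
"""Model of a default-deny inter-VLAN policy for a home-automation network.

Added example. Subnets for core/lan/ha/guest/work follow the layout posted in
the thread; the /30 "hub" network, rule names, ports and the "updates" window
are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

VLANS = {
    "core":  ipaddress.ip_network("192.168.100.0/24"),  # broadband, DNS, DHCP
    "lan":   ipaddress.ip_network("192.168.110.0/24"),  # phones, laptops, printers
    "ha":    ipaddress.ip_network("192.168.1.0/24"),    # hubs, voice assistants
    "guest": ipaddress.ip_network("192.168.2.0/24"),    # guests
    "work":  ipaddress.ip_network("10.10.1.0/24"),      # work network
    "hub":   ipaddress.ip_network("192.168.3.0/30"),    # assumed: router + one hub only
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # VLAN key
    dst: str                       # VLAN key or "internet"
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # None matches any destination port
    window: Optional[str] = None   # rule is active only while this window is open


# First match wins; anything that matches nothing is denied.
POLICY = [
    Rule("lan-to-ha", "lan", "ha"),                      # laptops may reach the HA VLAN
    Rule("lan-to-hub-web", "lan", "hub", "tcp", 80),     # hub admin UI from the LAN only
    Rule("ha-dns", "ha", "core", "udp", 53),
    Rule("hub-dns", "hub", "core", "udp", 53),
    Rule("ha-internet", "ha", "internet"),
    Rule("hub-updates", "hub", "internet", window="updates"),  # cut off except for updates
    Rule("guest-internet", "guest", "internet"),
]


def vlan_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Return the VLAN key containing ip, or None for addresses outside our VLANs."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def decide(src: str, dst: str, proto: str, dport: int,
           open_windows: FrozenSet[str] = frozenset()) -> str:
    """Return "allow", "deny" or "not-routed" for a flow as the router would see it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Multicast (mDNS, SSDP) and link-local traffic never reaches the router's
    # filter at all, so no allow rule can make it cross a VLAN boundary.
    if d.is_multicast or d.is_link_local:
        return "not-routed"
    src_vlan, dst_vlan = vlan_of(s), vlan_of(d)
    if src_vlan is None:
        return "deny"                    # traffic from an address we do not own
    if src_vlan == dst_vlan:
        return "allow"                   # same VLAN: switched at L2, firewall not in the path
    dst_key = dst_vlan if dst_vlan is not None else "internet"
    for r in POLICY:
        if r.src != src_vlan or r.dst != dst_key:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.window is not None and r.window not in open_windows:
            continue
        return "allow"
    return "deny"


if __name__ == "__main__":
    flows = [
        ("192.168.110.5", "192.168.1.20", "tcp", 80, frozenset()),
        ("192.168.2.5", "192.168.1.20", "tcp", 80, frozenset()),
        ("192.168.3.2", "203.0.113.10", "tcp", 443, frozenset()),
        ("192.168.3.2", "203.0.113.10", "tcp", 443, frozenset({"updates"})),
        ("192.168.110.5", "224.0.0.251", "udp", 5353, frozenset()),
    ]
    for src, dst, proto, port, windows in flows:
        print(f"{src:>15} -> {dst:<15} {proto}/{port:<5} {decide(src, dst, proto, port, windows)}")
```

Two properties of the model carry over to a real firewall: the hub VLAN can initiate nothing toward the LAN (the allow is one-directional, and the router's stateful tracking handles the replies), and a flow to a multicast group returns "not-routed" regardless of the rules, which is why adding a 5353 rule does not make cross-VLAN discovery work.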

I don't think you can do mDNS across VLANs since it uses the 239.0.0.0/8 address space, which is not routable. Also, many of the 3rd party integrations assume that other devices are on the same local network. I was able to make my Vera work on another VLAN, but it was a pain with the HE.
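Two posts in this thread (the reply about port 5353 and the one just above) make the same point: discovery is multicast, so a unicast firewall rule cannot carry it across VLANs. To make that concrete, here is an added example (not code from the thread, from Hubitat or from Google) of what a Chromecast discovery exchange actually looks like on the wire. It builds the mDNS PTR query for `_googlecast._tcp.local`, parses the PTR answers including DNS name compression, and classifies the destination address. One detail worth knowing: per RFC 6762, mDNS is sent to 224.0.0.251 (ff02::fb for IPv6) on UDP 5353, a link-local group that routers never forward; 239.0.0.0/8 is the separately defined administratively scoped range. Either way the conclusion above holds. The sample response bytes are constructed; `query_googlecast()` sends a real query on the local segment only.

```python
"""Minimal mDNS service-discovery client.

Added example, not code from the thread or from Hubitat/Google. The service
name _googlecast._tcp.local is the real Cast service; SAMPLE_RESPONSE below
is a constructed packet used to exercise the parser offline.
"""
import ipaddress
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # RFC 6762 IPv4 group and port
PTR = 12                                      # DNS record type for service enumeration


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_mdns_query(service: str) -> bytes:
    """One-question PTR query. mDNS uses ID 0 and flags 0 for queries."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", PTR, 1)  # type PTR, class IN


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it).
    The visited set bounds pointer chasing so a looping pointer cannot hang the parser."""
    labels, end, visited = [], None, set()
    while True:
        if off in visited or off >= len(data):
            raise ValueError("bad name pointer")
        visited.add(off)
        length = data[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                 # compression pointer
            if off + 1 >= len(data):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2                     # name ends after the first pointer
            off = ((length & 0x3F) << 8) | data[off + 1]
            continue
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_mdns_response(data: bytes):
    """Return [(service, instance, ttl)] for every PTR answer in the packet."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):                           # skip echoed questions
        _, off = _read_name(data, off)
        off += 4
    found = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
        off += 10
        if rtype == PTR:
            target, _ = _read_name(data, off)
            found.append((name, target, ttl))
        off += rdlen
    return found


# Constructed response: one PTR answer whose rdata is "Chromecast-demo" plus a
# pointer (0xC00C) back to the service name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    + encode_name("_googlecast._tcp.local")
    + struct.pack("!HHIH", PTR, 1, 4500, 18)
    + b"\x0fChromecast-demo" + b"\xc0\x0c"
)


def multicast_scope(addr: str) -> str:
    """Classify a destination the way a router treats it."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        return "unicast"
    if ip in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local multicast: never forwarded by a router"
    if ip in ipaddress.ip_network("239.0.0.0/8"):
        return "administratively scoped multicast: forwarded only with multicast routing"
    return "other multicast"


def query_googlecast(timeout: float = 2.0):
    """Send the query to the mDNS group and collect PTR answers from this segment."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762 TTL
    sock.settimeout(timeout)
    answers = []
    try:
        sock.sendto(build_mdns_query("_googlecast._tcp.local"), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _ = sock.recvfrom(4096)
            try:
                answers.extend(parse_mdns_response(data))
            except (ValueError, struct.error):
                continue                          # ignore malformed packets
    except socket.timeout:
        pass
    finally:
        sock.close()
    return answers


if __name__ == "__main__":
    print(multicast_scope(MDNS_GROUP))
    for name, target, ttl in parse_mdns_response(SAMPLE_RESPONSE):
        print(f"{name} -> {target} (ttl {ttl})")
```

Running `query_googlecast()` from a host on the hub's VLAN shows devices on that segment only; the same call from another VLAN returns nothing even with 5353 permitted, because the packet's destination is the group address, not a host behind the router. The usual remedy is an mDNS repeater/reflector on the router (Avahi reflector, or the equivalent on most prosumer firewalls), which re-originates the multicast on each selected VLAN instead of routing it.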

Just put all IoT devices on the same VLAN, this is what I do to separate them from my other devices. There will always be the issue of convenience vs security, you just need to find the balance that works for you.

2 Likes

Same here. IoT and cameras work on their separate VLAN. The rest on a guest network.