VLANs and "advanced" network topologies

Over in my driver thread a discussion came up regarding VLANs and network topology and support in Hubitat, it has been discussed many times, but can always be discussed more 🙂 The way I've written my drivers they are as compatible as they can be with more exotic network setups. But that is not always the case, I'm sure. What's your experience with this, where have the issues been, which topologies are you using?
Personally I have a /22 where Hubitat and my IOT devices live in a /24 with all traffic to and from transparently filtered/limited. This works great for me, but I'm not so sure I would recommend it to anyone... What do you guys use?

1 Like

I have multiple VLANs in my house such as IoT, NoT, LAN and Guest. For anyone interested in this though, albeit with a Ubiquiti (my personal favourite) specific focus, there is a 3-part video series that "The Hook Up" did on this.



2 Likes

I can't say that I have much experience with Ubiquiti, but (and please correct me if I'm wrong), isn't it true that Ubiquiti routers/APs don't allow you to set up an OpenVPN VPN?
Isn't it true that in order to actually set up such a thing (which I consider essential in today's environment), you have to monkey around with the base system with the CLI?
Why would I want to get a router that doesn't offer OpenVPN as a built-in option?

My question is more about device drivers and their support for connecting to devices off net. What I've seen is that most don't support this solution and very few (Markus's driver being one) do support this. Even Hubitat itself does not support the iPhone app being on a different VLAN than HE.

Btw, I work for a manufacturer of network gear for enterprise/SP networks, so I'm well versed in networking. That's not the challenge for me. I run a 2-spine, 2-layer Clos network at home. The challenge is to understand the native and community-developed drivers and their ability to support off-net connectivity. I've picked up a separate HE now just to test each device driver as I put them on my network.

As a side, I seem to gravitate toward the Wi-Fi devices if the device drivers exist because I don't have to worry about coverage. My entire house and yard have coverage for Wi-Fi signal and I'm not limited to where I have repeaters for Z-Wave or Zigbee and the multi-hop/mesh technologies.

Unifi can set up L2TP VPN without ever going to the CLI.

This is why I've had to resort to the topology I'm using, it is not as straight forward as a "normal" VLAN setup, but it "solves" the issues when HE/Apps/Devices don't play ball with a more standard VLAN setup. But again, I wouldn't recommend it unless you're an expert (I'm not an expert, so it took me more time than I would have wanted to get this up and running). I do have a lot of experience with networking, but that was more than 10 years ago before my career choices took me elsewhere.

So yes, you know more than I do. As far as my drivers go, as they are reusing the same codestack automatically (no copy-paste, this is part of an automated build-process), if one works, all works.

Here I happily agree, though for battery-powered devices, I really can't see how I can get wifi-based devices to work well. I have two battery-powered ESP8266-based motion sensors, I really doubt I'll ever use them in my setup unless I put them somewhere I can supply power from mains.

I'm more than happy to do any testing or help in any way from the networking side. It's been 3 decades since I did any real app dev work, but I'm willing to get back into it to help with drivers. I've had to pick up Python due to the networking industry moving toward automation.

Btw Markus, I’ve started to take a look at your drivers and your solution is elegant.

1 Like

Yes, you can do OpenVPN directly on the device on Ubiquiti gear. I used to use it daily but now use WireGuard. Why would I want to use a router that doesn't have the flexibility to change VPN technologies when encryption becomes the bottleneck for achieving decent speeds?

I really wish it was that simple for where I live... Internet censorship is a real problem... To get US Netflix I run OpenVPN over Vmess or shadowsocks... Just to get past detection... For my traffic to the country I live in I send it directly, anything else is routed through different VPNs/cloaking proxies depending on destination (and source device). And all is switched to a different technology "automagically" based on what is currently giving the fastest speeds/is not blocked. Multipath TCP is fun! All of this provides for a complex setup... But I can stream 4K YouTube on multiple devices while most people get to contend with a barely functioning VPN or no International access at all... My 1Gbit connection delivers me about 200Mbit to the U.S. when I do it this way.
(they scan the internet for mentions of this with their country name, I'm not joking, I know people who have been affected by this... But all know the largest country in the world with internet censorship). Please don't mention the country name in this thread.

Just running the drivers and reporting issues is a great help, for the devices you have and I have drivers for, it would be great to know which you test and which work as expected. For the network part, they're all the same, but for device-specific features all may not have been fully tested. Writing a driver for something I don't have myself is not always 100%.
If you can provide additional documentation help that would be great as well. There's a Wiki for this firmware and all drivers.

Thank you for saying so, I do strive for making it easy to maintain and update all drivers. Without my framework, maintaining this many drivers would be a problem... I've created them all the past few weeks. I started with HE in the beginning of November and hadn't even looked at Tasmota before that.

I have Ubiquiti and more specifically Unifi devices that make up my network at home. There is built in support for VPN and that is what I use when I need it. Works great for me but then I don't need access to my home network too often.

Back on topic!

I know Markus's drivers and Tasmota work on separate VLANs. What other community drivers work? What HE native devices work?

Thanks

I have a Ubiquiti... but it's a harder-core Ubiquiti - an EdgeRouter Lite 3. And several Asus routers. The problem with VLANs is that too many devices don't support them well, so what I did instead was a double-NAT.

My "modem" feeds transparently into my ERL3, which serves the DMZ. Inside that, an ASUS router provides another NAT to my internal net. All IoT live in the DMZ... all Echo/Alexa devices, TV, Roku, Hubitat, untrusted cameras, printers, etc. Inside the protected net are my PCs, Synology, etc. The ASUS hosts an OpenVPN server, with appropriate ports forwarded by the ERL3 to allow it to work, such that my VPN (e.g. from my phone) works for Hubitat and anything else.

Simpler and more secure than VLAN, but VLANs can share wires, while this can't.

I'm not sure how this works. When discovering devices, that would generally be a broadcast packet. Not NAT-able. And device drivers that rely on MAC addresses would use Ethernet packets to talk to the device on net, again not NAT-able. So all your devices and hub are on the same LAN segment? Where does the double NAT help?

My devices are Zigbee and Z-Wave, not Ethernet. The Hubitat and Echos (Alexas) are IoT and only partially trusted; they live in the DMZ. My computers and data live inside the inner NAT; they can talk to the Hubitat, but the Hubitat cannot talk to them; it can only respond.

Understood! Was looking more toward ip based IoT devices

This is very interesting. I have to admit these more advanced networking concepts like VLANs, DMZ and double-NAT are mostly above my head, though I’d like to figure out a way to provide at least some protection on my LAN against potentially exploitable devices.

Can I ask how the WiFi-based devices like the Echos (or maybe printer) connect to your LAN in this setup? Do you have a wireless access point for your devices in the DMZ, in addition to the ASUS router you mentioned that secures your trusted devices?

Do you have to create firewall or routing rules with your edgerouter to get access to hubitat from a PC?

Any IoT or IP devices in my DMZ (between the NATs) can talk to each other just fine, just as the Alexa talks to the Hubitat. The DMZ devices just cannot initiate contact to devices inside the inner NAT. But my computer, phone, etc. in that zone can talk to them. The dashboards work fine crossing into the DMZ, for example.

Yes, I have two WiFi zones. The DMZ - closest to the router - is for both wired and WiFi devices that don't need, let's call it, file access. So the Hubitat, Echos, printer, camera, oven (a "smart"-oven, although mostly the smarts are annoying. The on-oven U.I. is nice though), Roku, etc. are all attached, via wires or WiFi, to that first router.

The second inner router is also attached to that first one. Our computers, phones and network file devices (Synologies) attach to that. So they're protected from the DMZ, but they can talk to the DMZ, and through it to the internet.

The only downsides to this, relative to a VLAN setup, are that it requires a second router (but I had several anyhow, plus they're cheap) and a single wire can only carry one or the other, i.e. I decide in the wiring closet which network a port is in. Or I could have equally well put the inner router in my home office, connecting all hard-wired devices to it there. But either way, the living room, which is DMZ, does not provide a way right now to plug an Ethernet jack into the inner network, just the DMZ.

But it is a heckuva lot simpler to run and much more compatible with most consumer devices than using a VLAN. And if I really do need to reach the internal net from the DMZ, I can fire up OpenVPN, which is hosted on the inner router. With a port forwarded from the outer firewall/router, allowing easy internal access and DMZ access even from my phone while remote.

1 Like
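As an added illustration of the double-NAT behaviour described in the post above (this is constructed example code, not the poster's router configuration; the 192.168.1.0/24 DMZ, 192.168.2.0/24 inner LAN and 192.168.1.2 inner-router address are assumptions), a small Python model of why broadcast discovery never crosses the routers and why DMZ devices can only answer flows the inner side opened:

```python
"""Model of the double-NAT layout from the post (added example, not the poster's config)."""
from ipaddress import ip_address, ip_network

# Constructed addressing, not taken from the thread: DMZ behind the outer router,
# trusted LAN behind the inner router, whose DMZ-side address is INNER_ROUTER_DMZ_IP.
DMZ = ip_network("192.168.1.0/24")
INNER = ip_network("192.168.2.0/24")
INNER_ROUTER_DMZ_IP = "192.168.1.2"


def same_broadcast_domain(a: str, b: str) -> bool:
    """Discovery broadcasts (SSDP, mDNS, vendor UDP probes) stop at a router,
    so two hosts only discover each other when they share a segment."""
    x, y = ip_address(a), ip_address(b)
    return any(x in net and y in net for net in (DMZ, INNER))


class InnerNat:
    """Stateful NAT on the inner router: inner hosts may open flows into the DMZ,
    DMZ hosts may only answer a flow that is already in the translation table."""

    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.fwd = {}  # (proto, inner_ip, inner_port, dmz_ip, dmz_port) -> nat_port
        self.rev = {}  # (proto, nat_port) -> that same 5-tuple

    def outbound(self, proto, src, sport, dst, dport):
        """Inner -> DMZ packet; returns the packet as the DMZ sees it, or None."""
        if ip_address(src) not in INNER or ip_address(dst) not in DMZ:
            return None
        key = (proto, src, sport, dst, dport)
        nport = self.fwd.get(key)
        if nport is None:  # new flow: allocate a port and record state
            nport, self.next_port = self.next_port, self.next_port + 1
            self.fwd[key] = nport
            self.rev[(proto, nport)] = key
        return (proto, INNER_ROUTER_DMZ_IP, nport, dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """DMZ -> inner router; returns the de-translated packet, or None if dropped."""
        if dst != INNER_ROUTER_DMZ_IP:
            return None  # 192.168.2.0/24 is not even routable from the DMZ
        flow = self.rev.get((proto, dport))
        if flow is None or (flow[3], flow[4]) != (src, sport):
            return None  # unsolicited, or from the wrong peer: no state, dropped
        return (proto, src, sport, flow[1], flow[2])
```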

Not really, but ok. Also double NAT sometimes has issues when you are using multiple of the same brand of gaming consoles on the same LAN.

In the end, if it works for you that's fine. There is no one size fits all answer for everyone's use.