Why Isolate IoT Devices?
Consumer IoT devices have a troubled security track record. Cheap IP cameras, smart plugs, and voice assistants are frequent botnet targets. Putting them on a separate VLAN prevents a compromised bulb from reaching your NAS or laptop.
What You'll Need
- A managed switch or router that supports VLANs (UniFi, pfSense, OpenWrt)
- A wireless access point that supports multiple SSIDs
- About 30 minutes
Step-by-Step (UniFi Example)
1. Create the IoT Network
In UniFi Network → Networks → Create New Network:
- Name: IoT
- VLAN ID: 20
- Gateway: 192.168.20.1/24
- DHCP Range: 192.168.20.100 – 192.168.20.200
2. Create a Dedicated Wi-Fi SSID
Go to Wi-Fi → Create New Wi-Fi:
- Name: Home-IoT
- Network: IoT (VLAN 20)
- Security: WPA2
3. Configure Firewall Rules
Block IoT → Main LAN traffic:
Rule: Block IoT to LAN
Source: IoT (192.168.20.0/24)
Destination: Main LAN (192.168.10.0/24)
Action: Drop
Allow IoT → Internet:
Rule: Allow IoT to WAN
Source: IoT (192.168.20.0/24)
Destination: Any
Action: Accept
4. Allow Home Assistant to Query IoT
Firewall rules are evaluated top-down and the first match wins, so add this specific pass rule above the Block IoT to LAN rule:
Source: Home Assistant IP (192.168.10.50)
Destination: IoT subnet
Action: Accept
Advanced: DNS Filtering
Run Pi-hole on your main LAN and point the IoT VLAN's DNS to it. Block known IoT tracking and telemetry domains at the DNS level for extra privacy.
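The rule-ordering point from the Firewall Rules and Home Assistant steps, and the DNS forwarding described in this section, can be checked offline with the following added example. It is not UniFi's code or a project file: it models the controller's top-down, first-match rule list, evaluates a few constructed flows against it, and flags any rule that an earlier rule shadows. One consequence of the DNS setup is worth seeing concretely: because Pi-hole sits on the main LAN, IoT → Pi-hole UDP/53 traffic falls under the Block IoT to LAN rule and needs its own allow rule above the block. The addresses are the article's except the Pi-hole (192.168.10.53), the NAS (192.168.10.20), the bulb (192.168.20.120) and the public host (203.0.113.10), which are assumed.

```python
"""Ordered first-match model of the IoT VLAN firewall policy (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Addresses from the article; PIHOLE is an assumption (the article only says
# it runs "on your main LAN").
MAIN_LAN = ipaddress.ip_network("192.168.10.0/24")
IOT_LAN = ipaddress.ip_network("192.168.20.0/24")
HOME_ASSISTANT = ipaddress.ip_network("192.168.10.50/32")
PIHOLE = ipaddress.ip_network("192.168.10.53/32")  # assumed address
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: Net
    dst: Net
    action: str                     # "accept" or "drop"
    dport: Optional[int] = None     # None matches any destination port
    established_only: bool = False  # stateful rule: matches reply traffic only


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # True for a reply inside a tracked connection


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.established_only and not flow.established:
        return False
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins. An unmatched flow falls through to the
    device's default policy, which this model deliberately leaves undecided."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "default", "(no rule matched)"


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule already covers every
    packet they would match: the classic 'I added the allow but it still drops'."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.established_only and not later.established_only:
                continue  # a reply-only rule cannot cover new connections
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(later.name)
                break
    return out


def build_policy(dns_rule_before_block: bool = True, stateful: bool = True) -> List[Rule]:
    """The article's rules in order. The flags reproduce two common mistakes:
    placing the DNS allow below the block rule, and having no stateful rule."""
    allow_ha = Rule("Allow Home Assistant to IoT", HOME_ASSISTANT, IOT_LAN, "accept")
    allow_dns = Rule("Allow IoT to Pi-hole DNS", IOT_LAN, PIHOLE, "accept", dport=53)
    block = Rule("Block IoT to LAN", IOT_LAN, MAIN_LAN, "drop")
    allow_wan = Rule("Allow IoT to WAN", IOT_LAN, ANY, "accept")
    rules = [allow_ha]
    if stateful:
        rules.insert(0, Rule("Allow established/related", ANY, ANY, "accept",
                             established_only=True))
    rules += [allow_dns, block] if dns_rule_before_block else [block, allow_dns]
    rules.append(allow_wan)
    return rules


# Constructed sample flows: bulb inside the article's DHCP range, a NAS on the
# main LAN, a public host, and Home Assistant polling the bulb.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "bulb -> NAS SMB":        Flow("192.168.20.120", "192.168.10.20", 445),
    "bulb -> internet HTTPS": Flow("192.168.20.120", "203.0.113.10", 443),
    "HA -> bulb HTTP":        Flow("192.168.10.50", "192.168.20.120", 80),
    "bulb -> HA reply":       Flow("192.168.20.120", "192.168.10.50", 41234, established=True),
    "bulb -> Pi-hole DNS":    Flow("192.168.20.120", "192.168.10.53", 53),
}


def audit(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    return {label: evaluate(rules, flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    variants = [("correct order", build_policy()),
                ("DNS allow below block", build_policy(dns_rule_before_block=False)),
                ("no stateful rule", build_policy(stateful=False))]
    for label, policy in variants:
        print(f"== {label} ==  shadowed: {shadowed(policy) or 'none'}")
        for name, (action, rule) in audit(policy).items():
            print(f"  {name:24s} {action:8s} via {rule}")
```

Running it prints the three policy variants: in the correct order every flow lands on the intended rule; with the DNS allow placed below the block, `shadowed` reports it and the bulb's DNS queries are dropped; without the stateful rule, the bulb's reply to Home Assistant is dropped by Block IoT to LAN even though the forward direction was allowed. Whether a flow that matches nothing is permitted depends on the controller's default policy, which is why the article writes both the drop and the accept rules explicitly.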
Result
Your IoT devices can reach the internet for cloud functions and Home Assistant can poll them, but a compromised device cannot pivot laterally into your personal network.