Setting up a proper home network for IoT devices with VLAN and security is increasingly important for Indian smart home enthusiasts. As IoT devices proliferate — ESP32 sensors, smart plugs, IP cameras, smart speakers — they represent potential security vulnerabilities if not properly isolated from your main network. This guide shows Indian makers how to segment their network using VLANs to protect personal data while enabling full IoT automation.
Table of Contents
- Why Separate Your IoT Devices?
- Network Equipment for Indian Homes
- VLAN Setup Step-by-Step
- Firewall Rules for IoT Isolation
- Home Assistant on Separate VLAN
- Remote Access with WireGuard VPN
- India-Specific Network Considerations
- Frequently Asked Questions
Why Separate Your IoT Devices?
The typical Indian smart home setup has 15-50 IoT devices sharing the same WiFi network as laptops, phones, and banking apps. This creates significant security risks:
- A compromised smart bulb or cheap security camera can sniff your banking credentials
- IoT devices often phone home to Chinese or American servers with your usage patterns
- Many budget Indian smart home devices have poor security – default passwords, no TLS
- A single infected device can attack all others on the same network
VLANs create virtual network segments. IoT devices get internet access but cannot communicate with your computers. Your computers remain fully accessible to each other but isolated from IoT devices.
Network Equipment for Indian Homes
For a complete VLAN setup, you need a VLAN-capable router. Options for Indian buyers:
Budget: TP-Link Archer series (Rs 2,500-5,000)
Many TP-Link routers support VLAN and guest network isolation. The Archer AX23 and higher support 802.1Q VLAN tagging when running OpenWrt firmware. Works well for apartments with 2-3 rooms.
Mid-Range: TP-Link Omada or Netgear Nighthawk (Rs 6,000-15,000)
These prosumer routers have native VLAN support with web GUI configuration. Ideal for large flats and independent houses.
Advanced: Ubiquiti UniFi System (Rs 15,000-40,000)
Enterprise-grade networking with full VLAN support, deep packet inspection, and IDS/IPS. Overkill for most Indian homes but worth it for tech enthusiasts who want maximum control and visibility.
VLAN Setup Step-by-Step
This guide uses a generic approach applicable to most home routers with VLAN support including OpenWrt, Ubiquiti, and ASUS Merlin.
Recommended VLAN Plan for Indian Home
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 10 | Main | 192.168.10.0/24 | Computers, phones, NAS |
| 20 | IoT | 192.168.20.0/24 | Smart plugs, bulbs, sensors |
| 30 | Trusted IoT | 192.168.30.0/24 | Home Assistant, local servers |
| 40 | Guest | 192.168.40.0/24 | Visitors, temporary devices |
OpenWrt Network Configuration
```
# /etc/config/network
# Classic swconfig syntax: the 'eth0.N' sub-interfaces need matching
# 'config switch_vlan' entries. OpenWrt 21.02+ renames 'ifname' to
# 'device' and uses DSA 'bridge-vlan' sections instead.
config interface 'main'
	option type 'bridge'      # a bridge, so the WiFi SSID for this VLAN can join it
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.10'
config interface 'iot'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.20'
config interface 'trusted_iot'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option ifname 'eth0.30'
```
Separate WiFi SSIDs per VLAN
```
# /etc/config/wireless (one access point per VLAN on the same radio)
config wifi-iface
	option device 'radio0'    # the radio declared by 'config wifi-device radio0'
	option mode 'ap'
	option ssid 'HomeMain'
	option network 'main'
	option encryption 'psk2'
	option key 'YOUR_STRONG_PASSWORD'
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'HomeIoT'
	option network 'iot'
	option encryption 'psk2'
	option key 'IOT_SEPARATE_PASSWORD'
	option isolate '1'        # AP isolation: IoT clients cannot talk to each other over WiFi
```
Firewall Rules for IoT Isolation
The critical security step: block IoT devices from accessing your main network while allowing Home Assistant on the trusted IoT VLAN to communicate bidirectionally with IoT devices.
```
# OpenWrt firewall rules (/etc/config/firewall)
# 'src' and 'dest' name firewall ZONES, not interfaces, so each VLAN from
# /etc/config/network is bound to a zone first. The stock 'wan' zone and
# 'config defaults' (forward REJECT, so zones cannot talk unless allowed)
# are kept; give main and trusted_iot the same forwarding to wan as the
# stock 'lan' zone had.
config zone
	option name 'main'
	list network 'main'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'     # IoT devices cannot reach the router's own services
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'trusted_iot'
	list network 'trusted_iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
# Allow IoT to access internet (via WAN)
config forwarding
	option src 'iot'
	option dest 'wan'
# IoT devices still need DHCP and DNS from the router
config rule
	option name 'IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
# BLOCK IoT from accessing Main network
config rule
	option name 'IoT-block-Main'
	option src 'iot'
	option dest 'main'
	option target 'REJECT'
# Allow Main network to access the Home Assistant web UI only
config rule
	option name 'Main-to-HA'
	option src 'main'
	option dest 'trusted_iot'
	option dest_ip '192.168.30.100'
	option dest_port '8123'
	option proto 'tcp'
	option target 'ACCEPT'
# Allow Home Assistant to initiate connections to IoT devices
config rule
	option name 'HA-to-IoT'
	option src 'trusted_iot'
	option src_ip '192.168.30.100'
	option dest 'iot'
	option target 'ACCEPT'
```
Home Assistant on Separate VLAN
Home Assistant should sit on the Trusted IoT VLAN (192.168.30.0/24). It needs to communicate with IoT devices but should not be directly reachable from untrusted guest networks.
ESPHome Static IP on IoT VLAN
```yaml
wifi:
  ssid: "HomeIoT"
  password: "YOUR_IOT_PASSWORD"
  manual_ip:
    static_ip: 192.168.20.100
    gateway: 192.168.20.1
    subnet: 255.255.255.0
    # 192.168.20.1 instead would keep DNS on the router and its firewall rules
    dns1: 8.8.8.8
```
mDNS Across VLANs
IoT devices use mDNS for discovery, which does not cross VLAN boundaries by default. Solutions:
- Install avahi-daemon on your router with multi-VLAN reflector support (the router must also accept mDNS, UDP 5353, from the IoT zone for the reflector to see those announcements)
- Or configure Home Assistant integrations with static IP addresses instead of mDNS
- Assign static IPs to all ESP32/ESPHome devices to avoid mDNS dependency altogether
Remote Access with WireGuard VPN
Instead of port-forwarding your Home Assistant to the internet (dangerous), use WireGuard VPN. When you are away from home, connect to your WireGuard server and access Home Assistant as if you were on your local network. On OpenWrt, also allow UDP 51820 into the wan zone and put the WireGuard interface in a zone that may forward to trusted_iot.
```ini
# WireGuard server config on router or Pi (wg-quick format)
[Interface]
Address = 10.8.0.1/24
# Forward UDP 51820 from the ISP router to this host
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

# Your phone as client. AllowedIPs here is the tunnel address the phone may
# use as its source; the phone's own config lists 192.168.30.0/24 (and
# 192.168.10.0/24) under AllowedIPs so that traffic goes into the tunnel.
[Peer]
PublicKey = PHONE_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32
```
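The server snippet shows only one side of the tunnel, and AllowedIPs means different things on each side: on the server it is the set of source addresses that peer is allowed to use inside the tunnel (WireGuard's cryptokey routing), on the phone it is the set of destinations that get sent into the tunnel. The following Python checker is added here as an example and is not part of this guide; it parses a constructed server/phone pair and flags the common slips: a server-side peer with 0.0.0.0/0 (which would route the server's own traffic to the phone) and a phone config whose AllowedIPs does not cover the Trusted IoT or Main subnets. The endpoint hostname home.example.invalid and all key values are placeholders.

```python
"""Check a WireGuard server/client pair for the classic AllowedIPs mistakes.
Added example, not from the guide; both configs below are constructed and
every key or hostname is a placeholder."""
import ipaddress

SERVER_CONF = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

[Peer]
PublicKey = PHONE_PUBLIC_KEY
AllowedIPs = 10.8.0.2/32
"""

# Phone side: split tunnel that routes only the VLANs behind the home router
PHONE_CONF = """
[Interface]
Address = 10.8.0.2/32
PrivateKey = PHONE_PRIVATE_KEY
DNS = 192.168.30.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = home.example.invalid:51820
AllowedIPs = 10.8.0.0/24, 192.168.30.0/24, 192.168.10.0/24
PersistentKeepalive = 25
"""

def parse_wg(text):
    """Return (interface_dict, [peer_dict, ...]); [Peer] may repeat."""
    iface, peers, cur = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # wg strips '#' comments too
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return iface, peers

def networks(csv):
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in csv.split(",") if n.strip()]

def check_server(conf):
    """Each peer's AllowedIPs must be a single host address inside the tunnel
    subnet; anything wider (worst case 0.0.0.0/0) becomes a route on the server."""
    iface, peers = parse_wg(conf)
    tunnel = ipaddress.ip_interface(iface["Address"]).network
    problems = []
    for p in peers:
        for net in networks(p.get("AllowedIPs", "")):
            ok = (net.version == tunnel.version and net.prefixlen == net.max_prefixlen
                  and net.subnet_of(tunnel))
            if not ok:
                problems.append(f"{p.get('PublicKey')}: {net} is not a host in {tunnel}")
    return problems

def check_client(conf, lan_subnets, server_port):
    """The phone must route every LAN subnet we care about into the tunnel and
    must dial the port the server listens on."""
    _, peers = parse_wg(conf)
    problems = []
    for p in peers:
        allowed = networks(p.get("AllowedIPs", ""))
        for lan in lan_subnets:
            want = ipaddress.ip_network(lan)
            if not any(a.version == want.version and want.subnet_of(a) for a in allowed):
                problems.append(f"{lan} not routed via tunnel")
        port = p.get("Endpoint", "").rsplit(":", 1)[-1]
        if port != str(server_port):
            problems.append(f"endpoint port {port!r} != ListenPort {server_port}")
    return problems

if __name__ == "__main__":
    print("server:", check_server(SERVER_CONF) or "ok")
    print("phone:", check_client(PHONE_CONF, ["192.168.30.0/24", "192.168.10.0/24"], 51820) or "ok")
```

Run it against your real files by reading them into SERVER_CONF and PHONE_CONF; a full-tunnel phone config (AllowedIPs = 0.0.0.0/0) passes check_client because every LAN subnet is covered, while the same value on the server side is reported.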
India-Specific Network Considerations
ISP-Provided Routers
Airtel, Jio, and ACT Fibernet provide locked routers that do not support VLAN configuration. Solutions:
- Set ISP router to bridge or passthrough mode and add your own VLAN-capable router behind it
- Use your own router in DMZ mode with the ISP router forwarding all traffic to it
- Some ISP routers have hidden menus accessible via Telnet – check your specific model online
Power Outage Resilience
Indian homes experience frequent power cuts. Use a UPS (600VA minimum) for your router and Home Assistant server. Running VLAN and firewall state lives in RAM, and configuration changes not yet written to flash are lost on a hard power cut, so the router needs a clean shutdown to save its configuration properly.
ISP IPv6 Support
Jio and Airtel provide IPv6 in many cities. IoT devices on IPv6 may bypass VLAN isolation if your firewall rules do not cover IPv6. Always add matching IPv6 firewall rules alongside IPv4 rules.
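As an added example (not part of this guide), the following Python script lints an OpenWrt /etc/config/firewall for the two mistakes discussed in the firewall section and here: a forwarding or ACCEPT rule that lets the iot zone reach main, and rules pinned to IPv4 literals that have no IPv6 counterpart. OpenWrt's fw3/fw4 restrict a rule to the address family of any src_ip or dest_ip literal it contains, so a rule like HA-to-IoT above covers IPv4 only until a matching rule with an IPv6 address (or family 'ipv6') exists. The sample config embedded in the script is constructed, follows the zone names of the plan above, and contains one deliberate instance of each mistake; the IPv6 address fd00:30::100 is an assumed ULA, not one from the guide.

```python
"""Lint an OpenWrt /etc/config/firewall for two IoT-isolation slips:
(1) a forwarding or ACCEPT rule that lets zone 'iot' reach zone 'main';
(2) rules pinned to IPv4 literals (src_ip/dest_ip) with no IPv6 sibling.
Added example, not from the guide; SAMPLE_FIREWALL is constructed."""
import ipaddress
import re

# Constructed sample: the guide's rules plus one deliberate mistake of each kind
SAMPLE_FIREWALL = """
config forwarding
    option src 'iot'
    option dest 'main'
config rule
    option name 'HA-to-IoT'
    option src 'trusted_iot'
    option src_ip '192.168.30.100'
    option dest 'iot'
    option target 'ACCEPT'
config rule
    option name 'Main-to-HA'
    option src 'main'
    option dest 'trusted_iot'
    option dest_ip '192.168.30.100'
    option dest_port '8123'
    option target 'ACCEPT'
config rule
    option name 'Main-to-HA6'
    option src 'main'
    option dest 'trusted_iot'
    option dest_ip 'fd00:30::100'
    option dest_port '8123'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value_or_list}), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$", line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:                      # 'list' keys may repeat within a section
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def find_iot_to_main_leaks(sections, iot="iot", main="main"):
    """Names of forwardings or ACCEPT rules that let iot initiate traffic to main."""
    leaks = []
    for stype, opts in sections:
        if opts.get("src") != iot or opts.get("dest") != main:
            continue
        if stype == "forwarding":
            leaks.append("forwarding iot->main")
        elif stype == "rule" and opts.get("target", "ACCEPT").upper() == "ACCEPT":
            leaks.append(opts.get("name", "<unnamed rule>"))
    return leaks

def rule_family(opts):
    """Family a rule matches: explicit 'family' wins; otherwise an IPv4 or IPv6
    literal in src_ip/dest_ip pins the rule to that family; else 'any'."""
    if opts.get("family") in ("ipv4", "ipv6"):
        return opts["family"]
    for key in ("src_ip", "dest_ip"):
        if key in opts:
            return f"ipv{ipaddress.ip_network(opts[key], strict=False).version}"
    return "any"

def find_ipv4_only_rules(sections):
    """IPv4-only rules with no IPv6 rule of the same src/dest/port/target."""
    rules = [o for t, o in sections if t == "rule"]
    def shape(o):
        return (o.get("src"), o.get("dest"), o.get("dest_port"),
                o.get("target", "ACCEPT").upper())
    v6_shapes = {shape(o) for o in rules if rule_family(o) == "ipv6"}
    return [o.get("name", "<unnamed rule>") for o in rules
            if rule_family(o) == "ipv4" and shape(o) not in v6_shapes]

def lint(text):
    sections = parse_uci(text)
    return {"iot_to_main": find_iot_to_main_leaks(sections),
            "ipv4_only": find_ipv4_only_rules(sections)}

if __name__ == "__main__":
    for check, hits in lint(SAMPLE_FIREWALL).items():
        print(f"{check}: {hits or 'ok'}")
```

Point lint() at the contents of your own /etc/config/firewall after every change; an empty list under both keys is what you want before trusting the isolation.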
Frequently Asked Questions
Does VLAN setup work on apartment WiFi routers provided by ISPs in India?
Most ISP-provided routers from Airtel and Jio do not support VLANs through their standard interface. Your best option is to add a VLAN-capable router such as TP-Link or Asus running OpenWrt behind the ISP modem in bridge mode. Even a Rs 2,500 TP-Link router running OpenWrt supports full VLAN functionality.
Will my smart home devices still work after VLAN isolation?
Yes. IoT devices on the IoT VLAN still get internet access so cloud-connected devices work normally. Home Assistant can still reach them via the firewall rule allowing Trusted IoT to IoT traffic. The only restriction is that IoT devices cannot initiate connections to your computers or phones.
Can I still control devices from my phone after VLAN setup?
Yes. Your phone is on the Main VLAN. It connects to Home Assistant on the Trusted IoT VLAN via a specific firewall rule allowing port 8123. Home Assistant then controls IoT devices on your behalf. Alternatively, use the Companion App cloud connection when away from home.
How do I add a new IoT device after VLAN setup?
Simply connect the new device to the IoT WiFi SSID (HomeIoT). It automatically goes onto the IoT VLAN with internet access but no access to your main network. For ESPHome devices, update the static IP assignment to the next available address in the 192.168.20.x range.
Does Zigbee2MQTT work across VLANs?
Place the Zigbee2MQTT server on the Trusted IoT VLAN alongside Home Assistant. Zigbee devices communicate directly with the coordinator via Zigbee radio (not WiFi), so VLAN configuration does not affect Zigbee device operation at all. Only the MQTT broker needs to be reachable from both VLANs.