
Comment by briHass

10 hours ago

You're making it complicated with all the VLANs. HAOS in a VM (proxmox helper scripts for one-line install), and HA has plugins for all the other things.

Just deny WAN access to the IoT junk you don't trust at the router, or, for things like cameras, a separate switch for those. That usually makes sense, since they're one of the few devices that must be powered with PoE and don't require gig+ bandwidth. A cheap 100mbit PoE switch will handle a good number of cameras.

I'm not giving untrusted devices unfettered access to my LAN, and an airgapped network sounds more complicated tbh. VLANs aren't really that bad with good networking gear.

  • I have HASS running on a dedicated VLAN, IoT junk on its own, separate VLAN without internet access, through a managed switch. OPNsense sits in between and does the routing. Didn't have to mess around with anything, just ran the "vm appliance" or whatever it's called for hass and I was off to the races. WireGuard on the firewall gives me access from outside the house.

    Actually, both OPNsense and Hass are VMs on the same machine, with the latter's network not even connected to any physical port outside the box. I'm not even running Proxmox or anything fancy, just libvirt on Arch. The only "fancy" thing is a 2nd hand Mellanox NIC I got off eBay for 30 €, which presents virtualized interfaces to the VMs, but HASS doesn't actually use those.

    There's also no need to manually screw around with any reverse proxy for TLS; HASS does it with the Let's Encrypt add-on. The only missing piece when I set this up a while ago was something to regularly renew the cert (the add-on would only get started at boot-up).
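The two approaches in this thread (deny WAN to untrusted IoT at the router, and put HA and IoT on separate VLANs routed through a firewall) amount to one forwarding policy. This is an added example, not configuration from any commenter; it uses Linux nftables rather than OPNsense's pf, and the interface names, subnets and the HA host address are assumed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: a Linux nftables ruleset for the segmentation discussed above.
# Assumed (not from the thread):
#   wan0    - upstream link
#   vlan10  - trusted LAN (laptops, phones)       10.0.10.0/24
#   vlan20  - Home Assistant host                 10.0.20.10
#   vlan30  - IoT devices, no internet access     10.0.30.0/24
#   wg0     - WireGuard peers                     10.0.99.0/24

flush ruleset

define TRUSTED = vlan10
define HA_VLAN = vlan20
define IOT     = vlan30
define WAN     = wan0
define VPN     = wg0
define HA_HOST = 10.0.20.10

table inet filter {
    chain forward {
        # default deny between VLANs; only the rules below open paths
        type filter hook forward priority filter; policy drop;

        # return traffic for connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # IoT devices may only reach the HA host, and only its web/API port
        iifname $IOT oifname $HA_VLAN ip daddr $HA_HOST tcp dport 8123 accept
        # anything else IoT tries (including WAN) hits the drop policy; log it
        iifname $IOT log prefix "iot-drop: " drop

        # trusted clients, VPN peers and the HA host may initiate to IoT
        iifname { $TRUSTED, $VPN, $HA_VLAN } oifname $IOT accept
        # trusted clients and VPN peers may reach HA
        iifname { $TRUSTED, $VPN } oifname $HA_VLAN accept

        # trusted LAN and the HA host get internet (HA needs it for the
        # Let's Encrypt add-on); the IoT VLAN deliberately does not
        iifname { $TRUSTED, $HA_VLAN } oifname $WAN accept
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Two practical caveats follow from this layout: devices that depend on a vendor cloud will stop working once the IoT VLAN loses WAN, which is the point but should be expected; and HA's automatic discovery relies on mDNS, which does not cross VLANs, so either an mDNS repeater on the firewall or static device addresses in HA is needed.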