# Network Security - VLAN Architecture & Privacy

**Created:** 2026-02-09
**Purpose:** IoT isolation, private data protection, PII sanitization for cloud APIs

---

## VLAN Architecture

```
+---------------------------------------------+
| VLAN 1: Trusted (192.168.1.0/24)            |
| Laptops, phones, tablets                    |
| Full internet access                        |
| Can initiate connections to all VLANs       |
+---------------------------------------------+
          | (can access)
+---------------------------------------------+
| VLAN 10: Infrastructure (192.168.10.0/24)   |
| Home Assistant Yellow                       |
| LLM Server                                  |
| NAS (if applicable)                         |
| Can access Trusted + IoT VLANs              |
+---------------------------------------------+
          | (can access)
+---------------------------------------------+
| VLAN 20: IoT (192.168.20.0/24)              |
| Zigbee coordinator (HA Yellow)              |
| WiFi cameras, sensors, smart plugs          |
| BLOCKED from initiating to Trusted          |
| Internet restricted (DNS/NTP only)          |
+---------------------------------------------+
          | (restricted)
+---------------------------------------------+
| VLAN 99: Guest (192.168.99.0/24)            |
| Guest devices                               |
| Internet only, no internal access           |
+---------------------------------------------+
```

---

## Firewall Rules

The rules below describe which VLAN may *initiate* a connection. They assume a stateful firewall: return traffic for a connection opened from Trusted is allowed automatically by connection tracking, while an IoT device still cannot open a new connection toward Trusted. Anything not explicitly allowed is dropped.

### Rule 1: IoT Isolation (Critical)

- **ALLOW:** Trusted --> IoT (control devices from phone)
- **BLOCK:** IoT --> Trusted (prevent a compromised device from probing the network)

### Rule 2: Infrastructure Bridge

- **ALLOW:** Infrastructure --> IoT (HA controls devices)
- **ALLOW:** Infrastructure --> Trusted (send notifications)
- **ALLOW:** Trusted --> Infrastructure (access HA web UI, LLM)

### Rule 3: IoT Internet Restriction

- **ALLOW:** IoT --> DNS (port 53) and NTP (port 123)
- **BLOCK:** IoT --> Internet (all other ports)
- **EXCEPTION:** Whitelist specific cloud services if a device requires them

### Rule 4: mDNS Control

- **BLOCK:** Broadcast protocols across VLANs by default
- **ALLOW:** Selective mDNS reflection for HA discovery

---

## Hardware Options

### Budget: TP-Link Omada (~$150)

- ER605 router ($60) -- VLAN routing, firewall rules
- TL-SG2008P managed switch ($90) -- VLAN tagging, PoE

### Mid-tier: Ubiquiti UniFi (~$760)

- Dream Machine Pro ($379) -- Router + controller + IDS
- USW-24-PoE switch ($379) -- 24 ports, VLAN, PoE
- Better UI, more features, IDS/IPS built in

### Existing Gear

- Most Netgear managed switches support VLANs
- OpenWRT on consumer routers adds VLAN capability
- pfSense/OPNsense on an old PC is free and powerful

---

## Privacy: Keeping Data Local

### Core Principle

**Private data NEVER leaves the local network.**

| Data Type | Route | Why |
|---|---|---|
| Sensor readings | Local LLM only | Reveals activity patterns |
| Camera feeds | Local LLM only | Obvious privacy concern |
| Device names/locations | Local LLM only | Reveals home layout |
| Presence detection | Local LLM only | Reveals who's home |
| Personal names/addresses | Strip before cloud | PII |
| Energy usage patterns | Sanitize before cloud | Activity inference |
| General questions | Cloud OK | No private data |
| Internet searches | Cloud OK (Grok) | No private data |

### PII Sanitization Pipeline

For queries that go to cloud APIs, scrub private information first:

```python
from typing import Optional

from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine

analyzer = AnalyzerEngine()
anonymizer = AnonymizerEngine()

# Topics that never go to a cloud API, even with PII removed: the query
# itself reveals home state (cameras, presence, alarm, credentials).
BLOCKED_KEYWORDS = ["camera", "location", "address", "password", "who is home", "alarm"]


def sanitize_for_cloud(query: str) -> Optional[str]:
    """Remove PII before sending to Claude/Grok.

    Returns the anonymized query, or None if the query must be handled
    locally instead.
    """
    # Hard block certain categories first; no point analyzing a query
    # that will never leave the network.
    if any(kw in query.lower() for kw in BLOCKED_KEYWORDS):
        return None  # Block query entirely, handle locally

    # Detect sensitive entities
    results = analyzer.analyze(
        text=query,
        entities=["PERSON", "LOCATION", "PHONE_NUMBER", "EMAIL_ADDRESS", "DATE_TIME"],
        language="en",
    )

    # Replace each detected entity with a placeholder such as <PERSON>
    sanitized = anonymizer.anonymize(text=query, analyzer_results=results)
    return sanitized.text
```

The keyword list is a coarse, fail-closed backstop, and Presidio's recognizers are probabilistic: test the pipeline against your own phrasing (room names, device names, family names) and extend the entity list rather than trusting the defaults.

### Cloud API Data Policies

**Anthropic (Claude):**

- API inputs are NOT used for training by default
- Can explicitly opt out
- Data retained 30 days for safety, then deleted

**xAI (Grok):**

- Data sharing program is opt-in ($150/month credit if you opt in)
- Can opt out and keep data private
- Standard API usage not used for training if opted out

---

## Remote Access

### Recommended: Tailscale (Zero-Config VPN)

```bash
# Install on LLM server and HA
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up
```

- WireGuard-based mesh network
- No port forwarding needed
- Free for personal use (up to 20 devices)
- Access HA + LLM from anywhere securely

### Alternative: WireGuard (Self-Hosted)

- Run on router or dedicated server
- Full control, no third-party dependency
- Requires port forwarding (one UDP port)
- More setup, more control

### Home Assistant Cloud (Nabu Casa)

- $6.50/month, official HA remote access
- No VPN config needed
- Supports the HA development team
- Simplest option

---

## Security Hardening Checklist

- [ ] Disable UPnP on router
- [ ] Enable 2FA on Home Assistant
- [ ] Strong passwords (16+ chars, random) on all services
- [ ] Regular updates: HA, Ollama, OS, router firmware
- [ ] Monitor failed login attempts in HA logs
- [ ] Daily automated backups (HA + LLM configs)
- [ ] Firewall rules reviewed quarterly
- [ ] IoT devices on isolated VLAN
- [ ] No camera feeds sent to cloud APIs
- [ ] PII sanitization active on cloud-bound queries

---

## Data Retention

| System | Retention | Notes |
|---|---|---|
| HA sensor data | 30 days raw, indefinite aggregated | Purge in Settings > System > Storage |
| Camera recordings | 7-14 days | Local storage only (NAS or NVMe) |
| LLM conversation logs | Purge monthly | Ollama logs stored locally |
| Cloud API logs | Disable or redact PII | Check provider settings |

---

## Sources

- https://newerest.space/mastering-network-segmentation-vlans-home-assistant-iot-security/
- https://www.xda-developers.com/vlan-rules-every-smart-home-should-have/
- https://thehomesmarthome.com/home-assistant-security-vlans-firewalls-ids/
- https://tailscale.com/