claudetools/projects/wrightstown-smarthome/documentation/network-security.md
Mike Swanson aaf4172b3c sync: Add Wrightstown Solar and Smart Home projects
New projects from 2026-02-09 research session:

Wrightstown Solar:
- DIY 48V LiFePO4 battery storage (EVE C40 cells)
- Victron MultiPlus II whole-house UPS design
- BMS comparison (Victron CAN bus compatible)
- EV salvage analysis (new cells won)
- Full parts list and budget

Wrightstown Smart Home:
- Home Assistant Yellow setup (local voice, no cloud)
- Local LLM server build guide (Ollama + RTX 4090)
- Hybrid LLM bridge (LiteLLM + Claude API + Grok API)
- Network security (VLAN architecture, PII sanitization)

Machine: ACG-M-L5090
Timestamp: 2026-02-09

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 18:44:35 -07:00


Network Security - VLAN Architecture & Privacy

Created: 2026-02-09

Purpose: IoT isolation, private data protection, PII sanitization for cloud APIs


VLAN Architecture

```
+---------------------------------------------+
|  VLAN 1: Trusted (192.168.1.0/24)           |
|  Laptops, phones, tablets                   |
|  Full internet access                       |
|  Can initiate connections to all VLANs      |
+---------------------------------------------+
                  | (can access)
+---------------------------------------------+
|  VLAN 10: Infrastructure (192.168.10.0/24)  |
|  Home Assistant Yellow                      |
|  LLM Server                                 |
|  NAS (if applicable)                        |
|  Can access Trusted + IoT VLANs             |
+---------------------------------------------+
                  | (can access)
+---------------------------------------------+
|  VLAN 20: IoT (192.168.20.0/24)             |
|  Zigbee coordinator (HA Yellow)             |
|  WiFi cameras, sensors, smart plugs         |
|  BLOCKED from initiating to Trusted         |
|  Internet restricted (DNS/NTP only)         |
+---------------------------------------------+
                  | (restricted)
+---------------------------------------------+
|  VLAN 99: Guest (192.168.99.0/24)           |
|  Guest devices                              |
|  Internet only, no internal access          |
+---------------------------------------------+
```

Firewall Rules

Rule 1: IoT Isolation (Critical)

  • ALLOW: Trusted --> IoT (control devices from phone)
  • BLOCK: IoT --> Trusted (prevent compromised device probing network)

Rule 2: Infrastructure Bridge

  • ALLOW: Infrastructure --> IoT (HA controls devices)
  • ALLOW: Infrastructure --> Trusted (send notifications)
  • ALLOW: Trusted --> Infrastructure (access HA web UI, LLM)

Rule 3: IoT Internet Restriction

  • ALLOW: IoT --> DNS (port 53) and NTP (port 123)
  • BLOCK: IoT --> Internet (all other ports)
  • EXCEPTION: Whitelist specific cloud services if device requires it

Rule 4: mDNS Control

  • BLOCK: Broadcast protocols across VLANs by default
  • ALLOW: Selective mDNS reflection for HA discovery
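
Rules 1 to 3 can be written down as a small policy model and compared against what reachability probes actually observe, which gives the quarterly firewall review something concrete to check. The following is an added example, not part of the original document or of any router's configuration; the function names and probe results are constructed, it assumes Infrastructure has internet access and that no inbound port forwards exist, and it does not model Rule 4 (mDNS).

```python
import ipaddress

# Subnets from the VLAN diagram above.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "trusted": "192.168.1.0/24", "infra": "192.168.10.0/24",
    "iot": "192.168.20.0/24", "guest": "192.168.99.0/24"}.items()}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zone pairs that may open NEW connections (Rules 1 and 2). Replies on
# established flows are left to the router's stateful tracking.
ALLOWED_PAIRS = {("trusted", "infra"), ("trusted", "iot"),
                 ("infra", "trusted"), ("infra", "iot")}
IOT_INTERNET = {("udp", 53), ("tcp", 53), ("udp", 123)}  # Rule 3


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    # Private space outside the four VLANs is unknown, not "internet".
    return "unknown" if any(ip in n for n in RFC1918) else "internet"


def allows_new_connection(src, dst, proto, port):
    s, d = zone_of(src), zone_of(dst)
    if "unknown" in (s, d) or s == "internet":
        return False  # default deny; assumes no inbound port forwards
    if s == d:
        return True   # same VLAN: switched, never crosses the firewall
    if d == "internet":
        # Assumption: Infrastructure has internet access like Trusted/Guest.
        return s != "iot" or (proto, port) in IOT_INTERNET
    return (s, d) in ALLOWED_PAIRS


def policy_drift(observed):
    """Return probe results (src, dst, proto, port, reachable) that
    disagree with the documented policy."""
    return [o for o in observed if allows_new_connection(*o[:4]) != o[4]]


# Constructed probe results; 203.0.113.0/24 is a documentation range.
SAMPLE_PROBES = [
    ("192.168.1.50", "192.168.20.15", "tcp", 80, True),     # phone -> plug
    ("192.168.20.15", "192.168.1.50", "tcp", 445, False),   # plug -> laptop
    ("192.168.10.5", "192.168.20.15", "tcp", 80, True),     # HA -> plug
    ("192.168.20.15", "203.0.113.53", "udp", 53, True),     # IoT DNS
    ("192.168.99.7", "192.168.10.5", "tcp", 8123, False),   # guest -> HA
    ("192.168.20.15", "203.0.113.10", "tcp", 443, True),    # leaked HTTPS
]
```

Calling `policy_drift(SAMPLE_PROBES)` returns only the last entry, an IoT device reaching the internet on TCP 443, which Rule 3 should have blocked.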

Hardware Options

  • ER605 router ($60) -- VLAN routing, firewall rules
  • TL-SG2008P managed switch ($90) -- VLAN tagging, PoE

Mid-tier: Ubiquiti UniFi (~$760)

  • Dream Machine Pro ($379) -- Router + controller + IDS
  • USW-24-PoE switch ($379) -- 24 ports, VLAN, PoE
  • Better UI, more features, IDS/IPS built in

Existing Gear

  • Most Netgear managed switches support VLANs
  • OpenWRT on consumer routers adds VLAN capability
  • pfSense/OPNsense on old PC is free and powerful

Privacy: Keeping Data Local

Core Principle

Private data NEVER leaves the local network.

| Data Type | Route | Why |
|---|---|---|
| Sensor readings | Local LLM only | Reveals activity patterns |
| Camera feeds | Local LLM only | Obvious privacy concern |
| Device names/locations | Local LLM only | Reveals home layout |
| Presence detection | Local LLM only | Reveals who's home |
| Personal names/addresses | Strip before cloud | PII |
| Energy usage patterns | Sanitize before cloud | Activity inference |
| General questions | Cloud OK | No private data |
| Internet searches | Cloud OK (Grok) | No private data |

PII Sanitization Pipeline

For queries that go to cloud APIs, scrub private information first:

```python
from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine

analyzer = AnalyzerEngine()
anonymizer = AnonymizerEngine()

# Queries mentioning these topics are never sent to the cloud
BLOCKED_KEYWORDS = ["camera", "location", "address",
                    "password", "who is home", "alarm"]


def sanitize_for_cloud(query):
    """Remove PII before sending to Claude/Grok.

    Returns the sanitized text, or None if the query must be handled locally.
    """
    # Hard block certain categories before any other processing
    if any(kw in query.lower() for kw in BLOCKED_KEYWORDS):
        return None  # Block query entirely, handle locally

    # Detect sensitive entities
    results = analyzer.analyze(
        text=query,
        entities=["PERSON", "LOCATION", "PHONE_NUMBER",
                  "EMAIL_ADDRESS", "DATE_TIME"],
        language="en",
    )

    # Anonymize detected entities (default operator replaces each with <ENTITY_TYPE>)
    sanitized = anonymizer.anonymize(text=query, analyzer_results=results)
    return sanitized.text
```
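
The routing table above keeps device names and locations local, but a general-purpose PII detector has no knowledge of a particular household's room, device or resident names. The following added example (not part of the original document) puts a household vocabulary check in front of the sanitizer and fails closed if the sanitizer errors; `HOUSEHOLD_TERMS`, `find_household_terms` and `route` are hypothetical names and the terms are constructed.

```python
import re

# Hypothetical household vocabulary (constructed). In practice it would be
# built from Home Assistant area, device and resident names.
HOUSEHOLD_TERMS = ["Alex", "master bedroom", "garage_door", "Elm Street"]


def _normalize(text):
    # Fold case, punctuation and underscores to single spaces so that
    # "garage_door" and "Garage door" compare alike.
    return re.sub(r"[\W_]+", " ", text.lower()).strip()


def find_household_terms(text, terms=HOUSEHOLD_TERMS):
    """Return the household terms present in text as whole words."""
    haystack = f" {_normalize(text)} "
    return [t for t in terms if f" {_normalize(t)} " in haystack]


def route(query, sanitizer):
    """Return ("local", query) or ("cloud", sanitized_text).

    sanitizer is a callable like sanitize_for_cloud(): it returns the
    scrubbed text, or None when the query must stay local.
    """
    if find_household_terms(query):
        return ("local", query)
    try:
        cleaned = sanitizer(query)
    except Exception:
        return ("local", query)  # fail closed: never fall through to cloud
    if cleaned is None:
        return ("local", query)
    return ("cloud", cleaned)
```

Whole-word matching keeps a resident name such as "Alex" from also blocking unrelated words like "Alexandria".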

Cloud API Data Policies

Anthropic (Claude):

  • API inputs are NOT used for training by default
  • Can explicitly opt out
  • Data retained 30 days for safety, then deleted

xAI (Grok):

  • Data sharing program is opt-in ($150/month credit if you opt in)
  • Can opt out and keep data private
  • Standard API usage not used for training if opted out

Remote Access

```bash
# Install on LLM server and HA
curl -fsSL https://tailscale.com/install.sh | sh
# Authenticate and join the tailnet (needs root)
sudo tailscale up
```

  • WireGuard-based mesh network
  • No port forwarding needed
  • Free for personal use (up to 20 devices)
  • Access HA + LLM from anywhere securely

Alternative: WireGuard (Self-Hosted)

  • Run on router or dedicated server
  • Full control, no third-party dependency
  • Requires port forwarding (one UDP port)
  • More setup, more control

Home Assistant Cloud (Nabu Casa)

  • $6.50/month, official HA remote access
  • No VPN config needed
  • Supports HA development team
  • Simplest option

Security Hardening Checklist

  • Disable UPnP on router
  • Enable 2FA on Home Assistant
  • Strong passwords (16+ chars, random) on all services
  • Regular updates: HA, Ollama, OS, router firmware
  • Monitor failed login attempts in HA logs
  • Daily automated backups (HA + LLM configs)
  • Firewall rules reviewed quarterly
  • IoT devices on isolated VLAN
  • No camera feeds sent to cloud APIs
  • PII sanitization active on cloud-bound queries

Data Retention

| System | Retention | Notes |
|---|---|---|
| HA sensor data | 30 days raw, indefinite aggregated | Purge in Settings > System > Storage |
| Camera recordings | 7-14 days | Local storage only (NAS or NVMe) |
| LLM conversation logs | Purge monthly | Ollama logs stored locally |
| Cloud API logs | Disable or redact PII | Check provider settings |
