---
title: Device Placement Policy
created: 2026-05-10
updated: 2026-05-10
type: concept
tags: [iot, smart-home, concept, vlan, security, policy]
confidence: high
sources: [network-device-census, UniFi controller configuration]
---

# Device Placement Policy

> Defines which device classes belong on which VLAN, firewall rules required for cross-VLAN access, and the rationale for each placement decision.

## VLAN Architecture

```
┌──────────────────────────────────────────────────────────┐
│                   UniFi Dream Machine                    │
│                192.168.50.1 (Controller)                 │
├──────────┬──────────┬───────────┬──────────┬─────────────┤
│ VLAN 10  │ VLAN 20  │ VLAN 30   │ VLAN 50  │   Default   │
│ Family   │ Guest    │ IoT       │ Prod     │    Mgmt     │
│ .10.x    │ .20.x    │ .30.x     │ .50.x    │    .1.x     │
└──────────┴──────────┴───────────┴──────────┴─────────────┘
```

## Device Class → VLAN Assignment

### VLAN 10 — "Family of D." (Personal Devices)

**Policy**: Trusted personal devices with full internal access. Phones, tablets, laptops, watches. No IoT devices unless they require direct phone access without firewall rules.

| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Phones | TophPhone14 (×3) | Need access to everything |
| Tablets | iPad | Personal use |
| Laptops | MacBook | Personal use |
| Watches | Apple Watch | Companion to phone |
| Baby monitors | Eufy cameras (×3) | **Exception**: Require constant phone access; avoid firewall complexity |
| RPi (personal) | Ice (.10.178 WiFi) | Personal-use connection |

### VLAN 30 — "Will of D. IoT" (Smart Home + Infrastructure)

**Policy**: All IoT devices, smart home hardware, and infrastructure hosts that need inter-device communication. This is where [[panda]] and all smart home controllers live.

| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| HA controller | [[panda]] (.30.196) | Central hub — needs access to all IoT |
| Zigbee/Thread hubs | [[home-assistant-connect-zbt-2]], [[aqara-hub-m3]] (.30.59) | Must reach Zigbee devices + HA |
| Voice assistants | Echo Dots (×4) | Matter controllers, need HA access |
| Media players | Apple TV (.30.234), LG TV (.30.79) | Controlled by HA + phones |
| Smart lighting | Shelly (×2), Govee (×5), TP-Link (×4) | WiFi actuators, HA-controlled |
| Climate | Nest Thermostat (.30.179) | HA + Google ecosystem |
| Air purifiers | Levoit Vital 200S (.30.21), AMWAY (.30.161) | WiFi appliances |
| Sensors/Locks | Aqara Zigbee devices (via hubs) | Non-IP, behind Zigbee coordinators |
| Cameras | Aqara Doorbell (.30.118), Camera Hub G3 (.30.113) | Aqara ecosystem, HA-managed |
| Robot vacuum | Eufy Omni C20 (.30.50) | WiFi appliance |
| Voice PE | HA Voice PE (.30.25) | ESPHome voice assistant |
| Sleep mat | Withings Rest (.30.177) | Health device |
| Infrastructure | Grizzley (.30.84), Ubuntu (.30.61), Ice (.30.197) | Also have .50.x on Production |
| NAS | TrueNAS (.30.11) | Also .50.12 on Production |

### VLAN 50 — "Production" (Server Infrastructure)

**Policy**: Server-to-server communication only. Infrastructure hosts carry dual NICs — .50.x for production traffic, .30.x for HA/IoT management.

| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Docker hosts | Ubuntu (.50.61), Grizzley (.50.84) | Production services |
| NAS | TrueNAS (.50.12) | Storage backend |
| Control plane | Ice (.50.197) | Gateway + monitoring |
| Proxmox | PVE (.50.11) | Hypervisor |

### VLAN 20 — "Will of D. (Guest)" (Guest Access)

**Policy**: Internet-only access, no internal device communication.

| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Guest phones | Any | Internet only |
| Solar monitor | SunPower (.20.190) | Internet-only reporting? ⚠️ Verify |

### Default — No VLAN (Management)

**Policy**: Network infrastructure management. Switches, wired-only devices without VLAN tagging.

| Device Class | Examples | Rationale |
|-------------|----------|-----------|
| Managed switch | TP-Link SG108PE (.1.92) | Switch management |
| Unknown wired | HYTERevolt (.1.143), VectorPro (.1.77) | Unidentified — investigate |

## Cross-VLAN Firewall Rules

Current state and recommended rules:

### Required (Missing)

| Source | Destination | Ports | Purpose | Priority |
|--------|------------|-------|---------|----------|
| VLAN 10 | VLAN 30:8123 | TCP 8123 | Phone → HA dashboard | High |
| VLAN 10 | VLAN 30:443 | TCP 443 | Phone → Traefik ingress to HA | High |
| VLAN 10 | VLAN 30 (Eufy) | Eufy app ports | Phone → Baby cameras | Medium |
| VLAN 50 | VLAN 30 | All | Server ↔ IoT management | Medium |
| VLAN 30 | VLAN 50 | All | IoT → Storage (NFS, S3) | Medium |

### Already Working (Same VLAN)

| Source → Dest | VLAN | Why it works |
|--------------|------|-------------|
| Phone → Eufy cameras | 10 → 10 | Same VLAN, no firewall needed |
| HA → All IoT devices | 30 → 30 | Same VLAN, no firewall needed |
| Echo → Alexa cloud | 30 → Internet | Outbound allowed by default |
| Nest → Google cloud | 30 → Internet | Outbound allowed by default |

## Placement Decision Tree

```
New device arrives
├── Is it a personal phone/tablet/laptop/watch?
│   └── YES → VLAN 10
├── Is it a server or infrastructure host?
│   ├── YES → Dual: VLAN 50 (production) + VLAN 30 (management)
│   └── NO ↓
├── Is it an IoT device managed by HA?
│   ├── YES → VLAN 30
│   └── NO ↓
├── Does it need direct phone access WITHOUT HA?
│   ├── YES → VLAN 10 (with note: add to HA if possible)
│   └── NO ↓
├── Is it a guest device?
│   ├── YES → VLAN 20
│   └── NO ↓
└── Unknown → VLAN 30 (IoT) + investigate
```

## Exceptions & Rationale

| Device | Expected VLAN | Actual VLAN | Reason |
|--------|-------------|-------------|--------|
| Eufy Baby Cameras (×3) | 30 | 10 | Phone accessibility without firewall rules |
| SunPower Solar Monitor | 30 or 10 | 20 | Possibly internet-only reporting; verify |
| HYTERevolt | 10 or 50 | Default | Unknown device — needs identification |
| VectorPro | 50 | Default | Unknown device — needs identification |

## Migration Checklist

If moving Eufy cameras to VLAN 30 for better segmentation:

1. Reserve IPs on VLAN 30 for 3 Eufy cameras
2. Add UniFi firewall rule: VLAN 10 → VLAN 30, allow Eufy app ports (TCP 8006, 8080, 9000 — verify with Eufy docs)
3. Add UniFi firewall rule: VLAN 10 → VLAN 30, allow mDNS (UDP 5353) for device discovery
4. Reconnect cameras to IoT SSID
5. Test phone app access from VLAN 10
6. Update [[network-device-census]] with new IPs

## Related Pages

- [[network-device-census]] — Full device classification
- [[iot-device-inventory]] — IoT devices by room
- [[matter-multi-fabric]] — Matter ecosystem architecture
- [[smart-home-handbook]] — Operational handbook
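The placement decision tree and the exceptions table above can be turned into a repeatable policy audit: encode the tree as a function, feed it the census, and let it flag every device whose observed VLAN differs from what the tree says. This is an added example, not part of this note or the UniFi controller; the `Device` fields and the small census below are constructed to mirror the tables above (IPs omitted, VLAN 1 stands in for the untagged default).

```python
from dataclasses import dataclass

# Constructed device record: flags mirror the questions in the placement
# decision tree; actual_vlans is what the (hypothetical) census observed.
@dataclass
class Device:
    name: str
    personal: bool = False          # phone/tablet/laptop/watch
    server: bool = False            # server or infrastructure host
    ha_managed: bool = False        # IoT device managed by Home Assistant
    direct_phone: bool = False      # needs phone access without HA
    guest: bool = False
    actual_vlans: frozenset = frozenset()   # 1 = untagged default/mgmt

def expected_vlans(d: Device) -> frozenset:
    """Walk the decision tree top to bottom; the first YES wins."""
    if d.personal:
        return frozenset({10})
    if d.server:
        return frozenset({50, 30})  # dual NIC: production + IoT management
    if d.ha_managed:
        return frozenset({30})
    if d.direct_phone:
        return frozenset({10})      # non-HA device that only the phone talks to
    if d.guest:
        return frozenset({20})
    return frozenset({30})          # unknown: park on IoT and investigate

def audit(devices):
    """Return {name: (expected, actual)} for every device that is off-policy."""
    return {d.name: (expected_vlans(d), d.actual_vlans)
            for d in devices if expected_vlans(d) != d.actual_vlans}

# Constructed census drawn from the tables in this note.
CENSUS = [
    Device("panda", ha_managed=True, actual_vlans=frozenset({30})),
    Device("Grizzley", server=True, actual_vlans=frozenset({30, 50})),
    # IoT-class camera kept on VLAN 10: the documented exception, so flagged
    Device("Eufy cam 1", ha_managed=True, direct_phone=True,
           actual_vlans=frozenset({10})),
    Device("SunPower", actual_vlans=frozenset({20})),   # role unverified
    Device("HYTERevolt", actual_vlans=frozenset({1})),  # unidentified, untagged
    Device("Guest phone", guest=True, actual_vlans=frozenset({20})),
]

if __name__ == "__main__":
    for name, (exp, act) in audit(CENSUS).items():
        print(f"{name}: expected VLAN {sorted(exp)}, found {sorted(act)}")
```

Re-running the audit after each census update keeps the Exceptions table honest: anything flagged should either be listed there with a reason or moved.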