hermes-ice/homelab/concepts/device-placement-policy.md
Hermes Agent e4d91aadf9 Initial commit: homelab infrastructure wiki
- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
2026-05-24 16:08:40 -07:00


---
title: Device Placement Policy
created: 2026-05-10
updated: 2026-05-10
type: concept
tags:
  - iot
  - smart-home
  - concept
  - vlan
  - security
  - policy
confidence: high
sources:
  - network-device-census
  - UniFi controller configuration
---

# Device Placement Policy

Defines which device classes belong on which VLAN, firewall rules required for cross-VLAN access, and the rationale for each placement decision.

## VLAN Architecture

```
┌─────────────────────────────────────────────────────────┐
│                   UniFi Dream Machine                   │
│                192.168.50.1 (Controller)                │
├──────────┬──────────┬──────────┬──────────┬─────────────┤
│ VLAN 10  │ VLAN 20  │ VLAN 30  │ VLAN 50  │  Default    │
│ Family   │ Guest    │ IoT      │ Prod     │  Mgmt       │
│ .10.x    │ .20.x    │ .30.x    │ .50.x    │  .1.x       │
└──────────┴──────────┴──────────┴──────────┴─────────────┘
```

## Device Class → VLAN Assignment

### VLAN 10 — "Family of D." (Personal Devices)

Policy: Trusted personal devices with full internal access. Phones, tablets, laptops, watches. No IoT devices unless they require direct phone access without firewall rules.

| Device Class | Examples | Rationale |
|---|---|---|
| Phones | TophPhone14 (×3) | Need access to everything |
| Tablets | iPad | Personal use |
| Laptops | MacBook | Personal use |
| Watches | Apple Watch | Companion to phone |
| Baby monitors | Eufy cameras (×3) | Exception: Require constant phone access; avoid firewall complexity |
| RPi (personal) | Ice (.10.178 WiFi) | Personal use connection |

### VLAN 30 — "Will of D. IoT" (Smart Home + Infrastructure)

Policy: All IoT devices, smart home hardware, and infrastructure hosts that need inter-device communication. This is where panda and all smart home controllers live.

| Device Class | Examples | Rationale |
|---|---|---|
| HA controller | panda (.30.196) | Central hub — needs access to all IoT |
| Zigbee/Thread hubs | home-assistant-connect-zbt-2, aqara-hub-m3 (.30.59) | Must reach Zigbee devices + HA |
| Voice assistants | Echo Dots (×4) | Matter controllers, need HA access |
| Media players | Apple TV (.30.234), LG TV (.30.79) | Controlled by HA + phones |
| Smart lighting | Shelly (×2), Govee (×5), TP-Link (×4) | WiFi actuators, HA-controlled |
| Climate | Nest Thermostat (.30.179) | HA + Google ecosystem |
| Air purifiers | Levoit Vital 200S (.30.21), AMWAY (.30.161) | WiFi appliances |
| Sensors/Locks | Aqara Zigbee devices (via hubs) | Non-IP, behind Zigbee coordinators |
| Cameras | Aqara Doorbell (.30.118), Camera Hub G3 (.30.113) | Aqara ecosystem, HA-managed |
| Robot vacuum | Eufy Omni C20 (.30.50) | WiFi appliance |
| Voice PE | HA Voice PE (.30.25) | ESPHome voice assistant |
| Sleep mat | Withings Rest (.30.177) | Health device |
| Infrastructure | Grizzley (.30.84), Ubuntu (.30.61), Ice (.30.197) | Also have .50.x on Production |
| NAS | TrueNAS (.30.11) | Also .50.12 on Production |

### VLAN 50 — "Production" (Server Infrastructure)

Policy: Server-to-server communication only. Infrastructure hosts carry dual NICs — .50.x for production traffic, .30.x for HA/IoT management.

| Device Class | Examples | Rationale |
|---|---|---|
| Docker hosts | Ubuntu (.50.61), Grizzley (.50.84) | Production services |
| NAS | TrueNAS (.50.12) | Storage backend |
| Control plane | Ice (.50.197) | Gateway + monitoring |
| Proxmox | PVE (.50.11) | Hypervisor |

### VLAN 20 — "Will of D. (Guest)" (Guest Access)

Policy: Internet-only access, no internal device communication.

| Device Class | Examples | Rationale |
|---|---|---|
| Guest phones | Any | Internet only |
| Solar monitor | SunPower (.20.190) | Internet-only reporting? ⚠️ Verify |

### Default — No VLAN (Management)

Policy: Network infrastructure management. Switches, wired-only devices without VLAN tagging.

| Device Class | Examples | Rationale |
|---|---|---|
| Managed switch | TP-Link SG108PE (.1.92) | Switch management |
| Unknown wired | HYTERevolt (.1.143), VectorPro (.1.77) | Unidentified — investigate |

## Cross-VLAN Firewall Rules

Current state and recommended rules:

### Required (Missing)

| Source | Destination | Ports | Purpose | Priority |
|---|---|---|---|---|
| VLAN 10 | VLAN 30:8123 | TCP 8123 | Phone → HA dashboard | High |
| VLAN 10 | VLAN 30:443 | TCP 443 | Phone → Traefik ingress to HA | High |
| VLAN 10 | VLAN 30 (Eufy) | Eufy app ports | Phone → Baby cameras | Medium |
| VLAN 50 | VLAN 30 | All | Server ↔ IoT management | Medium |
| VLAN 30 | VLAN 50 | All | IoT → Storage (NFS, S3) | Medium |

### Already Working (Same VLAN)

| Source → Dest | VLAN | Why it works |
|---|---|---|
| Phone → Eufy cameras | 10 → 10 | Same VLAN, no firewall needed |
| HA → All IoT devices | 30 → 30 | Same VLAN, no firewall needed |
| Echo → Alexa cloud | 30 → Internet | Outbound allowed by default |
| Nest → Google cloud | 30 → Internet | Outbound allowed by default |
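The two tables above describe an intended inter-VLAN policy, which is easy to get wrong when typed into the UniFi controller one rule at a time. This added example (not part of the vault, and not the UniFi API) models the Required and Already Working tables offline so a flow can be checked against the intended policy before the rules are created; the Default network id and the Eufy port set are assumptions taken from the Migration Checklist's to-be-verified values.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional

# VLAN id -> subnet, from the VLAN Architecture diagram. The untagged
# Default/Mgmt network (.1.x) is modelled as id 1 here (an assumption).
SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
    50: ipaddress.ip_network("192.168.50.0/24"),
    1: ipaddress.ip_network("192.168.1.0/24"),
}

# proto is "tcp", "udp" or "any"; an empty ports set means every port.
Rule = namedtuple("Rule", "src_vlan dst_vlan proto ports purpose")

# The "Required (Missing)" table. The Eufy row has no fixed ports on the page;
# the Migration Checklist's to-be-verified TCP 8006, 8080, 9000 are used here.
REQUIRED = [
    Rule(10, 30, "tcp", {8123}, "Phone -> HA dashboard"),
    Rule(10, 30, "tcp", {443}, "Phone -> Traefik ingress to HA"),
    Rule(10, 30, "tcp", {8006, 8080, 9000}, "Phone -> Baby cameras"),
    Rule(50, 30, "any", set(), "Server <-> IoT management"),
    Rule(30, 50, "any", set(), "IoT -> Storage (NFS, S3)"),
]

def vlan_of(ip: str) -> Optional[int]:
    """VLAN id of an internal address, or None for anything outside the LAN."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in SUBNETS.items() if addr in net), None)

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int,
             rules: List[Rule] = REQUIRED) -> str:
    """Decide one flow. Same-VLAN and outbound Internet traffic are allowed by
    default (the Already Working table); anything else needs an explicit rule."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if dst is None:
        return "allow: outbound to Internet"
    if src == dst:
        return "allow: same VLAN"
    for r in rules:
        if ((r.src_vlan, r.dst_vlan) == (src, dst) and r.proto in ("any", proto)
                and (not r.ports or port in r.ports)):
            return f"allow: {r.purpose}"
    return "deny"

def broad_rules(rules: List[Rule] = REQUIRED) -> List[str]:
    """Cross-VLAN rules that open every port; review these before deploying."""
    return [r.purpose for r in rules if not r.ports]
```

`broad_rules()` lists the two "All" rows between VLAN 30 and VLAN 50; narrowing those to the storage and management ports actually used would keep the IoT segment from reaching every service on Production.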

## Placement Decision Tree

```
New device arrives
├── Is it a personal phone/tablet/laptop/watch?
│   └── YES → VLAN 10
├── Is it a server or infrastructure host?
│   ├── YES → Dual: VLAN 50 (production) + VLAN 30 (management)
│   └── NO ↓
├── Is it an IoT device managed by HA?
│   ├── YES → VLAN 30
│   └── NO ↓
├── Does it need direct phone access WITHOUT HA?
│   ├── YES → VLAN 10 (with note: add to HA if possible)
│   └── NO ↓
├── Is it a guest device?
│   ├── YES → VLAN 20
│   └── NO ↓
└── Unknown → VLAN 30 (IoT) + investigate
```

## Exceptions & Rationale

| Device | Expected VLAN | Actual VLAN | Reason |
|---|---|---|---|
| Eufy Baby Cameras (×3) | 30 | 10 | Phone accessibility without firewall rules |
| SunPower Solar Monitor | 30 or 10 | 20 | Possibly internet-only reporting; verify |
| HYTERevolt | 10 or 50 | Default | Unknown device — needs identification |
| VectorPro | 50 | Default | Unknown device — needs identification |
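The decision tree and the exceptions table are two views of the same rule: the tree says where a device should be, the table records where it actually is and why. This added example (not code from the vault) encodes the tree as a function and runs it over a small census constructed from the tables on this page, reporting both placements that disagree with the tree and devices admitted through one of its noted branches; the `Device` attribute names and the id used for the untagged Default network are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

UNTAGGED = 0   # the Default (no VLAN) network, modelled as id 0 (an assumption)

@dataclass
class Device:
    name: str
    actual: Set[int]                   # VLANs the device is actually on
    personal: bool = False             # phone, tablet, laptop, watch
    infrastructure: bool = False       # server or infrastructure host
    ha_managed: bool = False           # IoT device managed by Home Assistant
    phone_direct: bool = False         # needs direct phone access WITHOUT HA
    guest: bool = False

def expected(d: Device) -> Tuple[Set[int], Optional[str]]:
    """Walk the decision tree top to bottom; the first matching branch wins.
    Returns the VLAN set and, for the two soft branches, the tree's note."""
    if d.personal:
        return {10}, None
    if d.infrastructure:
        return {50, 30}, None              # dual: production + management
    if d.ha_managed:
        return {30}, None
    if d.phone_direct:
        return {10}, "add to HA if possible"
    if d.guest:
        return {20}, None
    return {30}, "unknown device, investigate"

def audit(census: List[Device]) -> List[str]:
    """Report placements that differ from the tree, plus noted-branch admissions."""
    out = []
    for d in census:
        want, note = expected(d)
        if d.actual != want:
            out.append(f"{d.name}: expected {sorted(want)}, actual {sorted(d.actual)}")
        elif note:
            out.append(f"{d.name}: {note}")
    return out

# Constructed census drawn from the device tables on this page.
CENSUS = [
    Device("TophPhone14", {10}, personal=True),
    Device("panda", {30}, ha_managed=True),
    Device("Grizzley", {50, 30}, infrastructure=True),
    Device("Eufy baby camera", {10}, phone_direct=True),
    Device("SunPower solar monitor", {20}),
    Device("HYTERevolt", {UNTAGGED}),
]
```

Running `audit(CENSUS)` reproduces the three open items above (the Eufy phone-access exception, the SunPower placement on VLAN 20 and the unidentified HYTERevolt on the untagged network), so the exceptions table can be regenerated from the census instead of maintained by hand.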

## Migration Checklist

If moving Eufy cameras to VLAN 30 for better segmentation:

1. Reserve IPs on VLAN 30 for 3 Eufy cameras
2. Add UniFi firewall rule: VLAN 10 → VLAN 30, allow Eufy app ports (TCP 8006, 8080, 9000 — verify with Eufy docs)
3. Add UniFi firewall rule: VLAN 10 → VLAN 30, allow mDNS (UDP 5353) for device discovery
4. Reconnect cameras to IoT SSID
5. Test phone app access from VLAN 10
6. Update network-device-census with new IPs