this post was submitted on 01 Jul 2025
724 points (98.1% liked)

Selfhosted


cross-posted from: https://lemmy.world/post/32265822

xkcd #3109: Dehumidifier

Title text:

It's important for devices to have internet connectivity so the manufacturer can patch remote exploits.

Transcript:

[A store salesman, Hairy, is showing Cueball a dehumidifier, with a "SALE" label on it. Several other unidentified devices, possibly other dehumidifier models, are shown in the store as well.]

Salesman: This dehumidifier model features built-in WiFi for remote updates.
Cueball: Great! That will be really useful if they discover a new kind of water.

Source: https://xkcd.com/3109/

explainxkcd for #3109

[–] [email protected] 3 points 1 day ago

We have water, heavy water, hydrogen infused water, nitrogen infused water, ice-9, h2o2...what will they think of next?!

[–] [email protected] 6 points 1 day ago (6 children)

FYI, I learned about VLANs that they are in no way "locked down". I can spoof the MAC address of a known device from a specific VLAN and I'm in that VLAN. Yes, your devices can't reach the internet/other devices by default, but it won't stop a bad actor.

[–] [email protected] 2 points 1 day ago

and this is why I have a completely separate physical network for my IOT stuff.

[–] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Well. The segmentation is to avoid security holes from rogue third-party devices. If you can access my PC VLAN, which only exists on my wired PC connection, then you have indeed broken into my domain. Letting the things that don't give a shit about security have their own network is just sanity/sanitary.

[–] [email protected] 1 points 1 day ago

Isn't that what 802.1x is for? If you really want to lock down your network, there are options.

[–] [email protected] 6 points 1 day ago* (last edited 1 day ago) (1 children)

Depends on your hw. That seems like a rather poor implementation. I believe my TP switch might handle that, because it rejects traffic to its management interface from MAC X from VLAN 20 because it sees the same MAC in VLAN 10 (only VLAN 20 is allowed for management).

[–] [email protected] 1 points 15 hours ago (1 children)

That's a very cool feature actually, but how does it stop a hacker if he has obtained a trusted MAC address from another device and connects to VLAN 20 directly while the real device is offline?

[–] [email protected] 1 points 12 hours ago (1 children)

You configure VLANs per physical port, so in a properly implemented system your attack won't be possible. When the packet comes to the switch, the VLAN tag is added to it according to the configuration for the port it was received from.

Or are you talking about MAC-VLANs?

[–] [email protected] 1 points 11 hours ago

Ok, maybe I don't fully understand yet. Let's say an access point has 3 SSIDs: lan, guest and iot. Each client on each SSID gets a VLAN tag accordingly. So it's only connected to a single physical port; I think that's what confused me. But SSIDs are interfaces just like a physical port afaik, so your analogy still stands. The security here is the WiFi password: anything that connects to LAN gets a LAN VLAN tag. But it's not like anything that connects to any of the SSIDs can get the DHCP lease of some random device on any VLAN cuz it got tagged before. Or am I missing something?
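An added example (not code from the thread) that models the behaviour described in the replies above about port-based tagging, the "same MAC seen in two VLANs" rejection, and SSIDs as virtual ports: VLAN membership comes from the ingress port or SSID, never from the source MAC, so a cloned MAC arriving over the IoT SSID stays in the IoT VLAN, and a switch can flag a MAC that shows up in more than one VLAN and refuse it management access. The port-to-VLAN map and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ingress_port: str  # a physical port or an SSID; both are just ingress interfaces


@dataclass
class Switch:
    port_vlan: dict                              # untagged port/SSID -> VLAN id (assumed config)
    mgmt_vlan: int = 20                          # only this VLAN may reach management
    seen: dict = field(default_factory=dict)     # mac -> set of VLANs it has been seen in
    alerts: list = field(default_factory=list)   # MAC-move detections, one line each

    def ingress(self, frame):
        """Assign the VLAN from the ingress port only; the source MAC is never consulted."""
        vlan = self.port_vlan[frame.ingress_port]
        vlans = self.seen.setdefault(frame.src_mac, set())
        if vlans and vlan not in vlans:
            self.alerts.append(f"{frame.src_mac} seen in VLAN {vlan}, previously {sorted(vlans)}")
        vlans.add(vlan)
        return vlan

    def management_allowed(self, frame):
        """Management plane: management VLAN only, and only MACs never seen in another VLAN."""
        vlan = self.ingress(frame)
        return vlan == self.mgmt_vlan and self.seen[frame.src_mac] == {vlan}


def demo():
    # Constructed topology: PC on lan1 (VLAN 10), admin box on lan2 (VLAN 20), IoT SSID (VLAN 30).
    sw = Switch(port_vlan={"lan1": 10, "lan2": 20, "ssid-iot": 30})
    pc = "02:00:00:00:00:01"     # constructed MAC of the trusted PC
    admin = "02:00:00:00:00:02"  # constructed MAC of the admin workstation
    return {
        "pc_vlan": sw.ingress(Frame(pc, "lan1")),
        # the PC's MAC cloned onto an IoT client still lands in the IoT VLAN
        "clone_on_iot_vlan": sw.ingress(Frame(pc, "ssid-iot")),
        "admin_mgmt": sw.management_allowed(Frame(admin, "lan2")),
        # same cloned MAC on a VLAN 20 port: right VLAN, but the MAC is known elsewhere
        "clone_mgmt": sw.management_allowed(Frame(pc, "lan2")),
        "alerts": len(sw.alerts),
    }


if __name__ == "__main__":
    print(demo())
```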

[–] [email protected] 1 points 1 day ago

I'm aware you need a firewall (I used SonicWall professionally); VLANs are for segmentation.

[–] [email protected] 2 points 1 day ago

Yes, VLAN is an IT convenience feature, you don't need it just because it is a feature of the more expensive hardware.

Instead just establish separate L2s and operate proper L3 firewalls between them. For IoT devices, any kind of reliable potato will do just fine.

[–] [email protected] 9 points 1 day ago (1 children)

New kinds of water, you say? The marketing department is already on it and boy have I got news for you!

[–] [email protected] 3 points 1 day ago* (last edited 1 day ago) (1 children)

Wait... Is that heavy water?? /s

[–] [email protected] 4 points 1 day ago (1 children)

How about I hook you up with a brand new water softener on a 30 year lease but no payments in the first 5 years so it’ll be the next owner’s problem

[–] [email protected] 5 points 1 day ago

Omfg it's like solar panel companies...

So many damn houses with solar leases more expensive than just electricity

[–] [email protected] 3 points 2 days ago

I love it when my vacuum makes a remote connection to another country's government; that way I get tracked by mine and theirs. What a time we live in.

[–] [email protected] 12 points 2 days ago (1 children)

Yeah, companies have abused that to release buggy, incomplete products faster and only make the software stable and feature complete if they make a good profit.

[–] [email protected] 10 points 2 days ago (1 children)

Or add new bloat features / brick devices after updating TOS...

[–] [email protected] 8 points 2 days ago (1 children)

Remote device bricking is cheaper than researching part wear for planned obsolescence.

[–] [email protected] 5 points 2 days ago (1 children)

And both make me go with a different company next time so idk what they think they're gaining.

[–] [email protected] 3 points 1 day ago

They gained a cost reduction for a single quarter of a single year. No further thought was put into it.

[–] [email protected] 7 points 2 days ago (1 children)

My house has manual windows, manual locks, and a dumb garage door controller... because I work in IT.

I do have a few smart appliances (environment reporting) but they are only allowed on the banishment VLAN so they don't get to interact with any single appliance inside my network. All they see is internet and nothing else.

[–] [email protected] 6 points 2 days ago

The S in IoT stands for security

[–] [email protected] 16 points 2 days ago (4 children)

I was an idiot and bought a high-end TP-Link router; I can't even use VLANs without signing up for their back door service.

[–] [email protected] 11 points 2 days ago

maybe install openwrt/ddwrt?

[–] [email protected] 1 points 2 days ago

I was an idiot and bought a high-end TP-Link router; I can't even use VLANs without signing up for their back door service.

Hm, at least with their enterprise equipment you can completely disable Omada.

[–] [email protected] 3 points 2 days ago (1 children)

Shit, are consumer appliances really getting that bad? ew!

[–] [email protected] 3 points 2 days ago* (last edited 2 days ago) (1 children)

I'd assume all Chinese devices are being backdoored via CCP incentives. Buy Asus perhaps, assuming Taiwan never gets infiltrated.

[–] [email protected] 3 points 1 day ago (1 children)

Don't buy ASUS, they have a terrible security record. At this point I would trust only MikroTik and Ubiquiti.

[–] [email protected] 2 points 1 day ago

Ubiquiti

And they too aggressively push their cloud services, and at least at some point their management tool gave you ads on their other products.

[–] [email protected] 6 points 2 days ago (1 children)

Yeah. Even my old solid Netgear got a firmware update that's begging me to get the app now. Shove that shit up your ass.

At least give me a checkbox to stop bothering me

[–] [email protected] 4 points 1 day ago (1 children)
[–] [email protected] 1 points 1 day ago

Yeah that's on my todo list. I've got 3 decent but old routers.
