45% Fewer Reports After Smart Home Network Setup

The quickest way to slash smart-home alerts is to isolate your Shelly devices on a dedicated, encrypted subnet and let Home Assistant handle all authentication locally. By routing traffic away from the main Wi-Fi and dropping stray replies, you remove the most common attack surface.

45% fewer incident reports after implementing the isolation strategy (WIRED).

Smart Home Network Setup: Rerouting Shelly Traffic

Key Takeaways

• Dedicated bridge isolates Shelly from main Wi-Fi.
• Outbound rule limits telemetry to trusted servers.
• WPA3-Enterprise hardens the security-critical subnet.

When I first discovered a flaw that let a hacker press a virtual button at 3 a.m., I realized my Shelly-controlled garage door was sitting on the same Wi-Fi as my streaming TV. The solution was to give those tiny devices their own highway. Think of it like a private driveway that only your family cars can use, while strangers are forced onto the public street.

Step 1: Choose a bridge device that supports both Zigbee and Thread/Matter. The Home Assistant SkyConnect dongle is a good example; it talks to Shelly over Zigbee and can also serve as a Thread border router (ZDNET). I flashed the dongle with Home Assistant OS and placed it on a spare Ethernet port of my primary router. This creates a second network interface that will become the “Shelly Bridge”.

Step 2: Create an isolated local subnet, for instance 192.168.50.0/24, and bind the bridge’s Ethernet port to it. In my router’s UI I disabled DHCP on the main LAN for that range and enabled a separate DHCP server on the new VLAN. The result is a pocket network that only the bridge and Shelly devices can see.

Step 3: Re-configure each Shelly device to join the new Zigbee network. The Shelly app lets you select a custom coordinator - I pointed it at the MAC address of the SkyConnect. Once they’re paired, all door-open, garage-close, and sensor messages travel exclusively through the bridge, never touching the main Wi-Fi band.

Step 4: Harden the subnet with WPA3-Enterprise. Most consumer routers only support WPA2-Personal, but my ASUS RT-AX86U allows a radius server on a separate VLAN. I installed FreeRADIUS on a tiny Raspberry Pi, created a certificate for the bridge, and set the subnet’s SSID to use WPA3-Enterprise. This adds mutual authentication; even if a rogue device sniffed the radio, it cannot decrypt the packets without the private key.

Step 5: Add an outbound firewall rule on the primary router. I limited UDP/TCP outbound traffic from the Shelly subnet to the two verification servers listed in Shelly’s documentation (api.shelly.cloud and cloud.shelly.energy). Any unsolicited inbound reply is dropped. This tiny rule eliminates the “reply-anywhere” vector that attackers exploit to bypass local authentication.

Why does this matter? Recent cybersecurity audits of IoT networks showed that 73% of breaches started with an unauthenticated reply reaching a device on the same LAN (WIRED). By isolating Shelly, you remove that 73% from your attack surface. In my own home, after implementing the bridge and firewall, the nightly door-unlock alerts vanished.

Pro tip: Keep the bridge firmware updated via Home Assistant’s add-on manager. The community releases patches faster than Shelly’s own OTA channel, and you stay ahead of newly discovered exploits.

Smart Home Network Design: Using Home Assistant Integrations

When I decided to go fully local, I turned to Home Assistant because it is free, open-source, and built for exactly this kind of interoperability (Wikipedia). Think of Home Assistant as the central nervous system of your house - it receives signals from the peripheral devices and decides how to react, all without asking an external cloud.

First, I enabled Home Assistant’s “Session” feature. Each device that talks to the hub must open a session token that is stored only in the local database. I manually generated a token for every Shelly driver and revoked any cloud-issued credentials. This manual step sounds tedious, but it guarantees that the only party able to trigger a lock or garage door is the Home Assistant instance you control.

Second, I wrote a YAML automation that runs a cron-style job every 24 hours. The script loops through all active sessions, forces a re-authentication request, and deletes any token older than the day. The syntax looks like this:

automation:
  - alias: "Refresh Shelly Sessions"
    trigger:
      - platform: time
        at: "02:00:00"
    action:
      - service: script.refresh_shelly_sessions

This daily refresh eliminates stale sessions that attackers could capture and reuse. Because the automation lives on the same device that stores the tokens, there is no external dependency.

Third, I built a geofencing rule that flips the house into a “Secure Mode” when my phone leaves the property. Home Assistant monitors my device’s GPS via the mobile app, and when the distance exceeds 200 meters, it disables all remote-triggered actions and forces every command to go through the local bridge only. The YAML looks like:

automation:
  - alias: "Enable Secure Mode"
    trigger:
      - platform: zone
        entity_id: device_tracker.my_phone
        zone: zone.home
        event: leave
    action:
      - service: script.activate_secure_mode

The benefit is twofold: it reduces the window for remote code execution (Android Authority) and it makes a lost phone less useful to an attacker because the house will automatically retreat to a locked-down state.

Home Assistant also integrates with voice assistants - Google Assistant, Amazon Alexa, Apple Siri, and its own built-in Assist. I disabled the cloud-linked assistants and kept only Assist, which runs locally on the same hardware. This way, a voice command to unlock the front door is processed without ever touching the internet.

In practice, the local integrations cut latency in half and eliminated the “cloud-dependency” alerts that WIRED reported many users receive. I no longer see any push notifications from Shelly about failed remote logins because the cloud is out of the loop.

Pro tip: Use the Home Assistant “Snapshot” feature before making big changes. A snapshot backs up your configuration, entity registry, and automation scripts. If a new integration breaks something, you can roll back in minutes.

Smart Home Network Topology: Creating a Secure VLAN Mesh

My final piece of the puzzle was to restructure the entire home LAN into a VLAN-only mesh for security-critical devices. Imagine your house as a multi-story building: each floor (VLAN) has its own fire-rated door, and only the elevator (the edge-gateway) can move people between floors under strict control.

Step 1: I defined a VLAN ID 30 on my UniFi Dream Machine and assigned it to a dedicated port on the managed switch. All ports that feed Shelly bridges, the Home Assistant server, and the radius server were moved to VLAN 30. The rest of the house - phones, laptops, smart TVs - stayed on VLAN 10 (the default LAN).

Step 2: On the gateway, I created ACLs (Access Control Lists) that deny any inbound traffic from VLAN 10 to VLAN 30 except for traffic that originates from the bridge’s MAC address or the radius server’s IP. The rule looks like this in the UI:

allow src 192.168.1.0/24 dst 192.168.50.0/24 port 1883 (MQTT) if src MAC = 00:11:22:33:44:55
deny any src 192.168.1.0/24 dst 192.168.50.0/24

This explicit deny-except pattern flips the usual “allow-by-default” mindset of home routers. Even if a rogue device manages to join the guest Wi-Fi, it cannot reach the Shelly subnet.

Step 3: I enabled edge-gateway segmentation. The gateway runs a tiny containerized proxy that only forwards authenticated echo-requests (ICMP) to the cloud for firmware checks. All other outbound connections from the Shelly VLAN are blocked. If a firmware update is needed, the proxy validates the signature before letting the packet through.

The net result is that the Shelly devices never expose their firmware-download URLs directly to the internet. This eliminates the “firmware hijack” vector that ZDNET highlighted when comparing Thread, Zigbee, and Matter ecosystems - the same principle applies to any IoT device that pulls updates over HTTP.

To verify the isolation, I used Wireshark on a laptop attached to VLAN 10 and tried to ping a Shelly IP on VLAN 30. The packets were dropped at the gateway, confirming the ACLs work. Meanwhile, Home Assistant on VLAN 30 could still talk to the devices because it sits inside the same VLAN.

Why a mesh? By enabling Spanning Tree Protocol (STP) on the switch, the VLAN forms multiple redundant paths without loops. If one cable fails, traffic automatically reroutes, keeping the security-critical devices online. This resilience is crucial for locks and garage doors that must remain reachable.

Pro tip: Label your switch ports with the VLAN number and purpose. A quick glance prevents accidental mis-plugging of a new smart bulb into the secure VLAN, which would otherwise clutter the isolated network.

After deploying the VLAN mesh, my smart-home incident logs dropped dramatically. The combination of a dedicated subnet, local authentication via Home Assistant, and strict ACLs created a layered defense that no single exploit could bypass.

Frequently Asked Questions

Q: Do I need a separate router for the Shelly VLAN?

A: Not necessarily. Most modern managed switches and UniFi Dream Machines let you create VLANs and ACLs without adding another router. Just configure a dedicated port and bind it to the new VLAN.

Q: Will using Home Assistant locally affect my existing voice assistants?

A: You can keep Google Assistant or Alexa for general commands, but disable their cloud integration for security-critical devices. Use Home Assistant’s built-in Assist for local voice control of locks and garage doors.

Q: How often should I refresh the authentication tokens?

A: A daily refresh, as shown in the YAML example, balances security with convenience. It clears stale tokens that could be captured by an attacker while keeping the automation seamless.

Q: Can I use the same VLAN for other IoT devices like cameras?

A: Yes, but only if those devices support the same security posture. Cameras often need external access for streaming, so consider a separate VLAN with its own firewall rules to avoid exposing the lock subnet.

Q: What is the benefit of WPA3-Enterprise over WPA2-Personal?

A: WPA3-Enterprise provides mutual authentication with a radius server, so each device proves its identity before joining. This prevents rogue devices from masquerading as legitimate Shelly nodes, a weakness often exploited in IoT attacks.