How to secure IoT devices on your network
Protect your Home Assistant setup and local smart home by isolating IoT devices, hardening defaults, and monitoring network traffic for anomalies.
Last updated: 2026-05-17
IoT devices are the weakest link in most home networks. A cheap smart plug or sensor with default credentials can become the entry point for an attacker. If you’re running Home Assistant or a local hub like Hubitat Elevation C8, you already have a security advantage—you’re not relying entirely on cloud services. But that only gets you so far. Here’s how to actually lock down your IoT stack.
Isolate with Network Segmentation
The single most effective thing you can do is put IoT devices on a separate VLAN from your computers and phones. Most consumer routers don’t make this easy, but it’s worth the effort.
Create three networks at minimum:
- Trusted – your personal devices, NAS, Home Assistant host
- IoT – all smart home gadgets, smart TVs, voice assistants
- Guest – visitors, anything you don’t control
Traffic should flow from Trusted to IoT (so Home Assistant can reach your devices), but never the other way. If a compromised smart bulb tries to phone home to a command server, it gets blocked.
If your router supports it, enable IPv6 firewall rules too. Many IoT devices ship with IPv6 enabled and will bypass IPv4 VLAN rules entirely.
For Home Assistant Green or Home Assistant Yellow users, ensure your instance is on the Trusted network and can still communicate with the IoT VLAN. You may need to configure static routes or allowlist specific ports.
Prefer Local-Only Devices
Cloud-dependent devices are a liability. When the company shuts down their servers or gets breached, your device becomes a brick—or worse, an open door.
Choose devices that work locally without requiring cloud accounts:
- Aqara devices work over Zigbee to a local hub without any internet dependency
- Shelly devices have built-in local HTTP APIs and MQTT support
- Philips Hue runs locally once you’ve disabled cloud connectivity in the app
Avoid devices that require constant cloud connectivity for basic functions. If a device won’t work with your internet down, that’s a security risk, not a feature.
For Zigbee and Z-Wave coordination, consider a dedicated coordinator like Sonoff Zigbee 3 USB Dongle Plus or Conbee III. These give you full local control without cloud dependencies.
Change Defaults and Update Firmware
This should be obvious, but it bears repeating: change every default password. Most IoT devices ship with admin/admin or similar credentials that are publicly documented.
Beyond passwords:
- Disable UPnP on your router. UPnP lets devices open ports on your firewall automatically, which attackers actively scan for.
- Turn off cloud features you don’t use. Many devices ship with cloud connectivity enabled by default even if you configure them locally.
- Update firmware regularly. This is painful with many IoT devices that don’t have auto-updates, but it’s essential. Make a habit of checking every few months.
For devices that don’t get updates anymore—like older Dome or first-gen Ring hardware—consider replacing them. An unpatched device on your network is a liability that grows over time.
Monitor What Devices Are Doing
You can’t secure what you can’t see. Set up network monitoring to detect anomalous behavior:
- Pi-hole or similar DNS-level blocking can show you which devices are resolving domains you don’t expect
- Home Assistant’s built-in device tracker shows when devices come online, but it won’t catch traffic to unexpected IPs
- VLAN-level logging on your router captures all traffic flows—if your router supports it
Watch for devices making connections to IP ranges you don’t recognize, especially on ports other than standard ones (443, 80). A smart plug contacting port 22 or 3389 is a red flag.
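The two pieces above, the three-network segmentation policy and the flow-log review, fit together in one small audit script. The following is an added example written for this article, not code from Home Assistant or any router vendor: it assumes constructed VLAN prefixes (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 plus matching IPv6 ULA prefixes), a made-up `key=value` flow-record format, and a hypothetical allowlist of Internet ports an IoT device is expected to use. It classifies each flow by zone, applies the policy (Trusted may open connections to IoT, IoT may not open connections to Trusted or Guest, IoT may only reach the Internet on expected ports) and reports the flows that should have been blocked, including the smart-plug-to-port-22 case and an IPv6 flow that IPv4-only rules would never see.

```python
"""Audit flow records against a three-network IoT segmentation policy.

Added example for the article above; not part of any project.  All
prefixes, addresses and log lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed VLAN prefixes (assumption).  Each network lists an IPv4 and an
# IPv6 prefix: a rule set that only names IPv4 ranges lets IPv6 slip through.
NETWORKS = {
    "trusted": ("192.168.10.0/24", "fd00:10::/64"),
    "iot": ("192.168.20.0/24", "fd00:20::/64"),
    "guest": ("192.168.30.0/24", "fd00:30::/64"),
}
ZONES = {name: [ipaddress.ip_network(p) for p in prefixes]
         for name, prefixes in NETWORKS.items()}

# Hypothetical allowlist: Internet ports an IoT device is expected to use
# (HTTPS, HTTP, NTP).  Anything else, e.g. 22 or 3389, is a red flag.
EXPECTED_INTERNET_PORTS = {443, 80, 123}

# Constructed router-style flow records (not real captures).
SAMPLE_LOG = """\
2026-05-17T10:00:01 src=192.168.10.5 dst=192.168.20.15 proto=tcp dport=80
2026-05-17T10:00:02 src=192.168.20.15 dst=203.0.113.10 proto=tcp dport=443
2026-05-17T10:00:03 src=192.168.20.15 dst=192.168.10.5 proto=tcp dport=8123
2026-05-17T10:00:04 src=192.168.20.22 dst=198.51.100.7 proto=tcp dport=22
2026-05-17T10:00:05 src=fd00:20::22 dst=2001:db8::1 proto=tcp dport=3389
2026-05-17T10:00:06 src=192.168.30.9 dst=192.168.20.15 proto=udp dport=1900
2026-05-17T10:00:07 src=192.168.30.9 dst=203.0.113.10 proto=tcp dport=443
""".splitlines()

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line):
    """Parse one record of the constructed key=value format; None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Flow(m.group(1), m.group(2), m.group(3), int(m.group(4)))


def zone_of(addr):
    """Map an address to trusted/iot/guest, or 'internet' if in no local prefix."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):   # mixed IPv4/IPv6 compares as False
            return name
    return "internet"


def policy_verdict(flow):
    """Apply the article's policy to a new connection: trusted may open
    connections anywhere; iot only to the Internet on expected ports; guest
    only to the Internet.  Everything else is denied."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == "trusted":
        return "allow"
    if src == "iot" and dst == "internet" and flow.dport in EXPECTED_INTERNET_PORTS:
        return "allow"
    if src == "guest" and dst == "internet":
        return "allow"
    return "deny"


def audit(lines):
    """Return (line_number, reason) for every flow the policy would deny."""
    findings = []
    for n, line in enumerate(lines, 1):
        flow = parse_flow(line)
        if flow is None or policy_verdict(flow) == "allow":
            continue
        src, dst = zone_of(flow.src), zone_of(flow.dst)
        if src == "iot" and dst in ("trusted", "guest"):
            reason = f"iot->{dst} connection (segmentation violation)"
        elif src == "iot":
            reason = f"iot->internet on unexpected port {flow.dport}"
        else:
            reason = f"{src}->{dst} not permitted by policy"
        if ipaddress.ip_address(flow.src).version == 6:
            reason += "; IPv6 flow, so IPv4-only VLAN rules would not catch it"
        findings.append((n, reason))
    return findings


if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Run against the constructed log it reports four flows: the IoT device opening a connection into the Trusted network, the smart plug talking to port 22, the IPv6 device reaching port 3389, and a Guest client poking an IoT device over SSDP. The Trusted-to-IoT and IoT-to-HTTPS flows pass. To use it on your own router, replace `NETWORKS` with your real prefixes and adapt `LINE_RE` to your log format; the point of listing IPv6 prefixes alongside IPv4 is exactly the bypass the article warns about.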
If you have a UniFi Protect setup, its network intrusion detection can flag suspicious device behavior across your VLANs.
Bottom line
IoT security isn’t about buying expensive hardware—it’s about network architecture and basic hygiene. VLAN segmentation is the highest-impact change you can make. Pair that with local-only devices where possible, hardened defaults, and regular monitoring, and you’ve eliminated 90% of the attack surface. The remaining risk is manageable and worth the tradeoffs.