Hi all, I have an absolute doozy of a networking problem, and I’d like some help figuring out what might be going on.
A few things about my setup:
Networking is all Unifi
I have three VLANs configured that are relevant for my HA install:
VLAN 2: IoT Devices
VLAN 3: Trusted Devices
VLAN 5: Servers
HAOS is running on Proxmox and is configured with 2 vNICs, one tagged for VLAN 2, one for VLAN 5
The Proxmox host management network is tagged for VLAN 5
My Unifi firewall is configured to allow inbound connections and return traffic from VLAN 3 to VLANs 2 and 5
I have HAOS installed and configured; it can talk to all of my IoT devices without any issues. The problem is connecting to HAOS from my Trusted VLAN. When I ping either of the HA instance’s IPs from my desktop in VLAN 3 I don’t get any response.
If I connect my desktop to VLAN 2 or 5 I can connect without issues.
I have confirmed the following with tcpdump:
The ICMP packets for my ping are tagged with the correct VLAN when they hit the Proxmox host.
The ping reaches the network interface of the Docker container that runs Home Assistant.
Therefore the problem must be somewhere in the return path. I have already double- and triple-checked my firewall rules, and there is nothing there that would prevent the ping response. In fact, I can ping the Proxmox host (which is on the same VLAN as Home Assistant) without any issues from my Trusted VLAN. Based on this, I suspect something strange might be happening with the Docker network in the Home Assistant VM.
I don’t know what the problem is.
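An added illustration, not part of the original post, of one mechanism that produces exactly the symptom described (request arrives, reply never comes back): a multi-homed Linux guest keeps a single preferred default route, so a reply to an off-subnet source leaves via whichever vNIC holds that route, not necessarily the one the request arrived on, and a stateful firewall between the VLANs then sees the reply on the wrong segment and drops it. The routing table and addresses below are constructed for the example (hypothetical, not the poster's real config); `parse_routes` reads `ip route` style lines and `return_path_is_symmetric` reports whether a reply would exit on the interface the request came in on.

```python
import ipaddress

# Constructed sample of what `ip route` might show inside a VM with two vNICs,
# each of which received a default gateway via DHCP. Addresses are hypothetical.
SAMPLE_ROUTES = """\
default via 10.0.2.1 dev eth0 proto dhcp metric 100
default via 10.0.5.1 dev eth1 proto dhcp metric 200
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.50
10.0.5.0/24 dev eth1 proto kernel scope link src 10.0.5.50
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1
"""


def parse_routes(text):
    """Parse `ip route` lines into (network, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match (lowest metric breaks ties): the dev a packet to dst leaves on."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def return_path_is_symmetric(routes, ingress_dev, src):
    """True when the reply to a packet from src that arrived on ingress_dev leaves
    on that same interface. False means asymmetric routing: a stateful firewall
    between the VLANs will usually drop the reply because it does not match the
    connection state it recorded on the other segment."""
    return egress_interface(routes, src) == ingress_dev


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # A ping from a VLAN 3 desktop (10.0.3.20) arrives on the VLAN 5 vNIC (eth1) ...
    print("reply leaves via", egress_interface(routes, "10.0.3.20"))
    print("symmetric:", return_path_is_symmetric(routes, "eth1", "10.0.3.20"))
```

Running `ip route get <desktop IP>` inside the VM gives the same answer for the real table; if the returned dev is not the VLAN 5 vNIC, the reply is taking the other leg and the firewall, not HA, is where it disappears.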
Just here to tell you that you IMHO are overcomplicating things for basically no reason.
Use VLANs to put your cloud-based, insecure devices on them and trusted devices on the main LAN. Devices sitting on your VLANs should not be able to access HA on port 8123, any other port or any of the local services, including routers. Those devices can access HA through the communication ports used by HA. And that is it.
I know that this is not helpful in your use case, but I just want to point out my opinion on the matter.
Thank you for sharing your opinion. Unfortunately HA needs to be on the same network as my untrusted IoT devices because I run a bunch of Thread stuff and HA won’t connect to a Thread border gateway across VLANs.
The default LAN is the management network for my networking devices, so I don’t want to put client devices on it if I can avoid it.
If I can’t figure out the problem I’ll probably just consign HA to the IoT VLAN and accept the fact that I’m going to have to keep VLAN 2 and 3 routing open with some strict firewall rules in place. Things seem to work better when HA only has a single network connection.
Daniel, we’ve gone over this. Yes it CAN if you spend a ton of time configuring it, but it’s not documented ANYWHERE and the answer involves a lot of complicated network config not suitable for normal humans.
I’m glad it works for you, but fact: HA is not designed to work in this condition and the OP will be fighting it.
OP, if you’re interested in a research project, have at it; someone tries this about once every 3 months. There are plenty of threads here, have fun searching.
It involves a lot of special firewall rules and reflectors to pass mDNS traffic and the discovery paths. You may not ever get Matter working, and yes, IPv6 is required if you want Matter. At the very least it needs a clean path to the IoT stuff. And you’ll find that’s the net it likes most, buuut it also doesn’t support multi-homing cleanly, so now you need to figure out the rest. There are also dragons in local DNS inside the container 172 network in HAOS.
Personally, way too much maintenance for me. I prefer a well and actively monitored flat net at home because I don’t want to carry my daytime job home. (And yes, I have both the skillset and the gear - I just have much better things to do with my time.)
Sounds like the sane approach is to just dump HA into the IoT network, give up on multi-NIC and sleep like a baby at night.
Matter is working, it’s just the trying to expose HA on multiple networks thing that I’m stuck on, so that I can keep clean segregation between trusted and untrusted networks.
Glad it is actually this hard and I’m not just missing something, thanks for saving me some time.
FWIW, I do genuinely mess with this stuff to learn about low level networking. I know it doesn’t need to be this complicated, but I also don’t want to fight the system unnecessarily.
But surely I’m the special snowflake that actually needs this and I’ll totally get a return on investment if I personally create the right HA extension that adds true RAFT protocol leader election and a shared state store that lets me fool myself into thinking that because my state is in Redis my HA instances are actually High Availability, right? Right???
/s
Heard loud and clear. I’m running a system that turns my lights on a bit darker if it’s after 9pm. I’ll instead spend my valuable time overthinking how I can dynamically schedule Immich ML containers so that I can make the most of my 0.fuckall discount on off-peak power prices. A clearly much more sensible allocation of effort.
Then I’m not a normal human. I just want to point out that Home Assistant doesn’t have anything to do with VLANs. Period.
Home Assistant is just a service in a Docker network. As with any other service, you can put it in the main LAN, create a different macvlan and put it in a separate VLAN, or whatever combination you want to do. From a network perspective Home Assistant as a service is totally neutral, at least I see it like that.
And that is because VLANs operate on a lower OSI level than HA, which usually stands on the application level. I’m not a network engineer, but I have learned some basic stuff.
I set up my vlans, I don’t know when. Never mind.
I don’t maintain anything for it. I set things up and forgot about it.
I open my OPNsense gateway and OpenWrt routers only when I upgrade my routers’ firmware. For everything else you can just forget about it, as it is working as designed.