I’ve been running a Ubiquiti network for a while now. There is a main VLAN for computers, servers, tablets, Apple TV and a separate VLAN for all the IOT devices - HomeAssistant, WiFi devices etc.
I was having a lot of difficulty in getting a Thread / Matter device on the Apple TV to be shared to HomeAssistant - the Apple TV is the Thread-capable router I have. I can add a device to the Apple TV (VLAN 50), but not share it to HomeAssistant (VLAN 20).
After many attempts I opened a support ticket with Ubiquiti and after a lot of questions they closed it with the following:
**Hi,
Based on our investigation, it appears that the issue lies with the Matter devices potentially using a mode of communication that is not fully compatible across VLANs, rather than a problem with the gateway itself. It is recommended to use the Matter devices in the same VLAN as other devices that are trying to use them.**
Does this mean that I have to use a single network for Apple TV and HomeAssistant and therefore just about everything else? Seems to be counter to best practices.
Would moving the Apple TV to the IOT network be a practical solution?
MAIN - servers and network devices. Full access to other vlans
GUEST - media devices, like Apple TV, guest devices. Basically stuff that needs to get on internet. Guests get limited access to devices and ports on main. Really not much different than accessing from external web. I don’t connect Apple TV direct to IOT devices but if I did I would grant access on case by case and as limited as possible.
IOT - these devices can access anything. Get to connect but can only respond to external connections. This is cameras, esphome devices, printer, other IOT things. These are usually untrusted devices like cameras that try to call home or water heater that does random activity I want blocked.
mDNS can work across VLANs. I think UniFi has an mDNS reflector setting, but I remember it did not work well. I changed to OPNsense and it definitely works better.
The answer is no, you don’t have to give up on separate VLANs, but there are definitely caveats / restrictions you need to be aware of.
Thread border routers from Apple, Google, etc. do not let you perform advanced functions like assigning VLAN tags, and since they generally need Internet themselves, an Apple/Google Thread mesh is usually “one hop” from an Internet-accessible VLAN. If you’re accustomed to completely blocking Internet access to your IoT devices, this is harder with Apple/Google Thread. The alternative is to get a standalone Thread border router, or set up your own with a USB dongle, and isolate it all you want.
If you just move your Apple TV to the other VLAN, you risk introducing problems with Apple services that rely on mDNS (e.g. AirPlay). The fix, as noted by others, is to get mDNS working properly across VLANs — Ubiquiti should absolutely be capable of this, but it seems challenging to get it working properly, so either keep hacking away, or try another router (OpenWrt with Avahi should work).
A third option is to connect a server to both VLANs. If the server is HA (this is my approach), it can participate in mDNS queries without the need for routing. But any server could run the Avahi reflector daemon to augment a poor/broken router implementation. If you have a managed Ethernet switch, you can even do this with a single NIC by assigning VLAN tags in software to create a subinterface on each network.
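To check whether mDNS actually crosses the VLAN boundary (whether through the router's reflector or an Avahi reflector on a dual-homed server), here is an added example that is not code from this thread: a small Python probe that sends a standard mDNS PTR query for a service type out of an address on one VLAN, listens on the mDNS multicast group, and lists which hosts answer and which service instances they advertise. The service name, the bind address and the 2-second timeout are assumptions you supply when calling it.

```python
import socket, struct

def encode_name(name):
    """Encode 'a.b.local' as length-prefixed DNS labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"
def build_ptr_query(service):
    """One-question mDNS query: id 0, flags 0, QTYPE PTR (12), QCLASS IN (1)."""
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", 12, 1)
def decode_name(data, off):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, end = [], None
    while (length := data[off]) != 0:
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)
def parse_ptr_answers(data):
    """Return PTR targets (service instance names) from a response's answer section."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off, targets = 12, []
    for _ in range(qdcount):  # skip echoed questions: name + QTYPE + QCLASS
        off = decode_name(data, off)[1] + 4
    for _ in range(ancount):
        _, off = decode_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 12:  # PTR record: rdata is the instance name
            targets.append(decode_name(data, off)[0])
        off += rdlen  # other record types (SRV, TXT, A, AAAA) are skipped
    return targets
def probe(service, bind_ip, timeout=2.0):
    """Query from bind_ip (an address on the VLAN under test); map responder IP -> PTR targets."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("", 5353))  # answers come back as multicast, so listen on the mDNS port
        group = socket.inet_aton("224.0.0.251")
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, group + socket.inet_aton(bind_ip))
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(bind_ip))
        sock.settimeout(timeout)
        sock.sendto(build_ptr_query(service), ("224.0.0.251", 5353))
        seen = {}
        try:
            while True:  # keep collecting answers until the timeout expires
                data, (ip, _port) = sock.recvfrom(9000)
                seen.setdefault(ip, []).extend(parse_ptr_answers(data))
        except socket.timeout:
            return seen
```

Call `probe("_matter._tcp.local", "<address of this host on VLAN 20>")` from a host on VLAN 20 and again from one on VLAN 50; the border router's advertised Matter instances should appear in both results if reflection works. This checks only IPv4 service discovery, and Matter itself runs over IPv6, so a responder showing up here proves that discovery crosses the boundary, not that the Matter session traffic is routed between the VLANs.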
I hope you don’t mind if I ask, as I have been trying to understand the settings under “Network adapter”, but if one were to untick the box say for Adapter: enp0s1.70, and reboot HA (core), does enp0s1.70 still work? The reason I ask is that the description says “Currently this setting only affects multicast traffic” but I’m wondering if the ticked/unticked boxes are what actually enable/disable the adapter for any kind of traffic flowing through that adapter.
That’s good to know.
This then leaves me wondering how the ticked boxes affect Matter Server’s multicast, any ideas? AFAIK, Matter will listen on any adapter for receiving mDNS, but in the case where Matter Server sources mDNS, I don’t know if it uses all the adapters that are ticked, or if it uses only the default adapter (or something else)?
I see what you are saying about a guest network - my guest network is internet access only. Home assistant manages the automations, but physical switches are there for guests.
The mDNS reflector in UniFi responds to the test commands I send from both networks.
Currently the HA Yellow single physical port only registers one adapter - I’ve not tried to get two VLANs assigned to one port - here I have Tagged VLAN Allow All, but not sure what else is needed to activate this (Reboot HA did not help).
If you create an untagged LAN it will be on all VLANs and untagged LANs by default under UniFi unless you create a firewall rule that blocks it. This is what I meant with below