So after having initially installed HomeAssistant container in UnRaid, I decided to migrate to HA OS VM to get full capabilities.
And it all seemed to be working fine initially, except that one Overkiz integration to my Somfy Connexoon box.
Now my networking here is a bit more than the average home user, so I will start with explaining the setup:
I have a Unifi Core Switch to which my Unraid server is connected with a VLAN Trunk containing MGMT, USER, IOT.
Also connected to this switch is my Palo Alto firewall in Trunk and my small Unifi switch to which the Somfy box is connected.
Both the Home Assistant VM and the Somfy box exist in the IOT VLAN.
Both can see each other's MAC addresses and there is no port isolation configured on the network.
The HA VM is configured on the br0 subinterface for the VLAN, with e1000 driver.
Ok, so with the configuration out of the way:
For anything outside of the IOT VLAN, there are no issues.
But the HA VM sends all traffic for the IOT VLAN to the interface of the firewall, rather than directly to the device, which of course causes all connections to break within that VLAN.
Because my firewall expects to see the returning flow, while the local devices can see HA and will send responses directly.
Is this default/expected behavior? Does anyone know how to fix this? (I tried other driver types, but then HA was inaccessible.)
And it was working perfectly when the Docker container for HA was bound to the same interface. (The Docker container had the same IP before as well, but the issue existed before I changed the VM to use the same IP.)
So basically:
docker on br0.4 : can connect within the VLAN
VM on br0.4 : all connections go to the MAC address of the default gateway it seems
The 172.30 network is the internal docker network.
HA “can” have multiple NICs, but it is a mess to make it work right, especially if you do not have gateways with access to the internet on all of them.
You can set a default NIC in HA and this is where the discovery protocols then run, but it is also often where the primary gateway is expected to be.
So yeah, it's running with a single "physical" NIC. But it's like it has port isolation, which is not the case.
If I for example connect to IOT network with my phone and I try to browse to the HA address…
I know the SYN goes directly to HA.
Instead of responding directly to my phone, I see the SYN ACK going to the firewall.
So it seems that everything including local LAN is sent via the default gateway, which is not normal networking behavior, definitely because if I show my ARP table on the HA VM, it has the required IP-MAC address mappings.
FYI: I have a workaround in place by configuring U-turn NAT on traffic originated from HA to the local LAN, so that the destinations see a source IP on my firewall and send traffic back to the firewall instead of directly to HA. This works perfectly of course, but is not a desired configuration and shouldn't be necessary.
So everything works now, just not correctly.
Maybe another piece of info: my Windows AD VM does not have this issue on the native VLAN.
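The symptom described in this thread (a SYN-ACK to an on-link phone framed to the firewall's MAC) can be spotted mechanically in a capture. The script below is an added example, not code from the original post or from Home Assistant: it flags frames our host sent to the gateway MAC although the destination IP is inside our own subnet, and shows with a toy longest-prefix-match lookup how a wrong prefix length on the VM (a /32 instead of the /24, one hypothetical cause, not something the post establishes) would produce exactly that behavior. All MACs, IPs and capture lines are constructed.

```python
import ipaddress
import re

# Constructed values (not from the post): IOT VLAN 192.168.4.0/24, HA VM,
# the firewall's IOT sub-interface as default gateway, and a phone.
IOT_SUBNET = ipaddress.ip_network("192.168.4.0/24")
GATEWAY_IP = "192.168.4.1"
HA_MAC = "52:54:00:aa:bb:01"        # hypothetical HA VM MAC
GATEWAY_MAC = "00:1b:17:00:00:10"   # hypothetical firewall MAC
PHONE_MAC = "3c:22:fb:00:00:42"     # hypothetical phone MAC

# Constructed `tcpdump -e -n` style lines: the phone's SYN arrives directly, the
# VM's SYN-ACK is framed to the gateway MAC although the phone is on-link.
CAPTURE = f"""\
10:00:00.000001 {PHONE_MAC} > {HA_MAC}, ethertype IPv4 (0x0800), length 74: 192.168.4.50.51234 > 192.168.4.10.8123: Flags [S]
10:00:00.000200 {HA_MAC} > {GATEWAY_MAC}, ethertype IPv4 (0x0800), length 74: 192.168.4.10.8123 > 192.168.4.50.51234: Flags [S.]
10:00:01.000000 {HA_MAC} > {GATEWAY_MAC}, ethertype IPv4 (0x0800), length 60: 192.168.4.10.40000 > 8.8.8.8.53: UDP
"""

FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)


def misrouted_onlink_frames(capture, local_mac, gateway_mac, subnet):
    """(src_ip, dst_ip) of frames we sent to the gateway MAC for an on-link destination."""
    hits = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if not m or m["smac"] != local_mac:
            continue  # not our frame, or not an IPv4 frame we can parse
        if ipaddress.ip_address(m["dip"]) in subnet and m["dmac"] == gateway_mac:
            hits.append((m["sip"], m["dip"]))
    return hits


def next_hop(dst, routes):
    """Longest-prefix match over (network, via) entries; via=None means on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    _net, via = max(matches, key=lambda r: r[0].prefixlen)
    return via or "on-link"


# Correct table: connected /24 wins for the phone. Hypothetical bad table: only a
# /32 host route exists, so every LAN neighbour falls through to the default route.
GOOD_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), GATEWAY_IP), (IOT_SUBNET, None)]
BAD_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), GATEWAY_IP),
              (ipaddress.ip_network("192.168.4.10/32"), None)]
```

Run `misrouted_onlink_frames(CAPTURE, HA_MAC, GATEWAY_MAC, IOT_SUBNET)` against a real `tcpdump -e -n` dump taken on the VM's NIC to confirm the symptom, and compare `ip -4 route` on the VM against the two tables.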