Recently I moved all my smart devices (Xiaomi gateway, Yeelight bulbs and LED strips, etc.) to a separate VLAN on my network to increase the security of my home network.
So in VLAN 192.168.1.xx I have my Hass.io in Docker.
In another VLAN, 192.168.180.xxx, I have all my IoT devices. Before the VLAN change everything was working just fine.
Now I'm struggling with some issues and hope that you can help me.
My Xiaomi gateway is visible in HA after changing the configuration to the below:
xiaomi_aqara:
  discovery_retry: 5
  gateways:
    - host: 192.168.xxx.xx
      mac: xxxxxxxxxx
      key: xxxxxxxxxxxxxxxx
Once or twice per day it disappears from HA, and after a reboot of HA it is back again for half of the day.
All my Yeelight bulbs are still unavailable. I have them correctly configured in HA, I believe:
yeelight:
  # one devices: map, keyed by each bulb's own IP (addresses masked here)
  devices:
    192.168.180.xx:
      name: biurko LED
    192.168.180.xx:
      name: lampa stojaca
    192.168.180.xx:
      name: Lampka na biurku
    192.168.180.xx:
      name: Led'y kuchnia
The Xiaomi air purifier is also configured but not visible in HA.
It's configured like this:
fan:
  - platform: xiaomi_miio
    host: 192.168.180.xx
    token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name: oczyszczacz powietrza
And last but not least, my Philips for Xiaomi bulb, configured like this:
light:
Everything is configured on an EdgeRouter X with a Ubiquiti access point.
I believe that most of the firewall rules are set correctly, but maybe a port or service is missing in my config?
I believe that with a USG it would be much simpler, but I like challenges.
Do you also have a separate network for IoT in your setup, with rules set on the firewall?
I just switched from a “dumb” flat network to all Ubiquiti about two weeks ago, so I’m still setting things up. I started adding rule by rule and I enabled firewall logging for the rule. This way when something stopped working I checked the log to find port and device and then I added a firewall rule to enable this port/device.
I have one rule to allow all established and related sessions, so that devices can communicate if the session was initialized by the other party.
-> LAN_In: Allow all established and related sessions
I have a VLAN for the server, which runs Home Assistant, MQTT etc.
Another VLAN for IoT devices, which should not have access to the internet or to any other VLAN, but should be able to publish messages to the MQTT server.
-> LAN_IN: Allow access from the VLAN to the server for ports 1883/8883 (MQTT ports)
-> WAN_OUT: Block access to Internet
-> LAN_IN: Block access to other VLANs
I have another VLAN for entertainment devices like AV receivers, Kodi box etc., which should be allowed to go to the internet for Spotify etc. but blocked from accessing other VLANs.
-> LAN_IN: Block access to other VLANs
And so on.
Thanks a lot for your advice. I just realised that with a USG it will be simpler.
So I just ordered a USG instead of the EdgeRouter, which I will bring back to the local store.
I will look at how it works with the USG next week.
Big thanks
Michał
I agree it's pretty easy with the USG, because you can do a lot of things through the GUI; however, I think the EdgeRouter allows more advanced config, and some of it is more powerful, all depending on your needs.
True, but I will have two of them and then I will decide. I still believe that what I want to accomplish is not rocket science. The second advantage is having both the USG and the AP managed with the same tool, I mean the UniFi controller. All changes are propagated to all connected UniFi devices and so on.
We will see. I hope that this change will be a plus only.