HA to detect devices across multiple networks / VLAN

Hello all.
Starting to use HA and planning on running it on a server at home (HW tbd).
I currently have different VLANs and subsequent networks. One for the main stuff (TV, phones, PC etc.) and others for other servers and finally one for IoT devices.

I heavily denied all sorts of stuff on the IoT network so they don’t go rogue on me, with PiHole running in the middle of all that anyways.

But to the point: if I wanted HA to run on the main LAN at home, to detect the TV etc. and other media devices, has anyone gotten a similar configuration where devices are on another VLAN / network?

Did you add a VLAN interface to HA? Did you do something different?

Thanks for your help,

I assume the device creating these VLANs also lets you define the firewall rules for controlling communication between them, right? So add rules to ensure HA has the access it needs.

In my house, for example, devices on the main VLAN can see every device on the IoT VLAN but not vice versa. The IoT VLAN is heavily restricted so devices on it can only reach my DNS server, my NTP server and necessary functions on the gateway (DHCP, etc.). Nothing else on the network can be reached from the IoT VLAN.

All this is done in my network switch which is where these kinds of tasks should be done. HA should not have any control over what it can or cannot see or what other devices can and cannot see, your switch should be controlling network traffic.

Agreed. And yes, HA has access to these (main → IoT VLAN) and not vice versa. I meant in terms of network discovery, have you set up an IGMP proxy or anything like that?

I guess anyway, that wouldn’t matter using ZHA devices, given HA would discover them with their respective protocols.

I have multiple VLANs set up on mine, one being trusted devices, one for IoT and one for DMZ. HA has access to 2 VLANs in mine, Internal and IoT, as it interacts with both (it tracks PC states on the trusted network).

Basically I just set up a VLAN trunk on HA and the switch and gave HA two IP addresses, one for each VLAN. Its default route is out through the internal network. I have also set up nftables firewall rules on HA to lock down HA on the IoT network.
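
One way the host-side lockdown described in the post above could look, as an added example that is not the poster's actual ruleset. It assumes a Linux host with nftables, tagged sub-interfaces named `eth0.10` (trusted VLAN) and `eth0.20` (IoT VLAN), SSH on port 22, and Home Assistant on its default port 8123; all interface names and VLAN IDs are hypothetical.

```nft
#!/usr/sbin/nft -f
# Added example. Assumed names: eth0.10 = trusted VLAN, eth0.20 = IoT VLAN.

# Create-then-delete makes the file safe to reload repeatedly.
table inet ha_filter
delete table inet ha_filter

table inet ha_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Trusted VLAN: Home Assistant UI/API, SSH and ping for administration.
        iifname "eth0.10" tcp dport { 22, 8123 } accept
        iifname "eth0.10" meta l4proto { icmp, ipv6-icmp } accept

        # IoT VLAN: HA initiates connections to devices (handled by the
        # established rule above). Inbound, accept only what discovery needs.
        iifname "eth0.20" udp dport 5353 accept    # mDNS announcements
        iifname "eth0.20" udp dport 1900 accept    # SSDP NOTIFY
        iifname "eth0.20" udp sport 67 udp dport 68 accept    # DHCP replies, if the interface uses DHCP
        iifname "eth0.20" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # Everything else from the IoT side is logged (rate limited), then
        # falls through to the chain's drop policy.
        iifname "eth0.20" limit rate 5/minute log prefix "ha-iot-drop: "
    }

    chain forward {
        # A host with a leg in both VLANs must never route between them,
        # otherwise it becomes a bypass around the inter-VLAN firewall.
        type filter hook forward priority 0; policy drop;
    }
}
```

Unicast replies to a multicast query (for example SSDP search responses) are not matched by the `established` rule, because conntrack expects the reply to come from the multicast address, so an integration that relies on them needs an explicit rule for its devices.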

So, no one has faced the use-case of having Home Assistant in a different VLAN / subnet / broadcast domain than their TV and other “network discoverable devices”?

Sure I have, that’s what I have now. I didn’t have to set up an IGMP proxy though, I’m not sure how that plays in. Actually tbh I’m not really even sure what that is.

My switch has options to allow multicast broadcasts across networks so I believe HA still picks those up even though it lives on a different network from most of the devices broadcasting multicast services. That being said I didn’t really use discovery for setup so I didn’t really do much testing of that particular feature. HA can see my IOT network so I added the integrations for my TV and stuff and put in the IP address. Or the hostname if it broadcasted a human-readable one or I felt like making one in my DNS server.

If HA is on both VLANs then it’ll receive broadcasts from both VLANs.

If HA is on one VLAN, then by default it won’t receive broadcasts from the other VLAN unless you’ve set something up.

Yeah, indeed I have just added the VLAN interfaces to the device, seemed to be the easiest way for now, quite keen to get it working using router/switch capabilities just for the “fun of it”.

Also seems like one can add hosts for these integrations manually by IP so that is also an alternative.

I had stuff that didn’t work across multiple layer 3 networks, so ended up with the multiple adapters in different VLANs approach. Been that way for years and been working great.

How did you give HA two IP addresses? What is a VLAN trunk and how is it configured?

I run Core not HASOS or docker versions, so I’ve just added multiple network cards to the Debian VM it runs on.

Thanks for the reply. I’m running Home Assistant OS 12.3 on a Raspberry Pi4. I’m not sure if I could add a usb network adapter and have HA recognize it.