Hello all.
Starting to use HA and planning on running it on a server at home (HW tbd).
I currently have different VLANs and subsequent networks. One for the main stuff (TV, phones, PC etc.) and others for other servers and finally one for IoT devices.
I heavily denied all sorts of stuff on the IoT network so they don’t go rogue on me, with PiHole running in the middle of all that anyways.
But to the point: if I wanted HA to run on the main LAN at home, to detect the TV etc. and other media devices, has anyone gotten a similar configuration where devices are on another VLAN/network?
Did you add a VLAN interface to HA? Did you do something different?
I assume the device creating these VLANs also lets you define the firewall rules for controlling communication between them, right? So add rules to ensure HA has the access it needs.
In my house, for example, devices on the main VLAN can see every device on the IoT VLAN but not vice versa. The IoT VLAN is heavily restricted so devices on it can only reach my DNS server, my NTP server and necessary functions on the gateway (DHCP, etc.). Nothing else on the network can be reached from the IoT VLAN.
All this is done in my network switch which is where these kinds of tasks should be done. HA should not have any control over what it can or cannot see or what other devices can and cannot see, your switch should be controlling network traffic.
Agreed. And yes, HA has access to these (main → IoT VLAN) and not vice-versa. I meant in terms of network discovery: have you set up an IGMP proxy or anything like that?
I guess anyways, that wouldn’t matter using ZHA devices, given HA would discover them with their respective protocols
I have multiple VLANs set up on mine, one being trusted devices, one for IoT and one for DMZ. HA has access to 2 VLANs in mine, Internal and IoT, as it interacts with both (it tracks PC states on the trusted network).
Basically I just set up a VLAN trunk on HA and the switch and gave HA two IP addresses, one for each VLAN. Its default route is out through the internal network. I have also set up nftables firewall rules on HA to lock down HA on the IoT network.
So, no one has faced the use-case of having Home Assistant in a different VLAN / subnet / broadcast domain than their TV and other “network discoverable devices”?
Sure I have, that’s what I have now. I didn’t have to set up an IGMP proxy though, I’m not sure how that plays in. Actually tbh I’m not really even sure what that is.
My switch has options to allow multicast broadcasts across networks, so I believe HA still picks those up even though it lives on a different network from most of the devices broadcasting multicast services. That being said, I didn’t really use discovery for setup, so I didn’t really do much testing of that particular feature. HA can see my IoT network, so I added the integrations for my TV and stuff and put in the IP address. Or the hostname, if it broadcast a human-readable one or I felt like making one in my DNS server.
Yeah, indeed I have just added the VLAN interfaces to the device, seemed to be the easiest way for now, quite keen to get it working using router/switch capabilities just for the “fun of it”.
Also seems like one can add hosts for these integrations manually by IP so that is also an alternative.
I had stuff that didn’t work across multiple layer 3 networks, so I ended up with the multiple adapters in different VLANs approach. It’s been that way for years and has been working great.
Thanks for the reply. I’m running Home Assistant OS 12.3 on a Raspberry Pi 4. I’m not sure if I could add a USB network adapter and have HA recognize it.
I have a similar set-up on Debian. It’s tricky. Many devices are only discoverable if they can be reached via the default gateway with the lowest metric.
For example, TP-Link devices are discovered using broadcast packets, which are limited to one subnet (I think). My gateways look like this:
default via 192.168.10.1 dev usb0 proto dhcp src 192.168.10.253 metric 128
default via 192.168.15.1 dev eth0 proto dhcp src 192.168.15.253 metric 256
TP-Link devices on usb0 are discoverable, but any on eth0 are not. Luckily, I only use eth0 for a few Rokus, and they have static IPs. It would be nice if a routing guru knew a better option, though.
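The failure mode described above can be checked from the routing table alone. The script below is an added example, not something from the thread: given `ip route` output (the sample routes here are constructed to match the two default routes quoted above, plus the connected subnets one would expect for them), it reports which interface limited-broadcast discovery (255.255.255.255) leaves on, i.e. the default route with the lowest metric, and whether a given device sits on that interface's subnet.

```shell
#!/bin/sh
# Added example (not from the thread). Sample routing table is constructed;
# on a real host feed it `ip route` output instead.
set -eu

SAMPLE_ROUTES='default via 192.168.10.1 dev usb0 proto dhcp src 192.168.10.253 metric 128
default via 192.168.15.1 dev eth0 proto dhcp src 192.168.15.253 metric 256
192.168.10.0/24 dev usb0 proto kernel scope link src 192.168.10.253
192.168.15.0/24 dev eth0 proto kernel scope link src 192.168.15.253'

# broadcast_iface ROUTES : interface of the default route with the lowest
# metric; that is where 255.255.255.255 discovery packets are sent.
broadcast_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            m = 0; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "metric") m = $(i + 1) + 0
                if ($i == "dev") d = $(i + 1)
            }
            if (best == "" || m < bm) { best = d; bm = m }
        }
        END { print best }'
}

# device_iface ROUTES IP : interface whose connected subnet contains IP
# (prefix comparison done by integer division on the 32-bit address).
device_iface() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        function toint(a,  o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        $1 ~ "/" && $2 == "dev" {
            split($1, p, "/"); shift = 2 ^ (32 - (p[2] + 0))
            if (int(toint(ip) / shift) == int(toint(p[1]) / shift)) { print $3; exit }
        }'
}

# discoverable ROUTES IP : "yes" when subnet-limited broadcast discovery from
# this host reaches IP, "no" when the device lives behind the other interface.
discoverable() {
    if [ "$(device_iface "$1" "$2")" = "$(broadcast_iface "$1")" ]; then echo yes; else echo no; fi
}

# Stand-alone run: check the device given as first argument (default: a Roku-style IP on eth0).
discoverable "$SAMPLE_ROUTES" "${1:-192.168.15.40}"
```

A device that comes back "no" here is exactly the case in the post: reachable by unicast, so adding it by IP works, but never seen by broadcast discovery.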
Hi, my HA is on the main LAN. It should be able to see all other VLANs, but it could not integrate IoT devices in those VLANs. How do I go about adding VLANs to my HA? The network adapter in the advanced options only shows the auto config and/or the main IP address it’s attached to; there seems to be no way to hook it up to a VLAN.
My network is set up with the main LAN having access to all VLANs but not the other way around, for security reasons. Ports in switches are configured with all the various networks and are discoverable via mDNS as well as PIM on my router.
You may need to have HA on that IoT VLAN and have an IP address on that VLAN. A way to do that is to have multiple Ethernet ports. Plug one into the main LAN and one into the IoT VLAN. Since my device has two ports, that’s what I did. Alternatively, configure the port on the LAN switch as a TRUNK and then configure additional networks in Linux for different VLAN IDs.
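The trunk-port approach mentioned here, and the earlier post that paired it with nftables rules to lock HA down on the IoT side, look roughly like the script below on a plain Linux host. This is an added example, not configuration from either poster: interface names (eth0 as the trunk), VLAN IDs (10 = main LAN, 20 = IoT), addresses and the two discovery ports left open from the IoT side (mDNS 5353, SSDP 1900) are all assumptions. With `DRY_RUN=1` (the default when run without the `apply` argument) it prints the commands and ruleset instead of executing them; applying them needs root, iproute2 and nft.

```shell
#!/bin/sh
# Added example (not from the thread). Every name, ID and address is an assumption.
set -eu

# run CMD... : execute, or just print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# add_vlan TRUNK_IF VLAN_ID CIDR : create TRUNK_IF.VLAN_ID on the trunk and address it.
add_vlan() {
    trunk=$1; vid=$2; cidr=$3
    run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
    run ip addr add "$cidr" dev "$trunk.$vid"
    run ip link set "$trunk.$vid" up
}

# iot_ruleset IOT_IF : HA may talk to IoT devices and get replies back, IoT devices
# may only send unsolicited mDNS/SSDP (discovery) to HA; everything else is dropped.
# Other interfaces are untouched (policy accept).
iot_ruleset() {
    iot_if=$1
    cat <<EOF
table inet ha_iot {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$iot_if" ct state established,related accept
    iifname "$iot_if" udp dport { 5353, 1900 } accept
    iifname "$iot_if" drop
  }
}
EOF
}

# apply_iot_ruleset IOT_IF : load the ruleset with nft, or print it in dry-run mode.
apply_iot_ruleset() {
    if [ "${DRY_RUN:-0}" = 1 ]; then iot_ruleset "$1"; else iot_ruleset "$1" | nft -f -; fi
}

# Assumed layout: eth0 is the trunk, VLAN 10 is the main LAN (default route
# stays there via DHCP or your existing config), VLAN 20 is the IoT network.
main() {
    add_vlan eth0 10 192.168.10.5/24
    add_vlan eth0 20 192.168.20.5/24
    apply_iot_ruleset eth0.20
}

if [ "${1:-}" = apply ]; then main; else DRY_RUN=1 main; fi
```

Home Assistant OS does not expose a shell for this; the script is for the Debian/supervised style of install discussed in the thread, and the VLAN links are not persistent across reboots unless you also put them in your network manager's config.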
You can set up a bridge easily without needing multiple ethernet ports. I haven’t used the Home Assistant OS, but the process is easy on most Linux-based distros.