HA with HAOS not connecting on non-default VLAN

I have HA with HAOS installed on an x86_64 desktop mini-pc working perfectly.
In my home network I have created separate VLAN(s) for computing devices and for IoT devices. The default VLAN id:1 (untagged VLAN) 192.168.0.1/24 is the one for internal computing devices, and VLAN id:10 192.168.0.10/24 is for IoT devices. All my smart home devices are on the VLAN id:10 (non-default) and they work without any issue.
When I connect the HA box to a port on the default VLAN on the gateway it works flawlessly; when I move it to the port on VLAN id:10 on the gateway it does get an IP from the gateway DHCP but doesn’t respond to ping or connect to the network. The router shows that it is correctly routing the packets to the HA box’s IP and port, but it is as if HA is dropping all tagged packets.

Any ideas what is going on?

PS: My networking stack (gateway/access point) is TP-Link Omada. All VLAN creation and administration is happening on my gateway setup and I assumed the HAOS box would connect transparently like any other end device.

PPS: In my setup all cross-VLAN communication is open, and the HA box, when it does come up on default VLAN id:1, is able to detect most of all smart devices, but I still would like to move it to VLAN 10 for better Matter device connection and monitoring/rate control.

EDIT - I had a typo: my VLAN id:10 subnet is 192.168.10.1/24

The subnets, unless separated on their own interfaces, with their own DNS, DHCP, and SSID, are conflicting, I would imagine. I’m not fully aware of Omada’s capability, as I use and prefer OpenWrt, but if you have subnet 192.168.0.1/24, that alone covers all addresses from 192.168.0.1 thru 192.168.0.255. Then you have your IoT network using 192.168.0.10, which falls in the main LAN’s subnet. Doesn’t make sense… Try changing to a different subnet for the IoT network altogether. Something like 10.0.0.1/24 or 192.168.10.1/24.

EDIT - This will bring you to a fork in the road with additional complexities. Which network is HA sitting on? One or both? Does it need to be on both networks? Does your HA machine have dual NICs so you can dual-home it on both networks? Some IT professionals will ward you away from doing so. You will most likely encounter issues with device discovery via AVAHI and mDNS if you have it on one, but need it on both. There are alternative methods to bounce AVAHI and mDNS traffic between networks using reflectors, but they’re not simple to set up. If you need HA on both networks and you don’t have dual NICs and setting up reflectors isn’t an option, you can virtually create a second NIC using nmcli and dual-home it. Some very experienced users on this forum will advocate the method, while other very experienced users will highly advise against it, because it can create security vulnerabilities. Either way, good luck.

EDITx2 With all that said, VLANs bring a complexity of their own to your network. A lot of users struggle setting up Matter devices/IPv6 when using VLANs. Unless you are really willing to learn the ins and outs of networking and get your hands dirty and your mind blown, honestly, your best and safest option is to keep things simple and only use one network. A lot of people jump into this head first without the knowledge and wherewithal to accomplish it. Even the HA Devs highly recommend keeping your home network simple, instead of trying to achieve an enterprise level network.

I had a typo: my VLAN id:10 subnet is 192.168.10.1/24

Very well, most of what I said still stands. In any regard, when you switch HA between the networks, the HA machine’s NIC may not be refreshing fully under the different subnet, which can explain packet loss. Really, as HA is a host device, it should be given a static IP outside the DHCP range of the network it lives in or, at the very least, given a reserved IP address within the DHCP. That’s best practice.

Thanks, I understand the advice and agree the VLAN discovery and routing does bring in complexity.

But I am able to administer/configure most of my network topology successfully and apply the security properties I want to. I have set up mDNS for cross-VLAN discovery. I am ready to learn and explore what I don’t know. My HA box, when connected to VLAN id:1 (default), discovers and connects to almost all smart devices connected on VLAN id:10.

My question is quite simple: every other PC/desktop/smart device, when it connects to VLAN id:10, works, i.e. pings and connects. The HAOS box doesn’t.
Furthermore, the HA box, when connected to the VLAN id:10 port, does get a valid 192.168.10.xx IP address. It shows a fully configured network “ha> network info” command, but the HA box doesn’t respond to pings or connect.

PS: I have tried to reboot the HA device too.

Once it’s on the IoT network, are you attempting the ping from within the IoT network, from the main network, or from the HA box itself while it’s on the IoT network?

HA will connect yes, but only the network stack is sure that way.
With multiple NICs you normally handle the binding of services to the NICs in the OS, but you cannot do that with HAOS and some services require really special configurations to handle multiple NIC bindings, like mDNS, where a hostname can exist on multiple networks without it being the same host.

That is the common mistake with VLANs.
Not everything can be routed with standard TCP/IP rules.
Some protocols are not meant to be routed and therefore need special software to handle them, like mDNS and many of the open and also proprietary discovery protocols, so the administrator needs to have a deep understanding of all the protocols being used.

I would go back to basics here, you have two Subnets:

  • 192.168.0.0/24 - Your “Primary” subnet with your computers
  • 192.168.10.0/24 - Your IOT / Home assistant subnet.

Assuming that the IOT subnet has DNS/DHCP resolution and clean layer 2 packet forwarding, all your IOT devices and Home Assistant should be able to see each other.

For the sake of this discussion let’s say HA is on 192.168.10.50

If your TP-Link router is correctly routing packets between subnets, from one of your PCs you should be able to:

Depending upon your mDNS setup you may or may not be able to resolve HA by name; however, connecting by IP should work.

Worst case you should be able to power cycle HA when you move it between subnets - to make sure it’s cleanly on its new IP.

If the test above doesn’t work, something is screwed with your router configuration (I don’t think it’s a HA issue).


For most home users VLANs are a distraction - there are two primary reasons to use VLANs:

  • The UI on your networking gear forces you to use them / makes things very complex unless you do.
  • You need trunking - i.e. you have multiple managed switches around your home and you want to separate the ports, but only use a single wire to backhaul between switches.

Unfortunately I have both of those use cases; if I didn’t, I would try to avoid VLANs.

HA is designed to work in a flat subnet.
If you want to make it work otherwise, you are going to have to know what you are doing and you are your own support structure.
Enterprise Smart Home Syndrome

@dtrott thanks for the advice.
The problem is specifically with HA and VLAN tagging. When I connect HA on the VLAN:id 10 port it is neither pingable nor does https://192.168.10.50:8123 open. When I connect any other normal laptop on that port it is pingable and connects fine.

Furthermore, when I connect the HA on VLAN:id 10 the router logs show it is routing the packets to that port; also the pings come back with no response and not “Destination Host Unreachable”, which is what you get when the endpoint is not connected/routed.

There is something in the HA stack which is actively black-holing VLAN-tagged packets.

That would be it, stop tagging your packets - there is no need in a typical home setup to have tagged packets, at least they are only needed on links between managed switches **

“Normal” computers, IOT devices, HA etc should be running on an untagged network, the only thing that should have tagged packets is networking gear and maybe hypervisors - but we are getting into SIY (Support it yourself) territory.

** This is my situation all my switches and the WIFI AP are managed so they all use tagged packets, however none of my “normal” devices including HA ever see a tagged packet, as far as HA is concerned, it is on its own little (flat) subnet with the IOT devices.

It should be the port that tags the packets and not the host, unless your network gear lacks VLAN management and you try to make some patch for it by tagging on the host, which is not a best practice method.
If it is the port that tags, then the issue is not HA.

Besides that, the network settings on a server should be static as best practice, so unless you have set it to DHCP just for the testing here, then your network settings might not get updated when you switch port.
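
The tagged-versus-untagged distinction the last replies turn on, as an added example that is not part of the thread: a small parser that reads the 802.1Q tag from an Ethernet frame, plus a simplified model of an end host that has no VLAN sub-interface configured. The MAC addresses, payload and the `delivered_to_host` model are constructed for illustration and are assumptions, not HAOS internals.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vlan_id or None, inner ethertype) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (first,) = struct.unpack_from("!H", frame, 12)
    if first != TPID_8021Q:
        return None, first                       # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, ethertype

def delivered_to_host(frame, host_vlan_subinterfaces=()):
    """Simplified model (assumption): a host's IP stack sees untagged frames,
    and tagged frames only if a sub-interface exists for that VLAN ID."""
    vlan_id, _ = parse_frame(frame)
    return vlan_id is None or vlan_id in host_vlan_subinterfaces

# Constructed sample frames: same payload, as an access port (untagged)
# and as a trunk port (tagged with VLAN 10) would put it on the wire.
PAYLOAD = b"\x00" * 46
DST, SRC = "02:00:00:00:00:50", "02:00:00:00:00:01"
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_10 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=10)

if __name__ == "__main__":
    for name, frame in (("access port", UNTAGGED), ("trunk port", TAGGED_10)):
        vlan_id, ethertype = parse_frame(frame)
        print(f"{name}: vlan={vlan_id} ethertype={ethertype:#06x} "
              f"delivered={delivered_to_host(frame)}")
```

On a real network the same check is a packet capture on the host's link with link-level headers shown: if frames for the host arrive with EtherType 0x8100, the switch port is configured as tagged rather than as an untagged access port for that VLAN.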