Help with configuring IPv6 network

I need a little help with IPv6. I have good knowledge about IPv4, but I’m a bit lost with IPv6.

My network topology is as follows:

WAN (IPv4 only)
- Router 1
  - WiFi 2.4GHz (home network)
  - WiFi 5GHz (home network)
    - Router 2
      - ETH
        - NUC (Proxmox - Ubuntu - HA)
      - WiFi 2.4GHz (WIFI_RPT - IOT network)
        - ESPhome devices
        - Matter devices

  • Router 1: TP-Link router Archer AX50
    – connected to Internet by IPv4 only, there is no IPv6 support from IP
    – DHCP server
    – WLAN: 5GHz (WIFI_5GHz) / 2.4GHz (WIFI_2.4GHz)

  • Router 2: Asus RT N66U
    – FreshTomato FW
    – connected to the main Router 1 via 5GHz WiFi
    – bridged WiFi 2.4GHz, works as repeater (WIFI_RPT)

  • NUC
    – connected to Router 2
    – Proxmox - UBUNTU linux - Supervised HA

The WIFI_RPT should be the main IOT network. Right now I have some ESPHome devices connected and it works nicely with IPv4. Router 2 acts as a bridge between the 5GHz home network and the 2.4GHz IOT network. All devices connected to the IOT network receive their IP address from the DHCP server running on the main router and they are accessible in the same subnetwork as all other devices.

My wish is to configure IPv6 for the Matter protocol and ideally separate the IOT network from the home network via separate VLAN.

Now I do not know where to start and how to configure IPv6. Up to now IPv6 was disabled as it is not supported by my IP provider. I would like to configure a separate VLAN on Router 2, but I’m not sure how to at the same time keep the current NUC/HA connection in the home network, so it would be accessible from the network.

The Matter protocol does not need IPv6 management/configuration or DHCP support. It will autoconfigure IPv6 on its devices and manage the network automatically. This was one of the original selling points of Matter.

Naturally that is for a “flat” un-routed network. As long as all the devices are on the same layer 2 network it will just work.

I don’t use Supervised, so don’t know those details, but at a high level, I would add to HA the OTBR AddOn and get it running with a SkyConnect for Thread. The OTBR acts as an IPv6 Router between a Thread radio network and another Layer2 network which in this case is a network that should be connected in a Docker fashion to HA-Core and all the other HA AddOns, and connected in a regular way to Ubuntu, and the NUC’s ETH. Assuming Router2 continues to bridge between ETH and WIFI_RPT, then WIFI_RPT is also part of this Layer2 network.

The OTBR (without any particular IPv6 configuration) assigns itself an IPv6 address from a random prefix it chooses and it sends out Router Advertisements with this IPv6 prefix so that all the endpoints on the Layer2 network can use it to formulate a complete IPv6 address, and thus all the endpoints on this Layer2 network are on one/same IPv6 network. This particular IPv6 prefix is not within the global address range, so you don’t have to worry about not having a global IPv6 address. Router2 would not need to be configured for IPv6 for anything, assuming you’re fine with it bridging between the NUC and the WIFI_RPT.

Hi ra.ka,

Firstly, don’t start the hassle of trying to get IPv6 to work when even your ISP is not supporting it. You won’t get any benefit from running IPv6 in your home network when everything outside your home is not running IPv6, causing your router to make a lot of translations and maybe causing a lot of network drops.

You should start by getting a working IPv6 address on your WAN; after that, start worrying about setting up IPv6 in your home network.

Now on to your question about segmentation. As I understand, only your Router 1 has DHCP enabled and so you only have 1 DHCP scope.
The way you have it set up right now causes all your devices in all the networks to be able to talk to each other. If you don’t want that, try setting up VLANs, each with their own DHCP scope. Then you have your devices segmented (for security reasons I highly recommend it).

You can do this by getting a router that has VLAN support for your main router and switching your TP-Link out with that one. Then start broadcasting 2 WiFi networks: one with your default WiFi network and one with your IoT network. After that, throw out your Asus router as well. In this setup you only have one router for both networks. Please don’t set your second router to DHCP and NAT; this will cause a lot of problems and network performance issues, because your Router 1 is already performing NAT. If one of your current routers has VLAN support you can use that router as your primary router, of course.

If you need any help, or more clarification please let me know!

  • Tim

Thanks for the advice.

My current network topology:

I’m not sure what you mean with “get IPv6 working on WAN”. My internet provider does not support IPv6, so I only need IPv6 locally on LAN.

Currently Router 2 bridges the 5GHz home network to the 2.4GHz IOT network. All devices, whether connected to Router 1 or Router 2, get their IP address from the DHCP server running on Router 1. As a result all devices are accessible in one subsegment.

I would like to change it, so IOT network is isolated. NUC needs access to the IOT network as well as to the home network. NUC is connected to router 2.

Router 1 runs the original firmware, where I have only limited configuration possibilities.
Router 2 is flashed with FreshTomato, so the possibilities are endless.

Let’s start with separating the IOT network from the home network. I have no possibility to configure VLANs on Router 1. Router 2 is a totally different story, as it is running FreshTomato firmware.

Additional note:
The NUC runs two virtual machines. The first one is an Ubuntu server with HA. The second one is an Ubuntu server with Pi-hole and an Nginx server providing HTTPS for HA, but also for the NAS connected to Router 1.

I assume IPv6 must be enabled on the Router. Can you help me with the configuration? It must be static, as

Besides, I’ve read mDNS is required.

I have not read all the replies, so this might have been said before.

First your IPv4 knowledge is pretty useless with IPv6. It will mainly cause problems, because you are bound by the structure and limitations in that protocol. Read up on IPv6 if you want to do anything else but automatic configuration.

Secondly, HA has a lack of control over IPv6, so setting the interface in the address part seems impossible, and then you cannot define which of all your FE80 networks it should use.
FE80 networks exist on all your interfaces and might or might not be the same actual network.
This means multi-NIC setups are pretty much impossible.
Your best bet is to include the HA server in the IoT network and then use the router and its firewall to open the ports needed for specific connections, which is also what a router is made for.

Thirdly, don’t try to set up IPv6 manually until you understand the protocol. You need several addresses configured for each interface and you might also get temporary addresses and auto-configuration addresses added that you need to control.

I’ve managed to get it working. I separated the networks into two subnets, where the second router is connected to the main one using wireless client mode. I could enable DHCPv6 on the second router. And Matter works on the second subnet. However, I would like to create a third subnet just for the HA/Matter devices. For this purpose I have a VLAN with virtual WiFi; the network appears in HA as a second Ethernet interface. All works, but I need to tell the Matter Server to use this interface.

You can’t.
HA is lacking those options.

OK, for now I’m back with a single ETH link/subnet. IPv6 is working, the router assigns IPv6 addresses via DHCP, but I’m unable to add Matter devices. It always fails on verifying the connection. It worked once when I was playing with the router settings, but no more.

mDNS scan on the Linux host running HA while adding the Matter device:

mdns-scan
+ Domov._home-assistant._tcp.local
+ esp32-led1-bedroom._esphomelib._tcp.local
+ 870FE7CDB718BF47._matterc._udp.local
+ 2F3B5C225EAA4813-1FBFCFCDF84936EB._matter._tcp.local

ha dns info
fallback: true
host: 172.30.32.3
llmnr: false
locals:
- dns://10.100.1.2
mdns: true
servers: []
update_available: false
version: 2024.04.0
version_latest: 2024.04.0

Matter server logs (there is no sign of any activity while adding the Matter device):

s6-rc: info: service banner successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service banner: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started

-----------------------------------------------------------
 Add-on: Matter Server
 Matter WebSocket Server for Home Assistant Matter support.
-----------------------------------------------------------
 Add-on version: 5.6.0
 You are running the latest version of this add-on.
 System: Ubuntu 22.04.4 LTS  (amd64 / qemux86-64)
 Home Assistant Core: 2024.5.0
 Home Assistant Supervisor: 2024.04.4
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service banner successfully started
s6-rc: info: service matter-server: starting
s6-rc: info: service matter-server successfully started
s6-rc: info: service legacy-services: starting
[16:54:58] INFO: Starting Matter Server...
s6-rc: info: service legacy-services successfully started
[16:54:59] INFO: Using 'ens18' as primary network interface.
[16:54:59] INFO: Successfully send discovery information to Home Assistant.
2024-05-03 16:55:00.530 (MainThread) INFO [matter_server.server.stack] Initializing CHIP/Matter Logging...
2024-05-03 16:55:00.530 (MainThread) INFO [matter_server.server.stack] Initializing CHIP/Matter Controller Stack...
[1714748100.554452][126:126] CHIP:CTL: Setting attestation nonce to random value
[1714748100.554709][126:126] CHIP:CTL: Setting CSR nonce to random value
[1714748100.555572][126:126] CHIP:DL: ChipLinuxStorage::Init: Using KVS config file: /tmp/chip_kvs
[1714748100.555747][126:126] CHIP:DL: writing settings to file (/tmp/chip_kvs-IU5Y3G)
[1714748100.555821][126:126] CHIP:DL: renamed tmp file to file (/tmp/chip_kvs)
[1714748100.556088][126:126] CHIP:DL: ChipLinuxStorage::Init: Using KVS config file: /data/chip_factory.ini
[1714748100.556152][126:126] CHIP:DL: writing settings to file (/data/chip_factory.ini-mWuvqJ)
[1714748100.556204][126:126] CHIP:DL: renamed tmp file to file (/data/chip_factory.ini)
[1714748100.556235][126:126] CHIP:DL: ChipLinuxStorage::Init: Using KVS config file: /data/chip_config.ini
[1714748100.556272][126:126] CHIP:DL: writing settings to file (/data/chip_config.ini-93Jm0I)
[1714748100.556303][126:126] CHIP:DL: renamed tmp file to file (/data/chip_config.ini)
[1714748100.556334][126:126] CHIP:DL: ChipLinuxStorage::Init: Using KVS config file: /data/chip_counters.ini
[1714748100.556371][126:126] CHIP:DL: writing settings to file (/data/chip_counters.ini-wYyZxI)
[1714748100.556404][126:126] CHIP:DL: renamed tmp file to file (/data/chip_counters.ini)
[1714748100.556726][126:126] CHIP:DL: writing settings to file (/data/chip_factory.ini-GVEAUI)
[1714748100.556884][126:126] CHIP:DL: renamed tmp file to file (/data/chip_factory.ini)
[1714748100.556904][126:126] CHIP:DL: NVS set: chip-factory/unique-id = "3A415011A07A7C3C"
[1714748100.556984][126:126] CHIP:DL: writing settings to file (/data/chip_factory.ini-ELuotI)
[1714748100.557249][126:126] CHIP:DL: renamed tmp file to file (/data/chip_factory.ini)
[1714748100.557273][126:126] CHIP:DL: NVS set: chip-factory/vendor-id = 65521 (0xFFF1)
[1714748100.557373][126:126] CHIP:DL: writing settings to file (/data/chip_factory.ini-2AuT1J)
[1714748100.557529][126:126] CHIP:DL: renamed tmp file to file (/data/chip_factory.ini)
[1714748100.557555][126:126] CHIP:DL: NVS set: chip-factory/product-id = 32769 (0x8001)
[1714748100.557625][126:126] CHIP:DL: writing settings to file (/data/chip_counters.ini-bR5qPI)
[1714748100.557797][126:126] CHIP:DL: renamed tmp file to file (/data/chip_counters.ini)
[1714748100.557819][126:126] CHIP:DL: NVS set: chip-counters/reboot-count = 1 (0x1)
[1714748100.557888][126:126] CHIP:DL: writing settings to file (/data/chip_counters.ini-fvZ5FK)
[1714748100.558030][126:126] CHIP:DL: renamed tmp file to file (/data/chip_counters.ini)
[1714748100.558052][126:126] CHIP:DL: NVS set: chip-counters/total-operational-hours = 0 (0x0)
[1714748100.558133][126:126] CHIP:DL: writing settings to file (/data/chip_counters.ini-LZXjzK)
[1714748100.558259][126:126] CHIP:DL: renamed tmp file to file (/data/chip_counters.ini)
[1714748100.558277][126:126] CHIP:DL: NVS set: chip-counters/boot-reason = 0 (0x0)
[1714748100.558338][126:126] CHIP:DL: writing settings to file (/data/chip_config.ini-cuVviI)
[1714748100.558453][126:126] CHIP:DL: renamed tmp file to file (/data/chip_config.ini)
[1714748100.558471][126:126] CHIP:DL: NVS set: chip-config/regulatory-location = 0 (0x0)
[1714748100.558535][126:126] CHIP:DL: writing settings to file (/data/chip_config.ini-THQkeJ)
[1714748100.558661][126:126] CHIP:DL: renamed tmp file to file (/data/chip_config.ini)
[1714748100.558681][126:126] CHIP:DL: NVS set: chip-config/location-capability = 2 (0x2)
[1714748100.558992][126:126] CHIP:DL: Got Ethernet interface: ens18
[1714748100.559204][126:126] CHIP:DL: Found the primary Ethernet interface:ens18
[1714748100.559630][126:126] CHIP:DL: Failed to get WiFi interface
[1714748100.559641][126:126] CHIP:DL: Failed to reset WiFi statistic counts
2024-05-03 16:55:00.560 (MainThread) WARNING [PersistentStorage] Initializing persistent storage from file: /data/chip.json
2024-05-03 16:55:00.560 (MainThread) ERROR [root] [Errno 2] No such file or directory: '/data/chip.json'
2024-05-03 16:55:00.560 (MainThread) CRITICAL [root] Could not load configuration from /data/chip.json - resetting configuration...
2024-05-03 16:55:00.560 (MainThread) WARNING [root] No valid SDK configuration present - clearing out configuration
2024-05-03 16:55:00.560 (MainThread) WARNING [root] No valid REPL configuration present - clearing out configuration
2024-05-03 16:55:00.608 (MainThread) WARNING [CertificateAuthorityManager] Loading certificate authorities from storage...
2024-05-03 16:55:00.608 (MainThread) WARNING [CertificateAuthority] New CertificateAuthority at index 1
2024-05-03 16:55:00.612 (MainThread) WARNING [FabricAdmin] New FabricAdmin: FabricId: 0x0000000000000002, VendorId = 0x134B
2024-05-03 16:55:00.612 (MainThread) INFO [matter_server.server.stack] CHIP Controller Stack initialized.
2024-05-03 16:55:00.614 (MainThread) INFO [matter_server.server.server] Starting the Matter Server...
2024-05-03 16:55:00.617 (MainThread) INFO [matter_server.server.helpers.paa_certificates] Fetching the latest PAA root certificates from DCL.
2024-05-03 16:55:05.233 (ThreadPoolExecutor-0_0) WARNING [py.warnings] /usr/local/lib/python3.11/concurrent/futures/thread.py:58: CryptographyDeprecationWarning: The parsed certificate contains a NULL parameter value in its signature algorithm parameters. This is invalid and will be rejected in a future version of cryptography. If this certificate was created via Java, please upgrade to JDK21+ or the latest JDK11/17 once a fix is issued. If this certificate was created in some other fashion please report the issue to the cryptography issue tracker. See https://github.com/pyca/cryptography/issues/8996 and https://github.com/pyca/cryptography/issues/9253 for more details.
  result = self.fn(*self.args, **self.kwargs)

2024-05-03 16:55:12.191 (MainThread) INFO [matter_server.server.helpers.paa_certificates] Fetched 132 PAA root certificates from DCL.
2024-05-03 16:55:12.192 (MainThread) INFO [matter_server.server.helpers.paa_certificates] Fetching the latest PAA root certificates from Git.
2024-05-03 16:55:14.381 (MainThread) INFO [matter_server.server.helpers.paa_certificates] Fetched 90 PAA root certificates from Git.
2024-05-03 16:55:14.382 (MainThread) WARNING [FabricAdmin] Allocating new controller with CaIndex: 1, FabricId: 0x0000000000000002, NodeId: 0x000000000001B669, CatTags: []
2024-05-03 16:55:14.529 (Dummy-2) CHIP_ERROR [chip.native.DL] Long dispatch time: 146 ms, for event type 2
2024-05-03 16:55:14.531 (MainThread) INFO [matter_server.server.device_controller] Loaded 0 nodes from stored configuration
2024-05-03 16:55:14.539 (MainThread) INFO [matter_server.server.vendor_info] Loading vendor info from storage.
2024-05-03 16:55:14.539 (MainThread) INFO [matter_server.server.vendor_info] Loaded 0 vendors from storage.
2024-05-03 16:55:14.539 (MainThread) INFO [matter_server.server.vendor_info] Fetching the latest vendor info from DCL.
2024-05-03 16:55:14.823 (MainThread) INFO [matter_server.server.vendor_info] Fetched 189 vendors from DCL.
2024-05-03 16:55:14.823 (MainThread) INFO [matter_server.server.vendor_info] Saving vendor info to storage.

I finally managed to add the Matter device. The culprit was an Android phone with an enabled work profile and VPN. It probably somehow disrupted the communication between the Matter device and the HA companion app. Once I disabled the work profile, I could add the Matter device.

Didn’t read everything above, but for Matter and Thread to work, ALL Ethernet and Wifi devices MUST be on the same subnet. Matter doesn’t support segmented networks.

And you don’t need to configure IPv6 on those device interfaces manually, you just need to ENABLE IPv6. Matter and Thread then use link-local addresses, which are created automatically.
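As an added illustration of the mechanism described in this thread (the OTBR advertising a random, non-global prefix that every host on the Layer2 network combines with its own interface identifier, and the fe80:: link-local addresses that exist on every interface and need a zone suffix to be told apart), here is a Python sketch that is not from any post above or from Home Assistant itself; the MAC address, the prefixes and the interface name ens18 are constructed sample values.

```python
import ipaddress
import secrets

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")    # RFC 4193, the kind of prefix the OTBR picks
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # what an ISP would have to hand out


def random_ula_prefix(subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Build a locally assigned /64 the way RFC 4193 prescribes:
    fd00::/8 + 40 random bits (global ID) + 16-bit subnet ID."""
    global_id = secrets.randbits(40)
    top64 = (0xFD << 56) | (global_id << 16) | (subnet_id & 0xFFFF)
    return ipaddress.IPv6Network((top64 << 64, 64))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    split the MAC, insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms on its own from an advertised /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC only works with a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def link_local_address(mac: str, ifname: str) -> str:
    """The fe80:: address every interface gets automatically; the zone suffix is
    what distinguishes otherwise identical fe80:: networks on different NICs."""
    return f"{slaac_address('fe80::/64', mac)}%{ifname}"


def prefix_scope(prefix: str) -> str:
    """Classify an advertised prefix: only 'global' needs the ISP to cooperate."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.subnet_of(LINK_LOCAL):
        return "link-local"
    if net.subnet_of(UNIQUE_LOCAL):
        return "unique-local"
    if net.subnet_of(GLOBAL_UNICAST):
        return "global"
    return "other"


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                  # constructed sample MAC
    ra_prefix = random_ula_prefix(subnet_id=1)  # what an OTBR-style RA would carry
    print(link_local_address(mac, "ens18"), prefix_scope(str(ra_prefix)))
    print(slaac_address(str(ra_prefix), mac))
```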