Help with Matter on OPNsense

I’m struggling to get Matter to work on OPNsense. I have some Matter Kindind bulbs and Kasa switches on my IoT VLAN. My Nest Minis are on my main. I can get them added to Google Home, but they show unavailable? I can still control them in AiDot, and the Kasa app still works. I had IPv6 disabled and enabled it in tracking. Tried using ChatGPT for help, but had no luck. Is anyone willing to share their configuration if they got this to work?

I’m willing to forgo this entire setup completely if it doesn’t make sense to even try Matter. Please let me know your opinions. I was thinking it’s the best way for full local control. Have about 100 devices on my IoT currently, with a few Zigbee devices as well.

Thanks in advance!

Matter bulbs work for me

HA docker container using macvlan.
Matter server also a container using macvlan.

Matter devices are currently in their own VLAN.

HA and Matter server both have IPv6 IPs.

I will edit this post with more detail shortly

EDIT

VLAN30 is my server VLAN. It is IPv4 only.
VLAN50 is my Matter VLAN. It is IPv4 and IPv6.
Both VLANs are configured in OPNsense and have corresponding config in my Docker network.

HOMEASSISTANT
As I am posting this I realized that HA has no IPv6 configuration. I made significant changes to my network a month back and did this intentionally. HA should only be able to access the Matter server over the Docker bridge network. HA would have no way of knowing the Matter server's LAN address.

      macvlan30_net:
        mac_address: "02:42:0a:3c:1b:f1"
        ipv4_address: "192.168.30.15"

MATTER SERVER

      macvlan30_net:
        ipv4_address: "192.168.30.17"
      macvlan50_net:
        ipv4_address: "192.168.50.17"
        ipv6_address: "fc00:6207::17"

DOCKER NETWORK

IPv6 Subnet - fc00:6207::/32
IPv6 IP Range - fc00:6207::/32
IPv6 Gateway - fc00:6207::1

OPNSENSE

Under Services >> DHCPv6 >> vlan50

enable: true
subnet: fc00:6207::
subnet mask: 32 bits
available range: fc00:6207:: - fc00:6207:ffff:ffff:ffff:ffff:ffff:ffff

Firewall rules (6 total)

1. pass >> vlan50 >> in >> ipv4/6 >> protocol any >> vlan50 net >> server IPs >> port any to any
description: Allow vlan50 connection to servers defined by alias
2. rule to allow connection to my DNS server
3. rule to allow connection to my NTP server
4. pass >> vlan50 >> in >> ipv6 >> protocol any >> vlan50 net >> single host or network: ff02::1/64 >> port any to any
description: allow multicast IPv6
5. block >> vlan50 >> in >> ipv4/6 >> protocol any >> vlan50 net >> RFC1918 >> port any to any
description: block vlan50 to all local IPs defined by RFC1918 alias
6. block >> vlan50 >> in >> ipv4/6 >> protocol any >> vlan50 net >> invert >> RFC1918 >> port any to any
description: block vlan50 to all WAN IPs defined by inversion of RFC1918 alias

Hope this makes sense and is what you were looking for.

Rules #1 and #4 are the minimum to make Matter work, I expect.
#2 and #3 just point devices to local NTP and DNS.
#5 prevents devices from trying to reach out to another device unless allowed.
#6 prevents devices from trying to contact anything outside the local network.
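To make the first-match logic of those six rules concrete, here is an added Python model (not from this thread, and not OPNsense's own code) that walks a few constructed flows through the rules in the order listed. The alias contents (server IPs, RFC1918), the DNS and NTP server addresses, and the vlan50 prefixes are assumptions chosen to match the post; the model treats every rule as "Quick", which is the OPNsense default, so the first matching rule decides and anything unmatched falls to the implicit default deny.

```python
"""Added example: first-match evaluation of the vlan50 rule set described above.

Everything below is a model. Alias contents and the DNS/NTP addresses are
constructed assumptions, not values taken from the thread.
"""
import ipaddress
from dataclasses import dataclass

def nets(*cidrs):
    # strict=False lets "ff02::1/64" stand for the /64 that contains ff02::1.
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)

# Assumed alias contents (the post names the aliases but not their members).
VLAN50_NET = nets("192.168.50.0/24", "fc00:6207::/32")
SERVER_IPS = nets("192.168.30.15/32", "192.168.30.17/32",
                  "192.168.50.17/32", "fc00:6207::17/128")
DNS_SERVER = nets("192.168.30.53/32")    # constructed placeholder
NTP_SERVER = nets("192.168.30.123/32")   # constructed placeholder
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
MULTICAST_V6 = nets("ff02::1/64")        # as written in rule #4

@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "pass" or "block"
    families: tuple      # (4,), (6,) or (4, 6): the rule's "ipv4/6" column
    src: tuple           # networks the source must fall in
    dst: tuple           # networks the destination is compared against
    invert_dst: bool = False   # the "invert" checkbox on the destination
    description: str = ""

# The six rules, in the order they appear in the post.
RULES = (
    Rule(1, "pass",  (4, 6), VLAN50_NET, SERVER_IPS,   description="servers by alias"),
    Rule(2, "pass",  (4, 6), VLAN50_NET, DNS_SERVER,   description="local DNS"),
    Rule(3, "pass",  (4, 6), VLAN50_NET, NTP_SERVER,   description="local NTP"),
    Rule(4, "pass",  (6,),   VLAN50_NET, MULTICAST_V6, description="IPv6 multicast"),
    Rule(5, "block", (4, 6), VLAN50_NET, RFC1918,      description="other local nets"),
    Rule(6, "block", (4, 6), VLAN50_NET, RFC1918, invert_dst=True,
         description="everything that is not RFC1918"),
)

def _in_any(addr, networks):
    # ipaddress returns False for a v4 address tested against a v6 network
    # and vice versa, so mixed-family aliases behave like a pf table.
    return any(addr in n for n in networks)

def _matches(rule, src, dst):
    if src.version not in rule.families or dst.version not in rule.families:
        return False
    if not _in_any(src, rule.src):
        return False
    hit = _in_any(dst, rule.dst)
    # Inverted destination: the rule matches when the address is NOT in the alias.
    return hit != rule.invert_dst

def evaluate(rules, src_ip, dst_ip):
    """Return (action, rule_number) for the first matching rule, or
    ("block", None) for the implicit default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _matches(rule, src, dst):
            return rule.action, rule.number
    return "block", None

# Constructed flows a Matter device on vlan50 might originate.
SAMPLE_FLOWS = (
    ("192.168.50.20", "192.168.30.17"),   # to the Matter server on VLAN30
    ("fc00:6207::20", "ff02::1"),         # IPv6 all-nodes multicast (mDNS/discovery)
    ("192.168.50.20", "192.168.30.53"),   # to the local DNS server
    ("192.168.50.20", "192.168.1.50"),    # to some other private subnet
    ("192.168.50.20", "8.8.8.8"),         # to the internet
    ("fc00:6207::20", "2001:db8::1"),     # IPv6 to the internet
)

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        action, number = evaluate(RULES, src, dst)
        where = f"rule #{number}" if number else "default deny"
        print(f"{src:>16} -> {dst:<16} {action:<5} ({where})")
```

Two things the walk-through shows that the rule list alone does not: order is load-bearing (placing rule #5 above rule #1 would block the server traffic, since 192.168.30.17 is also RFC1918), and the inverted RFC1918 rule catches IPv6 destinations too, because nothing in that alias is an IPv6 prefix, so every IPv6 destination is "not in RFC1918" and only the earlier pass rules (#1 and #4) let IPv6 through.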

Thank you for this! I’ve never used/setup IPv6 before so I’m assuming I still have something wrong.

When I go to Services > DHCPv6, I only have ‘Services’ as an option. I must be missing a setting somewhere else.

Under Interfaces > IoT, I set the IPv6 Config Type to Track; I’m assuming it probably needs to go to static?

I also checked the box for Allow IPv6 under Interfaces > Settings.

I set up a separate VLAN for Matter devices. I think just enabling IPv6 on your standard IoT VLAN is enough.

If you go to Interfaces >> youriot_vlan:

Generic configuration
  IPv6 Configuration Type: Static IPv6
Static IPv6 configuration
  IPv6 address: fc00:6207::1 / 32
  IPv6 gateway rules: disable

After you enter the above, I believe you should see DHCPv6 under “Services” for your IoT network.

Yes. I believe static is correct.

I also have this checked. Don’t remember details of why, or if this was the default.

I suggest spending some time learning the differences between IPv6 and IPv4. It is significant and hard. I think I spent a week or two reading up on this before I even attempted to set this up in OPNsense. Not saying you have not or don’t know; I’m just providing my standard recommendation.

I am not an OPNsense or network master. Please Please Please read the documentation and understand any changes you make and any recommendation of mine you implement. A misconfiguration can be VERY BAD. If you find something wrong or think something can be done better, I would appreciate you telling me. I am maybe a 2 yr user of OPNsense, and it’s hard, but the best decision I ever made (to move away from the Unifi USG).

Lastly, BACKUP YOUR CONFIG before you make any changes.
I’ve had a bad habit of making significant firewall rule and settings changes without a backup to start. I suggest backup >> download locally >> make changes before any change. It’s not fun having your network down for several hours because you made an unintentional change and couldn’t recover.