I’m struggling to get Matter to work on OPNsense. I have some Matter Kindind bulbs and Kasa Switches on my IoT vlan. My Nest Minis are on my main. I can get them added to Google Home, but they show unavailable? I can still control them in AiDot and the Kasa app. I had IPV6 disabled and enabled it in tracking. Tried using ChatGPT for help, but had no luck. Is anyone willing to share their configuration if they got this to work?
I’m willing to forego this entire setup completely if it doesn’t make sense to even try Matter. Please let me know your opinions. I was thinking it’s the best way for full local control. Have about 100 devices on my IoT currently with a few Zigbee devices as well.
HA docker container using
Matter server also container using macvlan
Matter devices are currently in their own vlan
HA, matter server both have ipv6 ip
I will edit this post with more detail shortly
EDIT
VLAN30 is my server vlan. it is ipv4 only.
VLAN50 is my matter vlan. it is ipv4 and ipv6.
both vlans are configured in opnsense and have corresponding config in my docker network.
HOMEASSISTANT
as I am posting this I realized that HA has no IPV6 configuration. I made significant changes to my network a month back and did this intentionally. HA should only be able to access the matter server over the docker bridge network. HA would have no way of knowing the matter server's LAN address.
1. pass >> vlan50 >> in >> ipv4/6 >> protocol any >> vlan50 net >> server IPs >> port any to any
description: Allow Vlan50 connection to servers defined by alias
2. rule to allow connection to my dns server
3. rule to allow connection to my ntp server
4. pass >> vlan50 >> in >> ipv6 >> protocol any >> vlan50 net >> single host or network: ff02::1/64 >> port any to any
description: allow multicast ipv6
5. block >> vlan50 >> in >> ipv4/6 >> protocol any >> vlan50 net >> RFC1918 >> port any to any
description: block vlan50 to all local IP defined by RFC1918 alias
6. block >> vlan50 >> in >> ipv4/6 >> protocol any >> vlan50 net >> invert >> RFC1918 >> port any to any
description: block vlan50 to all WAN IP defined by inversion of RFC1918 alias
Hope this makes sense and is what you were looking for
Rules #1 and #4 are the minimum to make Matter work, I expect. #2 and #3 just point devices to local NTP and DNS. #5 prevents devices from trying to reach out to another device unless allowed. #6 prevents devices from trying to contact anything outside the local network.
after you enter above I believe you should see the dhcpv6 under “services” for your iot network
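To see how the six rules above interact, here is an added example (not from the post or from OPNsense) that models first-match evaluation of that rule set against a few constructed flows from a VLAN50 device. All addresses and aliases are constructed lab values; the post does not list its real server IPs, DNS or NTP hosts.

```python
import ipaddress

# Constructed lab addresses; the post does not give its real aliases or hosts.
VLAN50_NET = ["192.168.50.0/24", "fd50::/64"]        # "vlan50 net"
SERVERS    = ["192.168.30.10", "192.168.30.11"]      # "server IPs" alias on VLAN30
DNS, NTP   = ["192.168.30.10"], ["192.168.30.10"]    # rules 2 and 3 (constructed)
RFC1918    = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def in_any(addr, nets):
    """True if addr falls inside one of nets; an IPv4 address never matches an IPv6 net."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)

# (rule number, action, destination nets, invert destination) in the posted order.
RULES = [
    (1, "pass",  SERVERS,        False),
    (2, "pass",  DNS,            False),
    (3, "pass",  NTP,            False),
    (4, "pass",  ["ff02::1/64"], False),   # IPv6 multicast, written as in the post
    (5, "block", RFC1918,        False),   # no lateral traffic to other local nets
    (6, "block", RFC1918,        True),    # inverted alias: everything not RFC1918
]

def evaluate(src, dst, rules=RULES):
    """Return (action, rule number) of the first matching rule.
    OPNsense rules are 'quick' by default, so first match wins; a flow that
    matches nothing falls through to the interface's implicit default deny (rule 0)."""
    if not in_any(src, VLAN50_NET):
        return ("block", 0)
    for num, action, nets, invert in rules:
        hit = in_any(dst, nets)
        if invert:          # "invert" on an IPv4-only alias also matches every IPv6 destination
            hit = not hit
        if hit:
            return (action, num)
    return ("block", 0)

if __name__ == "__main__":
    for src, dst in [("192.168.50.20", "192.168.30.10"),  # bulb -> Matter server
                     ("fd50::20", "ff02::fb"),            # bulb -> mDNS multicast group
                     ("192.168.50.20", "192.168.40.5"),   # bulb -> host on another VLAN
                     ("192.168.50.20", "203.0.113.9"),    # bulb -> IPv4 internet
                     ("fd50::20", "2001:db8::1")]:        # bulb -> IPv6 internet
        print(src, "->", dst, evaluate(src, dst))
```

Reordering the list so the two block rules come first shows why the pass rules must sit above them: the multicast flow then dies on rule 6 before rule 4 is ever reached.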
Yes. I believe static is correct.
I also have this checked. Don't remember details of why or if this was defaulted.
I suggest spending some time learning IPV6 differences from IPV4. It is significant and hard. I think I spent a week or two reading up on this before I even attempted to set this up in opnsense. Not saying you have not or don't know, I'm just providing my standard recommendation.
I am not an opnsense or network master. Please Please Please read the documentation and understand any changes you make and any recommendation of mine you implement. A misconfiguration can be VERY BAD. If you find something wrong or think something can be done better I would appreciate you telling me. I am maybe a 2 yr user of opnsense and it's hard but the best decision I ever made (to move away from Unifi USG).
Lastly, BACKUP YOUR CONFIG before you make any changes.
I’ve had a bad habit of making significant firewall rule and settings changes without a backup to start. I suggest backup >> download locally >> make changes before any change. It's not fun having your network down for several hours because you made an unintentional change and couldn't recover.