How do you get pfSense and a couple of VLANs to auto-detect devices? I'm frustrated

Hi, so I tried to get help at the pfSense forums, as the Discord said it was firewall rules, but I didn't get help.

I have my network 192.168.0.x that covers my LAN, cameras and IoT devices.

Now I added 3 NICs to my HA because I could:
192.168.0.x LAN
192.168.10.x Cameras
192.168.20.x IoT Devices

My Home Assistant IPs are:
192.168.0.12 LAN
192.168.10.12 Cameras
192.168.20.12 IoT Devices

I find all IoT devices and cameras auto-detect when on the LAN.

If I move them over to the Cameras and IoT Devices VLANs,
they don't carry over, like HA can't re-change the IPs.
If I delete them in Devices and reboot HA, they can't be auto-detected.

I was told I need like mDNS and Avahi, whatever that stuff is… how do you properly set up HA to auto-detect IoT devices and cameras and LAN stuff on their separate Ethernets… I'm lost… and they couldn't really help.

One said HA needs to go on the IoT Devices… but shouldn't HA be able to auto-detect on all 3 LAN ports I have… so it scans each one… so I'm stuck.

Is there a video? I'm a visual learner, so is there a video of someone setting up HA with separate VLANs to separate things like I have, and in pfSense?

In general you want pfSense to manage your network/VLANs - not HA. Avahi is a package you install in pfSense using the pfSense package installer.

This video should help.

Do you have a diagram of how this is all hooked up? What are you running pfSense on?

I will watch that video.

Here is a crap design I just made in Windows Paint… and I'll take a look at the video.

That doesn’t look right.

pfSense should be the router between the VLANs.

Do your switches support VLANs?

If so, you can have a single cable go into both HA and pfSense and configure it for trunk mode.

I set up 4 VLANs with pfSense and Cisco switches. It was really painful. There’s a lot to learn.

Yes, so pfSense is the router; it created the Cameras and IoT Devices VLANs, the LAN, the VPN and a couple of others.

Then it's linked to the MikroTik managed switch, which is VLAN-enabled: VLAN 10 for the PoE switch for the VLAN 10 cameras…

Then from the MikroTik it goes to the unmanaged switch in my house and to the TP-Link AX3000 AP, but VLANs aren't enabled on it because they don't want to work with HA yet… so it's just on the LAN.

So from the MikroTik switch it's trunked to my Cisco/Linksys switch… it goes into my Unraid at 192.168.0.3; it's also tagged for 2 other network cards for VLAN 10 and 20.

In Unraid I have:
192.168.0.3 for Unraid LAN
192.168.0.12 for HA VM on LAN
192.168.10.2 for Unraid Cameras interface
192.168.10.12 for HA IP for Cameras VLAN
192.168.20.2 for Unraid IoT Devices interface
192.168.20.12 for HA IP for IoT Devices

I also use an Asus router for now, from the Cisco switch, so the IoT devices can be on the LAN; if I stick them on a VLAN HA can't see them… pfSense sees them, but the auto-discovery in HA doesn't work.
But I haven't had a chance to watch the video to find out why VLANs don't auto-detect inside HA.

What are you trying to gain by segmenting your network?
Normally you would segment a network to split up the broadcast domain, which affects exactly the auto-discovery services that usually use broadcast, or because you want to limit access between devices, which would require a routing-aware device, like a router, possibly with a firewall.
HA is NOT a router, and you have already gained the effect of limiting the broadcast domain, but you do not want it, so what is the purpose?


I have no idea what you're talking about.
The purpose is I ran out of IPs in 192.168.0.1 and I wanted to split up my network:
LAN for home stuff
Cameras, at least 30 cameras
IoT devices, at least 100 devices

I do not know what a broadcast domain is.
I know HA isn't a router, not sure where you thought I said that…
I still don't know what you're talking about with "I already gained the effect of limiting the broadcast domain"… you need to explain what you are talking about, as I don't understand, at least for dumb people like me.

If you can’t look up what a broadcast domain is you shouldn’t be messing with vlans.


Honestly, you’re going to be better off moving to a larger subnet - from a /24 to a /23 (or even a /16 if you’ve no idea what a subnet is).

With 192.168.0.1/16 you can use every IP from 192.168.0.1 to 192.168.255.254 - you’re not going to run out in a hurry.


When you have a network like yours, 192.168.0.0/24 (/24 = subnet mask 255.255.255.0), then you have a broadcast IP address for that network, which is the last IP address in the range, i.e. 192.168.0.255.
If a device wants to send a message to all devices, then it sends the message to that broadcast address and the network gear will make sure that all devices in the subnet receive the message.
If you have another network, like 192.168.10.0/24, then that network will not receive the broadcast from the 192.168.0.0/24 subnet.
If the broadcast should be received by the devices on the 192.168.10.0/24 subnet, then the broadcast address 192.168.10.255 should be used.
Broadcast addresses are by default not routed, because there is a lot of broadcast traffic which does nothing other than publish information to other devices on the same network, so routing it would often mean a lot of unnecessary noise in the form of published information that is useless to other networks.
Your Windows machine might publish that it is on the network and that it might have a shared folder available or a printer connected that can be used over the network. This is information you would probably want to keep on that specific subnet.
Remember that 192.168.0.0/24 and 192.168.10.0/24 are just 2 subnets here. There will probably be at least one more, and that is the subnet of your internet connection, which you also certainly do not want to publish information about your Windows machine on.

You can make published information move from one subnet to another subnet, but that requires routing, and this is where my router comment comes in; but it can be a big mess to handle broadcasts across different subnets, and it requires a router with options for advanced routing.

Your idea of having HA on multiple subnets is not something HA is built for.
HA cannot just run a single instance of each of the many discovery services and then connect those services to the different networks, because most discovery services are autonomous in selecting a master accountant for the list of services, and when that master accountant device gets shut down, another will be selected.
If HA gets selected, then the information from the different subnets would be mixed together and you will have polluted lists from then on.

A router will run a separate instance of the discovery services for each subnet, but this is not something HA is built for, and it is a complex, error-prone undertaking to make it happen.
One error in these discovery services and you might have to shut down all devices in the network to make sure that no master accountant holds a list with the error, due to the autonomous nature of those services.

I would say, as Tinkerer did, use a bigger subnet instead.
A /24 subnet will give you 256 IP addresses, and 254 are usable for hosts.

A /23 will double that to 512 IP addresses, and 510 of these are usable for hosts.
Using 192.168.0.0/23 will put 192.168.0.0/24 and 192.168.1.0/24 together in the same subnet and broadcast domain.

A /22 will double the /23 network and give you 1024 IP addresses, and 1022 of these are usable for hosts.
Using 192.168.0.0/22 will put 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 in the same subnet and broadcast domain.

The 2 IP addresses in each subnet that are not available to hosts are the first one, like 192.168.0.0 in a /22 network, which is the network IP address, and the last one, like 192.168.3.255 in a /22, which is the aforementioned broadcast address. In a 192.168.0.0/22 subnet the IP addresses 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.0.255, 192.168.1.255 and 192.168.2.255 will be available to hosts, because they are not used for network and broadcast IP addresses here. Only the first and the last one of the entire subnet are reserved for this.
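The subnet arithmetic in the two replies above (Tinkerer's /23 and /16 suggestion, and the /24, /23 and /22 breakdown with its network and broadcast addresses) can be checked with a few lines of Python. The script below is an added example, not code from the thread, Home Assistant or pfSense; it uses only the standard library ipaddress module, and the addresses it feeds in are the ones from this thread (192.168.0.12 for the HA LAN interface, 192.168.10.12 for its Cameras interface). It goes slightly beyond the posts by also answering "are these two hosts in the same broadcast domain under a given prefix?", which is the question behind why a /24 host never sees a broadcast from a /24 neighbour but a /20 or /16 would.

```python
"""Subnet / broadcast-domain calculator (added example; standard library only).

Assumes IPv4 prefixes of /30 or shorter, where the first address is the network
address and the last is the broadcast address, exactly as described in the thread.
"""
import ipaddress


def subnet_summary(cidr: str) -> dict:
    """Network, netmask, broadcast, host range and usable-host count for a CIDR block.

    strict=False lets a host address such as 192.168.0.1/16 be passed in; it is
    normalised to the network address (192.168.0.0/16).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "total": net.num_addresses,
        "usable": net.num_addresses - 2,  # minus network and broadcast addresses
    }


def is_usable_host(ip: str, cidr: str) -> bool:
    """True if ip sits inside cidr and is neither its network nor broadcast address.

    This is the point made about a /22: 192.168.1.0 or 192.168.0.255 are ordinary
    host addresses there, because only the first and last address of the whole
    block are reserved.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def same_broadcast_domain(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True if ip_b falls in the subnet that ip_a belongs to under the given prefix.

    A broadcast sent by ip_a only reaches hosts for which this returns True.
    """
    net_a = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


def covered_24s(cidr: str) -> list:
    """List the /24 blocks that a larger prefix merges into one broadcast domain."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:
        return [str(net)]
    return [str(sub) for sub in net.subnets(new_prefix=24)]


if __name__ == "__main__":
    for cidr in ("192.168.0.0/24", "192.168.0.0/23", "192.168.0.0/22", "192.168.0.0/16"):
        s = subnet_summary(cidr)
        print(f"{cidr:17} mask {s['netmask']:15} broadcast {s['broadcast']:15} "
              f"hosts {s['first_host']}-{s['last_host']} ({s['usable']} usable)")
    print("/22 merges:", covered_24s("192.168.0.0/22"))
    # Addresses used in this thread: HA LAN interface and HA Cameras interface.
    for plen in (24, 23, 20, 16):
        print(f"/{plen}: 192.168.0.12 and 192.168.10.12 share a broadcast domain:",
              same_broadcast_domain("192.168.0.12", "192.168.10.12", plen))
```

Running it shows the /24 to /16 numbers from the thread (254, 510, 1022 and 65534 usable hosts), that 192.168.1.0 and 192.168.0.255 are valid host addresses inside 192.168.0.0/22, and that the HA LAN and Cameras interfaces only land in one broadcast domain once the prefix is /20 or shorter.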

@WallyR ah ok, ya, I basically understood that about the 255.255.255.255 broadcasts; it's the way you said it all. What I'm trying to do is segment my network, and also "you have already gained the effect of limiting the broadcast domain" is what I was really asking about, what you meant, because to me it didn't make sense… my dyslexia gets in the way; I write it the way I think it should sound, but it gets confusing for someone else…

I did find a link where they modify Home Assistant to detect VLAN stuff… but apparently it doesn't work anymore:
Setup VLAN and HA tutorial - Configuration - Home Assistant Community (home-assistant.io)

And I was on the pfSense forums but they didn't help much… and I said I'm better off just expanding my network… but I was also told I should break up my network.

My current way of doing my IoT, LAN, VPN, DMZ and gaming
is I split up my 192.168.0.1 to 254 into segments… so I made 1-20, say, for servers etc., 21-50 for non-VPN, 51-200 for IoT devices, 201-254 for VPN clients… basically like that… then I was told on pfSense in the past that I shouldn't do it that way, that you want VLANs…

And then I thought once VLANs are set up and Home Assistant has 3 network cards in it… that at boot… instead of Home Assistant just scanning the 192.168.0.x network, it would be scanning 192.168.0.x, 192.168.10.x and 192.168.20.x at boot-up… that is what I thought it would be doing, so it would scan the first network… then when it's done it scans the 2nd network, then it would scan the 3rd network…

But you're saying I should do what I've been doing, just expand more… to a /23 or /22. I just liked how the VLAN worked… I set up DHCP, and what I do for each one is DHCP, then reserve it… to get it in the range, but I basically ran out, and now my IoT devices are on my VPN network.

But ya, originally I thought it was just that simple, but the link I provided, I guess, did that: it made Home Assistant able to scan the VLANs to find cameras… but the link inside the link doesn't work anymore and people are reporting the trick doesn't work anymore…

But ya, I originally squeezed it into a /24 network, but then was told I should be using VLANs, but then HA just didn't scan them, and even if they were pre-set up on the LAN and I moved them over to VLANs, HA doesn't see the IP changes… and then on the pfSense forums they said maybe you can manually change the IPs of the IoT devices and cameras to move them from LAN to VLANs, but I don't know if you can do that?

And they didn't tell me about routing, just about mDNS and Avahi or something, and I'm only part way through the Lawrence video above I got linked to watch…

Guess nothing's perfect… and I'm always learning… and at least you went more in depth, which I appreciate too…

Oh, and I also thought for auto-discovery for Reolink the broadcast is set to 255.255.255.255; I thought that was supposed to cover the IP range like 1.1.1.1 to 255.255.255.254 if you had that on your network, so I thought that should scan my 3 network interfaces, at least that's what I thought.

You can choose to do VLANs, but you will probably not get auto-discovery to work.
Most (I would say all) connections in HA will work with manually setting them up, though, so you do not really need auto-discovery.
As for having multihomed servers (which is what you have with your setup with 3 network cards), it is really not best practice, and in the few cases where it is still used it is not the same service that is running on the different network cards.
It is best to let a router handle the VLAN interconnections, and then you can also add a firewall on top of that.

VLANs can be a nice thing to do, but you really should have a complete network infrastructure ready to handle them. Many devices are VLAN pass-through, which means that they will not interfere with a VLAN packet stream, but they also cannot act on it. Some devices are not even tested for VLAN pass-through, and how those react to a VLAN packet stream is unknown. Especially the unmanaged switches are a concern here.
VLAN devices that cannot act on a packet stream will not be able to use different VLANs on ports.

Regarding Reolink, I do not know why 255.255.255.255 is set as the broadcast.

My advice is to go with a bigger subnet for now, and maybe even go to 192.168.0.0/20, which will give you 192.168.0.1 to 192.168.15.254 for hosts, with a subnet mask of 255.255.127.0, so you have enough IPs for the future and can design your IP reservations as you like.

Then in the future, when you replace your network gear, try to upgrade it so you have true VLAN capability on all devices. Especially the access point is nice to have VLANs on, so you can make different WiFi networks for gear like IoT.
VLANs are probably the future for networks with IoT, and HA users are at the front here, which your 100 IoT devices clearly show, so you will probably go that way eventually, but get your hardware up to speed too, and make sure that especially your router is capable of handling the load this will put on it.

@WallyR another reason I went with the 3 network cards is to not bog down my Unraid…
since I also plan to have 30 cameras throughout my property; I'm only at 5.

But everything goes through my 1 Gb network card on my Unraid… so Plex, file server, VMs, web server, game server, HA, Shinobi or Blue Iris, so I also figured if everything goes through 1 NIC it's going to bog it down to copy over the network… so I figured put the cameras on their own NIC so they can't bog down the network…

My Cisco/Linksys is an older business switch… with VLANs on it, not sure if it's layer 2 or 3; my managed switch is a CSS326-24G-2S+ MikroTik and has the VLANs in it. I have 1 AP, a TP-Link EAP650 AX3000 with VLANs on it, and the router I just use to originally set things up. I wanted to get an outside antenna and maybe Ubiquiti UniFi APs; I dunno if you can mesh the TP-Link with the UniFi and other brands, read about this SDN Omada you need or something.

I did look in pfSense; I saw you can have pools. I doubt I can make VLANs using pools… so you have your range of 192.168.0.1 to 192.168.200.1, say, and in the additional pool you set 192.168.10.1-192.168.12.1 as a VLAN linked to the additional pool; this way you can stay on the LAN but it's split as a VLAN… doubt you can do that, but it would be cool.

As for the Reolink, ya, if you install the Reolink discovery its default broadcast is 255.255.255.255, so I figured it would scan all 3 network cards… maybe in a future HA that will be more reliable.
As for my router, it's nothing special; I bought a micro onboard motherboard… it is Intel(R) Celeron(R) J4105 CPU @ 1.50GHz Current: 1500 MHz, Max: 1501 MHz 4 CPUs: 1 package(s) x 4 core(s).

I'd like to also go 10 Gb; the MikroTik has 2 10 Gb uplinks, but 10 Gb network rackmount switches are still so expensive.

A poor man’s alternative to 10G Ethernet is NIC teaming, if supported by the switch and the VM server. It allows you to aggregate NICs, giving you more bandwidth and reliability.

To alleviate high bandwidth usage you should use another NIC on the Unraid. Simply using a bunch of VLANs on the same NIC won’t do it.

The Cisco/Linksys switch connected to the Unraid server has the LAGG in it; not sure about the MikroTik one.

Also, my Unraid has 5 NICs in it; I use 3 of them so far.

I never did get the LAGG to work, or at least didn't notice… like round robin or the 5 different options you choose from, backup etc…
So instead I did now:
1 for Unraid
1 for Cameras
1 for IoT Devices
and 2 others just spares at the moment… and I have other VLANs I'm playing with: DMZ, guest, and then I have my VPNs…

Ya, I figured if I had 10 Gb then you can run Unraid on an uplink port and then the VLANs would be on all that… then lots of room for speed… well, I dunno really, in theory, right lol.

The managed switch should be able to handle that traffic, I’d assume, unless you are really hammering it. Hardware stats (CPU, etc.) should give an idea of what’s slowing it down.

Nothing's slow yet; I'm using a Ryzen 3700X CPU. I meant if I'm streaming 4 machines of Plex, copying files at the same time, VMs running, and then having 30 cameras or so recording, I figured a 1 Gb NIC would be slow, which is the reason I split things into 3 sections, so it splits the load off the Unraid network card… so like Blue Iris or Shinobi would be on the cameras NIC… but I'm not sure, if I get another MikroTik switch, if you can plug the Unraid into the uplink port and use a 10 Gb NIC in the Unraid machine to take all the traffic then with no slowdown… as it uses a fibre uplink, so I don't have fibre cables.

A 10G port would handle all that without noticing. It would just be a matter of which devices have an SFP port for fiber.

Ah ok, ya, I was thinking an SFP link to the Unraid box with a 10 Gb NIC; I'd have to change my switch to a MikroTik also, from the Cisco one.

And do you happen to know if you can mix and match brands of APs? I have a TP-Link EAP650 but wanted to mesh it if I got other brands like UniFi, as I just want a couple of WiFi SSIDs… I only have the one, but curious if you can mix and match, if you happen to know.