How to make Matter devices work while having multiple VLANs

OK, so I am writing this tutorial, as I spent hours trying to figure this out. I have a full UniFi networking setup, and I have multiple VLANs. I have my trusted VLAN and an IoT VLAN. All my smart home devices are on my IoT VLAN, with specific ports being allowed to be accessed from IoT to Trust, such as 5353, 5540, etc. Also additional rules so that IoT cannot access anything else on my network.

I recently updated my Leviton Smart Switches to the firmware that supports Matter, Matter over Wi-Fi specifically. Until now I was using the following integration via HACS https://github.com/schmittx/home-assistant-leviton-decora-smart-wifi to bring my Leviton switches into HA. I also use the HomeKit Bridge to add them to my Apple Home app.

I noticed that when I physically turn the lights on (or off), there definitely was a 15-30 sec delay in HA and HomeKit to see their status update.

However, if I turn them on (or off) from HA or Apple Home, the response in seeing the light itself turn on is instant. This made sense to me as the status change is obtained from the cloud (Leviton). So given that I have OCD and I can't help myself, I went down the rabbit hole of "hey, it supports Matter, that should not need to go out to the internet to fetch status".

So here are the things I realized and the problems I ran into:

  1. I was able to add the Leviton switch to my Apple Home using the Matter code when my phone was on my trusted VLAN, or to HA directly. This means I'd factory reset the switch, then pair using the Matter code, and in my UniFi console I'd see it now sitting on my trusted VLAN. Cool... but that defeats the whole purpose of me having my IoT devices on a separate VLAN. The response was very fast: if I physically turned it on or off, HA and Apple Home would update within a second or two, at most.

  2. I could put the switch (after factory reset) on the IoT VLAN using the Leviton app, but then adding it to HomeKit using my iPhone or to HA using the Matter integration, given those devices are on the trusted VLAN, would not work. They could not even see the device. That's because with most people's configurations IPv6 (which Matter uses) cannot communicate across VLANs.

  3. When I then factory reset the switch, put it in pairing mode, and put my phone on the IoT VLAN, they would pair!!! and it would get added to Apple HomeKit, but after about 30-60 seconds it would become unresponsive. As most often with Matter over Wi-Fi, the initial pairing happens with IPv4, and then the rest with IPv6. Well, many people would say "turn on IPv6, turn on IPv6"; yeah... that doesn't really do much even if it's turned on. IPv6 is very different from v4. It almost always has to do with your ISP. Notice I said almost always. For most people who are using multiple VLANs, only one of your VLANs gets an IPv6 IP internally.

So why would it pair when both devices were on the IoT VLAN, but then stop responding even though my phone was still on the IoT VLAN? Well, once pairing finishes, the Matter stack (and Apple's HomeKit framework) tries to form a persistent, routable IPv6 connection using each device's global or ULA address, not the link-local one.

That’s because:

  • Link-local addresses can’t cross routers.
  • The HomePod (your hub) may be on another VLAN later.
  • Matter’s secure channel (CASE) is bound to a stable IPv6 address, not fe80::.

But your IoT VLAN had no ULA or global prefix, so the Leviton never got any routable address.
It only had fe80::..., which isn't valid once the phone or controller stops using link-local discovery.

So what are/were the solutions for this?
A. Your ISP needs to give you a delegated prefix (DP) that is /64 or greater: /60 or /56. SOME people have this; they don't even know it, have no clue what it is, and simply just turning on IPv6 for both VLANs just works for them, nothing to do. However most people, including me, do not. Most ISPs won't give it to you either.

B. In the absence of A, your other solution is NAT66 prefix translation. The following steps are ONLY for UniFi as that's what I have. First and foremost, look at your TRUST, or "main", VLAN. Under IPv6, you will have a gateway IP/subnet. In your other VLAN, it will be blank. That's because of the /64 PD you are getting from your ISP.

  1. In your IoT VLAN, assign the private ULA prefix fd00:2::/64 to the IoT VLAN (of course enable IPv6 on both VLANs, set to prefix delegation, and RA enabled).
  2. SSH into your UniFi router, and test by running ip -6 addr show | grep 2600:. This should return two inet6 values.
  3. From a client on your IoT VLAN run ping6 fd00:2::1; this should return results.
  4. Wait for your UniFi gateway to assign an IPv6 address, or factory reset and add to the IoT VLAN again. Then run
    ip -6 neigh show | grep -i <MAC ADDRESS OF YOUR DEVICE>
    This should return a result saying "reachable".
  5. Then SSH into your UniFi router and run
    ip6tables -t nat -A POSTROUTING -s fd00:2::/64 -j NETMAP --to <gateway ip/subnet value from your trusted (main) vlan>
    ip6tables -t nat -A PREROUTING -d <gateway ip/subnet value from your trusted (main) vlan> -j NETMAP --to fd00:2::/64
    Note: you will probably see a 1 right before the /64; leave that out.

That's it. Now it should all work.

If you had any firewall rules, make sure you account for them to be active for IPv6 too.
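The following script is an added example, not part of the original post or of UniFi's own tooling. It wraps steps 4 and 5 of the procedure above, plus the link-local versus ULA distinction from earlier in the post, into checkable helper functions meant to be run on the gateway over SSH: one derives the bare /64 prefix that NETMAP wants from the trusted VLAN's gateway value (the "leave out the 1 before the /64" step, with a check that refuses anything that is not a /64), one prints the two ip6tables rules for review before they are applied, one applies them only if they are not already present, and one reads `ip -6 neigh show` output and reports each address of a given MAC with its scope and state. Assumptions: the IoT ULA is fd00:2::/64 as in the post; the trusted prefix 2001:db8:1:2::1/64, the MAC addresses and the neighbour-table lines are constructed samples (the post uses the real ISP prefix); ip6tables with the NETMAP target is available, as the post's commands imply; all function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the NAT66 / NETMAP
# procedure, to be run on the UniFi gateway over SSH.
# Assumptions: IoT ULA fd00:2::/64 as in the post; the trusted VLAN's gateway
# value is a /64 such as 2001:db8:1:2::1/64 (constructed sample); ip6tables
# with the NETMAP target is present, as the post's commands imply.

IOT_ULA="fd00:2::/64"

# hextets: count colon-separated groups in an address fragment ("" counts as 0).
hextets() {
  [ -z "$1" ] && { echo 0; return 0; }
  c=$(printf '%s' "$1" | tr -cd ':' | wc -c | tr -d ' ')
  echo $((c + 1))
}

# addr_scope: link-local (fe80::/10) never crosses the router, which is why a
# device holding only fe80:: goes unreachable once discovery stops; ULA
# (fc00::/7) and global addresses are routable inside the network.
addr_scope() {
  a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case "$a" in
    fe8?:*|fe9?:*|fea?:*|feb?:*) echo link-local ;;
    fc??:*|fd??:*)               echo ula ;;
    *)                           echo global ;;
  esac
}

# net_prefix: turn the gateway value into the bare /64 that NETMAP wants,
# i.e. 2001:db8:1:2::1/64 -> 2001:db8:1:2::/64 (the "leave out the 1" step).
# Rejects anything that is not a /64 or where the host bits cannot be told
# apart from the prefix, so a typo does not become a wrong translation rule.
net_prefix() {
  addr=${1%/*}; len=${1#*/}
  [ "$len" = 64 ] || { echo "net_prefix: expected a /64, got $1" >&2; return 1; }
  case "$addr" in
    *::*) head=${addr%%::*}; tail=${addr#*::} ;;
    *)    head=$addr; tail=''
          [ "$(hextets "$head")" -eq 8 ] || { echo "net_prefix: malformed $addr" >&2; return 1; } ;;
  esac
  n=$(hextets "$head"); m=$(hextets "$tail")
  if [ "$n" -ge 4 ]; then
    echo "$(printf '%s' "$head" | cut -d: -f1-4)::/64"   # prefix is the first four groups
  elif [ "$m" -le 4 ]; then
    echo "${head}::/64"                                   # the "::" zeros pad out the prefix
  else
    echo "net_prefix: cannot separate prefix from host bits in $addr" >&2; return 1
  fi
}

# netmap_rules: print (do not run) the two ip6tables commands from the post.
netmap_rules() {
  trust=$(net_prefix "$1") || return 1
  echo "ip6tables -t nat -A POSTROUTING -s $IOT_ULA -j NETMAP --to $trust"
  echo "ip6tables -t nat -A PREROUTING -d $trust -j NETMAP --to $IOT_ULA"
}

# apply_rules: add each rule only if "ip6tables -C" says it is missing, so
# re-running this after a reboot does not stack duplicate NETMAP entries.
apply_rules() {
  netmap_rules "$1" | while read -r cmd; do
    if $(printf '%s' "$cmd" | sed 's/ -A / -C /') 2>/dev/null; then
      echo "present: $cmd"
    else
      $cmd && echo "added:   $cmd"
    fi
  done
}

# neigh_state: read "ip -6 neigh show" output on stdin and print
# "<address> <scope> <state>" for every entry with the given MAC. The post
# expects REACHABLE; an entry that only ever shows a link-local address means
# the device never picked up the ULA prefix from the router advertisements.
neigh_state() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  awk -v mac="$mac" 'tolower($0) ~ mac { print $1, $NF }' |
  while read -r ip state; do
    echo "$ip $(addr_scope "$ip") $state"
  done
}

# Constructed sample of "ip -6 neigh show" output (not captured from a real gateway).
SAMPLE_NEIGH='fe80::a8bb:ccff:fedd:eeff dev br3 lladdr aa:bb:cc:dd:ee:ff STALE
fd00:2::a8bb:ccff:fedd:eeff dev br3 lladdr aa:bb:cc:dd:ee:ff REACHABLE
2001:db8:1:2:1111:2222:3333:4444 dev br0 lladdr 11:22:33:44:55:66 REACHABLE'

# Usage: sh nat66.sh demo                        (sample check plus the rules to review)
#        sh nat66.sh apply 2001:db8:1:2::1/64    (on the gateway, as root, with your real value)
case "${1:-}" in
  demo)  printf '%s\n' "$SAMPLE_NEIGH" | neigh_state aa:bb:cc:dd:ee:ff
         netmap_rules 2001:db8:1:2::1/64 ;;
  apply) apply_rules "$2" ;;
esac
```

On a live gateway, replace the demo input with `ip -6 neigh show | neigh_state <mac>` and pass the gateway value from the trusted VLAN's IPv6 settings to `apply`. The rules added this way live in the running ip6tables state only, so they need to be re-applied after the gateway reboots, which is why `apply_rules` checks for an existing rule first.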


Lots of gotchas for newbies. Thanks for the writeup.

Hey, I'm a newbie, man. Also my networking knowledge is not good, but it's amazing what ChatGPT can do. I know how to research and I know how to test. So it helps.

Do you have the same setup, @IOT7712?

Nope, but I can see others are having related issues that could be troubleshot by following some of the steps outlined by you.

Just a heads up on this.

IPv6 takes precedence over IPv4, so once you set up IPv6, then your devices might switch to that protocol and that means you not only need to handle mDNS, but also all the other protocols used by the devices.

IPv6 and DNS? What DNS?

Not DNS, but mDNS.

I would be interested in what you found that indicates this is what is actually happening.
AFAIK, both the commissioning and operational phases of Matter only use IPv6.

My general comment, however, is that most of the problems with separate VLANs are that multicast DNS is heavily used by Matter to discover the devices and their addresses, and mDNS is link-local scoped (meaning confined to the VLAN it is sent out on and thus not across to other VLANs) for both IPv4 and IPv6. I'm not 100% positive, but from my read of the spec, I don't think Matter stores a device's IP address in a persistent manner (it is cached for some time); after all, a device's IP address could change over time. So as long as Matter is getting mDNS advertisements from the device, it will know what its current address is. I should add that another solution that others have had some success with is some form of mDNS relay/reflector so that the mDNS advertisements get relayed from the IoT VLAN to the other VLAN(s).

So yeah, I would also be interested in your findings that say it's persistent.

I was looking at the packets and the traffic. When I did not have the IP/gateway for IPv6 set, what would happen is it would pair, would show up in my HomeKit (Apple Home) (phone on IoT VLAN, switch on IoT VLAN, and Matter server, i.e. HomePod, on trusted VLAN), and then it would be unavailable. It would need to reach out, but again my trusted was using UGA and my IoT didn't, hence I had to fuck with the routes.

Of course with local IPv6 addresses, that's solved. However, I know many people that have a /60 or bigger from their ISP, and they don't get that, and it works.