How to use ESPHome in a VLAN setup

My setup: behind a firewall (blocking outside → in, obviously, and also a lot of inside → out). Remote access from phones uses a WireGuard tunnel.
No mDNS, no UPnP (UDP 5353, UDP 1900) used anywhere, except on devices that cannot be configured not to use them.
VLANs available throughout the home over a switched network.

Setup Relevant to this:
Core network (servers etc.) - Home Assistant frontend (users)
IoT network - Home Assistant VLAN extra interface
IoT network - ESP32Home - Aqara remote - solar converter etc. (RPi with Z-Wave, Zigbee, smart meter interface).
User wireless: restricted access to core, internet (using Pi-hole).
Guest wireless: (unrestricted internet, severely restricted access to internal, almost the same as internet)

The IoT network has a one-way access policy (restricted in, nothing out); the firewall does have a link into it to provide DHCP. A limited set of tools can access the IoT network from the core.

During voice setup:
The device is powered over USB and recognized in HA.
Configuration starts and the firmware upload works, but when configuring it as an assistant it fails at getting sounds.

I tested on the IoT network whether HA is usable; it is.
I guess the ESPHome is given the front address of Home Assistant (enp2s0 interface) instead of the IoT interface.
ESPHome lights can be controlled from HA, so there is some communication.

How to solve?

The easiest way to solve this is to simplify your network. ESPHome and HA will work best together if you have them on the same VLAN. If you don’t, you have to get mDNS working across VLANs and then (assuming you are isolating the two VLANs) figure out all the ports you have to open.

After you do that, it will probably never work smoothly, so make sure to set aside plenty of time for troubleshooting and care and maintenance. Some days the mDNS will be fine. Other days it will just refuse to work.

You can easily add ESPHome devices via IP address. If you enable “ping” in the add-on it will show them as on/offline.

As others have said simplify, I only have two VLANs:

  • Automation (50) - Where HA and my IOT devices live.
  • Default (1) - Where everything else lives.

For automation the default is locked down:

  • Nothing out.
  • Inbound only possible from Default VLAN.
  • Return packets for active connections allowed.

HA and one other device need internet access, so I use an explicit FW rule for those IPs - otherwise the default (no access) would apply. End devices never see the VLANs - it’s handled entirely by the switches and router - all end device packets are untagged.

So to HA and the other IOT devices the network looks flat.

Voice devices get response audio from the address set in HA UI >> Settings >> System >> Network >> Local network. If the device cannot access files at this address you will not get an audible voice response. If you look at the logs you will see the text response and the web link to the response audio.
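The check described in the post above (is the address HA hands to the voice device one the device's VLAN can actually reach?) written out as an added example script. This is not code from the thread or from Home Assistant/ESPHome. It assumes HA is dual-homed as the OP describes, with one interface per VLAN, and it uses constructed addresses and interface names as stand-ins for the thread's 192.168.FRONT.x / 192.168.IOT.x placeholders; the device address is constructed too.

```python
"""Check the address Home Assistant hands to an ESPHome voice device and
whether the device's VLAN can reach it.  Added example, not Home Assistant
or ESPHome code; the addresses are constructed stand-ins for the thread's
192.168.FRONT.x / 192.168.IOT.x placeholders."""
import ipaddress
from urllib.parse import urlsplit

HA_PORT = 8123  # Home Assistant's default HTTP port

# Constructed: HA is dual-homed with one interface per VLAN (address/prefix).
HA_INTERFACES = {
    "enp2s0": "192.168.10.65/24",     # core/front VLAN (stand-in for FRONT)
    "enp2s0.20": "192.168.20.15/24",  # IoT VLAN sub-interface (stand-in for IOT)
}
DEVICE_IP = "192.168.20.31"  # constructed ESPHome voice device address


def url_host_port(url, default_port=HA_PORT):
    """Split a 'local network' URL into (hostname, port)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return parts.hostname, parts.port or default_port


def interface_for(device_ip, interfaces=HA_INTERFACES):
    """Return (name, ip_interface) of the HA interface on the device's subnet, or None."""
    dev = ipaddress.ip_address(device_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if dev in iface.network:
            return name, iface
    return None


def recommended_local_url(device_ip, interfaces=HA_INTERFACES, port=HA_PORT):
    """URL the device can reach without crossing the firewall, or None if HA
    has no interface on the device's subnet."""
    hit = interface_for(device_ip, interfaces)
    return None if hit is None else f"http://{hit[1].ip}:{port}"


def check_local_url(local_url, device_ip, interfaces=HA_INTERFACES):
    """Classify the configured URL from the device's point of view.

    Statuses: ok (HA address on the device's own subnet), wrong-subnet (an HA
    address the IoT VLAN can only reach if the firewall allows IoT -> core),
    mdns-name (.local, needs mDNS on the same segment or a reflector),
    dns-name (needs a resolver the IoT VLAN can reach that knows the name),
    not-ha-address (the URL does not point at HA at all).
    """
    host, port = url_host_port(local_url)
    result = {"host": host, "port": port,
              "recommend": recommended_local_url(device_ip, interfaces, port)}
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        result["status"] = "mdns-name" if host.endswith(".local") else "dns-name"
        return result
    dev = ipaddress.ip_address(device_ip)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.ip == target:
            result["interface"] = name
            result["status"] = "ok" if dev in iface.network else "wrong-subnet"
            return result
    result["status"] = "not-ha-address"
    return result


if __name__ == "__main__":
    # The 'automatic' setting in the thread picked the front address; compare
    # it with the address the IoT interface would give the device.
    for url in ("http://192.168.10.65:8123", "http://haos.local:8123",
                "http://192.168.20.15:8123"):
        r = check_local_url(url, DEVICE_IP)
        print(f"{url:32} -> {r['status']:14} recommend {r['recommend']}")
```

Run it with the real interface table and device address taken from the ESP device log; a "wrong-subnet" or "mdns-name" result on an IoT VLAN with a no-egress policy is exactly the case where the text response is logged but no audio is played, and the "recommend" value is the URL to put under Local network.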

Well, the HA device DOES have access in the IoT LAN; if I hook up a laptop there, I can do anything…
The HA device also has access on the LAN interface (for regular use); that also works.
Presumably HA doesn’t communicate the right name/address to the ESPHome. (There is no way to tell this in the setup panel.)
Also there is an issue with names… DNS name haos.domain.lan,
where the HA stack appends a .local for no reason.

Functionally similar, although there are more VLANs here (like one for the NAS with jumbo frames, a DMZ, …).
Effectively only two are relevant here: LAN (wired core) + IoT (wired & wireless).

Another observation…
Powered everything off, and the Choice ESPHome is “deconfigured”…
It doesn’t remember its config? At least it doesn’t reconnect on wireless.
When the USB is replugged from the power adapter to the HA system, it is recognized as a “New Device”… not very reliable, and also not a setup for a system in the attic and a few ESPHomes in several rooms… for voice activation?

There are a plethora of threads covering this topic, but if you still haven’t figured it out, here -

Home Assistant is designed to be on a flat network. It doesn’t matter how you set up your firewall for the traffic; you’ll still need to bounce the frames using a reflector for mDNS and/or Avahi. Reflectors can be a PIA to set up and get working right. For this reason, several users dual-home their HA machine using 2 NICs to bypass the mDNS/Avahi traffic hurdle. If the HA machine doesn’t have 2 NICs via hardware, you can use nmcli in the terminal to create a secondary virtual NIC and assign it to a VLAN. There are plenty of people on this forum that are adamant against using this adaptation, as it can create a new set of security issues if you don’t know how to harden your networks.

Considering you already understand how to setup firewall rules between your networks, that is half the battle. You can still harden your HA machine further using ip-ban and CrowdSec App, especially if you’re not using a wildcard domain when granting external access. If you are against dual-homing your HA on both networks, good luck getting a reflector to work.


Turned off mDNS, huh? (You need an mDNS reflector in every subnet you intend to use with HA. HA DNS is already weird; kill mDNS and God help you… Yes, even with static IP. mDNS is not DNS.)

Also, chill the tone. Yes, we understand you don’t want a flat net. Sorry, HA isn’t designed that way, nor is Matter, and Matter also requires IPv6, so if you’re going to segment you have a lot of studying to do. You’re going to have to turn those rules into Swiss cheese and stay on top of them. You’ll need reflectors, and lots of them; you’ll need to rebroadcast discovery messages… It’s not just ‘open a port’; you need to be a full-time network engineer now. Sorry.

Do you mean mDNS?
.local is the default and can’t be changed (my understanding; I found no documentation).
Are you trying to use haos.domain.lan? You need to set that at the router.

The ESP device logs will show you exactly what address HA is sending and will give you the web link to the audio file for the response. Have you checked this?

HA will send the link based on whatever you have set in network settings, as previously mentioned. Did you check there and verify it is accessible from the IoT VLAN?

Just realized I never asked a question; not sure what you’re replying to here. I had no doubt HA can reach IoT. I presume you understand that is required. What I want you to check is: are you sending an IP/domain reachable by the voice devices? Can IoT reach the IP HA is sending it, and what is that IP/domain?

If you just leave local network set up by default there’s no telling what is happening, so it’s best to check.

Just to be clear: is the issue “voice assistant will not respond”, or are you looking for assistance setting up VLANs?

The HA device is dual-homed using a VLAN interface in the IoT VLAN. No problem there.
All IP-based devices are in that VLAN, so no problem there.
If devices need mDNS inside that VLAN, no problem as well. Intra-LAN traffic is not suppressed.
The IoT VLAN has no way out (except for HA, if it starts acting as a router).

Wrt. network settings (@tmjpugh):
Hostname set: haos.domain.lan
Local was automatic; I will set that to the URL with the IoT LAN address hardcoded. (Add: that was a struggle, to keep the automatic button set to off.)
IoT LAN was DHCP, now a manual address. I’ll try later tonight.

The setting of the front URL didn’t seem to have any effect.
If it is only meant to allow access by public internet resources, it can be blank anyway. (Not going to happen.)

Access to all stuff from mobile phone to LAN (any devices) is via a WireGuard VPN. No need for public exposure of anything other than a WireGuard port.

HA device network: 192.168.FRONT.65 & 192.168.IOT.15
The ESPHome received: 192.168.IOT.31

This is your HA server?

What device is this IP for? That was in the ESP device log? Can you provide the relevant log?

What do you have set in HA settings as “local network”?

IOT.15 was the HA server.

It was Automatic.
Now manually set to http://192.168.IOT.15:8123
For next attempt.

(that seemed to work). Now it responds.

Alright, so you have it dual-homed. There is no way for HA to act as a router; it is a host device, unless you’re explicitly saying that because you’re using traditional intellectual networking lingo. You should be using static IPs on each interface. Is ESPHome running as an App within HA, or as a virtual machine (i.e. Proxmox or Docker?), or as an entirely different machine in the network? Sorry, that is where the confusion must be when I read the OP. If you’re using HAOS with the ESPHome App, dual-homing HA with 2 static IPs (one for each interface), then despite ESPHome assigning its own .local mDNS within the dockerized container, your network mDNS shouldn’t have any issues with discovery. Been there, done that.

I am going to sound repetitive (with the other commenters), if I am reading your posts correctly the only practical differences between your setup and mine is that:

  • My Home Assistant installation is single homed.
  • Home Assistant is connected to the same VLAN/Subnet as all my IOT devices.

So from the HA/IOT devices perspective the network looks flat.

Those are the only two changes I am recommending for you:

  • Single home HA
  • And place it on the IOT subnet/VLAN.

If you only had the one issue and all is working now, it would help to mark this as solved so others will know, and this may help others.

If there was another issue, can you please clarify it.