HUE bridge separate vLAN, HASS cannot find

I am trying to move my Philips HUE bridge into a separate IoT vLAN. Moving it is not a problem, but HASS cannot find the bridge after moving.

I am using pfSense 23.05. I have enabled Avahi but am not 100% sure how to configure this.

I have a block all rule from IoT vLAN to RFC1918. And allow all from LAN to IoT vLAN.

I can ping the bridge no problem and it gets an IP address from the DHCP.

Something is being blocked, not sure what.

Any ideas?

What’s the exact problem?
Using discovery in HASS for discovering the bridge, or actual traffic between HASS and the bridge?

Port 80 = Webtraffic
Port 53 = DNS
Port 123 = NTP
Port 443 = HTTPS
Port 1900 = SSDP

Probably broadcast traffic is not allowed between the vlans. I can’t help with Avahi.

I’d suggest adding an any <-> any rule between the VLANs, just to confirm your routing is working, and work from there.
I see a couple of changes applied which we don’t know are really working:

  • VLAN tagging → working?
  • Routing → working?
  • Firewall rules applied → working?

Also use the trace/log option of the fw to see if anything is blocked or dropped.
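The advice above to read the firewall log for dropped traffic, as an added example that is not from the thread: a small Python triage of pfSense-style filterlog lines. The log lines are constructed, and the field positions the parser uses are my assumption about the comma-separated filterlog layout, so check them against your own export. It counts blocked packets per destination and flags the two discovery protocols from the port list, SSDP (1900) and mDNS (5353), noting when the destination is a multicast group, which a routed VLAN boundary will not carry however the pass rules are written.

```python
"""Triage pfSense-style firewall log lines for dropped discovery traffic.

Added example, not from the thread. The sample lines are constructed and
the field positions are an assumption about the filterlog CSV layout
(rule,sub,anchor,tracker,iface,reason,action,dir,ipver,... ,proto,len,src,dst,sport,dport).
"""
import ipaddress
from collections import Counter

# Discovery protocols from the thread's port list that rely on the
# broadcast/multicast domain and so never cross a routed VLAN on their own.
DISCOVERY_PORTS = {1900: "SSDP", 5353: "mDNS"}
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample: bridge at 10.10.50.20 on IoT VLAN interface igb1.50,
# HASS at 192.168.100.10 on LAN interface igb1.
SAMPLE_LOG = """\
Jun  1 00:10:01 fw filterlog[911]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,64,1,0,DF,17,udp,180,10.10.50.20,239.255.255.250,1900,1900,160
Jun  1 00:10:01 fw filterlog[911]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,255,2,0,none,17,udp,120,10.10.50.20,224.0.0.251,5353,5353,100
Jun  1 00:10:02 fw filterlog[911]: 5,,,1000000103,igb1.50,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,10.10.50.20,192.168.100.10,49152,80,0,S,1,,1460
Jun  1 00:10:03 fw filterlog[911]: 7,,,1000000201,igb1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.100.10,10.10.50.20,51000,80,0,S,1,,1460
"""


def parse_line(line):
    """Return a dict for one IPv4 tcp/udp filterlog line, or None for anything else."""
    if "filterlog[" not in line or "]: " not in line:
        return None
    fields = line.split("]: ", 1)[1].split(",")
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    return {
        "tracker": fields[3], "iface": fields[4], "action": fields[6],
        "dir": fields[7], "proto": fields[16], "src": fields[18],
        "dst": fields[19], "sport": int(fields[20]), "dport": int(fields[21]),
    }


def triage(log_text):
    """Count blocked packets per (iface, proto, dst, dport) and explain
    blocked discovery traffic; returns (Counter, list of findings)."""
    blocked = Counter()
    findings = []
    for raw in log_text.splitlines():
        pkt = parse_line(raw)
        if pkt is None or pkt["action"] != "block":
            continue
        blocked[(pkt["iface"], pkt["proto"], pkt["dst"], pkt["dport"])] += 1
        name = DISCOVERY_PORTS.get(pkt["dport"])
        if name is None:
            continue
        where = f"{name} {pkt['src']} -> {pkt['dst']} on {pkt['iface']} (rule tracker {pkt['tracker']})"
        if ipaddress.ip_address(pkt["dst"]) in MULTICAST_V4:
            # Multicast stays inside its VLAN; a pass rule alone cannot carry it
            # across. A reflector (Avahi for mDNS) or adding the device by IP is needed.
            findings.append(where + ": multicast discovery, confined to the VLAN; needs a reflector or manual IP setup")
        else:
            findings.append(where + ": unicast discovery traffic blocked by firewall rule")
    return blocked, findings


if __name__ == "__main__":
    counts, notes = triage(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:3d} blocked  iface={key[0]} {key[1]} -> {key[2]}:{key[3]}")
    for note in notes:
        print("!", note)
```

The third sample line is the useful control: a blocked unicast TCP/80 packet from the IoT VLAN shows up as a plain firewall finding, while the SSDP and mDNS lines are reported as multicast that a pass rule would not have carried anyway. Run it over a real export once the any/any rule is removed to see which of the two cases you actually have.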

The exact problem is that HASS cannot find my bridge anymore (because it was at 192.168.100.1/24), so I have to connect it again by pressing the button. But ZHA cannot find the bridge when it is placed on the IoT vLAN (10.10.50.1/24), so discovery is the problem at the moment.

From LAN (HASS is at 192.168.100.1/24) nothing is being blocked by the firewall afaik. There is no block rule. I can also ping the bridge from LAN network.

My DHCP server is at 192.168.100.1/24, and the IoT is getting an address (DHCP relay), so VLAN tagging and routing are working then … right?

I thought/think you need Avahi for multicast/broadcast/mdns. You don’t think so?

I’m not familiar with pfSense, but a quick Google seems to cover mDNS.

But this is not in play if you just add it by IP.
So I would definitely look into firewall rules first, and check the logs for what is being blocked/dropped.

I have my hue bridge in a different subnet on a different vlan and it is working fine, even without mDNS in place.

Can you ping the bridge from the HA machine?

Yes, I can ping from HASS to the bridge.

Are you allowing 1900 FROM IoT vLAN to LAN / rest?

Initially yes, but I started with an any/any rule for easy setup… then closed it down to see what breaks.

What does your FW log say? There should at least be traffic visible at the interface which isn’t handled.
That should point you in the right direction.
In my case all my broadcast traffic is dropped by default and I see that in my logs.

Probably reconnecting will also not work in your setup. I could do the same: remove the block rule, allow all, and connect.

It is a workaround; I prefer to know why something isn’t working the way I want it to work.

I will check my FW log tomorrow. It’s after midnight over here.


@safritjuh88

Thanks for your help. I fixed it; I just changed the IP address in the HASS config file:

config/.storage/core.config_entries

.storage is a hidden folder.

Now it is working fine. To clarify, I skipped the discovery process this way.

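The manual fix described above, editing the bridge address in `config/.storage/core.config_entries`, as an added Python example that is not from the thread or from Home Assistant itself. The file layout it assumes is a JSON document with `data.entries[]`, each entry carrying a `domain` and a `data` dict, with the Hue entry keeping the bridge address under `data["host"]`; the sample document below is constructed, so compare it with your own file first. Two caveats a practitioner wants: stop Home Assistant before touching `.storage` (it rewrites the file on shutdown and would overwrite the edit), and change only the Hue entry, since other integrations may legitimately point at the same old address.

```python
"""Re-point the Hue integration at the bridge's new IP in Home Assistant's
config-entry store, the manual alternative to discovery used in the thread.

Added example, not from the thread or from Home Assistant. The document
structure (data.entries[], domain, data.host) is an assumption about
config/.storage/core.config_entries; verify it against your own file.
Stop Home Assistant before editing .storage or it will overwrite the file.
"""
import ipaddress
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample mimicking core.config_entries. The MQTT entry shares the
# old address on purpose, to show that only the Hue entry is rewritten.
SAMPLE_STORE = {
    "version": 1,
    "key": "core.config_entries",
    "data": {"entries": [
        {"entry_id": "aaaa1111", "domain": "hue", "title": "Philips Hue",
         "data": {"host": "192.168.100.42", "api_key": "PLACEHOLDER-NOT-A-REAL-KEY"}},
        {"entry_id": "bbbb2222", "domain": "mqtt", "title": "MQTT",
         "data": {"broker": "192.168.100.42", "port": 1883}},
    ]},
}


def update_hue_host(store, old_host, new_host, domain="hue"):
    """Rewrite data.host for every entry of `domain` that still points at
    old_host. Returns the number of entries changed. Raises ValueError if
    new_host is not a valid IP address, so a typo never reaches the file."""
    ipaddress.ip_address(new_host)
    changed = 0
    for entry in store.get("data", {}).get("entries", []):
        data = entry.get("data", {})
        if entry.get("domain") == domain and data.get("host") == old_host:
            data["host"] = new_host
            changed += 1
    return changed


def rewrite_store(path, old_host, new_host):
    """Load, patch and atomically replace the store file, keeping a .bak copy.
    Nothing is written when no entry matched."""
    path = Path(path)
    store = json.loads(path.read_text(encoding="utf-8"))
    changed = update_hue_host(store, old_host, new_host)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".core.config_entries.")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(store, fh, indent=2)
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never half
    return changed


def demo():
    """Round-trip the constructed sample through a temp directory and
    report what changed; used both as the usage example and by the test."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = Path(tmpdir) / "core.config_entries"
        path.write_text(json.dumps(SAMPLE_STORE, indent=2), encoding="utf-8")
        changed = rewrite_store(path, "192.168.100.42", "10.10.50.42")
        after = json.loads(path.read_text(encoding="utf-8"))
        entries = {e["domain"]: e for e in after["data"]["entries"]}
        return {
            "changed": changed,
            "hue_host": entries["hue"]["data"]["host"],
            "mqtt_broker": entries["mqtt"]["data"]["broker"],
            "backup_exists": path.with_name(path.name + ".bak").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

On a real installation the call is `rewrite_store("config/.storage/core.config_entries", "<old bridge IP>", "<new bridge IP>")` with Home Assistant stopped; the `.bak` copy is the rollback if the integration fails to load afterwards. Because the bridge keeps its API key in the same entry, this preserves the pairing, which is exactly why the button press was not needed again.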

Good to hear, thanks for providing your solution :slight_smile:

Keep in mind that if you have any other devices (e.g. Google Chromecast or Alexa) which rely heavily on the broadcast domain, the IGMP proxy of mDNS is a requirement to keep things working as they should.

But for such applications, I do not bother to set up mDNS for just a press of a button :slight_smile: