Hello?
I would like to disable IPv6 on HAOS or disable broadcasting because the IPv6 address of Home Assistant is sending requests EVERY second. As you can see on my firewall. This generates a huge amount of packets. How can I do this?
Have a good day.
I don’t think you have a clear idea on the number of tcp/ip packets going through your network every seconds 
5353/udp is mDNS. You can disable it in HA by not using default_config: in your configuration.yaml but enumerating all the services you need, and Zeroconf is the one generating those packets.
See https://github.com/home-assistant/core/blob/d49bccf123f9266f01cf219835d99691f71a0f82/homeassistant/components/default_config/manifest.json for what default_config includes.
Thanks you for the reply, now I have :
# Loads default set of integrations. Do not remove.
#default_config:
assist_pipeline:
bluetooth:
cloud:
conversation:
dhcp:
energy:
history:
homeassistant_alerts:
logbook:
map:
media_source:
mobile_app:
my:
stream:
sun:
usb:
webhook:
#ssdp:
#zeroconf:
homeassistant:
customize: !include customize.yaml
allowlist_external_dirs:
- /tmp
- /config/www
- /media
- /config
# Load frontend themes from the themes folder
frontend:
themes: !include_dir_merge_named themes/
extra_module_url:
- /local/card-mod.js
logger:
default: warning
recorder:
purge_keep_days: 30
exclude:
domains:
- automation
- update
entity_globs:
- sensor.*_battery
- sensor.*_humidity
- sensor.*_pressure
- sensor.x1c_00m09a3b1900399*
- camera.roborock_s5
### INCLUDE ###
template: !include template.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
climate: !include climate.yaml
switch: !include switch.yaml
sensor: !include sensor.yaml
shell_command: !include shell.yaml
alexa: !include alexa.yaml
command_line: !include command_line.yaml
# Text to speech
tts:
- platform: google_translate
http:
use_x_forwarded_for: true
trusted_proxies:
- 10.0.0.254
- 10.0.0.5
- 127.0.0.1
opnsense:
url: https://10.0.0.254/api
api_secret: !secret API_SECRET
api_key: !secret API_KEY
tracker_interfaces: BRIDGE_HOME
verify_ssl: false
### TELEGRAM ###
telegram_bot:
- platform: polling
api_key: !secret telegram_token
allowed_chat_ids:
- !secret id_telegram_maison
notify:
- platform: telegram
name: telegram
chat_id: !secret id_telegram_maison
### ROBOROCK ###
camera:
- platform: xiaomi_cloud_map_extractor
host: !secret xiaomi_vacuum_host
token: !secret xiaomi_vacuum_token
username: !secret xiaomi_cloud_username
password: !secret xiaomi_cloud_password
name: "Roborock S5"
map_transformation:
scale: 2
#rotate: 180 #à effectue une rotation de 0, 90, 138, 360 degré de la carte
trim:
top: 20
bottom: 20
left: 20
right: 20
sizes:
charger_radius: 3
vacuum_radius: 4
draw: ['all']
colors:
color_map_outside: [28, 28, 28]
color_path: [255, 255, 255]
color_robo: [255, 255, 255]
attributes:
- calibration_points
- charger
- goto
- goto_path
- goto_predicted_path
- image
- is_empty
- map_name
- no_go_areas
- no_mopping_areas
- obstacles
- path
- room_numbers
- rooms
- vacuum_position
- vacuum_room
- walls
- zones
auto_update: true
And I have always the broadcast with IPV6. What I doing wrong ?
You should be able to deactivate IPv6 in the Settings → System → Network, but you will then also make Matter and Thread unable to work.
Besides that the future is going towards IPv6, so you will have to tackle that beast in the future.
Maybe it is an addon then.
IPV6 is not disabled, as you have an IP. “FE80” addresses (link-local) are non-routed addresses that always exists on any ipv6 enabled interface.
That “disabled” pertains to DHCP, I think.
I think the fe80 is related to docker bridge, where the “public” local IP is also residing.
IPv6 might be disabled in HA, but the docker bridge might still have it enabled to support addons.
It is really just a guess though, because the IPv6 support in HA is a bit half-baked.
At the end of the day, you can only completely enable/disable IPV6 at the OS or docker level. Whether HA or addons are actually using it is another story but clearly there is IPV6 support up to docker level, here.
A query to [ff02:fb] :5535 is a standard mDNS lookup on an Ipv6 network. THIS IS NORMAL TRAFFIC stop trying to block it.
No. It’s not huge. On the grand scheme of TCP/IP. One packet per second (an MDNS lookup is miniscule And it’s your mDNS lookup. It’s doing what it’s supposed to do.
Stop blocking that port and move along.
Its the default multicast address for mDNS according to the spec, Wally.
fe80 is used for a lot of other stuff too, like DAD (Dupplicate Address Detection) checks in relation to SLAAC and auto-configuration of IPv6 addresses.
Maybe this will help…
Link Local Scope - One can think of as a Layer 2 LAN or if one is using VLANs, its a single VLAN. So multicast address of Link Local Scope are not to traverse beyond the LAN/VLAN, and unicast addresses are unique only within the LAN/VLAN.
BTW, I kind of agree that this is not that much traffic.
As for disabling IPv6, nmcli is usually the tool of choice for HAOS, but its a bit of work to use it, and I’ve found some of the settings don’t persist across reboots anyway.
Link local scopes can not really be compared to anything IPv4 or VLAN/LAN.
It is a unique feature of IPv6 and that fact that every interface will have a FE80 link local scope, but might or might not share the subnet they are connected to will confuse people coming from an IPv4 only POV.
/me wonder what are the “denies” in the OP post…
fe80::/64 is not supposed to go through a firewall nor are multicasts…
fe80 will still hit the firewall, because any interface connected to an IPv6 network will have have an address on that network.
And some routers see the ff02 as a different subnet than fe80, so it is thinking it is supposed to route it.
The firewall is usually in front of the router, even though they are physically one device.
I have Home Assistant running on my Proxmox server, and I can’t disable IPv6 because I need it for another project.
I dislike this broadcast because it’s unnecessary for me, and it’s the only device that appears in my firewall blocks, thus filling up my logs.
Why can’t I disable the broadcast? Why is it being blocked without giving me the option to choose?
It’s your network. You do what you want at this point you know its not a problem and it’s not hurting anyone or anything.
Ive been doing IT ops for well over 20 years at this point… Two things you try to avoid or it leads to pain.
Putting configuration in place to work around a non-issue - it’s just busy work.
Creating nonstandard configurations because inevitably sometime on the future - you need that thing and you forget that a few years ago you configured something that breaks the config and developers RARELY test non-standard configuration so you may also be opening yourself up to random bugs because things expect it to be there.
And FINALLY it’s only a log in the router.
A that said. If you block it do I expect you to have issues. Probably not - but you need to be aware of the ramifications of doing so. Future troubshooting is MUCH easier when you know you don’t have no standard configurations.
After googling around some, I couldn’t find why a firewall would flag IPv6 packets it received with ff02 link local multicast destinations with source fe80 link locals as they shouldn’t be forwarded anyway. But it does seem that others have complained about their firewalls do indeed log these. One solution I saw hints at setting rules in the firewall that don’t log these particular events.
