I just got a few Kauf Smart plugs online on my WLAN subnet and they are not getting discovered by HA on a different VLAN / IoT network. I do not have ESP32 or ESP8266 connected to my HA VM either.
I’m considering adding additional NICs to my HA VM to connect to my WLAN subnet via VLAN trunk…
But before I do so, what is best practice and/or my options for getting these Kauf plugs added to HA.
Segmented networks are not officially supported within HA.
HA is designed and expects a flat subnet to work as intended.
This is because every segmented network is different for IP’s and number of segments and firewalls and sharing rules and about 650495849085 other things.
This does not mean you can’t use them or that they can’t be made to work, it means that to get them working you are the support structure on your own subnet(s).
Please keep this in mind when you are trying to do this kind of thing.
As Sir_Goodenough says, a flat network is what HA is expecting.
Very few discovery protocols support routing, so if you want it to work, then you need to study all the different discovery protocols and set up broadcast reflectors/helpers on your router, which of course means your router needs to support it.
VLAN will also cause issues with IPv6, which Matter depends on.
If you want to use VLAN, then put ALL IoT devices in one VLAN with the HA server, because then the network is flat for those devices.
Your companion and web clients can be in a different VLAN with just the routing ports opened up in the firewall, because those are just basic protocols like HTTP or HTTPS on port 8123.
I migrated from HA Docker to HA OS on a bare-metal Mini PC form factor and I’m not looking back.
I put everything on a dedicated IoT VLAN and it’s working great so far!
I got 3 Kauf PLF12 plugs and failed to get any of them onto my WiFi. I shut down the 5 GHz signal thinking that might be the problem. The symptom is that I plug the smart plug in, it blinks 1/sec, I connect to the generated WiFi signal from the plug, that takes me to a web page at 162.168.4.1 and I select my network and enter the network credentials. And then nothing happens. I never see the device on my network (one person in an Amazon comment said it joined his network temporarily). At this point I can unplug it and re-plug it and it gives me the network temporarily, and if, while the network is up, I go to the web address, I get a no-data-sent error.
This happened for all 3 devices in exactly the same way. In an attempt to diagnose the problem and make sure that I didn’t do something stupid, I asked for help from ChatGPT. That led me to check the WiFi parameters (all good) and walked me through trying to reset the plugs (should get a fast flash), which never worked. ChatGPT told me they probably had the wrong software on the device, and if I didn’t want to get out a soldering iron and reflash the device I should return them. I’m writing this here to hopefully save someone a day of their life.
This is ChatGPT’s final analysis:
KAUF sells the same PLF 1.2 hardware with different firmware SKUs, and Amazon fulfillment sometimes mixes them.
Some KAUF plugs ship with:
Local-only firmware (ESPHome / HTTP / MQTT)
No Tuya / Smart Life pairing
No fast-blink pairing mode at all
On those units:
LED blinks ~1/sec at idle
Button toggles relay
Long-press reset does nothing
They will never fast-blink
That is exactly what you’re seeing.
You didn’t get three bad plugs — you got three plugs flashed for local control, not cloud onboarding.
If you have VLANs then you will add that device to your VLAN. On the firewall side you should punch holes in the firewall so your device can communicate with HA and vice versa.
And that is all there is to it. Your device will be added in HA like it is on the same network.
Wrong!
Discovery protocols are usually non-routable with standard IP routing, so you need to set up proxies/reflectors for those.
That is the pitfall many people fall into.
VLANs are not just opening up a few holes in the firewall.
VLANs are routing, both IP routing and routing of other protocols.
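As an added illustration of the point both replies above make about discovery (this is not code from the thread): mDNS answers travel over link-local multicast, so the only way HA sees a plug in another VLAN is a reflector copying the packet across, and the device's real address then sits in the A record of the reply, not in the packet's source IP. The ESPHome service name, the host name kauf-plug and the addresses 10.20.0.42 and 192.168.1.10/24 are assumptions, and the response packet is constructed, not captured.

```python
import ipaddress
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # link-local multicast: not routed between VLANs
ESPHOME_SERVICE = "_esphomelib._tcp.local."   # assumption: the Kauf plugs run ESPHome firmware
TYPE_A, TYPE_PTR = 1, 12

def encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def decode_name(pkt, off):
    """Decode a name, following RFC 1035 compression pointers; returns (name, next_offset)."""
    labels, nxt = [], None
    while (n := pkt[off]) != 0:
        if (n & 0xC0) == 0xC0:             # pointer: the rest of the name lives earlier in the packet
            nxt = nxt or off + 2           # remember where this field ends before jumping
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", nxt or off + 1

def parse_response(pkt):
    """Collect PTR instance names and A records from every record section of an mDNS reply."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, instances, hosts = 12, [], {}
    for _ in range(qd):                    # skip any echoed questions (name + type + class)
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            instances.append(decode_name(pkt, off)[0])
        elif rtype == TYPE_A:
            hosts[name] = socket.inet_ntoa(pkt[off:off + 4])
        off += rdlen
    return instances, hosts

def crossed_vlan(device_ip, ha_iface_cidr):
    """True when the advertised device address is outside the HA host's own subnet."""
    return ipaddress.ip_address(device_ip) not in ipaddress.ip_interface(ha_iface_cidr).network

def sample_response():
    """Constructed reply shaped like an ESPHome device's (not a real capture): PTR + A record."""
    svc = encode_name(ESPHOME_SERVICE)                    # lands at offset 12, right after the header
    ptr_rdata = b"\x09kauf-plug" + b"\xc0\x0c"            # "kauf-plug" + pointer back to offset 12
    answer = svc + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(ptr_rdata)) + ptr_rdata
    extra = encode_name("kauf-plug.local.") + struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4)
    return struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 1) + answer + extra + socket.inet_aton("10.20.0.42")
```

Run against a reply captured on the HA host's interface, a device address outside that interface's subnet shows the reflector did its job; with plain firewall rules and no reflector, no reply arrives at all.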
I don’t understand your reply?
If you are using VLANs then probably you are using a router that can route packets.
As for discovery protocols goes, I don’t see a problem.
Just don’t use proprietary crap. mDNS reflectors can be installed and used on any proper router firmware.
True, but do you have the knowledge to route the packets you need to route?
Both IPv4 and IPv6?
And discovery protocols like SSDP, Zeroconf, UPnP?
Are you sure your devices do not use proprietary protocols?
First of all I don’t use IPv6 because I don’t need it.
I don’t use matter because I prefer zigbee and I don’t believe in fairy tales.
Some of my devices, like vacuum cleaners and a few switches, are probably using proprietary software and are using cloud access to work, but this is the reason why they are on a separate VLAN.
Let’s get back to the OP.
It is not true that you need HA on the same network as the devices you want to control. You can keep HA on your main network and isolate devices as you wish. And things will work.
You just need some firewall rules and the proper tool for the job. Proper tool means OpenWrt or OPNsense on the gateway side. No proprietary crap. Just real software that works.
True, you do not need HA on the same network as your devices, but then you need to know all your devices and all the protocols they use.
That is the pitfall for many.
They think VLANs are just a firewall rule.
It is routing!
And I simply do not get people that use VLANs to “secure” their network and then just install third party integrations into HA.
That security hole has much bigger impact and much higher chance of being exploited.
If you want VLANs to secure your network, then also do a code review on each new third party integration and each update of such you install. Do not rely on the forum. Only you can do it, or a reviewer you trust. The forum or the user base can never be trusted in such a way.
I know. I put them on a VLAN and gave them the access they need to communicate with HA. But nothing more.
I don’t know what someone thinks but if you have a VLAN then probably you know some basic things.
It is too much. You can review from time to time what your devices are doing. You can use SQM or a traffic shaper to ban any high usage of your network from VLANs.
There are a lot of things you can do about it.
That is why you should learn it by yourself. Invest your time in things and see how it goes.
Everything is doable if you invest enough of your time.
At the end of the day it’s everyone’s house. If someone wants to leave it open for anyone, well, that is his decision.
But the important thing imo is that he/she was warned about this.
You might know it, but many do not and that is why we get so many questions about VLAN issues.
If a user does not know what protocols a device uses and how those protocols are routed, then the user should not use VLANs.
That is too late. Once you discover the problem, the accident has already happened.
I can program in a lot of different languages, but doing a code review on each integration is simply not possible.
I trust a single company, even a Chinese, more than I trust third party code maintainers.
There are already lots of examples of malicious users becoming co-code maintainers and then adding malware.
I can sort of guess what the company will do with my data, and also China, but a malicious code maintainer, that is far worse.
You can always check it in your firewall if you are using the right tool for the job. Again, don’t use crap. On OPNsense you can see live what every device is using to access the internet. What port, what IP address, everything. Does it need time to learn? Yes it does, but this doesn’t mean we should discourage people from using VLANs. They should be using them for their own protection.
Maybe.
And that is exactly why people should use VLANs. In Zigbee they can’t do much about it, but with WiFi devices they can.
I had a few of these Kauf PLF12 and they were unreliable in the beginning, where they had false positives for power off events. But they partially worked for my application.
Fast forward approx. 6 months, they all lost connection to HA and became unresponsive. I tried to factory reset them, but I was not successful.
Also, I was not impressed by their customer service either.
I would love to know if there is any way to resurrect them?
If not, I will continue to replace them with my trusted and true Thirdreality Zigbee smart plugs with energy monitoring.
This is ridiculous discussion about nothing.
Should people use VLAN? Yes, they should regardless of home assistant.
A lot of companies are nowadays selling routers with, let’s say, VLAN capabilities in their firmware. The great majority of them don’t work even on paper.
If anyone wants to use VLANs there is an alternative called OpenWrt and there this does work. And that is one of the reasons why OpenWrt is one of the best, if not the best, solutions for a smart home out there, no matter what someone says.
It is full-featured firmware for routers with more capabilities than the average person has even heard of.
But at the end of the day it is everyone’s call.