Network Bridge Setup with HA under Linux KVM

I installed HA here in my lab using the installation tutorial and HA was able to find all of the ESPhome devices on my network. When I moved it to a new network it seems the HA bridge configuration changed from a bridge to the host network to a NAT configuration, so the host no longer had a homeassistant.local address, thus I couldn’t even log in to HA.

After a lot of time troubleshooting I changed the XML for the HA VM’s NIC from NAT to host network bridge and all worked as in my lab.

Having HA run in a VM behind a NAT layer would provide a measure of security through isolation, but it seems that HA can’t see the ESPhome devices that way.

In my lab a dnsmasq systemd service was enabled and running. That was fine if the VM was isolated so the dnsmasq daemon on the VM didn’t conflict with the host’s.

The question is: what is the default / recommended way to set up the bridge for HA, so that HA addresses are in the host’s address space or in its own address space behind the NAT? I like the idea of using the NAT, but when I moved the system to another network the same configuration I used in the lab no longer worked, and I had to change the bridge, despite avahi running on the host to provide mDNS.
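The two NIC definitions the post contrasts, as an added example (not the poster's own XML or anything shipped by Home Assistant): the libvirt default NAT network versus a host kernel bridge, as they would appear under `virsh edit <vm-name>`. The bridge name `br0`, the network name `default` and the virtio model are assumptions for illustration; the host bridge must already exist and enslave the host's physical NIC.

```xml
<!-- Added example, not from the original post. Two alternative <interface>
     elements for the HA VM's NIC in its libvirt domain XML. Names (br0,
     "default", virtio) are assumptions; libvirt generates the MAC address. -->

<!-- 1) libvirt default NAT network: the VM lives on the virbr0 subnet that
        libvirt's dnsmasq serves, and reaches the LAN through host MASQUERADE.
        Link-local multicast that arrives at the host's physical NIC
        (mDNS on 224.0.0.251 / ff02::fb, UDP 5353) is not forwarded into the
        VM, so HA cannot discover ESPHome devices and homeassistant.local
        is not reachable from the LAN. -->
<interface type='network'>
  <source network='default'/>
  <model type='virtio'/>
</interface>

<!-- 2) host bridge: the VM's tap device becomes a port on the host's kernel
        bridge br0 (assumed to already contain the host's physical NIC). The
        VM then gets a LAN address from the LAN's DHCP server and receives
        LAN broadcast and link-local multicast directly, which is what mDNS
        discovery needs. The trade-off is that the VM is now a full member of
        the LAN with no NAT isolation, so firewall the guest itself. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <model type='virtio'/>
</interface>
```

Only one of the two `<interface>` elements goes in the domain XML at a time. `virsh edit` changes take effect on the next VM start, so use `virsh shutdown` followed by `virsh start` rather than a guest reboot. `virsh domiflist <vm-name>` shows which source the NIC is attached to, and `ip link show type bridge` together with `bridge link` confirms that `br0` exists and that both the host NIC and the VM's `vnet*` tap are ports of it.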

HA depends a lot on receiving IPv4 and even IPv6 link-local multicast (i.e. well-known multicast) for discovery and communications (e.g. DNS-SD/mDNS). I don’t think NAT will allow these to pass through from the host to the VM.

It is not the NAT part that is the issue. It is the routing.

Discovery protocols like mDNS, SSDP and so on pretty much all use multicast or broadcasts, and such packets are not routed by default in a TCP/IP network. This is also why many have issues with VLANs.

But this is different. The context here is more about the internal networking between a Virtual Machine and the host computer/machine the VM is running on. Some systems like Libvirt/QEMU/KVM by default, when you create a virtual machine, build and enable NAT on the virtual NIC the VM is running on. This NAT shouldn’t be allowing link-local multicast arriving from the outside world at the host’s NIC to get to the VM. That’s why most remove this NAT and enable connectivity of the virtual NIC directly to a kernel-level bridge. This bridge passes these multicasts on to the VM.

It is not different.
It is how a network router and a bridge work.