Securing a vlan & ESPHome Devices

Hello friends,

I’ve had an esphome sensor set up in home assistant for quite some time. I recently decided to strengthen my network security. I separated my iot devices into their own network and blocked access to the internet using some firewall rules. Currently, I’m allowing the IOT network to only talk with HA’s IP, over 5 or 6 ports for MQTT & ESPHome. I can’t remember the ports, I’ll have to list them later. I also have the auto discovery setting enabled.

The problem that I’m having is that it doesn’t appear as if the device is connecting to my network. I’ll see it connect for about 2 minutes then drop. Any attempt to access the device when connected ends in failed connection errors (when viewing logs in ESPHome add-on).

The network appears to be unable to attach an IP address to it.

Does anyone have firewall settings set up on an IOT network? Do esphome devices require an internet connection?

VLANs have nothing to do with it. 🙂

I would bet you have missed the port that the ESPHome API uses.

Quoting the documentation:

Configuration variables:

  • port (Optional, integer): The port to run the API Server on. Defaults to 6053.

And

The ESPHome native API is based on a custom TCP protocol using protocol buffers.

So make sure you have TCP port 6053 open between your IoT network and your Home Assistant instance.

Well yeah, but it’s my firewall rules that I added to the entire vlan. So it sorta has something to do with it.

Already have that port enabled along with 3232 and 8266.

Also allowing DNS through as well, via a separate rule.

Do your ESP devices have static IP addresses?

If not, is DHCP set up for the IoT VLAN?

You know, that’s one thing I never checked. I’ll have to look. I assumed that’s always on for additional vlans. I’ll look tonight.

What network gear are you using?

At the moment a bit of everything. EdgeRouter X, Unifi and Linksys switches and Unifi APs.

I’m going to sort that out when I get home next year.

Also, and I am not overly familiar with vlans, but I know esphome makes use of mDNS which is a multicast protocol. Are those multicast packets able to cross from your iot vlan?

I believe I set that up properly already. Although that could be the culprit. Unfortunately, I can’t test any of this because I fried the device in question when flashing it (sleepy incorrect wiring). I have to wait until the new part comes in to revisit this.

Did you ever get any luck with this? My devices get IPs, work fine, etc. But in the ESPHome page they all show as unavailable. When you tail a log, it connects, then the same as you after a couple of minutes goes to unavailable. This means if you try anything like an OTA update, it gets part way through then bugs out and says it’s not available. But it still works fine.

Yes I did. Basically my local domain was not named ‘local’. This is because the default on my gateway was named ‘localdomain’. By default, the esphome configuration I was flashing had the domain as ‘.local’. Pretty much should have paid more attention to my network settings.

Also, it was a bit of human error. My networking knowledge is limited. When calling out a device it was unclear to me that you needed to include the domain name with the hostname; hostname.domain. So all around, PICNIC error.
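The two things this thread circles around are (1) whether the IoT-to-HA allow-list actually covers every port ESPHome needs, including multicast mDNS, and (2) whether the domain flashed to the device matches the network's DNS domain, so that `hostname.domain` resolves. The following is an added example, not code from the thread or from ESPHome: a small Python audit that checks a constructed allow-list against the ports named above and reports the gap, plus a hostname/domain consistency check. Port 6053 and the OTA ports 3232/8266 come from the thread; MQTT 1883 and mDNS UDP 5353 are the protocols' well-known defaults and are assumptions here, as is the `allow <proto> <port>` rule format, which is made up for the example.

```python
"""Added example (not from the thread or ESPHome): audit an IoT -> HA
firewall allow-list against the ports ESPHome/MQTT use, and check that the
domain flashed to a device matches the network's DNS domain."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    port: int


# What the IoT VLAN must be allowed to reach for an ESPHome + MQTT setup.
# 6053/3232/8266 are named in the thread; 1883 and 5353 are the usual
# defaults for MQTT and mDNS (assumption; adjust to your own setup).
REQUIRED = {
    Rule("tcp", 6053): "ESPHome native API (documented default port)",
    Rule("tcp", 3232): "ESPHome OTA, ESP32 default",
    Rule("tcp", 8266): "ESPHome OTA, ESP8266 default",
    Rule("tcp", 1883): "MQTT broker default port (assumption)",
    Rule("udp", 5353): "mDNS; multicast, so it also needs an mDNS repeater "
                       "between VLANs, not just a unicast allow rule (assumption)",
}


def parse_rules(lines):
    """Parse constructed 'allow <proto> <port>' lines into Rule objects.
    Lines that do not match the format are ignored."""
    rules = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0].lower() != "allow":
            continue
        rules.add(Rule(parts[1].lower(), int(parts[2])))
    return rules


def missing_rules(allowed):
    """Return {Rule: reason} for required ports the allow-list does not cover."""
    return {r: why for r, why in REQUIRED.items() if r not in allowed}


def normalize_domain(domain):
    """'.local', 'local.' and 'LOCAL' all mean the same domain."""
    return domain.strip().strip(".").lower()


def expected_fqdn(hostname, domain):
    """The name to use when addressing the device: hostname.domain."""
    d = normalize_domain(domain)
    return f"{hostname.lower()}.{d}" if d else hostname.lower()


def domain_mismatch(device_domain, network_domain):
    """True when the domain flashed to the device differs from the network's,
    which is the failure mode described in the thread ('.local' vs 'localdomain')."""
    return normalize_domain(device_domain) != normalize_domain(network_domain)


# Constructed sample allow-list resembling the one described in the thread:
# API and OTA ports are open, MQTT is open, but nothing for mDNS.
SAMPLE_ALLOW = [
    "allow tcp 6053",
    "allow tcp 3232",
    "allow tcp 8266",
    "allow tcp 1883",
]

if __name__ == "__main__":
    for rule, why in missing_rules(parse_rules(SAMPLE_ALLOW)).items():
        print(f"missing {rule.proto}/{rule.port}: {why}")
    print(expected_fqdn("garage-sensor", ".local"))
    print(domain_mismatch(".local", "localdomain"))
```

Run against the constructed list, the audit reports only the mDNS gap; the domain check flags the `.local` versus `localdomain` mismatch that turned out to be the cause in this thread, and `expected_fqdn` gives the `hostname.domain` form the later reply says was needed.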

So was the solution to rename your domain to local, or to flash localdomain to the esphome devices?

I ended up fully renaming my iot domains, and flashing that to the device.
