Setup VLAN and HA tutorial

How do I set up router rules to set up and secure the network, and add devices to HA from a different VLAN?

  1. Main network
  2. VLAN for HA
  3. VLAN for IoT devices connected to HA
5 Likes

Well, there is no generic answer to this. You should have a look into the manuals of your router, network switch and Wifi access point on how to configure VLANs. Once the VLANs are configured, and access ports on your switch configured, and Wifi SSIDs tied to VLANs, and devices on different VLANs can still communicate, you could start configuring firewall rules to limit access between VLANs and into the Internet.

To add, how things are done will vary by the router and switch(es) and the network layout you have. Not all routers or switches support VLANs, so you may need to replace some items.

1 Like

After router is setup:

Do I need to do some extra coding in HA's config YAML file to get communication with devices on VLANs working, or do I just need proper IPs on the different VLANs for those devices?

The biggest difference you will run into is that you will need to manually configure everything by IP/hostname, as most autodiscovery relies on multicast-based technologies like UPnP/mDNS etc., which won't cross broadcast domains (VLANs).

2 Likes

(A more up-to-date version of this tutorial, working with more recent versions of Home Assistant, is here.) Below is left for those working with older versions of Home Assistant.

Hi everyone,
this is my first post and attempt to contribute to HA amazing community.

I have been reading a lot lately about this problem because I too have a "VLANned" setup at home, effectively separating sensors and so on from my LAN. The case is that when I tried to discover my Xiaomi Air Purifiers with HA it failed miserably because of routing (even with the firewall completely down between the LAN and the sensors VLAN). I double checked by testing the mirobo tool from a Linux system on different network segments, so I knew from then on that it was a networking problem.

After many hours of reading different threads and pages on this subject, I managed to achieve a working VLAN setup in HA (L3) where the HA eth0 interface (the cabled one, as my wifi is off) is subdivided into 2 interfaces: eth0 and eth0.10. eth0 is on the LAN side and eth0.10 is on the sensors VLAN side. This serves my purpose and it works (so far). My Xiaomi Air Purifiers are now discoverable and reporting to HA, although they belong to a different network than the rest of my LAN. You can adjust it to your needs, I guess, by adding more VLANs or even making it L2 with complete separation (no routing whatsoever).

Some would argue it would just be better to put HA on the sensors side of the network and leave it there, but I wanted to be able to discover other devices on my LAN side too (media players, etc), so that would force me to punch a hole in my firewall to let HA in and in addition I would get the same old routing problems.

So to help others, here goes my description of what I did to achieve VLAN integration. Please comment and correct whatever you see fit for improvement. This configuration is still not "battle-proven", so attempt it at your own risk :slight_smile:

It only works for HassOS but you can use the generated config to apply it in ResinOS version too, via USB import, I guess.

My main source of information were these three pages with information regarding nmcli (NetworkManager command line tool):

https://docs.fedoraproject.org/en-US/Fedora/22/html/Networking_Guide/sec-Configure_802_1Q_VLAN_Tagging_Using_the_Command_Line_Tool_nmcli.html

VLAN in HA:

  1. Log in as root to the HassOS base system via a console

  2. At the hassio > prompt, type login

  3. From here you will use the nmcli configuration tool.
    #nmcli connection show will list the "HassOS default" connection in use.

  4. Create the VLAN interface with a static address on eth0 (parent interface), defining IP, gateway and DNS (adjust to your needs)
    #nmcli con add type vlan con-name eth0@vlan10 dev eth0 id 10 ip4 10.0.0.2/8 ipv4.dns 10.0.0.1 gw4 10.0.0.1

  5. Show connections again and it should list your new VLAN (fake uuids)
    #nmcli connection show

NAME UUID TYPE DEVICE
HassOS Default aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa ethernet eth0
eth0@vlan10 bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb vlan eth0.10

  6. To see more detailed info about the connection
    #nmcli -p con show eth0@vlan10

  7. Now enter the nmcli editor to "edit" your connection
    #nmcli con edit eth0@vlan10

  8. Just save the settings and properties and it should report a successful update to the connection
    #nmcli> save

  9. To double check the settings of the VLAN interface
    #nmcli> print ipv4

  10. Quit the nmcli editor
    #nmcli> quit

  11. Check for the creation of a new file with the VLAN definitions (there should be an eth0@vlan10 file)
    #ls -la /etc/NetworkManager/system-connections/

  12. (optionally) Check the contents of the file (possible output below)
    #cat /etc/NetworkManager/system-connections/eth0@vlan10


[connection]
id=eth0@vlan10
uuid=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
type=vlan
permissions=
timestamp=1546212011

[ethernet]
mac-address-blacklist=

[vlan]
egress-priority-map=
flags=1
id=10
ingress-priority-map=
parent=eth0

[ipv4]
address1=10.0.0.2/8,10.0.0.1
dns=10.0.0.1;
dns-search=
method=manual

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

  13. Exit the session and reboot the HA host to test (after rebooting you can log in to HassOS again as in step 1 and check whether the file with the definitions still exists)

  14. Profit! :wink:

Hope this helps someone getting somewhere!
Good luck!

34 Likes

Many thanks for this. I'm starting exactly the same way. I didn't want to get caught out with changing SSID wireless settings later on down the track and isolating devices, so I've created a new VLAN which is tagged through all switches and set up on my EdgeRouter with a separate DHCP scope. I've added a separate SSID on my Ubiquiti APs on this same VLAN so it's all dedicated just for home automation.

But I couldn't work out how to change the hass.io config to permit discovery on both VLANs.

Your guide worked a treat. Many thanks :slight_smile:

1 Like

Great! I'm actually considering multiplying VLANs and separating IoT devices according to categories and/or rooms, but I have not had the time to think it over (there is no real reason to have all IoT devices living under the same network, sharing the same wifi - if you have several APs around the house, you could distribute clients per area or type of access, 2.4 and 5 GHz - except for ease of setup).

Segregation would be beneficial when it comes to limiting what information each sensor can obtain from the network (imagine what could happen if a hacked/proprietary temperature sensor could collect information about the door locks' state just from packets traversing the network between HA and the IoT locks).

I believe the better the segregation, the more you can control your network and what is happening inside of it. Is it more complex? Yes, absolutely, but having no keys/doors at home is also more convenient, and still nobody complains about having them, right? :smile:

Any input on strategies for IoT segregation is very welcome!

1 Like

Thank you, it worked perfectly for me :slight_smile: I omitted the static IP, gateway and DNS to use my DHCP for it and it works just great.

First of all, great HOWTO, great work!

For everyone running Proxmox with Hassio in its own VM, the guide above will definitely work, but you will create the network assignment inside the VM instead of having it managed in Proxmox.
So if you like to have everything maintained by Proxmox, here are my two cents.

1.) Add Network Interface in Proxmox


2.) Connect to Hassio with SSH (use the community SSH add-on)

My config is simple, but I only activate it manually, so no issue.

PuTTY login with the user and password specified.
A command like "login" is not required. When you are in, you are in, and we can start.


3.) Check available devices and their status
`nmcli device status`
In my case a device called enp0s18 is disconnected


4.) Enable enp0s18 by adding a connection name (HassOS-vlan) + DHCP
`nmcli con add type ethernet con-name HassOS-vlan ifname enp0s18`

In case you would like to have a static IP address, use this instead (of course change it to your needs!). The connection name must not contain a space, and `id` is only valid for `type vlan`, so it is omitted for the plain ethernet interface:

`nmcli con add type ethernet con-name HassOS-vlan ifname enp0s18 ip4 192.168.10.220/24 gw4 192.168.10.254 ipv4.dns 192.168.10.254`

5.) Check your IP leases in your router to see if Hassio came up with another interface; in my case a MikroTik router

6.) To be on the safe side, ping Hassio and open the website on the new IP address


11 Likes

Could someone help me out? I cannot get this to work.
When I add the VLAN, I cannot access either address. My router does show the VLAN and offers a DHCP lease, but it never gets accepted.
If I remove the VLAN interface, my regular interface (eth) works again right away.

I use Home Assistant in a VM.

I finally ended up manually editing the files under /etc/NetworkManager/system-connections, removing the default and adding 2 new ones (one for each network interface; I handle VLANs by having 1 dedicated interface per VLAN between my switch and hypervisor box to increase throughput without expensive >1 Gbps gear).

I very strongly recommend static IPs for everything - that will avoid a LOT of problems and things falling apart if you ever have your network go down (e.g. rebooting router/switch) at the moment something tries to make a call. I didn't do this at first and my whole system imploded when I was upgrading my router, and it took many hours to realize that my nightmares were caused by some things caching old IPs for DNS, and the new router not yet having received the DHCP request to put it in DNS. Ever since moving to static IPs everywhere I've not had a single issue; even when I have a network connectivity failure the automations and add-ons keep chugging along flawlessly.

With many consumer routers, if you reboot them (or your ISP does, if it's an all-in-one modem+router) you will lose the DHCP client list and DNS cached hostnames... which causes the same issues.

Open up the HassOS console; it won't work through the sandboxed SSH container.
Log in as "root"
At the ha> prompt type "login" to get to the REAL HassOS
At the # prompt, cd to /etc/NetworkManager/system-connections


Then, using vi (it only has the most basic editor, it seems) you can modify the config files. I put the "original" in a folder called "hold" in case I messed up.

Here is my ā€œinternetā€ connection (the main trusted network)

And then my restricted local-only IoT device network configuration

And then I just connect them to the proper bridge on my hypervisor

I did have to use some trial and error to figure out which "device" in the VM was which NIC on the host... but with 2 choices it wasn't too hard.

6 Likes

I think it depends on the hardware used and your knowledge whether DHCP or static IPs should be used.

Having an all-in-one box is never a good idea; most consumer products are good for a standard home setup with max. 2 floors. I would agree, using static IPs is a really good idea.

But if you have more floors, on each floor an access point connected to your router or even a switch in between, you probably have selected your devices with some care.

Personally I have chosen the following setup:
4x access point = Zyxel NWA 1123v2
24-port Netgear GS724 v4 (L3 web-managed switch, bought used for 50 Euro)
MikroTik router (I don't remember the model)

The VLAN routing is done in the switch already, so I only use the MikroTik router for assigning the IPs and saving static DNS entries based on the tags (no routing between the VLANs).

With my setup I am more than happy with DHCP.

A short warning: if you are not a network expert, be careful with MikroTik, it is far from intuitive.
I spent many hours on the configuration. MikroTik can more or less do everything you want, but it is really difficult to get it working.

IMHO, if you want a more intuitive router I would look at a Sophos appliance or a Zyxel router. (Ubiquiti is like Mac, way too expensive in my eyes.)

1 Like

I would like to preface this post by stating that I am absolutely new to layering my network. I have just recently got my entire network on my UDM Pro and APs
LAN 192.168.1.1 - Unraid/Servers/KVMs/Hass.io/Personal Device
vlan20 192.168.20.1 - IoT

SSIDs for lan / vlan20 / vlan30

Had a static IP set for my Hassio VM at 192.168.40 but could no longer get certain integrations to find devices on vlan20 even though I opened up the whole firewall between the HA server and the IoT network.

@cr0muald0 great write-up, and there is absolutely no way I could have got that all to work without this. After following all the steps, when logging into my router I now see my Home Assistant server showing on my IoT network with an IP of 192.168.20.40, which I set following the guide. I can ping 192.168.1.40, which was the static IP of my HA server originally.

In my UniFi devices I don't see 192.168.1.40 anymore, just the new static IP of the added HA VLAN. I assume this is right? I see the IP jumping back and forth in the web UI. Any other changes I need to make?

Great to know :slight_smile: My Pi after many Home Assistant updates continues rock solid!

Yes, this is the way to go if you move to a VM. Nice job! :slight_smile:

I guess itā€™s all up to you and your switch/router/firewall now, depending on your setup and what segregates your traffic.

Just remember to adjust the ports where you want the traffic belonging to this HA VLAN to flow, so that you don't let it "escape" to other networks. A good test is to try and ping the HA VLAN IP from places where you should not be able to ping it (your normal LAN).

Ideally you should tag the HA VLAN traffic all the way from the HA to the router/firewall's tagged network port and only untag other ports if they need untagging (any devices that are cable-connected and can't tag/untag packets).

Then, if you use wireless to reach HA, create a separate wifi network that will be tagged from the moment a client IoT device connects to it. If your wifi AP is not capable of tagging and separating traffic, then you might consider using a dedicated wifi AP connected via cable to an untagged port of your switch with a PVID matching your HA VLAN. Problem solved :slight_smile:

Just wanted to say thanks for the guide on how to add a second ethernet interface for the IoT VLAN in Proxmox. Works like a charm! :slight_smile:

Okay, new issues seem to arise out of nowhere after the security update. It had been running fine for months based on @cr0muald0's write-up and this board.

Just recently, after one of the new updates, I could no longer update some of my plug-ins. I noticed the log kept giving me a "No Route to Host".

I found that items like community add-ons such as ESPHome install with no issue. I assume it's not a Docker container using the internal Docker container DNS of 172.30.32.1.

However all the others fail and reference "https://ghcr.io/v2/": dial tcp 192.30.255.165:443: connect: no route to host

From the terminal add-on in HA I can't ping 192.30.255.165

Found the error when running traceroute in the HA terminal:
~$ traceroute 192.30.255.165
traceroute to 192.30.255.165 (192.30.255.165), 30 hops max, 46 byte packets
 1 d7b954-nodered.local.hass.io (172.30.32.1) 0.004 ms 0.003 ms 0.001 ms
 2 192.168.20.40 (192.168.20.40) 3081.201 ms !H 3070.861 ms !H 3071.967 ms !H

192.168.20.40 is the actual VLAN IP of the Home Assistant host. Anyone know how to get this directed to the correct DNS of 192.168.20.1?

In my network settings under Supervisor > Host I have (2) IPs

eth0 - DHCP (it's static on my router, 192.168.1.40/24)
eth0.20 - Static (IP: 192.168.20.40/8, Gateway: 192.168.20.1, DNS: 192.168.20.1)

This should be referencing 192.168.1.1 or 192.168.20.1

If I use nmcli con delete on my VLAN, all updates and installs work again but I can no longer talk to my devices on the separate VLANs...

EDIT: FIXED THIS ISSUE. I had VLAN20 set to 192.168.20.40/8. It needed a subnet mask of /24 and all works great now.

1 Like
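The "no route to host" above follows directly from the prefix length, and it is worth seeing why rather than just changing /8 to /24. Below is an added example (not code from the thread, Home Assistant or NetworkManager): it parses keyfiles in the same format shown in the tutorial post, derives the two routes each `address1=ADDR/PREFIX,GW` line gives the kernel (an on-link route for the prefix and a default route via the gateway), and does a longest-prefix-match lookup. With `192.168.20.40/8` the on-link prefix is `192.0.0.0/8`, which swallows both the main LAN and ghcr.io's 192.30.255.165, so the kernel ARPs on eth0.20 instead of sending to a gateway. The keyfiles, the `eth0` device name for the ethernet profile, and the use of table order in place of route metrics for tie-breaking between the two default routes are assumptions made for the example.

```python
"""Derive the routes a NetworkManager keyfile implies and look up a destination
with longest-prefix match, to show why a /8 on a VLAN sub-interface makes an
Internet address look on-link. Example code added to this thread; the keyfiles
below are constructed from values posted in the thread, not copied from a host."""
import configparser
import ipaddress
from typing import List, Tuple

# Constructed keyfiles in the format the tutorial post shows (assumption).
KEYFILE_DEFAULT = """
[connection]
id=HassOS default
type=ethernet
[ipv4]
method=manual
address1=192.168.1.40/24,192.168.1.1
"""

KEYFILE_VLAN_BAD = """
[connection]
id=eth0@vlan20
type=vlan
[vlan]
id=20
parent=eth0
[ipv4]
method=manual
address1=192.168.20.40/8,192.168.20.1
"""

# Same profile with the corrected prefix length.
KEYFILE_VLAN_GOOD = KEYFILE_VLAN_BAD.replace("/8", "/24")

Route = Tuple[ipaddress.IPv4Network, str, str]  # (prefix, via, dev)


def device_name(cfg: configparser.ConfigParser) -> str:
    """NetworkManager names a VLAN sub-interface <parent>.<id>; the ethernet
    profile is assumed to be bound to eth0, as in the thread."""
    if cfg["connection"]["type"] == "vlan":
        return f'{cfg["vlan"]["parent"]}.{cfg["vlan"]["id"]}'
    return "eth0"


def routes_from_keyfile(text: str) -> List[Route]:
    """address1=ADDR/PREFIX,GW yields an on-link route for the prefix (with
    host bits masked off) and a default route via GW on the same device."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    addr, gw = cfg["ipv4"]["address1"].split(",")
    dev = device_name(cfg)
    net = ipaddress.ip_interface(addr).network
    return [(net, "on-link", dev), (ipaddress.ip_network("0.0.0.0/0"), gw, dev)]


def lookup(table: List[Route], dst: str) -> Tuple[str, str]:
    """Longest-prefix match. On equal prefix length the earliest table entry
    wins; the real kernel breaks that tie by route metric (assumption)."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def check_prefix(vlan_keyfile: str, dst: str) -> str:
    """Route dst through a table built from the default profile plus the
    given VLAN profile; returns 'DST via GW|on-link dev DEV'."""
    table = routes_from_keyfile(KEYFILE_DEFAULT) + routes_from_keyfile(vlan_keyfile)
    via, dev = lookup(table, dst)
    return f"{dst} via {via} dev {dev}"


if __name__ == "__main__":
    for label, kf in (("VLAN /8 ", KEYFILE_VLAN_BAD), ("VLAN /24", KEYFILE_VLAN_GOOD)):
        print(label, check_prefix(kf, "192.30.255.165"))
        print(label, check_prefix(kf, "192.168.20.5"))
```

With the /8 profile, 192.30.255.165 matches the on-link route on eth0.20 and the host ARPs for it there, which is exactly the `!H` at hop 2 in the traceroute; with /24 only the default routes match and the packet goes to the eth0 gateway. The same check works for any other destination that mysteriously stops being reachable after adding a sub-interface: if `lookup` returns `on-link` on the VLAN device for an address that is not in that VLAN, the prefix is too wide.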

Great :slight_smile: I was going to say that it was probably a routing/network configuration issue because my HA is updated and the VLANs are still working as they have been for some time now.