Setup VLAN and HA tutorial

Many thanks for this. I'm starting exactly the same way. I didn't want to get caught out with changing SSID wireless settings later on down the track and isolating devices, so I've created a new VLAN which is tagged through all switches and set up on my EdgeRouter with a separate DHCP scope. I've added a separate SSID on my Ubiquiti APs on this same VLAN so it's all dedicated just for home automation.

But I couldn't work out how to change the hass.io config to permit discovery on both VLANs.

Your guide worked a treat. Many thanks :slight_smile:


Great! I'm actually considering multiplying VLANs and separating IoT devices according to categories and/or rooms, but I have not had the time to think it over (there is no real reason to have all IoT devices living under the same network, sharing the same wifi - if you have several APs around the house, you could distribute clients per area or type of access, 2.4 and 5 GHz - except for ease of setup).

Segregation would be beneficial when it comes to limiting what information each sensor can obtain from the network (imagine what could happen if a hacked/proprietary temperature sensor could collect information about the door locks’ state just from packets traversing the network between HA and IoT locks).

I believe the better the segregation the more you can control your network and what is happening inside of it. Is it more complex? Yes, absolutely, but no keys/doors at home is also more convenient, still nobody complains about having them, right? :smile:

Any input on strategies for IoT segregation is very welcome!


Thank you, worked perfectly for me :slight_smile: I omitted the static IP, gateway and DNS to use my DHCP for it and it works just great.

First of all, great HOWTO, great work!

For everyone running Proxmox with hassio in its own VM, the guide above will definitely work, but you will create a network assignment inside the VM instead of having it managed in Proxmox.
So if you would like to have everything maintained by Proxmox, here are my two cents.

1.) Add Network Interface in Proxmox


2.) Connect to Hassio with SSH (use community SSH addon)

My config is simple, but I only activate it manually, so no issue.

PuTTY login with the user and password specified.
A command like "login" is not required. When you are in, you are in and we can start.


3.) Check available devices and their status
`nmcli device status`
In my case a device called enp0s18 is disconnected.


4.) Enable enp0s18 by adding a connection name (HassOS-vlan) + DHCP
`nmcli con add type ethernet con-name HassOS-vlan ifname enp0s18`

In case you would like to have a static IP address, use (of course change it to your needs!)

`nmcli con add type ethernet con-name HassOS-vlan ifname enp0s18 ip4 192.168.10.220/24 gw4 192.168.10.254 ipv4.dns 192.168.10.254`

5.) Check the IP leases in your router to see if hassio came up with another interface; in my case a Mikrotik router.

6.) To be on the safe side, ping hassio and open the website on the new IP address.



Could someone help me out? I cannot get this to work.
When I add the VLAN, I cannot access either address. My router does show the VLAN and offers a DHCP lease, but it never gets accepted.
If I remove the VLAN interface, my regular interface (eth) works again right away.

I use Home Assistant in a VM.

I finally ended up manually editing the files under /etc/NetworkManager/system-connections, removing the default and adding 2 new ones (one for each network-interface, I handle VLANs having 1 dedicated interface per VLAN between my switch and hypervisor box to increase throughput without expensive >1Gbps gear)

I very strongly recommend static IPs for everything – that will avoid a LOT of problems and things falling apart if you ever have your network go down (e.g. rebooting router/switch) at the moment something tries to do a call. I didn’t do this at first and my whole system imploded when I was upgrading my router and it took many hours to realize that my nightmares were caused by some things caching old IPs for DNS, and the new router not yet having got the DHCP request to put it in DNS yet. Ever since moving to static IPs everywhere I’ve not had a single issue, even when I have a network connectivity failure the automations and addons keep chugging along flawlessly.

With many consumer routers, if you reboot them (or your ISP does, if it's an all-in-one modem+router) you will lose the DHCP client list and DNS cached hostnames, which causes the same issues.

Open up the HassOS console; it won't work through the sandboxed SSH container.
Log in as "root".
At the ha> prompt type "login" to get to the REAL HassOS.
At the # prompt, cd to /etc/NetworkManager/system-connections


Then, using vi (it only has the most basic editor it seems) you can modify the config files. I put the “original” in a folder called “hold” in case I messed up.

Here is my “internet” connection (the main trusted network)

And then my restricted local-only IoT device network configuration

And then I just connect them to the proper bridge on my hypervisor

I did have to use some trial and error to figure out which "device" in the VM was which NIC on the host, but with 2 choices it wasn't too hard.


I think whether DHCP or static IPs should be used depends on the hardware used and your knowledge.

Having an all-in-one box is never a good idea; most consumer products are good for a standard home setup with max. 2 floors. I would agree that using a static IP is a really good idea.

But if you have more floors, on each floor an access point connected to your router or even a switch in between, you probably have selected your devices with some care.

Personally I have chosen the following setup:
4x access point = Zyxel NWA 1123v2
24-port Netgear GS724 v4 (L3 web-managed switch; bought it used for 50 Euro)
Mikrotik router (I don't remember the model)

The VLAN routing is done in the switch already, so I only use the Mikrotik router for assigning the IPs and saving static DNS entries based on the tags (no routing between the VLANs).

With my setup I am more than happy with DHCP.

A short warning: if you are not a network expert, be careful with Mikrotik, it is far from intuitive.
I spent many hours on the configuration. Mikrotik can more or less do everything you want, but it is really difficult to get it working.

IMHO, if you want a more intuitive router I would look for a Sophos appliance or Zyxel router. (Ubiquiti is like Mac, way too expensive in my eyes.)


I would like to preface this post by stating that I am absolutely new to layering my network. I have just recently got my entire network on my UDM Pro and APs.
LAN 192.168.1.1 - Unraid/Servers/KVMs/Hass.io/Personal Device
vlan20 192.168.20.1 - IoT

SSIDs for - lan / vlan20 / vlan30

I had a static IP set for my Hassio VM at 192.168.40 but could no longer get certain integrations to find devices on vlan20 even though I opened up all firewall rules between the HA server and the IoT network.

@cr0muald0 great write-up, and there is absolutely no way I could have got that all to work without this. After following all the steps, when logging into my router I now see my Home Assistant server showing on my IoT network with an IP of 192.168.20.40 which I set following the guide. I can ping 192.168.1.40 which was the static IP of my HA server originally.

In my UniFi devices I don't see 192.168.1.40 anymore, just the new static IP of the added HA VLAN. I assume this is right? I see the IP jumping back and forth in the WebUI. Any other changes I need to make?

Great to know :slight_smile: My Pi after many Home Assistant updates continues rock solid!

Yes, this is the way to go if you move to a VM. Nice job! :slight_smile:

I guess it’s all up to you and your switch/router/firewall now, depending on your setup and what segregates your traffic.

Just remember to adjust the ports where you want the traffic belonging to this HA VLAN to flow, so that you don’t let it “escape” to other networks. A good test is to try and ping the HA VLAN IP from places where you should not be able to ping (your normal LAN).

Ideally you should tag the HA VLAN traffic all the way from the HA to the router/firewall network tagged port and only untag any other ports if they need untagging (any devices that are cable connected and can’t tag/untag packets).

Then if you use wireless to reach HA, create a separate wifi network that will be tagged from the moment a client IoT device connects to it. If your wifi AP is not capable of tagging and separating traffic, then you might consider using a dedicated wifi AP connecting via cable to an untagged port of your switch with a PVID matching your HA VLAN. Problem solved :slight_smile:

Just wanted to say thanks for the guide on how to add a second ethernet interface for the IoT VLAN in Proxmox. Works like a charm! :slight_smile:

Okay, new issues seem to arise out of nowhere after the security update. Been running fine for months based on @cr0muald0's write-up and this board.

After one of the recent updates I could no longer update some of my plug-ins. I noticed the log kept giving me a "No Route to Host".

I found that items like Community Add-ons such as ESPHome install with no issue. I assume it's not a docker container using the internal docker container DNS of 172.30.32.1.

However, all the others fail and reference "https://ghcr.io/v2/": dial tcp 192.30.255.165:443: connect: no route to host

From the terminal plugin in HA I can't ping 192.30.255.165 (`~$ ping 192.30.255.165`).

Found the error when running traceroute in the HA terminal:

```
~$ traceroute 192.30.255.165
traceroute to 192.30.255.165 (192.30.255.165), 30 hops max, 46 byte packets
 1 d7b954-nodered.local.hass.io (172.30.32.1) 0.004 ms 0.003 ms 0.001 ms
 2 192.168.20.40 (192.168.20.40) 3081.201 ms !H 3070.861 ms !H 3071.967 ms !H
```

192.168.20.40 is the actual VLAN IP of my Home Assistant. Anyone know how to get this directed to the correct DNS of 192.168.20.1?

In my network settings under Supervisor > Host I have (2) IPs:

eth0 - DHCP (it's static on my router, 192.168.1.40/24)
eth0.20 - Static (IP: 192.168.20.40/8, Gateway: 192.168.20.1, DNS: 192.168.20.1)

This should be referencing 192.168.1.1 or 192.168.20.1.

If I use `nmcli con delete` on my VLAN, all updates and installs work again, but I can no longer talk to my devices on the separate VLANs...

EDIT: FIXED THIS ISSUE. I had the VLAN20 set to 192.168.20.40/8. Needed a subnet mask of 24 and all works great now.

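Why a /8 prefix on the VLAN interface produces the `!H` above: with 192.168.20.40/8 the host treats all of 192.0.0.0/8, including 192.30.255.165, as directly connected, so it ARPs for the address on the VLAN instead of sending the packet to the gateway. The POSIX shell script below (an added example, not from any post in this thread) computes the on-link decision for the prefixes in the post; the addresses are the ones quoted above.

```shell
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask for a prefix length (0-32) as an integer.
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# on_link LOCAL/PREFIX DEST -> "yes" if DEST lies inside LOCAL's subnet,
# i.e. the kernel sends it directly (ARP on the link) rather than via the
# gateway; otherwise "no".
on_link() {
    addr=${1%/*}
    plen=${1#*/}
    mask=$(prefix_mask "$plen")
    local_net=$(( $(ip_to_int "$addr") & mask ))
    dest_net=$(( $(ip_to_int "$2") & mask ))
    if [ "$local_net" -eq "$dest_net" ]; then echo yes; else echo no; fi
}

# next_hop LOCAL/PREFIX GATEWAY DEST -> where the first packet is sent.
next_hop() {
    if [ "$(on_link "$1" "$3")" = yes ]; then
        echo "direct (ARP for $3 on the VLAN)"
    else
        echo "$2"
    fi
}

# The thread's case: ghcr.io's address against the wrong and the right prefix.
# With /8 nothing on the VLAN answers the ARP, hence "!H" / no route to host.
next_hop 192.168.20.40/8  192.168.20.1 192.30.255.165
next_hop 192.168.20.40/24 192.168.20.1 192.30.255.165
```

The same check is worth running against any address that must be reached through the gateway before committing an `nmcli` static configuration.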

Great :slight_smile: I was going to say that it was probably a routing/network configuration issue because my HA is updated and the VLANs are still working as they have been for some time now.

I've been trying to set up something along these lines as well. I'm running HassOS on Proxmox (set up a few days ago with whiskerz's script, core-2021.2.3, supervisor-2021.02.11).

The Proxmox server's physical NIC is connected to a trunk line (among others: 192.168.20.0/24 untagged, 192.168.40.0/24 tagged VID 40). The subnet 20 family is for trusted machines, subnet 40 is for IoT devices.

I have assigned virtual network cards enp0s18 (subnet 20) and enp0s19 (subnet 40) to the HA VM. Everything works great with a single network card. Via DHCP it obtains always the same IP (mapped to the virtual NIC’s MAC address), as the information displayed after SSH login shows:

System information
IPv4 addresses for enp0s18: 192.168.20.x/24
IPv6 addresses for enp0s18: 2a02:2455:ce4:…/64, fe80::d185:…/64
IPv4 addresses for enp0s19:

The Hassio dashboard (menu "Supervisor -> System") shows the same information: enp0s18: IPv4 DHCP, IPv6 DHCP; enp0s19: IPv4 Disabled, IPv6 DHCP Disabled.

I access the HA instance via https and a public duckdns.org address which is statically routed to the local IP 192.168.20.154.

But as soon as I bring up the link of enp0s19 and run (the nmcli command does not work because NetworkManager is not installed)

ha network reload

the second network card is recognized and obtains IPv4 and IPv6 addresses via DHCP as well (and is reachable via ping):

System information
IPv4 addresses for enp0s18: 192.168.20.x/24
IPv6 addresses for enp0s18: 2a02:2455:ce4:…/64, fe80::d185:…/64
IPv4 addresses for enp0s19: 192.168.40.y/24
IPv6 addresses for enp0s19: 2a02:2455:ce4:…/64, fe80::c468:40a5:e42b:f9f8/64

But according to Proxmox the VM's CPU usage goes up from around 10% to almost 100%, and the "Supervisor" menu in the Hassio dashboard loads slowly. ps -A and top on the HA's SSH login look normal. There seems to be a lot of traffic on the network, and after a while a message pops up on my MacBook that it obtained another name <old name> (1), then <old name> (2), and so forth. Looks like a discovery storm or so.

Any ideas what went wrong?

Can I still use above tutorial for HassOS (Hass Blue)? What I would love to achieve:

Have two isolated VLANs connect to Hass Blue over the single ethernet connection (so no untagged access port, but a trunk port I assume?)
Connect Hass to my IoT VLAN
Connect the UniFi add-on to the UniFi devices via the default UniFi management VLAN

If this is possible, how to achieve this?

If both VLANs are totally separated I'll probably need some additional firewall rule to see the UniFi web portal via Hass on the IoT VLAN.

So I've successfully set up multiple VLANs; the only problem is that Phoscon in the deCONZ add-on is no longer accessible via the eth0 interface and instead uses the VLAN interface (although the deCONZ VNC still works fine), so I am unable to connect to Phoscon via the Home Assistant interface, and instead have to connect to it via a web browser on the tagged VLAN. Anyone know how to set which interface Phoscon uses?

Edit: Seems to be working fine now.

I just set it up with Home Assistant Blue. Getting core SSH access took a lot of trial and error (for some reason, despite the walkthrough saying the USB could be formatted as NTFS, only FAT worked). My only problem is that now the deCONZ web UI (Phoscon) is using the VLAN interface instead of the main interface.

Hi, I have Proxmox running, and it is great.
Now I received my UDM Pro and after making the VLANs...
All works but...
TTS to Google Cast is not working anymore.
When I press "send" the Nest Mini makes the wake-up sound.
But then nothing.
All worked before... so it is not the YAML settings.
I just put the VLAN on Proxmox and all works, only TTS not...
Help...

Just did a check...
I removed the VLANs from Proxmox and TTS is working again!
More to investigate!