Setup VLAN and HA tutorial

THANK YOU!
This was what finally worked for me.

My HA is in the ‘Main’ VLAN. I have many IoT devices in the IOT and NOT VLANs. My Samsung TV is in the NOT VLAN, and HA needs to be in the same VLAN for setup (not sure if it needs to be in the same VLAN after setup).

So I followed the guide, and finally the Samsung TV can be added. But in the UniFi log I see that HA is constantly jumping around VLANs. Is that normal? Should I expect any issues?

Update 1:

I realized all my Tasmota devices are unavailable from the Tasmota integration, and saw from the UniFi log that the Tasmota devices are dropped because of the “DROP invalid state” rule. Once I disabled the rule, they were back in HA. Should I leave them like this? Is this a good practice for the firewall rule?

I have a rule that prevents IOT and NOT devices from accessing their respective gateway ports (80, 443, 22). HA is also constantly blocked by this rule. Is it necessary for HA to access this? Should I make an exception to the rule?

I also have the feeling that my motion-triggered automations are not working properly. All the devices involved in the automation are Zigbee devices (zigbee2mqtt via USB). I don’t understand why :-/

I know I’m late to the game here but hoping you still monitor this thread.

I am running Home Assistant on a Raspberry Pi 4. My network hardware consists of a TP-Link ER605 router and a TP-Link 24-port PoE switch. I have created VLAN50 for my Raspberry Pi and VLAN20 for my IoT devices. I can access my IoT devices from HA and not vice versa. However, HA will not auto-discover new IoT devices, which is why I’m attempting to follow your tutorial.

I have installed the SSH & Web Terminal add-on. When I log in to the terminal and issue the whoami command, it confirms I am the root user. However, when I issue the nmcli command, all it does is give me a long list of parameters and values. It does not take me into the nmcli configuration tool with the #nmcli prompt and the ability to issue commands and save files.

Am I missing something or is this capability no longer available in HA?

Any help is greatly appreciated.

Hi,
I will try to help, but much information is missing to give a proper suggestion.
Yes, it needs to live in the same VLAN, because if you change network segments the IP will change, and you’ll have to re-discover/re-add the devices to HA.
Tasmota devices should live in the same VLAN as HA to avoid firewall issues (they should belong to at least one common VLAN).
What gateway are you talking about? Firewall? HA? I don’t know how you set up your network, so I can’t understand this question. Your setup is quite different from what is suggested in the tutorials above, as it seems you have only one VLAN to which HA belongs, right? If you describe in more detail what you have and want to achieve, I might be able to help more :slight_smile:

Hi, it all depends on what version of HA you are using. Check these posts and see if you can configure your VLANs using the UI.

Ok. I will try to explain the situation in more detail.

My HA (192.168.1.109) was in the Main VLAN.

My Tasmota devices and Samsung TV are in the NoT VLAN (192.168.4.XXX).

Without any VLAN configuration (before applying your guide), I could control the Tasmota devices, because I set a firewall rule that allows NoT to communicate with HA. But I can’t add my Samsung TV, because the Samsung integration doesn’t like VLANs (here).

So to solve this problem, I used your guide. Here is what I did:

#added 2 vlan interfaces
nmcli con add type vlan con-name end0@vlan2 dev end0 id 2 ip4 192.168.2.109/24 ipv4.dns 192.168.1.194 gw4 192.168.2.1
nmcli con add type vlan con-name end0@vlan4 dev end0 id 4 ip4 192.168.4.109/24 ipv4.dns 192.168.1.194 gw4 192.168.4.1

#set the priority
nmcli con modify end0@vlan2 ipv4.route-metric 400
nmcli con modify end0@vlan4 ipv4.route-metric 401

#reboot HA machine
#uncheck auto in "system>network>network adapter" and manually selected all 3 interfaces.
#reboot HA machine again
  1. Then I tried to add my samsungtv, and it worked!
  2. Then I saw in unifi controller that HA is moving between networks. Not sure if this is expected.
  3. All my Tasmota devices are unavailable. I didn’t try to re-add them, just tried to reload. I have a “DROP invalid state” rule in UniFi; after disabling the rule, the Tasmotas are back again.
  4. My wife and I noticed that motion sensor-based automations are not instant like before. The devices involved in the automation are Zigbee devices, by the way. So the only possible reason I could find is that HA sent the command to turn on the light late because it was switching the network?! My Zigbee network is also connected to HA by USB, not by any network adapter.

After all that, I reverted back and am living my life without the Samsung TV integration :stuck_out_tongue: .

I understand your config better now, thanks, but still there are important things to be considered.

  1. Same network segment and everything works because there is no intermediate firewall/routing involved (except whatever filtering you do in both client and HA)
  2. I don’t know how UniFi works (I don’t use it), but remember that HA should only have ONE default gateway set up (although you have 2 network interfaces in it, Main VLAN and NOT VLAN, right?). You have TWO default gateways set up (“gw4 192.168.2.1” / “gw4 192.168.4.1”), and that is wrong. If UniFi sees the same hostname in two networks it might be confused or suspicious, but it should not be a problem; disable whatever it is triggering.
  3. You need to reconfigure the tasmotas and re-add them to use the ip of HA that belongs to the same VLAN as the clients. It can’t be going across VLANs.
  4. I have a Zigbee usb and there is no waiting involved. Your network is not properly configured as per number 2 and 3 :slight_smile:
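Point 2 of this reply, and the two `gw4` values in the nmcli commands posted above, come down to one condition: a multi-homed host must end up with exactly one default route. The script below is an added example, not part of this thread or of Home Assistant; it audits a Linux routing table for extra default routes and names the interfaces whose gateway should be removed. The route table it runs against is constructed sample data (the sub-interface names end0.2/end0.4, the metrics and the 192.168.x.x addresses are assumptions); on a real host, feed it the output of `ip -4 route`.

```shell
#!/bin/sh
# Added example, not from the thread or the Home Assistant project: audit a
# multi-homed Linux host (such as HA with VLAN sub-interfaces) for more than
# one default route. Everything below the comment line is constructed sample
# data; replace SAMPLE_ROUTES with "$(ip -4 route)" on a real host.

# Constructed `ip -4 route` output for a host with two gw4 values configured
SAMPLE_ROUTES='default via 192.168.2.1 dev end0.2 proto static metric 400
default via 192.168.4.1 dev end0.4 proto static metric 401
192.168.1.0/24 dev end0 proto kernel scope link src 192.168.1.109
192.168.2.0/24 dev end0.2 proto kernel scope link src 192.168.2.109 metric 400
192.168.4.0/24 dev end0.4 proto kernel scope link src 192.168.4.109 metric 401'

# count_default_routes ROUTE_TABLE -> prints the number of "default" entries
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# default_route_devs ROUTE_TABLE -> prints "DEVICE METRIC" for every default
# route, lowest metric first (the first line is the one the kernel uses)
default_route_devs() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        dev = ""; metric = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        print dev, metric
    }' | sort -k2,2n
}

# extra_default_devs ROUTE_TABLE -> devices that carry a default route but are
# not the preferred (lowest-metric) one; their gateway setting should go away
extra_default_devs() {
    default_route_devs "$1" | awk 'NR > 1 { print $1 }'
}

# audit_routes ROUTE_TABLE -> returns 0 if exactly one default route exists,
# 1 otherwise (and prints which interfaces to fix)
audit_routes() {
    n=$(count_default_routes "$1")
    if [ "$n" -eq 1 ]; then
        echo "OK: one default route via $(default_route_devs "$1" | awk '{ print $1 }')"
        return 0
    fi
    echo "WARN: $n default routes; remove the gateway from: $(extra_default_devs "$1" | tr '\n' ' ')"
    return 1
}

# Run against the constructed sample (prints the WARN line for end0.4)
audit_routes "$SAMPLE_ROUTES" || echo "fix the routing before relying on stateful firewall rules"
```

For the nmcli-based setup from the older tutorial, the extra gateway on a VLAN connection is cleared with `nmcli con modify end0@vlan4 ipv4.gateway "" ipv4.never-default yes` followed by `nmcli con up end0@vlan4` (connection name assumed from the commands above). To see which interface a given reply actually leaves through, `ip route get DEST from SRC` on the host is the quickest check; a reply that exits on a different VLAN than the request arrived on is exactly what a stateful firewall rule such as “drop invalid state” will discard.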

Thanks for your reply. I am using
HA 2024.5.3
Home Assistant OS 12.3
TP-Link ER605 router
Raspberry Pi 4

After reading through the posts you provided, it appears I can use “ha network vlan” to create an HA VLAN. What I’m not sure about is: do I need to create a VLAN with a static IP address for each device in my IoT VLAN, or can I set it up for any device that appears on the VLAN?

This is something you need to decide on your own (your network architecture), but I can give you my example. I have multiple VLANs, all divided into categories of IOT devices (sensors, media, lights, etc.), that is, those you want to/should/can see each other and those you don’t want to/shouldn’t see each other. Example: do you want your TV to see your Tasmotas? Not really, so create different VLANs and attach each group to its own VLAN. Each VLAN member should definitely have its own IP (static is good, but you can also have a DHCP server there). If you happen to have some other media device that you want to be able to see your TV (stream to it, for example), attach it to the same VLAN, and so on and so forth. You can have as many VLANs as you want, and then just make HA/RPi4 belong to all of them by creating different network interfaces/VLANs.
Also remember, you should have one main network (usually what you get by default by plugging the RJ45 into your switch; if you don’t want to VLAN it specifically, you don’t have to, and it will sit in the PVID for that port from the switch’s config) that serves as a gateway to access the internet or the LAN, where no IOT device that you feel unsafe about should be connected/allowed (call it the safe/unsafe VLAN if you will).

A more direct answer to your last question is: you create a VLAN not for each client but for each group of clients + HA/RPi4. Every client that joins that group/VLAN will/should be able to talk to HA/RPi4 via IP in the same network segment/VLAN, that is, without going through a firewall or router.

I know the thread is long, but there are many interesting posts with suggestions for you to pick from. :wink: Here’s a picture:

Hello @cr0muald0

First, thanks for your huge help to the community! I would never have found it by myself.

One question I have (perhaps a silly one, sorry in advance…)

Your LAN network is the physical one? Meaning it’s VLAN1? Am I right?

Thanks.

Because I don’t see any example where you have HA in VLAN10 with your TV, PC… and have VLAN20 with your IoT.
Is it the same, and will your config apply?

I mean, my goal is to put my LAN in VLAN10 and my IoT in VLAN20. But when I look at your example, it seems I had better leave my LAN by default in VLAN1 (which is not really a VLAN, just the default route) and put my IoT in VLAN20 and use your config.

EDIT : find your reply already :wink: : https://community.home-assistant.io/t/setup-vlan-and-ha-tutorial/87705/56?u=olivier974

So, to be clearer: your LAN is VLAN1, the default one. Do you declare it as VLAN1 in pfSense? It seems so on your schematic, but I thought VLAN1 is a reserved one. I’m possibly wrong…

I read in the pfSense docs that it’s not recommended to use the physical interface (e.g. re0) for the LAN if you have VLANs on it. But on YouTube I see several videos that don’t take this into account and use the physical LAN as the local LAN, then add 2 or more VLANs “on top” of it.

I have only once seen a guy who deleted the physical interface after having created 2 VLANs on it.

Sorry if it’s not clear, English is not my native language.

So I am really undecided about using the physical NIC for the LAN or creating a VLAN1 for the LAN.

Thanks if you can take some time to reply.

Hi @Olivier974 ,

You’re welcome :slight_smile: I have already had both physically separated VLANs, with different cables coming from the server hosting the firewall software (although it is not required), and virtual/logical VLANs in OPNSense, which I use now (I use OPNSense, but the same procedure can be applied to PFSense).

VLAN1 is historically the default VLAN for all ports, so everything belongs to VLAN1 just by plugging a cable into any port on an out-of-the-box managed switch. Because of this, VLAN1 should be left for admin purposes only, isolated from other devices, but it really depends on your setup. If you have virtualized PFSense, you should configure it from the beginning to use the main LAN network in some VLAN other than VLAN1, created in your switch to isolate your main LAN (it could be any other number, VLAN10 or VLAN11 for example; it does not matter, as long as it is available and within your switch’s capabilities).

If you already use the default VLAN1 for your main LAN in PFSense and your switch, that means access and configuration/admin will also be connected and available to all LAN-connected devices, and you might want to avoid that, as it is considered bad security practice. Again, your LAN should be attached to a different VLAN for security reasons if you want to isolate any devices (not only IOT) from the administration network.

One other option, if your switch allows it, would be to configure it to be administered from some other VLAN (admin-specific; some switches have such options), but that depends on what kind of switch you have.


You need to understand how VLANs, tagging and PVIDs work in a switch: when you use re0 in PFSense (read “physical untagged default LAN”), it only means that it will use the PVID (the default untagged VLAN in your switch).

Like I was explaining before, when you plug any network cable from any device that does not support VLAN tagging, how can you put it in a specific VLAN? Answer: You configure the PVID of that port to be of the VLAN you want the device to belong to.

Quick example: imagine you have a laptop that you don’t trust, and you want to connect it with a network cable to your switch and to a specific VLAN (ex., VLAN44 where all devices are dangerous) and you can’t configure that laptop’s network card, how will you attach it to a VLAN44? Answer: You configure that specific port on that switch to have a PVID of VLAN44 (that is, by changing the default VLAN of that port from VLAN1 to VLAN44) and any device attached by cable to that port is now by default on VLAN44.

That’s why your re0 in PFSense is by default, without any configuration on the switch, a member of VLAN1, unless you change the configuration of your switch and PFSense. A proper configuration should look like this:

  1. Configure/create all the VLANs you want in your switch (VLAN10 and VLAN20 or more/other, if you will)
  2. Choose the port in the switch where PFSense will connect to (port 1 for ex.).
  3. Add VLAN10 and VLAN20 as accepted tagged VLANs in port 1 of your switch’s configuration.
  4. Install/configure PFSense/OPNSense and choose/configure the network card that is attached to port 1 of the switch as the LAN network (re0 for example, could be another), configuring VLAN10 tagged as the main LAN and VLAN20 as the IOT network, for example.
  5. Choose another network card/cable for the internet WAN and configure firewall rules accordingly.

That’s it!


Thanks a lot for your explanations and time!

It’s really much clearer now.

Have a nice day :wink:


Unfortunately, it seems it doesn’t work anymore:

Warning: nmcli (1.46.0) and NetworkManager (1.44.2) versions don't match. Restarting NetworkManager is advised.
Error: Failed to add 'enp2s0@vlan10' connection: connection.autoconnect-ports: unknown property

and when I read this, I was really disappointed:

The error with the version mismatch is coming from the fact that you're accessing the Network Manager backend from nmcli running in a container, so it's not a surprise the versions don't match. While HAOS has a specific version coming from the latest Buildroot (plus eventually some HAOS modifications), the containers use nmcli from the Alpine Linux repositories. A (very dirty) workaround would be to manually install/compile an older version of the nmcli and use that.

However, using NM directly is something that's rather unsupported and discouraged - now that HAOS has ha network ... commands in the CLI, those should be used instead. In case you're missing any functionality there, please file a feature request for that, as it's the way how we should move forward. Closing this, since it's not an OS issue.

from here : https://github.com/home-assistant/operating-system/issues/3396

Are you aware of this problem, or am I the only one concerned?

Thanks

Hi,
I have the same problem.
After loading a backup on a new SD card, everything else runs fine, only the nmcli commands don’t work.
Same error message.


Holy sh…,
I found the solution…
Do not use “nmcli”; the new command is “ha network”.

Usage:
ha network vlan [interface] [id] [flags]

Examples:
ha network vlan eth0 10 --ipv4-method auto --ipv6-method disabled

Now it works :smiley:


For those still struggling, HA has changed a lot in the network configuration section (namely VLAN), so you can do most of it just using the UI, and we had already accounted for that earlier in this thread. Old tutorials were left for those who have older versions of HA and need to configure VLANs that way.
For reference:


Hi,

I used nmcli the whole time and never had any issues before.
My first motivation was to upgrade or downgrade NetworkManager, or to understand which properties are missing :see_no_evil: After a long search I stumbled across one of the posts, and my first thought was just W…T…F…, that was stupid.

The communication that nmcli can no longer be used could have been a little bit better.

But thanks for the hint :smiley:
Have a nice day

Yes, sorry for that late edit. I already edited the tutorial with a warning for those who have a more recent version of HA. I think it can still be done via the terminal (I haven’t tested it myself), but you have to access the proper container, and it’s not easy to get there anymore. Better stick to the UI :wink:


Just another update, taking into consideration another post here where I “updated” the procedure to use a more recent approach, so I’ll just paste it here and organize it for future reference, to help anyone still looking for a solution. Older tutorials for older versions of HA are V1 here and V2 here.

  1. Install and configure (according to the documentation) the “Home Assistant Community Add-on: SSH & Web Terminal” add-on in System > Add-ons.
  2. After installation, enter the terminal and run:
ha network -h

to have a list of commands and examples shown to you.
OR/AND

ha network info

to have detailed info about your network and existing interfaces.

OR/AND

ha network vlan -h

to have detailed help on VLAN creation/management.

  3. Create your virtual VLANed interfaces, one per network you want to create/segregate, and have HA exist in them and talk to their members.
    (If you are using PROXMOX or another virtualization system, this is NOT how you should be doing it! You should create your network interfaces using the webGUI of the hypervisor!)
    If you are using a bare-metal installation of Home Assistant OS, the following applies to you:

If static IP, execute: (adjust the capitalized variables below to your needs/context!)

ha network vlan REAL_INTERFACE_NAME VLAN_ID --ipv4-method static --ipv6-method disabled --ipv4-address IP/NETMASK --ipv4-gateway IP_GATEWAY --ipv4-nameserver IP_DNS

If DHCP, execute: (adjust the capitalized variables below to your needs/context!)

ha network vlan REAL_INTERFACE_NAME VLAN_ID --ipv4-method auto --ipv6-method disabled

Use the “--ipv4-gateway IP_GATEWAY” option only ONCE, on the main interface that you want HA to use to reach the internet (usually the main LAN interface). Multiple or per-interface gateways, or poorly configured routing, WILL bring you problems and cause configuration errors.

  4. In the HA webGUI, go to Settings / System / Network and check that the interfaces/networks added are properly configured and set up. Choose the star for the main adapter on this same page.

  5. Configure your VLANs in your switch/network and test!

  6. Profit!

Good luck :wink:
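As an added example (not part of this thread or of the Home Assistant CLI), the script below wraps the static `ha network vlan` form shown in the procedure above: it validates the VLAN ID and CIDR of every definition, refuses a set that carries more than one gateway, and prints the commands instead of running them so they can be reviewed first. The interface name `end0`, the VLAN IDs and the 192.168.x.x addresses in the sample plan are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Home Assistant project: build the
# `ha network vlan` commands for a set of VLANs, validating each definition and
# allowing at most one gateway, because the default route must exist only once.
# Interface name, VLAN IDs and addresses below are constructed sample values.

# valid_vlan_id ID -> 0 if ID is an integer in 1..4094 (802.1Q; 0 and 4095 are reserved)
valid_vlan_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# valid_cidr A.B.C.D/N -> 0 if four octets in 0..255 and a prefix length in 0..32
valid_cidr() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                    # no "/" present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs   # split the address on dots
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# vlan_cmd IFACE ID CIDR DNS [GATEWAY] -> prints one ha command, or fails with a reason
vlan_cmd() {
    valid_vlan_id "$2" || { echo "bad VLAN id: $2" >&2; return 1; }
    valid_cidr "$3"    || { echo "bad address: $3" >&2; return 1; }
    cmd="ha network vlan $1 $2 --ipv4-method static --ipv6-method disabled --ipv4-address $3 --ipv4-nameserver $4"
    [ -n "$5" ] && cmd="$cmd --ipv4-gateway $5"
    printf '%s\n' "$cmd"
}

# plan IFACE DEFINITIONS -> prints the command for every line "ID CIDR DNS [GATEWAY]";
# refuses the whole set if more than one line carries a gateway
plan() {
    gws=$(printf '%s\n' "$2" | awk 'NF >= 4 { n++ } END { print n + 0 }')
    [ "$gws" -le 1 ] || { echo "refusing: $gws gateways defined, only the main interface may have one" >&2; return 1; }
    printf '%s\n' "$2" | while read -r id cidr dns gw; do
        [ -n "$id" ] || continue                     # skip blank lines
        vlan_cmd "$1" "$id" "$cidr" "$dns" "$gw" || return 1
    done
}

# Constructed sample: VLAN 10 is the main LAN and the only one with a gateway
SAMPLE_PLAN='10 192.168.10.5/24 192.168.10.1 192.168.10.1
20 192.168.20.5/24 192.168.10.1
30 192.168.30.5/24 192.168.10.1'

# Review the printed commands; on the HA terminal run: plan end0 "$SAMPLE_PLAN" | sh
plan end0 "$SAMPLE_PLAN"
```

A VLAN ID outside 1..4094, a malformed address, or a second gateway aborts the run before any `ha network vlan` command is emitted, which is cheaper than discovering a duplicate default route after the reboot.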
