Setup VLAN and HA tutorial

How to setup router rules to setup and secure network and adding devices to HA from different vlan?

  1. Main network
  2. VLAN for HA
  3. VLAN for IoT devices connected to HA

Well, there is no generic answer to this. You should have a look into the manuals of your router, network switch and Wifi access point on how to configure VLANs. Once the VLANs are configured, and access ports on your switch configured, and Wifi SSIDs tied to VLANs, and devices on different VLANs can still communicate, you could start configuring firewall rules to limit access between VLANs and into the Internet.

To add, how things are done will vary by the router and switch(s) and the network layout you have. Not all routers or switches support VLANs so you may need to replace some items.

After router is setup:

Do I need to do some extra coding in HA’s config Yaml file to deploy communication with devices on VLANs or I just need proper IPs on different VLANs of those devices?

The biggest difference you will run into is that you will need to manually configure everything by IP/hostname, as most autodiscovery relies on multicast based technologies like UPNP/mDNS etc, which won’t cross broadcast domains (VLANs).

Hi everyone,
this is my first post and attempt to contribute to HA amazing community.

I have been reading a lot lately about this problem because I too have a “VLANned” setup at home, effectively separating sensors and so what from my LAN. Case is that when I tried to discover my Xiaomi Air Purifiers with HA it failed miserably because of routing (even with firewall completely down between LAN and sensors VLAN). I double checked by testing the mirobo tool from a linux system on different network segments, so I knew from then that it was a networking problem.

After many hours of reading different threads and pages on this subject, I managed to achieve a working VLAN setup in HA (L3) where the HA eth0 interface (cabled one, as my wifi is off) is subdivided into 2 interfaces: eth0 and eth0.10. The eth0 is on the LAN side and eth0.10 is on the VLAN sensors side. This serves my purpose and it works (so far). My Xiaomi Air Purifiers are now discoverable and reporting to HA, although belonging to a different network than the rest of my LAN. You can adjust it to your needs, I guess, by adding more VLANS or even making it an L2 with complete separation (no routing whatsoever).

Some would argue it would just be better to put HA on the sensors side of the network and leave it there, but I wanted to be able to discover other devices on my LAN side too (media players, etc), so that would force me to punch a hole in my firewall to let HA in and in addition I would get the same old routing problems.

So to help others, here goes my description of what I did to achieve VLAN integration. Please comment and correct whatever you see fit for improvement. This configuration is still not “battle proven” so attempt it at your own risk :slight_smile:

It only works for HassOS but you can use the generated config to apply it in ResinOS version too, via USB import, I guess.

My main source of information were these three pages with information regarding nmcli (NetworkManager command line tool):

https://github.com/home-assistant/hassos/pull/199/files
https://docs.fedoraproject.org/en-US/Fedora/22/html/Networking_Guide/sec-Configure_802_1Q_VLAN_Tagging_Using_the_Command_Line_Tool_nmcli.html
https://developer.gnome.org/NetworkManager/stable/nmcli.html

VLAN in HA:

  1. Log in as root to the HASSOS base system via a console

  2. At the hassio > prompt, type login

  3. From here you will use the nmcli configuration tool.
    `nmcli connection show` will list the “HassOS default” connection in use.

  4. Create the VLAN interface with a static address on eth0 (parent interface), defining ip, gateway and dns (adjust to your needs)
    `nmcli con add type vlan con-name [email protected] dev eth0 id 10 ip4 10.0.0.2/8 ipv4.dns 10.0.0.1 gw4 10.0.0.1`

  5. Show connections again and it should list your new VLAN (fake uuids)
    `nmcli connection show`

```
NAME            UUID                                  TYPE      DEVICE
HassOS Default  aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa  ethernet  eth0
[email protected]  bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb  vlan      eth0.10
```

  6. To see more detailed info about the connection
    `nmcli -p con show [email protected]`

  7. Now enter the nmcli editor to “edit” your connection
    `nmcli con edit [email protected]`

  8. Just save the settings and properties and it should report a successful update to the connection
    `nmcli> save`

  9. To double check settings of the vlan interface
    `nmcli> print ipv4`

  10. Quit the nmcli editor
    `nmcli> quit`

  11. Check for the creation of a new file with VLAN definitions (there should be a [email protected] file)
    `ls -la /etc/NetworkManager/system-connections/`

  12. (optionally) Check the contents of the file (possible output below)
    `cat /etc/NetworkManager/system-connections/[email protected]`

```
[connection]
[email protected]
uuid=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb
type=vlan
permissions=
timestamp=1546212011

[ethernet]
mac-address-blacklist=

[vlan]
egress-priority-map=
flags=1
id=10
ingress-priority-map=
parent=eth0

[ipv4]
address1=10.0.0.2/8,10.0.0.1
dns=10.0.0.1;
dns-search=
method=manual

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
```

  13. Exit the session and reboot the HA host to test (after rebooting you can login to HassOS again like in 1st step and see if file with definitions still exists)

  14. Profit! :wink:

Hope this helps someone getting somewhere!
Good luck!

6 Likes
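
An added example, not part of the original post: a small Python check for a VLAN keyfile like the one generated above, flagging settings that weaken segmentation on a dual-homed HA host (a gateway on the VLAN profile, a very wide on-link prefix, IPv6 autoconfiguration on the IoT side). The sample keyfile is constructed, its connection id is a placeholder, and the 4096-address threshold and the function name are assumptions.

```python
import configparser
import ipaddress

# Constructed sample modelled on the keyfile shown in the post; the id value
# is a placeholder because the original name is not recoverable from the page.
SAMPLE_KEYFILE = """\
[connection]
id=iot-vlan10
type=vlan

[vlan]
id=10
parent=eth0

[ipv4]
address1=10.0.0.2/8,10.0.0.1
dns=10.0.0.1;
method=manual

[ipv6]
addr-gen-mode=stable-privacy
method=auto
"""

def audit_vlan_keyfile(text, max_onlink=4096):
    """Return a list of findings for a NetworkManager VLAN keyfile."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    if cfg.get("connection", "type", fallback="") != "vlan":
        return ["not a VLAN profile"]
    ipv4 = cfg["ipv4"] if cfg.has_section("ipv4") else {}
    never_default = ipv4.get("never-default", "false").lower() == "true"
    findings = []
    for key, value in ipv4.items():
        if not key.startswith("address"):
            continue
        addr, _, gateway = value.partition(",")  # keyfile form: addr/prefix,gateway
        net = ipaddress.ip_interface(addr.strip()).network
        if net.num_addresses > max_onlink:
            findings.append(f"{key}: /{net.prefixlen} is on-link for {net.num_addresses} addresses")
        if gateway.strip() and not never_default:
            findings.append(f"{key}: gateway {gateway.strip()} adds a default route via the VLAN")
    if cfg.get("ipv6", "method", fallback="") == "auto":
        findings.append("ipv6: method=auto accepts router advertisements from the VLAN")
    return findings

if __name__ == "__main__":
    for finding in audit_vlan_keyfile(SAMPLE_KEYFILE):
        print(finding)
```

A profile with a narrow prefix, no gateway (or `never-default=true` in `[ipv4]`) and IPv6 disabled on the VLAN returns no findings.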

many thanks for this. i’m starting exactly the same way. i didn’t want to get caught out with changing SSID wireless settings later on down the track and isolating devices, so i’ve created a new VLAN which is tagged through all switches and setup on my edgerouter with a separate DHCP scope. i’ve added a separate SSID on my ubiquiti AP’s on this same VLAN so it’s all dedicated just for home automation.

but i couldn’t work out how to change the hass.io config to suit to permit discovery on both VLAN’s.

your guide worked a treat. many thanks :slight_smile:

Great! I’m actually considering multiplying VLANs and separating IoT devices according to categories and/or rooms, but I have not had the time to think it over (no real reason to have all IoT devices living under the same network, sharing the same wifi - if you have several APs around the house, you could distribute clients per area or type of access, 2.4 and 5ghz - except for easiness of setup).

Segregation would be beneficial when it comes to limiting what information each sensor can obtain from the network (imagine what could happen if a hacked/proprietary temperature sensor could collect information about the door locks’ state just from packets traversing the network between HA and IoT locks).

I believe the better the segregation the more you can control your network and what is happening inside of it. Is it more complex? Yes, absolutely, but no keys/doors at home is also more convenient, still nobody complains about having them, right? :smile:

Any input on strategies for IoT segregation is very welcome!

Thank you, worked perfectly for me :slight_smile: I omitted the static ip, gateway and dns to use my dhcp for it and it works just great.

First of all, great HOWTO, great work!

For everyone running Proxmox having hassio in its own VM, the guide above will definitely work, but you will create a network assignment inside the VM instead of having it managed in Proxmox.
So if you like to have everything maintained by proxmox, here are my cents.

1.) Add Network Interface in Proxmox

2.) Connect to Hassio with SSH (use community SSH addon)

My config is simple, but I only activate it manually, so no issue.

Putty login by user and password specified.
A command like "login" is not required. When you are in, you are in and we can start.


3.) Check available devices and status
`nmcli device status`
In my case a device called enp0s18 is disconnected

4.) Enable enp0s18 by adding a connection name (HassOS-vlan) + DHCP
`nmcli con add type ethernet con-name HassOS-vlan ifname enp0s18`

In case you would like to have a static IP address, use (of course change it to your needs!)

`nmcli con add type ethernet con-name HassOS-vlan ifname enp0s18 ip4 192.168.10.220/24 ipv4.dns 192.168.10.254 gw4 192.168.10.254`

5.) Check your IP Leases in your router if the Hassio came up with another interface, in my case a mikrotik router

6.) To be on the safe side, ping hassio and open the website on the new IP address

Could someone help me out? I cannot get this to work.
When I add the VLAN, I cannot access both addresses. My router does show the VLAN, offers a DHCP but it never gets accepted.
If I remove the VLAN interface, my regular interface (eth) works again right away.

I use Home Assistant in a VM.

I finally ended up manually editing the files under /etc/NetworkManager/system-connections, removing the default and adding 2 new ones (one for each network-interface, I handle VLANs having 1 dedicated interface per VLAN between my switch and hypervisor box to increase throughput without expensive >1Gbps gear)

I very strongly recommend static IPs for everything – that will avoid a LOT of problems and things falling apart if you ever have your network go down (e.g. rebooting router/switch) at the moment something tries to do a call. I didn’t do this at first and my whole system imploded when I was upgrading my router and it took many hours to realize that my nightmares were caused by some things caching old IPs for DNS, and the new router not yet having got the DHCP request to put it in DNS yet. Ever since moving to static IPs everywhere I’ve not had a single issue, even when I have a network connectivity failure the automations and addons keep chugging along flawlessly.

Many consumer routers if you reboot them (or your ISP does, if it’s an all-in-one modem+router) you will lose the DHCP client list and DNS cached hostnames…which causes the same issues.

Open up the HassOS console, it won’t work thru the sandboxed ssh container.
Log in as “root”
At the ha> prompt type “login” to get to the REAL hassos
At the # prompt, cd to /etc/NetworkManager/system-connections

Then, using vi (it only has the most basic editor it seems) you can modify the config files. I put the “original” in a folder called “hold” in case I messed up.

Here is my “internet” connection (the main trusted network)

And then my restricted local-only IoT device network configuration

And then I just connect them to the proper bridge on my hypervisor

I did have to use some trial and error to figure out which “device” in the VM was which NIC on the host…but with 2 choices it wasn’t too hard.

1 Like

I think it depends on the used hardware and your knowledge if DHCP or Static IPs should be used.

Having an all in one box is never a good idea, most of the consumer products are good for a standard home setup with max. 2 floors. I would agree, using static ip is a really good idea.

But if you have more floors, on each floor an access point connected to your router or even a switch in between, you probably have selected your devices with some care.

Personally I have the following setup chosen:
4X AccessPoint = Zyxel NWA 1123v2
24 Port Netgear GS724 v4 (L3 Webmanaged switch = bought it used for 50 Euro)
Mikrotik router (I don’t remember the model)

The VLAN Routing is done in the switch already, so I only use the mikrotik router for assigning the ips and saving static dns entries based on the tags ( no routing between the vlans)

With my setup I am more than happy to dhcp.

A short warning, if you are not a network expert, be careful with mikrotik, it is far away from being intuitive.
I spent many hours on the configuration. Mikrotik can more or less do everything you want, but it is really difficult to get it working.

IMHO, if you plan to have a more intuitive router I would look for Sophos appliance or zyxel router. (Ubiquiti is like MAC, way too expensive in my eyes)