Setup VLAN and HA tutorial

OK, we’ll see what I end up with. Right now the house isn’t even built. Prepped a lot of outlets though. :slight_smile:

Hi, I recently replaced the standard firmware for Merlin in an 88 and tried to figure out how to do this, but I seem not to be skilled enough and missed the trick. Can you give a little hint about how you did this in your 68?
(and thanks for all those valuable posts)

Absolutely. Sorry to others for the off-topic post. I will give basic guidelines, although longish, and you should be able to get there on your own. If not, just tell me here or via private message, so I can help you further. (I just did these procedures on a second rt-ac68u, so everything is fresh)

  1. Enable AP mode on the router, enable the number of virtual ssids you wish to have in guest wifi settings and lastly enable the jffs partition setting
  2. ssh into the router
  3. First test all the commands for vlan creation/config and bridge creation/config in sequence and copy them one by one to a notepad, so you can slowly but steadily create your own script (and if something goes wrong, you can always reboot the router and start over without any problems)
  4. When all commands are prepared, create/edit a file named “services-start” under /jffs/scripts/ and “chmod a+x services-start” after, so it can be executed by the system. I again recommend doing all rules and commands first in notepad or equivalent because any commands saved to this file will be executed during boot. Any wrong configuration could leave your router with no access/not working, and you’ll have to reset and restart (happened to me, and it’s not a tragedy anyway)
  5. To configure vlan’s you should use a tool called “robocfg”

robocfg show

will output your current vlan config, each number is a port on the router + cpu port

This is a default config output without any configuration:
1: vlan1: 0 1 2 3 4 5t
2: vlan2: 5t

This is mine after adjusting the router to my needs:
1: vlan1: 0t 5t
2: vlan2: 5t
10: vlan10: 0t 5t
20: vlan20: 0t 1 2 3 4 5t

Important notes:

  • 0 is the WAN port used as tagged uplink to switch
  • 1,2,3,4 are LAN ports
  • 5 is the CPU internal port (newer router versions might have CPU port as number 8, check your model)
  • vlan1 and vlan2 are internal to how the system works LAN and WAN respectively, so try to either adjust your vlanning to them, or just leave them alone and use higher vlan numbers like I did
  • the “t” indicates a tagged port

So as you can see, in my settings, all traffic is tagged before leaving the router to the switch.
Next, you’ll need to create vlans and bridges to attach the network interfaces to them. Here goes my example of configuration:

/usr/sbin/robocfg vlan 1 ports "0t 5t"
/usr/sbin/robocfg vlan 2 ports "5t"
/usr/sbin/robocfg vlan 10 ports "0t 5t"
/usr/sbin/robocfg vlan 20 ports "0t 1 2 3 4 5t"

Next, create the nonexistent vlans (adjust numbers) and up them:

/sbin/vconfig add eth0 10
/sbin/vconfig add eth0 20
/sbin/ifconfig vlan10 up
/sbin/ifconfig vlan20 up

  6. Next we create/adjust the bridges.

First check the status:

brctl show

bridge name	bridge id		STP enabled	interfaces
br0		8000.3c7c3f728380	yes	vlan1 #vlan1 interface
				                eth1 #eth1 wireless 2.4ghz interface
				                eth2 #eth2 wireless 5ghz interface
				                wl0.1 #first guest/virtual wireless 2.4ghz
				                wl1.1 #first guest/virtual wireless 5ghz

Now an example on how to set up the bridges

brctl addbr br20
brctl stp br20 on
ifconfig br20 192.168.20.20 netmask 255.255.255.0 #config br20 ip
brctl addif br20 vlan20 #add vlan20 interface to br20
brctl delif br0 eth1 #remove eth1 from br0
brctl delif br0 eth2 #remove eth2 from br0
brctl delif br0 wl0.1 #remove wl0.1 from br0
brctl delif br0 wl1.1 #remove wl1.1 from br0
brctl addif br20 eth1 #add eth1 interface to br20
brctl addif br20 eth2 #add eth2 interface to br20
brctl addif br20 wl0.1 #add wl0.1 interface to br20
brctl addif br20 wl1.1 #add wl1.1 interface to br20
ip link set br20 up

Just use the above to create additional bridges, like br10 or your own.
It should produce this:

brctl show 
bridge name	bridge id		STP enabled	interfaces
br0		    8000.3c7c3f728380	yes		vlan1
br10		8000.3c7c3f728380	yes		vlan10
br20		8000.3c7c3f728380	yes		vlan20
				                        eth1
				                        eth2
                                        wl0.1
                                        wl1.1

Important notes:

  • bridges are needed to join interfaces (physical and virtual) into one network
  • each bridge should belong to a separate network
  • each guest/vssid created in the webui creates a new interface that needs to be added to a bridge
  • we are using the same rules for ssid separation, there are plenty of examples/tutorials out there:
    https://gist.github.com/b1tman1ac/3d2cad0094e78a587f217a0720c9c11c
    is a good starting point
  7. Wrap up the internal mechanisms
    Check the last link in point 6 to create good formatting and to create the nvram rules necessary for your new bridges, lans, etc.
    Below is a possible example for what we have above.
nvram set lan_ifnames="vlan1"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan20 eth1 eth2 wl0.1 wl1.1"
nvram set lan1_ifname="br20"
nvram set lan2_ifnames="vlan10"
nvram set lan2_ifname="br10"
nvram set br0_ifnames="vlan1"
nvram set br0_ifname="br0"
nvram set br20_ifnames="vlan20 eth1 eth2 wl0.1 wl1.1"
nvram set br20_ifname="br20"
nvram set br10_ifnames="vlan10"
nvram set br10_ifname="br10"
nvram commit
killall eapd
eapd
  8. Copy rules/commands to services-start, save and restart after proper formatting and checking!

Good luck! :slight_smile:
p.s. - another possible helpful link for ac86u

1 Like
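A sanity check for the router procedure in the post above, as an added example that is not part of the original post: it parses `robocfg show` and `brctl show` output to flag ports that are untagged in more than one VLAN and interfaces that ended up in the wrong bridge. The function names and the sample data, which deliberately contains one mistake of each kind, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run before the layout goes into services-start.
# On the router:  robocfg show | untagged_conflicts ; brctl show | misplaced_ifaces "..."

# Ports listed without the "t" suffix (untagged) in more than one VLAN.
untagged_conflicts() {
    awk '
    $2 ~ /^vlan[0-9]+:$/ {
        vlan = $2; sub(/:$/, "", vlan)
        for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+$/) {
            if ($i in seen) seen[$i] = seen[$i] "," vlan; else seen[$i] = vlan
        }
    }
    END { for (p in seen) if (seen[p] ~ /,/) print "port " p ": " seen[p] }' | sort
}

# Flatten "brctl show" into "bridge interface" pairs, including continuation rows.
bridge_members() {
    awk '
    $1 == "bridge" && $2 == "name" { next }
    NF >= 3 { br = $1; if (NF >= 4) print br, $4; next }
    NF == 1 && br != "" { print br, $1 }'
}

# $1: expected "iface=bridge" pairs; stdin: brctl show output. Prints mismatches.
misplaced_ifaces() {
    bridge_members | awk -v want="$1" '
    BEGIN { n = split(want, w, " ")
            for (i = 1; i <= n; i++) { split(w[i], kv, "="); need[kv[1]] = kv[2] } }
    { got[$2] = $1 }
    END { for (k in need) {
              have = (k in got) ? got[k] : "none"
              if (have != need[k]) print k ": expected " need[k] ", found " have } }' | sort
}

# Constructed samples: port 1 untagged in two VLANs, wl1.1 left behind in br0.
sample_robocfg() { cat <<'EOF'
1: vlan1: 0t 5t
2: vlan2: 5t
10: vlan10: 0t 1 5t
20: vlan20: 0t 1 2 3 4 5t
EOF
}
sample_brctl() { cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.3c7c3f728380       yes             vlan1
                                                        wl1.1
br10            8000.3c7c3f728380       yes             vlan10
br20            8000.3c7c3f728380       yes             vlan20
                                                        eth1
                                                        eth2
                                                        wl0.1
EOF
}

sample_robocfg | untagged_conflicts
sample_brctl | misplaced_ifaces "eth1=br20 eth2=br20 wl0.1=br20 wl1.1=br20"
```

Both functions print nothing when the layout matches the one described in the post; a guest interface still reported in br0 means it is bridged to the LAN side rather than to its own VLAN.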

Side question - is it possible to limit which network interface(s) HASS Management interface listens on?

I have just had to give HASS an interface in my “IOT” VLan (which I consider semi-trusted, and therefore want to segregate it from my main LAN; but at the same time I want to add some security).

I have two NICs on my HASS VM (HASSOS, running on Proxmox) - enp6s18 and enp6s19. The first is my LAN, the second is my IoT VLAN. How can I make HASS only listen on enp6s18 for HTTPS TCP 8123, but not at all on enp6s19?

Edit - Ok - managed to somewhat solve this. I added the below in my HASS config

http:
  server_host: 10.1.2.50

Where 10.1.2.50 is the IP of my HASS LAN in the “Trusted” network.

Edit 2: Doing this makes my Mi devices on my IoT Lan not respond. I guess they need the web server to communicate with HASS? If this is in fact the case, how do I safely lock down the HASS WebUI (and any other relevant ports)?

I have never dug too much into this, so I don’t know what ports are necessary for what (I guess it might depend on the add-ons installed, samba and so on), but you can always check with nmap from the outside or Wireshark. If you read the documentation about the http integration that you just referred to, at HTTP - Home Assistant, you’ll see that most interactions from HA and IoT equipment use APIs on top of the http integration (it’s more or less a yes to your question). The NO part to your question would be that the IoT “client” would have to be aware of standard ports to connect to them (think of browsers and web pages) and by changing the listening port from 8123 you’d break everything and this isn’t true :slight_smile: So that leads me to believe that configuration in Home Assistant integrations is mostly done via discovery of devices that make themselves announced/available or explicit configuration in HA and not the contrary, which to me speaks volumes about what device is more open/visible. There are many ways to protect Home Assistant 8123 port: http integration definitions, reverse proxy with nginx, firewall filtering, etc. Or even using mqtt as an intermediary between HA and IoT equipment.
Check your options and context, so you can choose adequate solutions :slight_smile:

Found this post while searching for a similar issue. I have been running HA in Proxmox as a VM for at least a year now. Have quite a similar setup with 3 networks. 2 of the networks are vlans for IoT and NoT devices. The reason why I am doing this is due to me using Xiaomi devices and the gateway uses mDNS/multicast to communicate, something along that line.

All was working very well until I am not sure which release of HA or could it be Unifi…the exact behavior was seen as described by @nikipore. Upon further investigation and troubleshooting, I realized that all my other systems in the network were also having almost 100% CPU usage. The minute I pulled the network cable, the CPU usage went down to <10%. This is only affecting one CPU core so you might not catch it if you do not turn on the logical processor view in task manager. Weird thing is it does not affect the system if using wifi. The moment you plug the network cable back, the CPU usage of CPU 0 will shoot up again.

I initially thought it could be the VM corrupted and I setup another new Proxmox system. All was looking good initially till I added the necessary network cards to talk to the other 2 vlans. Then I am back with the same problem. :cry:

Could anyone else confirm if they are seeing such behaviors? Or better still how to solve it.

Edit: I was searching around and found this other thread (Multicast container causing feedback loops · Issue #1 · home-assistant/plugin-multicast · GitHub) which looks like the issue here. Will troubleshoot further. Hopefully someone also has some ideas how to solve.

Update: I was testing out a few things and I believe I have solved the issue. What I did was to turn off the mDNS option in the vlans and only have that option turned on in the main network. Now there is no more 100% CPU usage and every sensor is still working in HA. Will continue to monitor for a day and see.

Firewalla gold all the way!

Thank you Raymond for reactivating my interest with your post. However, I haven’t had to change my mDNS repeater settings (my router is also Ubiquiti, but not UniFi, but ER-X). Instead, I found in your cited thread that the multicast plugin has been updated very recently s.t. the plugin no longer acts as an mDNS repeater between the connected NICs, cf. this post. It works now and the plugin has been merged into the stable channel of supervisor.

Yes…I indeed also found some issues in the last few days with the mDNS repeater settings turned off for the 2 vlans in Unifi. Even though everything works fine in HA, I was not able to find my Denon receiver using the Denon app. The same also happens when I use the Google app to connect to the Google Home speakers. Funny thing is Spotify is able to find all the GH and allow casting to them. As I don’t usually use the app so much, I temporarily connect to the particular ssid if I need to control them. I will definitely try updating to the beta plugin over the weekend to see if that resolves everything.

Thanks @nikipore for confirming on your Ubnt setup. :slight_smile:

I just wanted to jump in and reply with a thank you as well for your post. There’s a couple of other details people may want to consider if they are following this. Hopefully “future me” also finds this helpful.

The parent interface configuration:
It is likely that if you are using VLANs that you don’t want your host sending untagged traffic, or basically doing anything on the untagged interface at all. This can be achieved by setting the parent interface to not autoconnect on boot. I did this with the following commands:

nmcli con edit Supervisor\ eth0
set connection.autoconnect no
save
quit

This has the effect that the “Supervisor eth0” connection will show as down when you do a nmcli con show but the VLAN sub interfaces will remain operational.

Note: it is not sufficient to just delete the “Supervisor eth0” connection, HA will automatically recreate it on reboot with default settings including autoconnect enabled.

Route Metrics:
If you want to control routing so that your preferred network is used as your default route, you can set the route metrics on your non-preferred networks to a high value. For example, I run two IOT VLANs, one which does not have Internet access (VLAN 100), and one that does (VLAN 101), plus I have a management/system network (VLAN 1) with Internet access. I want HA to use VLAN 1 as its default route. If all route metrics are equal, HA may just decide to use VLAN 101 for its preferred default route which I don’t want. To fix this I used the following commands:

nmcli con edit eth0@vlan100
set ipv4.route-metric 2000
set ipv6.route-metric 2000
save
quit
nmcli con edit eth0@vlan101
set ipv4.route-metric 2000
set ipv6.route-metric 2000
save
quit

All my interfaces use DHCP configuration (and DHCP reservations on my router), and the route metrics on routes advertised through my eth0.1 interface get a metric value of 400 (as set by HA). Setting the other interfaces to use a metric of 2000 means the eth0.1 interface routes are preferred (lowest metric number wins).

2 Likes
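The same two settings in non-interactive form, plus a check of which default route actually wins, as an added example that is not part of the original post. `nmcli connection modify` is the one-shot counterpart of the interactive `edit` session; the function names, the `eth0.101` interface name and the sample route lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the nmcli edits above, with a route check.

# Same connection names and metric as in the post. Settings changed with
# "modify" are used the next time each connection is activated.
apply_vlan_prefs() {
    nmcli connection modify "Supervisor eth0" connection.autoconnect no
    for con in "eth0@vlan100" "eth0@vlan101"; do
        nmcli connection modify "$con" ipv4.route-metric 2000 ipv6.route-metric 2000
    done
}

# stdin: output of "ip -4 route show default".
# Prints "device metric" for the default route with the lowest metric.
preferred_default() {
    awk '$1 == "default" {
        dev = ""; metric = 0                 # a route printed without a metric has metric 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (best == "" || metric < bestm) { best = dev; bestm = metric }
    }
    END { if (best != "") print best, bestm }'
}

# $1: interface that should carry the default route; stdin as above.
default_route_is() {
    [ "$(preferred_default | cut -d' ' -f1)" = "$1" ]
}

# Constructed sample of the routing table after the change (addresses are placeholders).
sample_routes() { cat <<'EOF'
default via 192.168.1.1 dev eth0.1 proto dhcp metric 400
default via 192.168.101.1 dev eth0.101 proto dhcp metric 2000
EOF
}

sample_routes | preferred_default
```

On the host, `ip -4 route show default | default_route_is eth0.1` returns non-zero if another VLAN has taken over the default route, for instance after a connection was recreated with default settings.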

This is really useful information and thanks for that! I still use the untagged interface for HA internet access, where no sensor lives :slight_smile: but it’s an excellent option for those who want everything tagged and tidy on their switches!

This is interesting info… one of my main HA stumbling blocks has been full detection of some of the equipment on my IoT vlan. Some stuff works great, others, not so much. I think adding a second interface to HA, directly on the IoT vlan, is likely a solid solution. (Albeit at the cost of some security, but I think I can live with the tradeoff) I’m using UniFi equipment, too, so this seems like a good path forward on my HA journey.

My issue is I’m not using ProxMox… I’m running HA in a Docker container on my Synology NAS, which does not (normally) have access to the IoT vlan. Any tips on adding a second virtual interface to my HA container, and how to enable IoT vlan traffic to the Synology (but ONLY for HA?) would be greatly appreciated. :slight_smile:

1 Like

Are you already running multiple tagged VLANS in your network? When you log in to the HA terminal (use the terminal addon and run “nmcli connection show”) what connections do you see?

There are two ways (maybe more?) to add VLANs to virtualized HA: 1) add more interfaces to vm/container via the hypervisor 2) configure the VLANS on the existing interface through HA terminal

Both of these ways are covered in this thread, you just need to go up and read :slight_smile:

I’m not new to doing this…I’ve had it tagging up and running on my PI4 (Ubuntu) for years.

However, I can’t get anything to work on HA Yellow. None of these commands work. None of the traditional linux commands work.

I’m at a loss. Does anybody have any idea how to do this on Yellow???

As I don’t know how HA Yellow works, this is just a long shot question, but have you tried enabling ssh connection to the host OS and trying the commands there?
I started by doing this when HA was still HassOS and to be able to configure network you had to ssh into the host operating system, not the container. As ssh access to the host OS was disabled by default, you had to enable it first

Maybe these threads can help you

Good luck!

Yeah, I did.

I figured it out. I enabled the wrong SSH Add-On. You have to use the “community” one, not the “official” one.

:upside_down_face:

Great work! :slight_smile:

Hmmm

Ok I got a question for you, do you know how to create virtual adapters in HAOS?

For example, I have vlans set up, and HA is on a trunk port and lives on an untagged network, and I’ve set up routing similar to you, but still only have one IP, on the untagged network of the trunk port.

However I have one integration, that I’d like to setup a virtual interface with an IP so HAOS ‘exists’ in that VLAN/subnet too. I’d prefer not to add a USB NIC or other Ethernet cable.

It’s VLAN3 where I have media devices, namely my Samsung TVs. And Samsung TVs don’t allow control from outside a /24 subnet range.

If anyone has a guide how to make a virtual interface for a vlan to assign an IP in that subnet, I would greatly appreciate it.

Hi,
sorry for the late reply. What you are describing is exactly what’s implemented in the first tutorial: one physical network interface (eth0, as it all began from one rpi3b+ physical limitations) and not wanting to add usb network interfaces, nor use the wlan interface. You can create virtual network interfaces that are tagged with defined ids and that work at layer 3 level, having a unique ip and all other network configuration (you can also have multiple ips configured to a unique interface in linux with aliases, but they will travel the same “pipe”, so only with proper subnet masking could you segregate these interfaces from “seeing” each other. A bit more like a security through obscurity kind of thing). By adding vlans on top of that physical hardware, you are fully segregating networks.
Something like:

nmcli con add type vlan con-name eth0@vlan3 dev eth0 id 3 ip4 "your_vlan3_ip_here/your_vlan3_subnet_mask_here" ipv4.dns "your_vlan3_dns_ip_here" gw4 "your_vlan3_gateway_here"

Hope this helps :slight_smile:

1 Like

Well I feel silly that I completely overlooked that reading through the post. Thank you very much @cr0muald0

1 Like