I have never dug too much into this, so I don’t know what ports are necessary for what (I guess it might depend on the add-ons installed, Samba and so on), but you can always check with nmap from the outside or Wireshark. If you read the documentation about the http integration that you just referred to, at HTTP - Home Assistant, you’ll see that most interactions between HA and IoT equipment use APIs on top of the http integration (it’s more or less a yes to your question). The NO part to your question would be that the IoT “client” would have to be aware of standard ports to connect to them (think of browsers and web pages) and that by changing the listening port from 8123 you’d break everything, and this isn’t true. So that leads me to believe that configuration in Home Assistant integrations is mostly done via discovery of devices that make themselves announced/available, or via explicit configuration in HA, and not the contrary, which to me speaks volumes about which device is more open/visible. There are many ways to protect the Home Assistant 8123 port: http integration definitions, a reverse proxy with nginx, firewall filtering, etc. Or even using MQTT as an intermediary between HA and IoT equipment.
Check your options and context, so you can choose adequate solutions.
Found this post while searching for a similar issue. I have been running HA in Proxmox as a VM for at least a year now. I have quite a similar setup with 3 networks. 2 of the networks are VLANs for IoT and NoT devices. The reason I am doing this is that I use Xiaomi devices and the gateway uses mDNS/multicast to communicate, something along that line.
All was working very well until (I am not sure which) a release of HA, or could it be Unifi; the exact behavior was as described by @nikipore. Upon further investigation and troubleshooting, I realized that all my other systems in the network were also having almost 100% CPU usage. The minute I pulled the network cable, the CPU usage went down to <10%. This only affects one CPU core, so you might not catch it if you do not turn on the logical processor view in Task Manager. The weird thing is it does not affect the system if using WiFi. The moment you plug the network cable back in, the CPU usage of CPU 0 will shoot up again.
I initially thought it could be the VM being corrupted, and I set up another new Proxmox system. All was looking good initially till I added the necessary network cards to talk to the other 2 VLANs. Then I was back with the same problem.
Could anyone else confirm if they are seeing such behavior? Or better still, how to solve it.
Edit: I was searching around and found this other thread (Multicast container causing feedback loops · Issue #1 · home-assistant/plugin-multicast · GitHub) which looks like the issue here. Will troubleshoot further. Hopefully someone also has some ideas how to solve.
Update: I was testing out a few things and I believe I have solved the issue. What I did was turn off the mDNS option in the VLANs and only have that option turned on in the main network. Now there is no more 100% CPU usage and every sensor is still working in HA. Will continue to monitor for a day and see.
Firewalla gold all the way!
Thank you Raymond for reactivating my interest with your post. However, I haven’t had to change my mDNS repeater settings (my router is also Ubiquiti, but not UniFi; it’s an ER-X). Instead, I found in your cited thread that the multicast plugin has been updated very recently such that the plugin no longer acts as an mDNS repeater between the connected NICs, cf. this post. It works now, and the plugin has been merged into the stable channel of the supervisor.
Yes… I indeed also found some issues in the last few days with the mDNS repeater settings turned off for the 2 VLANs in Unifi. Even though everything works fine in HA, I was not able to find my Denon receiver using the Denon app. The same also happens when I use the Google app to connect to the Google Home speakers. The funny thing is Spotify is able to find all the GH and allows casting to them. As I don’t usually use the app so much, I temporarily connect to the particular SSID if I need to control them. I will definitely try updating to the beta plugin over the weekend to see if that resolves everything.
Thanks @nikipore for confirming on your Ubnt setup.
I just wanted to jump in and reply with a thank you as well for your post. There are a couple of other details people may want to consider if they are following this. Hopefully “future me” also finds this helpful.
The parent interface configuration:
It is likely that if you are using VLANs you don’t want your host sending untagged traffic, or basically doing anything on the untagged interface at all. This can be achieved by setting the parent interface to not autoconnect on boot. I did this with the following commands:
nmcli con edit Supervisor\ eth0
set connection.autoconnect no
save
quit
This has the effect that the “Supervisor eth0” connection will show as down when you do a nmcli con show, but the VLAN sub-interfaces will remain operational.
Note: it is not sufficient to just delete the “Supervisor eth0” connection; HA will automatically recreate it on reboot with default settings, including autoconnect enabled.
Route Metrics:
If you want to control routing so that your preferred network is used as your default route, you can set the route metrics on your non-preferred networks to a high value. For example, I run two IoT VLANs, one which does not have Internet access (VLAN 100) and one that does (VLAN 101), plus I have a management/system network (VLAN 1) with Internet access. I want HA to use VLAN 1 as its default route. If all route metrics are equal, HA may just decide to use VLAN 101 as its preferred default route, which I don’t want. To fix this I used the following commands:
nmcli con edit eth0@vlan100
set ipv4.route-metric 2000
set ipv6.route-metric 2000
save
quit
nmcli con edit eth0@vlan101
set ipv4.route-metric 2000
set ipv6.route-metric 2000
save
quit
All my interfaces use DHCP configuration (and DHCP reservations on my router), and the routes advertised through my eth0.1 interface get a metric value of 400 (as set by HA). Setting the other interfaces to use a metric of 2000 means the eth0.1 interface routes are preferred (the lowest metric number wins).
This is really useful information, and thanks for that! I still use the untagged interface for HA Internet access, where no sensor lives, but it’s an excellent option for those who want everything tagged and tidy on their switches!
This is interesting info… one of my main HA stumbling blocks has been full detection of some of the equipment on my IoT VLAN. Some stuff works great, others not so much. I think adding a second interface to HA, directly on the IoT VLAN, is likely a solid solution (albeit at the cost of some security, but I think I can live with the tradeoff). I’m using UniFi equipment too, so this seems like a good path forward on my HA journey.
My issue is I’m not using Proxmox… I’m running HA in a Docker container on my Synology NAS, which does not (normally) have access to the IoT VLAN. Any tips on adding a second virtual interface to my HA container, and on how to enable IoT VLAN traffic to the Synology (but ONLY for HA), would be greatly appreciated.
Are you already running multiple tagged VLANs in your network? When you log in to the HA terminal (use the terminal add-on and run “nmcli connection show”), what connections do you see?
There are two ways (maybe more?) to add VLANs to virtualized HA: 1) add more interfaces to the VM/container via the hypervisor; 2) configure the VLANs on the existing interface through the HA terminal.
Both of these ways are covered in this thread; you just need to go up and read.
I’m not new to doing this… I’ve had tagging up and running on my Pi 4 (Ubuntu) for years.
However, I can’t get anything to work on HA Yellow. None of these commands work. None of the traditional Linux commands work.
I’m at a loss. Does anybody have any idea how to do this on Yellow???
As I don’t know how HA Yellow works, this is just a long-shot question, but have you tried enabling an SSH connection to the host OS and trying the commands there?
I started by doing this when HA was still HassOS, and to be able to configure the network you had to SSH into the host operating system, not the container. As SSH access to the host OS was disabled by default, you had to enable it first.
Maybe these threads can help you.
Good luck!
Yeah, I did.
I figured it out. I enabled the wrong SSH Add-On. You have to use the “community” one, not the “official” one.
Great work!
Hmmm
OK, I got a question for you: do you know how to create virtual adapters in HAOS?
For example, I have VLANs set up, and HA is on a trunk port and lives on an untagged network, and I’ve set up routing similar to you, but I still only have one IP, on the untagged network of the trunk port.
However, I have one integration for which I’d like to set up a virtual interface with an IP so HAOS ‘exists’ in that VLAN/subnet too. I’d prefer not to add a USB NIC or another Ethernet cable.
It’s VLAN 3, where I have media devices, namely my Samsung TVs. And Samsung TVs don’t allow control from outside a /24 subnet range.
If anyone has a guide on how to make a virtual interface for a VLAN to assign an IP in that subnet, I would greatly appreciate it.
Hi,
sorry for the late reply. What you are describing is exactly what’s implemented in the first tutorial: one physical network interface (eth0, as it all began from one RPi 3B+’s physical limitations) and not wanting to add USB network interfaces, nor use the wlan interface. You can create virtual network interfaces that are tagged with defined IDs and that work at layer 3, having a unique IP and all other network configuration (you can also have multiple IPs configured on a single interface in Linux with aliases, but they will travel the same “pipe”, so only with proper subnet masking could you segregate these interfaces from “seeing” each other; a bit more like a security-through-obscurity kind of thing). By adding VLANs on top of that physical hardware, you are fully segregating networks.
Something like:
#nmcli con add type vlan con-name eth0@vlan3 dev eth0 id 3 ip4 "your_vlan3_ip_here/your_vlan3_subnet_mask_here" ipv4.dns "your_vlan3_dns_ip_here" gw4 "your_vlan3_gateway_here"
Hope this helps.
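The three nmcli steps in this thread (parent interface set to not autoconnect, route metrics on the non-preferred VLANs, and the `nmcli con add type vlan` line above) are easy to get subtly wrong and hard to eyeball afterwards. The script below is an added example, not code from this thread or from Home Assistant: it parses the text that `nmcli -t -f NAME,TYPE,DEVICE,AUTOCONNECT connection show` and `ip -4 route show` would print, reports whether the untagged parent still autoconnects and which default route wins on metric, and builds the VLAN add command only after checking the VLAN id, the address/prefix and that the gateway lies inside that subnet. The sample outputs, the connection names, the `eth0.N` device naming and the 192.168.x.0/24 ranges are all constructed assumptions that mirror the setup described in the posts.

```python
"""Audit an HAOS VLAN layout as set up with nmcli in this thread.

Added example, not code from the thread or from Home Assistant. It only
parses text that these two commands would print and never runs nmcli:

    nmcli -t -f NAME,TYPE,DEVICE,AUTOCONNECT connection show
    ip -4 route show
"""
import ipaddress
import re

# Constructed nmcli terse output (NAME:TYPE:DEVICE:AUTOCONNECT per line):
# untagged parent still autoconnecting, three VLAN children on eth0.
NMCLI_SAMPLE = """\
Supervisor eth0:802-3-ethernet:eth0:yes
eth0@vlan1:vlan:eth0.1:yes
eth0@vlan100:vlan:eth0.100:yes
eth0@vlan101:vlan:eth0.101:yes
"""

# Constructed `ip -4 route show` output: VLAN 1 at metric 400 (as HA sets
# it), VLAN 101 also offering a default route but pushed to metric 2000.
IP_ROUTE_SAMPLE = """\
default via 192.168.1.1 dev eth0.1 proto dhcp src 192.168.1.50 metric 400
default via 192.168.101.1 dev eth0.101 proto dhcp src 192.168.101.50 metric 2000
192.168.1.0/24 dev eth0.1 proto kernel scope link src 192.168.1.50 metric 400
192.168.100.0/24 dev eth0.100 proto kernel scope link src 192.168.100.50 metric 2000
192.168.101.0/24 dev eth0.101 proto kernel scope link src 192.168.101.50 metric 2000
"""


def parse_connections(text):
    """Split nmcli terse lines into dicts; the AUTOCONNECT field is yes/no."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ctype, device, autoconnect = line.split(":", 3)
        conns.append({"name": name, "type": ctype, "device": device,
                      "autoconnect": autoconnect.strip() == "yes"})
    return conns


def untagged_parents_still_autoconnecting(conns):
    """Names of ethernet connections that carry VLAN children (eth0.N
    device naming assumed) and still autoconnect, i.e. the host would
    also talk untagged on the trunk."""
    parents = {c["device"].split(".", 1)[0] for c in conns if c["type"] == "vlan"}
    return [c["name"] for c in conns
            if c["type"] == "802-3-ethernet" and c["autoconnect"]
            and c["device"] in parents]


ROUTE_RE = re.compile(r"^default via (\S+) dev (\S+).*?\bmetric (\d+)")


def default_routes(text):
    """Collect every default route with its device and metric."""
    matches = (ROUTE_RE.match(line) for line in text.splitlines())
    return [{"via": m.group(1), "dev": m.group(2), "metric": int(m.group(3))}
            for m in matches if m]


def chosen_default(routes):
    """Lowest metric wins. Returns (device, tie); tie=True means two
    routes share the lowest metric and the kernel, not you, picks."""
    best = min(routes, key=lambda r: r["metric"])
    tie = sum(1 for r in routes if r["metric"] == best["metric"]) > 1
    return best["dev"], tie


def vlan_add_command(parent, vlan_id, address, gateway, dns):
    """Build the `nmcli con add type vlan ...` line from the post after
    checking the values: a valid 802.1Q id, an address with prefix
    length, and a gateway inside that subnet."""
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError(f"VLAN id {vlan_id} outside 1..4094")
    iface = ipaddress.ip_interface(address)   # raises on a malformed CIDR
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not in {iface.network}")
    return (f'nmcli con add type vlan con-name {parent}@vlan{vlan_id} '
            f'dev {parent} id {vlan_id} ip4 "{iface}" '
            f'ipv4.dns "{dns}" gw4 "{gw}"')


def audit(nmcli_text, route_text):
    """Human-readable findings for the two command outputs."""
    findings = []
    for name in untagged_parents_still_autoconnecting(parse_connections(nmcli_text)):
        findings.append(f"parent connection '{name}' still autoconnects (untagged traffic)")
    routes = default_routes(route_text)
    if routes:
        dev, tie = chosen_default(routes)
        findings.append(f"default route via {dev}" + (" (TIE: metric not decisive)" if tie else ""))
    return findings


if __name__ == "__main__":
    for finding in audit(NMCLI_SAMPLE, IP_ROUTE_SAMPLE):
        print(finding)
    print(vlan_add_command("eth0", 3, "192.168.3.50/24", "192.168.3.1", "192.168.3.1"))
```

On a real box, pipe the two commands' output into `audit()` instead of the constructed samples; the autoconnect finding is the one to watch for after a reboot, since the thread notes HA recreates “Supervisor eth0” with autoconnect enabled if the connection is merely deleted.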
Well, I feel silly that I completely overlooked that reading through the post. Thank you very much @cr0muald0
It is I who should thank you. Your last post is living proof to other readers that the tutorial lives on!
Hi. I have my Home Assistant in a different VLAN (VLAN 10) than the VLAN where my Samsung QLED TV is (the default VLAN).
Communication between these two VLANs is set up as allowed, from Home Assistant to the TV and from the TV to Home Assistant. But I cannot add the TV to HA because it is in the other VLAN. Is there any solution for it?
My home network is built on a Ubiquiti UDM Pro and switches.
I have Home Assistant installed as Home Assistant Operating System on my HP T630 terminal. HA is connected by LAN. The HP T630 also has a WiFi card, but when I connect from HA by WiFi to the VLAN SSID where the TV is, it looks like it works, but sometimes HA has a problem because it tries to get the same address from Ubiquiti on LAN and WiFi. I have set up a fixed IP on WiFi from the TV VLAN, but it is not working either…
Hi, a bit of a confusing setup, but why would you create two different VLANs and then allow access between them? Sounds like you are defeating the separation purpose. Do they have different networks / IP ranges?
My option would be to create/add a new network interface and proper VLAN in HA that matches whatever VLAN your Samsung TV already has and let them talk directly (via the switch, obviously). In summary:
- Create in HA an interface with the same tagged VLAN id as your Samsung TV.
- Configure your Ubiquiti switches to allow tagged “vlan id of Samsung TV” packets to travel to your new HA VLAN-tagged network interface.
- Turn off wifi on Samsung TV to avoid routing problems, if you don’t need it.
or…
You can use mDNS, just like explained here:
The VLAN with HA has other addresses.
How do I create another interface with a VLAN on HA? I use Home Assistant Operating System 9.5.
I don’t use WiFi on the TV. The TV is connected by LAN wire.
Must I disable WiFi in the TV setup?