I just wanted to jump in and reply with a thank you as well for your post. There’s a couple of other details people may want to consider if they are following this. Hopefully “future me” also finds this helpful.
The parent interface configuration:
It is likely that if you are using VLANs that you don’t want your host sending untagged traffic, or basically doing anything on the untagged interface at all. This can be achieved by setting the parent interface to not autoconnect on boot. I did this with the following commands:
nmcli con edit Supervisor\ eth0
set connection.autoconnect no
save
quit
This has the effect that the “Supervisor eth0” connection will show as down when you do a nmcli con show but the VLAN sub interfaces will remain operational.
Note: it is not sufficient to just delete the “Supervisor eth0” connection, HA will automatically recreate it on reboot with default settings including autoconnect enabled.
Route Metrics:
If you want to control routing so that your preferred network is used as your default route, you can set the route metrics on your non-preferred networks to a high value. For example, I run two IOT VLANs, one which does not have Internet access (VLAN 100), and one that does (VLAN 101), plus I have a management/system network (VLAN 1) with Internet access. I want HA to use VLAN 1 as its default route. If all route metrics are equal, HA may just decide to use VLAN 101 for its preferred default route which I don’t want. To fix this I used the following commands:
nmcli con edit eth0@vlan100
set ipv4.route-metric 2000
set ipv6.route-metric 2000
save
quit
nmcli con edit eth0@vlan101
set ipv4.route-metric 2000
set ipv6.route-metric 2000
save
quit
All my interfaces use DHCP configuration (and DHCP reservations on my router), and the route metrics on routes advertised through my eth0.1 interface get a metric value of 400 (as set by HA). Setting the other interfaces to use a metric of 2000 means the eth0.1 interface routes are preferred (lowest metric number wins).
This is really useful information and thanks for that! I still use the untagged interface for HA internet access, where no sensor lives but it’s an excellent option for those who want everything tagged and tidy on their switches!
This is interesting info… one of my main HA stumbling blocks has been full detection of some of the equipment on my IoT vlan. Some stuff works great, others, not so much. I think adding a second interface to HA, directly on the IoT vlan, is likely a solid solution. (Albeit at the cost of some security, but I think I can live with the tradeoff) I’m using UniFi equipment, too, so this seems like a good path forward on my HA journey.
My issue is I’m not using ProxMox… I’m running HA in a Docker container on my Synology NAS, which does not (normally) have access to the IoT vlan. Any tips on adding a second virtual interface to my HA container, and how to enable IoT vlan traffic to the Synology (but ONLY for HA?) would be greatly appreciated.
Are you already running multiple tagged VLANS in your network? When you log in to the HA terminal (use the terminal addon and run “nmcli connection show”) what connections do you see?
There are two ways (maybe more?) to add VLANs to virtualized HA: 1) add more interfaces to vm/container via the hypervisor 2) configure the VLANS on the existing interface through HA terminal
Both of these ways are covered in this thread, you just need to go up and read
As I don’t know how HA Yellow works, this is just a long shot question, but have you tried enabling ssh connection to the host OS and trying the commands there?
I started by doing this when HA was still HassOS and to be able to configure network you had to ssh into the host operating system, not the container. As ssh access to the host OS was disabled by default, you had to enable it first
Ok I got a question for you, do you know how to create virtual adapters in HAOS?
For example, I have vlans setup, and HA is on a trunk port and lives on an untagged network, and I’ve setup routing similar to you, but still only have one IP, on the untagged network of the trunk port.
However I have one integration, that I’d like to setup a virtual interface with an IP so HAOS ‘exists’ in that VLAN/subnet too. I’d prefer not to add a USB NIC or other Ethernet cable.
Its VLAN3 where I have media devices, namely my Samsung TV’s. And Samsung TV’s don’t allow control from outside a /24 subnet range.
If anyone has a guide how to make a virtual interface for a vlan to assign an IP in that subnet, I would greatly appreciate it.
Hi,
sorry for the late reply. What you are describing is exactly what’s implemented in the first tutorial: one physical network interface (eth0, as it all began from one rpi3b+ physical limitations) and not wanting to add usb network interfaces, nor use the wlan interface. You can create virtual network interfaces that are tagged with defined ids and that work at layer 3 level, having a unique ip and all other network configuration (you can also have multiple ips configured to a unique interface in linux with aliases, but they will travel the same “pipe”, so only with proper subnet masking could you segregate these interfaces from “seeing” each other. A bit more like a security through obscurity kind of thing. By adding vlans on top of that physical hardware, you are fully segregating networks.
Something like:
#nmcli con add type vlan con-name eth0@vlan3 dev eth0 id 3 ip4 "your_vlan3_ip_here/your_vlan3_subnet_mask_here" ipv4.dns "your_vlan3_dns_ip_here" gw4 "your_vlan3_gateway_here"
Hi. I have my Home Assistant in other VLAN 10 than VLAN where is my Samsung QLED TV VLAN default.
Communication between this two VLANs is setu as access. From Home Assistant to TV and from TV to Home Assistant. But i can not add TV to HA because it is in ither VLAN. Is any solution for it ?
My network in home is build on Ubiquiti UDM pro and switches.
Home Assistant i have installed as Home Assistant operating system on my HP T630 termina. HA is connected by LAN. HP T630 also has wifi card but when i connect from HA by WIFI to VLAN SSID whee is TV it looks that works but sometime HA has a problem because try get from Ubiquiti the same address on LAN and WIFI. I have setup FIX IP on wifi from TV VLAN but it no working also…
Hi, a bit of a confusing setup, but why would you create two different VLANs to allow access between them? Sounds you are defeating the separation purpose. Do they have different networks / ip ranges?
My option would be to create/add a new network interface and proper VLAN in HA that matches whatever VLAN your Samsung TV already has and let them talk directly (via switch, obviously). In summary:
Create in HA an interface with the same tagged VLAN id as your Samsung TV.
Configure your ubiquity switches to allow tagged “vlan id of samsung TV” packets to travel to your HA new VLAN tagged network interface.
Turn off wifi on Samsung TV to avoid routing problems, if you don’t need it.
Disable multicast DNS in Ubiquiti no resolve me my problem.
Create network terminal is not the same as connect from Home Assistant from Settings > Network ?
I installed addon terminal to my Home Assistant OS. I try login to root, hassos and admin and i can not. I dont know how i can do it to create this vlan.
But if i have in my terminal HP T630 also wifi card i can create interface with VLAN on this wifi card ?
First go to Settings / Add-ons and install “SSH & Web Terminal” from the HA repository, configure the add-on as per instructions in add-on documentation, then you’ll be able to have root access in terminal and proceed from the “nmcli” commands found in tutorial to create VLANs.
I think you should ALWAYS use cable connection whenever possible, but you can use wireless if no other option is available…
Here is my Terminal add-on output:
~ whoami
root
With root access you can proceed to create interfaces. If you have no root, something is wrong with add-on configuration.
Now i use wire interface LAN on my HP T630 terminal with Home Assistant operating system . But if i good understand i must create next interface on HA and connect it to vlan where is my Samsung TV ? And then Home Assistant will be use two interface one LAN interface to vlan IOT and second which now you suggest me to configure with VLAN Samsung TV?
Remember, each VLAN and interface should have different networks (ex: 192.168.0.0, 192.168.1.0) and different gateways. HA is only a member of the network segment and not the gateway for the network clients!
Samsung should be able to see the HA interface on the same network segment but have a different gateway and dns server (your firewall/router, maybe?)
but it’s an excellent option for those who want everything tagged and tidy on their switches!
