Setup VLAN and HA tutorial

I’ve been trying to set up something along these lines as well. I’m running HASSOS on Proxmox (set up a few days ago with whiskerz’ script, core-2021.2.3, supervisor-2021.02.11).

The proxmox server’s physical NIC is connected to a trunk line (among others: 192.168.20.0/24 untagged, 192.168.40.0/24 tagged VID 40). Subnet 20 family is for trusted machines, subnet 40 things is for IoT devices.

I have assigned virtual network cards enp0s18 (subnet 20) and enp0s19 (subnet 40) to the HA VM. Everything works great with a single network card. Via DHCP it always obtains the same IP (mapped to the virtual NIC’s MAC address), as the information displayed after SSH login shows:

System information
IPv4 addresses for enp0s18: 192.168.20.x/24
IPv6 addresses for enp0s18: 2a02:2455:ce4:…/64, fe80::d185:…/64
IPv4 addresses for enp0s19:

The Hassio dashboard (menu “Supervisor->System”) shows the same information: enp0s18: IPv4 DHCP, IPv6 DHCP; enp0s19: IPv4 Disabled, IPv6 DHCP Disabled.

I access the HA instance via https and a public duckdns.org address which is statically routed to the local IP 192.168.20.154.

But as soon as I bring up the link of enp0s19 and run (the nmcli command does not work because NetworkManager is not installed)

ha network reload

the second network card is recognized and obtains IPv4 and IPv6 addresses via DHCP as well (and is reachable via ping):

System information
IPv4 addresses for enp0s18: 192.168.20.x/24
IPv6 addresses for enp0s18: 2a02:2455:ce4:…/64, fe80::d185:…/64
IPv4 addresses for enp0s19: 192.168.40.y/24
IPv6 addresses for enp0s19: 2a02:2455:ce4:…/64, fe80::c468:40a5:e42b:f9f8/64

But according to Proxmox the VM’s CPU usage goes up from around 10% to almost 100%, and the “Supervisor” menu in the Hassio dashboard loads slowly. ps -A and top on the HA’s SSH login look normal. There seems to be a lot of traffic on the network, and after a while a message pops up on my Macbook that it obtained another name, <old name> (1), then <old name> (2), and so forth. Looks like a discovery storm or so.

Any ideas what went wrong?

Can I still use above tutorial for HassOS (Hass Blue)? What I would love to achieve:

Have two isolated VLANs connect to Hass Blue over the single ethernet connection (so no untagged access port, but a trunk port I assume?)
Connect Hass to my IoT VLAN
Connect the Unifi Addon to the Unifi devices via the default Unifi management VLAN

If this is possible, how to achieve this?

If both VLANs are totally separated I’ll probably need some additional firewall rule to see the Unifi web portal via Hass on the IoT VLAN.

So I’ve successfully set up multiple vlans, the only problem is that phoscon in the deconz add-on is no longer accessible via the eth0 interface and instead uses the vlan interface (although the deconz VNC still works fine), so I am unable to connect to phoscon via the home assistant interface, and instead have to connect to it via a web browser on the tagged vlan. Anyone know how to set which interface phoscon uses?

Edit: Seems to be working fine now.

I just set it up with Home Assistant Blue. Getting core SSH access took a lot of trial and error (for some reason, despite the walkthrough saying the USB could be formatted in NTFS, only FAT worked). My only problem is that now the deconz web ui (phoscon) is using the vlan interface instead of the main interface.

Hi, I have proxmox running, and it is great.
Now I received my udm-pro and after making the vlans…
All work but…
tts to google cast is not working anymore.
When I press “send”, the Nest Mini makes the wake-up sound.
But then nothing.
All worked before… so it is not the yaml settings,
I just put the vlan on the proxmox and all works. only tts not…
help…

just did a check…
I removed the vlans from proxmox and tts working again!
More to investigate!

Christian, thanks for this. Let me understand this. So running HA in PxMx, we need to create in PxMX (at the VM level) a new interface for each VLAN that needs access to HA. And I suppose I can just set the IP for each interface with the same last octet (e.g. 10.0.0.44 (LAN), 10.0.10.44 (VLAN 10), etc.) to keep things simple.
Then we need to enable these new interfaces (at the VM level) through nmcli?

This is also assuming that there exist no FW rules blocking this traffic.

I am running an Edgerouter 4 with a UniFi switch and 2 AC-pro APs.
I have HA running in PxMx along with another debian VM.

-mark

Hi Mark

Yes, this is correct: first add a new interface in Proxmox and enter the VLAN tag, e.g. 10

When the interface in Proxmox is set you need to reboot your vm and check inside the vm with nmcli on the new interface just added.

Using the same octet in different vlans is fine.
I did the same.

To get it working your vlans must be configured in your router/switch.
Depending on how your router is supporting vlans you may have to tag your normal interface as well.

Just as info, it may help you:
Debian host running proxmox: 192.168.5.200 (untagged vlan)
Home Assistant VM: 192.168.5.220 (untagged vlan)
Home Assistant VM: 192.168.10.220 (tagged vlan for communicating to my iot devices)

So HA is having a nic in both networks.
One is simply my home network 192.168.5.0 with internet
One is there to have all iot stuff in it 192.168.10.0 without internet

Just give it a try.

Good luck

Thanks Christian, that is what I understood. But doesn’t this place the HA VM on all the VLANs and essentially defeat the purpose of VLAN separation?

Sorry to be a bother, but it seems that this would be a core feature for HA (PxMx and network issues aside) being able to separate the networks. What am I missing?

-mark

Yes, you shouldn’t do that. This will bridge the IoT network with the other network, which gives a way for the IoT devices to get onto the other network.
Have two different VLANs with different networks and let a firewall route between the networks and then you only allow what should be allowed in the firewall and block the rest.

did something similar, seemed easier… but wanted to get some opinions on this method.
I plugged in a second ethernet cable, ran the nmcli command to name it.

then opened up HA → System and clicked the ‘change’ for ip address

then updated to a static on the new interface and rebooted.
I also have my FW rules in place for keeping things in their respective lanes

After the reboot, I am starting to get my undiscovered devices back online
I am using a Ubiquiti UDM Pro, which seems to have an issue with IGMP across VLANs not being implemented correctly, and I am not interested in the hack of running a podman container to make it work (hoping they will push an update on this in the future)

You are not bothering me.
All fine.

Now, yes and no.

Assume you have 2 vlans, isolated from each other, so the devices in the vlan are unable to ping each other.
Vlan 5 - home Network
Vlan 10 - iot Network

So, first question, why do you do that?
My answer:
1.) I want to avoid vlan5 (home) being flooded by all the iot stuff, which makes it difficult to do any qos (quality of service), e.g. prioritizing my work notebook, telephony etc.

2.) I want to have my iot (infrastructure) protected from any access by my kids, wife, even accidentally.
Plus, my wife is granting access to all friends if needed, while there is a dedicated guest vlan as well :frowning:

Okay.
My main intention should be clear. I have my iot stuff and especially my wifi (2 ssids) separated.
My iot network is a big hall where a lot of devices are shouting and flooding by multicast, while my home network in vlan5 is fine, with only notebooks, mobiles and some smart tvs.

But this has a downside.
My home assistant shall have a connection to my iot devices and to the devices I use in my home network.
So to say, my chromecast is in vlan5, so I am able to use it by my mobile.
But my esphome devices are in vlan10 (iot) and HA needs to connect to them as well.

You have different possibilities to overcome that.
A) you are configuring a route for home assistant to be able to access vlan10 and vlan5.
But, mdns won’t work here, so you have to use static dns (if your router supports that) and you have to enable the new esphome feature “ping on ip address”, otherwise all nodes will stay offline in esphome.
Pro: ha is still only in vlan5 and is able to interact with vlan10 as well (or the other way around, depending on what you prefer)

B) you have a second network card or in our case a second virtual network card and you don’t touch the router.

I decided to have a second network card, as this is very easy to deactivate, especially with use of proxmox.

And it does not break the whole vlan concept, as my main purpose is to keep my home network as clean as possible from multicast.
The bridge of home assistant is not forwarding these multicasts.
Ha is only part of both Networks, and will respond on the corresponding interface.

So, yes it is a work around as it is very hard to have a clear separation of the devices.
All devices which will be used to interact with your mobile, need to be put in your home network.
To name some:
Chromecast, alexa, nas storage…

But all the other device just leveraging the data you need can stay in your iot vlan.
E.g. smart meter, heat pump, photovoltaic, roller shutters, smart plugs, relay boards, temperature sensors, access control system and many more.

So, yes, Home Assistant is part of both networks, so in security terms it is the bad guy here, but there is no other device able to access vlan10; of course I have a sort of work around on my admin PC as well, different story. :slight_smile:

To conclude, you have to decide yourself how you want to set it up, and as always it depends on the expectations and requirements you have in regards to the different vlans.
There are potentially safer solutions, e.g. routing and limiting the services in your firewall… it depends on your willingness to setup and honestly also on your devices and their ability of taking care of such configurations.

Stay healthy!

2 Likes

Hi
My opinion, you did the same as I did, you only used the HA UI instead of doing the stuff all on the OS. :wink:

Nevertheless, IGMP is tricky in regards to vlans, but you obviously are aware about that already.

Crossing fingers that unifi will bring an update soon.
Still, I don’t get why you want to route your igmp across vlans.
Do you have streaming like live TV locally across vlan?
Would be interested to know about your intention of this use case :slight_smile:

I’m still playing around with configs… but I have my Sonos setup on the IoT network along with Roku devices. Both the Sonos and Roku apps (mobile/computer) will not see the devices when on another subnet (like my main WiFi or LAN). I hate having to flip over to the IoT network to launch the Sonos controller…

However, I have found that creating a Roku and Sonos panel to control these does work via HA.
I have read that IGMP is messed up and having that ironed out might bring light to our issues in managing across VLANs? (I might be mixing things up).

Ahh.
This is exactly why such devices are running in my home network and not in the iot one.
Igmp routing across vlan is very difficult and causing strange behaviors…

But obviously you don’t have an igmp issue but a multicast one.
This is why you need to switch networks…
Igmp issues may be there for roku in addition (I don’t use roku).
E.g. netflix does not need any igmp, not sure if roku does need it.

Btw. You are not only in different subnets but vlans, right?
Sending multicasts across subnets is easy, while vlan is isolated :wink:

Here my setup…

LAN (can’t set a VLAN) - Wired devices are on LAN (Plex stack, Home Assistant, Unifi switches/APs/Cams, Webservers…etc)
VLAN20 - Wireless (exclusive to family iPhone/iPad/Macbooks…etc) go to WiFi Main (2.4/5Ghz)
VLAN30 - Friends/External family/guests can use a throttled Guest network. (2.4/5Ghz)
VLAN40 - IoT devices (if I can’t access the device OS) it goes on IoT (2.4Ghz)

IoT devices would be: lights, switches, plugs, appliances, streaming devices (roku/sonos), alexa, tvs, gaming consoles, thermostats, garage openers

Here’s the Lan-IN rules I have in place… obviously the Sonos/Roku ones do nothing… experimenting with them.

2 Likes

Understood.
I think you should ask in a unifi forum, as the idea is clear but it does not work as it should.

But this is a pretty good example why I wanted to avoid the changes applied to the router.

Btw.
If you want (working) enterprise features for low cost, check out mikrotik. But be warned, it’s far from simple, but it can do whatever you like.

I’m a bit confused what most here are accomplishing…

You separated your iot and trusted devices, which is great, but then you bridged the two VLANs with home assistant? Doesn’t that defeat the purpose of your security measures?

If you are savvy enough to set up HA and segregated VLANs, you can surely set up an avahi reflector and enable igmp snooping.

See my replies somewhere above why HA is connected to both VLANs

AVAHI (mdns) uses broadcasting…
1.) Broadcasting/Multicast → Spamming your network.
2.) Having multicast between VLANs is not intended to happen, and if done by a work around it is exactly against what I want to achieve.

Question:
Why do you think my HA Bridge (Proxmox Bridge) is defeating my VLAN purpose?
IMHO, and I have not yet wiresharked it, but my purpose is to keep the broadcast / multicast in their own networks.

Hi all,
Just to add some more info here regarding separation and forwarding packets from one network/interface to the others, some important things that might help one to decide, how good/secure of a strategy this is.

I have it setup like that, and I don’t feel it to be insecure.

By putting two network interfaces in HA and connecting them physically to two different networks, does it make it potentially less secure? Absolutely! No cable means no connection, so 100% secure. Two cables/networks means 100% more insecure than one cable/network. So is HA 100% bulletproof secure with only one network? Not really.

The main objective, just like mentioned before by Christian is to allow HA to be available in multiple networks and at the same time avoid unfiltered contact between all the segregated HA clients/networks. I don’t want my smart TV to see my sensors, so separation should be done at multiple levels/networks/vlans. Having a virtualized HA makes all this easy as pie as one can add as many vlans/network interfaces as you wish, as long as you have a switch that supports tagging.

Obviously routing through the firewall would be a better strategy (keeping HA inside a DMZ), but unfortunately this breaks communications that require broadcasting, which does not survive routing (thankfully).

So moving on from the tinfoil hat approach, we can take into consideration a few things:

  • Packets are only routed between networks by HA if it is set up as a router (meaning it can move packets from one network to another)
  • HA has to be a gateway to other devices in any of the networks it belongs to.
  • net.ipv4.ip_forward needs to be set up (‘sysctl net.ipv4.ip_forward’ should show “net.ipv4.ip_forward = 1”)
  • iptables needs to be set up to allow packet forwarding (‘iptables -L | grep FORWARD’ should show “Chain FORWARD (policy ACCEPT)”)

Taking this into consideration, just follow your instincts :wink:

4 Likes
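The four bullet points above can be turned into a small audit that answers the thread's central question, namely whether a dual-homed HA VM actually moves packets from one VLAN to the other. The script below is an added example and not code from any poster: it reads the `net.ipv4.ip_forward` sysctl, parses the `FORWARD` chain as printed by `iptables -S FORWARD` (the legacy/nft-compat rule syntax is assumed), and looks for ACCEPT rules between the two interface names given on the command line. The interface names enp0s18/enp0s19 and the rule listing are constructed sample data modelled on the first post; on a real host you would pipe in the live `iptables -S FORWARD` output instead.

```shell
#!/bin/sh
# audit_forwarding.sh: does this dual-homed host forward packets between its NICs?
# Added example (not from the thread). Live use on the HA/Proxmox guest:
#   iptables -S FORWARD | sh audit_forwarding.sh   (after replacing the sample below)

# True (exit 0) when IPv4 forwarding is switched on. $1 optionally overrides the
# sysctl file so the check can be exercised against a sample file.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the FORWARD chain policy (ACCEPT/DROP) from 'iptables -S FORWARD' text on stdin.
forward_policy() {
  awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Print every FORWARD rule on stdin that accepts traffic between interfaces $1 and $2
# (either direction). Rules without -i/-o, or within one interface, are ignored.
cross_vlan_accepts() {
  awk -v a="$1" -v b="$2" '
    $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ {
      in_if = ""; out_if = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i") in_if = $(i + 1)
        if ($i == "-o") out_if = $(i + 1)
      }
      if ((in_if == a && out_if == b) || (in_if == b && out_if == a)) print
    }'
}

# Verdict for sysctl file $1 and interfaces $2/$3, with the FORWARD listing on stdin:
#   not-a-router         kernel forwarding is off, the host cannot bridge the VLANs
#   forwards-everything  forwarding on and FORWARD policy ACCEPT (the "bridge" case)
#   forwards-between-X-and-Y  forwarding on and an explicit ACCEPT between the two NICs
#   forwarding-blocked   forwarding on, but nothing lets traffic cross between them
verdict() {
  rules=$(cat)
  if ! ip_forward_enabled "$1"; then
    echo "not-a-router"
  elif [ "$(printf '%s\n' "$rules" | forward_policy)" = "ACCEPT" ]; then
    echo "forwards-everything"
  elif [ -n "$(printf '%s\n' "$rules" | cross_vlan_accepts "$2" "$3")" ]; then
    echo "forwards-between-$2-and-$3"
  else
    echo "forwarding-blocked"
  fi
}

# Constructed sample of 'iptables -S FORWARD' on a host that was "locked down" but
# still lets the IoT NIC reach the HA web port on the home NIC (hypothetical rules).
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i enp0s18 -o enp0s19 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s19 -o enp0s18 -p tcp --dport 8123 -j ACCEPT'

# Stand-alone demo against the constructed sample with forwarding switched on.
demo() {
  tmp=$(mktemp)
  echo 1 > "$tmp"
  printf '%s\n' "$SAMPLE_RULES" | verdict "$tmp" enp0s18 enp0s19
  rm -f "$tmp"
}
demo
```

The verdict that matters for the discussion is the first one: with `ip_forward` at 0, which is the default on an HA OS guest, the VM answers on both NICs but never relays a packet between them, so IoT devices cannot use it as a stepping stone, although HA itself remains reachable from both VLANs. The remaining verdicts only become relevant if someone has deliberately turned the guest into a router.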