thought it would be helpful to explain what works for network configuration related to Thread. Specifically we saw devices from Eve, an early adopter of Thread and Matter, behave erratically with HA but solidly with Apple.
The focus of this discussion is limited to getting your Matter devices to work reliably on a local subnet if you are having problems.
The Theory
Matter is a relatively high-level device interoperability protocol. It can run over Thread, a lower-level IPv6-based protocol, and relies largely on mDNS for discovery, which itself runs over UDP. Matter can also run over WiFi, again using IPv6 and mDNS.
For Thread, a border router is used to communicate between Thread devices and anything else on your network, such as HA. A Thread border router may be an Apple TV, an Apple HomePod, a SkyConnect device, a Google device, or anything else implementing the Thread border router protocol. You may have more than one Thread border router, and these can talk to each other.
A border router may also use or provide IPv4 services in a dual-stack network in addition to supporting the IPv6 Thread/Matter network (for example, giving an app on the IPv4 network a way to control a Thread device through the border router). The communication between the IPv4 app and the Thread device is of course not direct in that case.
The network requirements
HA documentation states that the HA instance and the border router must be on the same subnet/VLAN. The underlying mDNS traffic is "link-local", which means it is not routable between subnets/VLANs.
Thread devices themselves, like the Eve Window/Door sensor, set up their own IPv6 network over the Thread border router's radio; the border router then communicates over your LAN or subnet with HA. On the LAN, Thread services are resolved through mDNS, with mDNS broadcast used for service discovery.
So aside from HA and the Thread border router being on the same subnet, what else needs to happen?
Your Eve/Thread devices may still be unreliable if mDNS traffic cannot operate within the single subnet. Some routers, especially custom managed routers, may not allow link-local traffic without explicit rules. In addition, a host firewall (for example, on the HA host) may block mDNS or not allow traffic on the required ports.
Thread/mDNS traffic on the Ethernet/WiFi network is normally IPv6 and uses mDNS port 5353; Matter uses port 5540 for its service multicast. mDNS over IPv6 uses the multicast address ff02::fb.
In addition, HA is known to use mDNS over the IPv4 multicast address 224.0.0.251. This may be HA broadcasting over IPv4 for the "Matter over WiFi" case, but there may be another reason unrelated to Matter.
Router Traffic
So let's look at this mDNS traffic from a network router's perspective and then from the HA firewall's.
First, the router must allow mDNS traffic on the local subnet in which HA, the border router and the Thread devices reside. Some routers allow this traffic by default. Some have a check box to allow mDNS traffic, and if you manage your own router you need to have rules in place for the subnet where HA and the border router reside.
As an example, the following rules would suffice for a pfSense router firewall if the IOT subnet/VLAN is where HA, the border router, and the Thread devices reside:
In this case the following alias definitions are in place for the first three rules:
Source Addresses:
- VLAN69_IOT net = the local subnet interface network, i.e., any device address (IPv4 or IPv6) on this subnet as the source address (those assigned by DHCP/RA/SLAAC).
- link_local_IPv6 = fe80::/10 (link-local) and fd00::/8 (ULA) as the source address
- link_local_IPv4 = 169.254.0.0/16 (also known as APIPA/self-assigned) as the source address; disabled if you don't allow IPv4 self-assigned addresses, as this is an edge case for brain dead devices.
mDNS_broadcastScope = the following IPv6 and IPv4 destination addresses:
- ff02::fb (IPv6 mDNS broadcast, typically Thread or any other IPv6 mDNS implementation)
- 224.0.0.251 (IPv4; relates to the HA mDNS broadcast for things like IPP)
mdns_Port = 5353, 5540 (mDNS port and Matter operational discovery port)
Note that these rules only address traffic within this subnet, not traffic entering the subnet/VLAN, because the traffic is link-local by definition.
The remaining two rules relate specifically to Apple HomeKit and HA, not to Thread or Matter, although your border router may also require this traffic.
UnprivilegedPorts = 1024:65535
HA Firewall
Aside from those router rules, the host firewall on your HA instance (or on the host/HA network) must allow that local mDNS/Matter traffic, in addition to its own limited set of unprivileged ports such as 8123/TCP.
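A way to check the end result of both the router rules and the host firewall, as an added example that is not from the original post: the script below hand-builds an mDNS PTR query for the Matter operational service name _matter._tcp.local (the service name Matter devices register; the post itself does not name it), sends it to the mDNS groups from the post (ff02::fb and 224.0.0.251 on port 5353) and lists the hosts that answer. The function names, the optional interface argument and the sample reply are the example's own.

```python
"""Added example (not from the original post): probe a subnet for mDNS replies
to a Matter service query, to confirm port 5353 multicast is not being dropped."""
import socket
import struct
import sys

MDNS_PORT = 5353
MDNS_V6 = "ff02::fb"       # IPv6 mDNS group named in the post
MDNS_V4 = "224.0.0.251"    # IPv4 mDNS group named in the post
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000            # "unicast response requested" bit in QCLASS (RFC 6762)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by a zero-length label."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("utf-8")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_ptr_query(service: str, unicast_response: bool = True) -> bytes:
    """12-byte DNS header (ID 0, flags 0, one question) followed by a PTR question."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(data: bytes, offset: int) -> tuple:
    """Decode a DNS name, following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("utf-8", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_ptr_answers(data: bytes) -> list:
    """Return (service, instance) pairs for every PTR record in a reply."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qdcount):          # skip echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    results = []
    for _ in range(ancount + nscount + arcount):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(data, offset)
            results.append((name, target))
        offset += rdlength
    return results


# Constructed sample reply (not a real capture): one PTR answer whose target name
# ends in a compression pointer (0xC00C) back to the service name at offset 12.
_INSTANCE = "0000000000000001-0000000000000002"
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    + encode_name("_matter._tcp.local")
    + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 1 + len(_INSTANCE) + 2)
    + struct.pack("B", len(_INSTANCE)) + _INSTANCE.encode()
    + b"\xc0\x0c"
)


def probe(service: str, iface: str = None, timeout: float = 2.0) -> dict:
    """Send the query to both mDNS groups; collect PTR answers keyed by responder address."""
    query = build_ptr_query(service)
    seen = {}
    for family, group in ((socket.AF_INET6, MDNS_V6), (socket.AF_INET, MDNS_V4)):
        sock = socket.socket(family, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        dest = (group, MDNS_PORT)
        try:
            if family == socket.AF_INET6 and iface:   # ff02::/16 needs an outgoing interface
                idx = socket.if_nametoindex(iface)
                sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_IF, idx)
                dest = (group, MDNS_PORT, 0, idx)
            sock.sendto(query, dest)
            while True:
                try:
                    data, addr = sock.recvfrom(9000)
                except socket.timeout:
                    break
                seen.setdefault(addr[0], []).extend(parse_ptr_answers(data))
        except OSError as exc:
            print(f"{group}: cannot send ({exc})", file=sys.stderr)
        finally:
            sock.close()
    return seen


if __name__ == "__main__":
    found = probe("_matter._tcp.local", sys.argv[1] if len(sys.argv) > 1 else None)
    if not found:
        print("no mDNS replies: 5353 multicast is likely blocked on this segment")
    for addr, answers in found.items():
        print(addr)
        for _service, instance in answers:
            print("   ", instance)
```

Run it on the HA host (python3 mdns_probe.py eth0; the interface argument is optional). Because the query sets the QU bit, responders send their reply unicast to the script's ephemeral source port, so no multicast group membership is needed; a responder that ignores QU answers on the 5353 group instead and will not be seen here. No replies on a segment with a working border router means the 5353 traffic is being dropped, either by the router rules or by the host firewall.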
Limitations
Does all of this mean that you can't separate your IOT devices from the trusted network where HA would otherwise reside? One answer is that it seems useful to put untrusted, non-Thread devices on a separate network or VLAN from HA. The rub is that Thread is link-local, and therefore the restriction that HA and the border router share one network segment is pertinent.
As far as I know there is no such limitation with Matter over WiFi if the devices are not simply using link-local IPv6 addresses. But that may be an implementation detail.