Hi,
I getting ready to deploy home assistant for my protect cameras and some other IOT. Mosy of my solution will use local push, but I do have some Cloud Pull I will need.
for any cloud pull communication it would be my responsibility to reverse engineer this and open communication from Home Assistant to cloud , say for Lacrosse view etc correct?
for any local push automation is it safe to say Home Assistant needs no internet access to work properly?
thank so much for this open source project it amazing what was done
HA will need internet access for updates and installs. It pulls the appropriate modules and source from github as appropriate. If you’ve got it blocked these WILL fail.
During normal use your need for connectivity will likely be more tied tk what integrations you run
As @NathanCu said, it really depends on your integrations. Most of the time, it’s pretty easy to sniff the traffic and figure out what is going where. There are some you will want to keep open because they are 100% reliant on the cloud (like the Lacrosse View integration which completely stops working if you block the API calls… ask me how I know lol). Some others, like the Wiz integration, can be blocked from their public MQTT broker and still work locally (provided you have enabled local lan communication in the app). I only allow most of my devices to communicate with the internet once a month for updates (should there be any).
However, one thing you can do with the UDM-PRO pretty easily is limit the traffic speed if you have an IOT vlan setup. I’ve done this and no device on my IOT vlan (that isn’t blocked) can get more than 100kb/s down and 50kb/s up. This is great for stopping botnet DDoS attacks and such. Works great for devices where you need to have cloud access for them to work, but don’t want them to be able to send and receive too quickly.
Actually, I let HA have full internet access and is on my management vlan. I also make sure that any integrations that I use are vetted and I can see what traffic they use. The WiFi devices I worry about (bulbs, switches, fans, etc) are all on my IOT vlan and thus restricted. But generally speaking, I don’t consider HA to be a risk.
thanks I wanted to really put HA on my management vlan which will make it much easier
there still is some risk doing this but now that you replied I am learning to also place on management vlan , if HA is not placed on managment vlan I see firewalls all over the place being needed to lan devices
Ha yeah… so, in full disclosure, I do have a few devices on my management vlan: Sonos speakers, Amazon echos, my Dyson fans, Apple TVs and Harmony Hubs.
The reason being that mDNS is a pain in the ass to route reliably and also multicast UDP across subnets was just sheer hell. I had something like 15 different firewall rules just for traffic shaping and routing and finally got sick of trying to code around Unifi’s weird infra rules. So, I threw those devices on my management clan and a few firewall rules on them and everything is pretty much golden now.
Actually, no. I’ve been kind of avoiding matter. I have a couple of Aqara T1 light strips that are matter capable that I have been meaning to test. But I think they are matter over thread. Not entirely sure. It’s on my list to test sometime in the next few weeks.
With that said, I have IPV6 setup on all my vlans and traffic has been traversing subnets with no issues that I’ve seen. I have a couple of docker swarm nodes sitting in my .92 vlan using IPV6 (because apparently I like to make things difficult on myself lol). I haven’t seen any issues with the UDM routing that traffic, both TCP and UDP.
lol