VLANs are designed to segment networks and restrict broadcast packets to their own VLAN. If any of your devices requires broadcast instead of unicast-based communications then it's intended behaviour even if you have firewall rules allowing the communications. This is my understanding; if there is any other method in the latest development then I am eager to know as well.
You can start by disabling the firewall for both VLANs and see if it is working as expected. And then go further.
It might depend on your VLAN setup and what you are using for your network infrastructure.
Any particular reason for moving HA to a separate VLAN?
You have to start debugging it from somewhere. I just think that starting from the obvious would be the obvious starting point.
At least I would do it like that. We don’t know much about OP's system except that he/she for some reason moved HA to a separate VLAN and now some things are not working.
Disabling the firewall might be perceived as the final solution if it works, however it would entirely defeat the original purpose of implementing the change in the first place to bolster security.
Far worse, AI Bots may offer it in perpetuity as an ongoing viable solution for other misconfigured attempts.
Careful consideration of what data is traversing each VLAN and which device should be placed on the appropriate VLAN, as part of a design-phase reconsideration, may be a more appropriate strategy for arriving at the optimum solution.
Well, when I set my things up, my firewall rules weren’t working as expected.
I checked and rechecked everything and it took me a while to figure this thing out.
After all, AI Gemini proposed a solution, as nothing else worked. And it was to disable the tagged LAN cable interface on OPNsense.
And it started to work.
For some reason in my setup (OpenWrt with batman-adv and OPNsense as gateway, with 2 cables for tagged/untagged traffic between the batman server node and the OPNsense router), the tagged cable shouldn’t have an assigned interface on OPNsense.
So basically my inter-VLAN routing wasn’t working properly.
I don’t know what the case is here and what setup OP has, but I just want to point out that it might also be a problem with inter-VLAN routing.
I don’t understand your comment?
As far as I know, your main LAN on every router is basically a VLAN, but it isn’t presented to users as a VLAN.
If routing between your VLANs, or between the main LAN and a VLAN, is not working as expected, no firewall rules can help you with that.
Firewall is not the issue here.
Routing is and Sri4iot was right in the first reply.
You need to handle the broadcast and multicast, which is what segmentation affects.
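The broadcast/multicast point is easy to state and hard to keep straight once a firewall rule "allows" the traffic but discovery still fails. The following is an added illustration, not code from this thread or from Home Assistant: given a packet's source and destination, it classifies whether the packet can cross the router at all, and if not, what (other than a firewall rule) would be needed. The two /24 subnets and the sample flows are constructed for the example; the thread never states the OP's addressing.

```python
"""Added illustration: classify traffic between VLANs by how it can cross the router,
showing why a permitting firewall rule alone cannot carry broadcast or mDNS traffic."""
from ipaddress import IPv4Address, IPv4Network

# Constructed VLAN plan for this example only (assumption, not the OP's real subnets).
VLANS = {
    "main": IPv4Network("192.168.10.0/24"),   # assumed: HA lives here
    "iot": IPv4Network("192.168.20.0/24"),    # assumed: wifi devices live here
}

LINK_LOCAL_MCAST = IPv4Network("224.0.0.0/24")     # routers never forward this range
MDNS = IPv4Address("224.0.0.251")                   # mDNS group address, inside 224.0.0.0/24
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def vlan_of(ip: IPv4Address):
    """Name of the VLAN whose subnet contains ip, or None (e.g. an internet address)."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def classify(src: str, dst: str) -> dict:
    """Describe whether a packet src -> dst can cross the VLAN boundary and what it takes."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    src_vlan = vlan_of(src_ip)
    if src_vlan is None:
        raise ValueError(f"{src} is not in any known VLAN")
    src_net = VLANS[src_vlan]

    # Limited or subnet-directed broadcast: a layer-2 event, never routed.
    if dst_ip == LIMITED_BROADCAST or dst_ip == src_net.broadcast_address:
        return dict(kind="broadcast", crosses_router=False,
                    fix="stays inside the source VLAN; peers found by broadcast must share "
                        "the VLAN or be given an explicit address")
    # 224.0.0.0/24 (mDNS among others) is link-local scope: routers drop it by design.
    if dst_ip in LINK_LOCAL_MCAST:
        return dict(kind="link-local multicast", crosses_router=False,
                    fix="stays inside the source VLAN; needs an mDNS reflector/repeater on the "
                        "router (e.g. avahi enable-reflector) plus a firewall rule for the "
                        "unicast connection that follows discovery")
    # Other multicast is routable only when the router actually does multicast routing.
    if dst_ip.is_multicast:
        return dict(kind="multicast", crosses_router=False,
                    fix="not forwarded by default; needs multicast routing (IGMP proxy or PIM) "
                        "on the router and a matching firewall rule")
    dst_vlan = vlan_of(dst_ip)
    if dst_vlan == src_vlan:
        return dict(kind="unicast", crosses_router=False,
                    fix="switched at layer 2 inside the VLAN; the router firewall is not consulted")
    return dict(kind="unicast", crosses_router=True,
                fix=f"routed {src_vlan} -> {dst_vlan or 'outside'}; needs working inter-VLAN "
                    "routing and a firewall rule permitting this port")


def non_routable_flows(flows) -> list:
    """From (label, src, dst) tuples, return the labels no firewall rule can make cross VLANs."""
    return [label for label, src, dst in flows if classify(src, dst)["kind"] != "unicast"]


# Constructed sample flows, labelled by what they represent in a typical HA setup.
SAMPLE_FLOWS = [
    ("HA -> device API call", "192.168.10.5", "192.168.20.15"),
    ("device mDNS announcement", "192.168.20.15", str(MDNS)),
    ("device subnet broadcast", "192.168.20.15", "192.168.20.255"),
    ("device SSDP search", "192.168.20.15", "239.255.255.250"),
]

if __name__ == "__main__":
    for label, src, dst in SAMPLE_FLOWS:
        result = classify(src, dst)
        print(f"{label:28} {result['kind']:22} crosses={result['crosses_router']!s:5} {result['fix']}")
    print("needs more than a firewall rule:", non_routable_flows(SAMPLE_FLOWS))
```

Running it lists only the HA-to-device API call as something a firewall rule can actually fix; the mDNS, subnet-broadcast and SSDP flows stay inside the IoT VLAN no matter what the ruleset says, which is the per-protocol "punching holes" work the thread talks about.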
Well, I think unicast and broadcast are not the issue, because I still see the button in the devices and in the log, but now it shows it as away instead of home!?
After resetting the button it will be found in the integration but hangs on the login credentials, which work with the web browser.
I think you’re right… HA and all devices worked fine and perfect in the same LAN… but I read many times you should separate the devices in different VLANs for better security,
that's because a lot of firmware from IoT devices is deficient or unsafe…
but now I have nothing, neither functional nor safe.
There are piles and piles of threads here where people try to vlan and start having issues.
Short version: HA isn’t meant to. It assumes a wide open flat network. You will have to determine, one by one on a protocol and integration level, how you have to punch holes in your fancy new VLANs to make stuff work. Sorry, it's just what it is.
If you’re a network engineer, document the journey, have fun.
If not, this will end in pain.
I get, and understand, the FBI guidance from a few years ago (I’m an architect. This is my day job) but that guidance also doesn’t take into account the reality of consumer networks. I’ll take a well maintained, watched flat network any day over a segmented one operated by a layperson who does not know what is important to watch.
Look, segregating your network is and it isn't hard to do. Depends on your prior knowledge.
But planning is everything.
Basically what you want to do is to put your IoT devices, preferably everything that is using wifi, on dedicated VLANs. I don’t see a reason why HA should be on a dedicated VLAN, but ok, some people like that.
The point of using VLANs is to isolate devices, so they can’t talk to each other, can’t see each other, and to give them access on dedicated ports only for communication with HA. You can always connect to your VLAN wifi and test things out. Does nmap give you any host, can you access any local service or router? If you can’t then you are on the safe side.
As those devices are usually using WPA2, the whole VLAN wifi has to use the same encryption as they otherwise can’t connect. WPA2 can easily be cracked and the password for wifi can be obtained… So putting those devices on a separate VLAN with WPA2 gives a little bit more security to your main LAN. Anyone who can obtain the password for wifi will not be able to go far if the VLAN is configured properly.
What makes you think that? As far as I know, it’s not quite that simple…
if you fixed the crack issue 4-5 years ago and you use a good strong password
But I’d love to learn more if you can explain to me why WPA2 isn’t secure
You can watch this video and see for yourself.
Basically what I did was implementing recommendations from this video in my system.
After using HA for a while I came to the conclusion that network infrastructure is the essence of any smart home. So I spent my time researching concepts and finally settled on OpenWrt with batman-adv in hybrid mode, which fits my home the best, and OPNsense as gateway.
But some things are not that difficult to implement and can increase your security level. You can use an MQTT broker on the Docker internal network only; don’t use it on the host, as it sends plain text messages by default. Just a small change on the userland setup can go a long way.