I am playing around with my network set up at the moment and have an IoT network which I have started to move my devices onto.
My HASS is on my main network 192.168.254.x and my IoT devices are on a separate vLAN 192.168.72.x. With most things I can do port forwarding through my Firewall and it works fine. It is only when you are trying to use an integration that searches for devices automatically that they are not found. In my case TP-Link HS power plugs.
In my firewall I can see my HASS is doing a broadcast to 255.255.255.255 port 9999 UDP, but this is not getting across the vLAN and finding the device.
My question is: do I keep my HASS in the main network and open the requisite ports, or how do I get my device on my IoT network to be discovered by my installation?
Multicast not traversing from your main LAN to your IoT VLAN is by design. You can’t actually forward that traffic easily via a router, so the easiest solution would be to add the VLAN on your HASS and configure your router to send the IoT VLAN over the same link to your HASS machine.
With multicast I am using Avahi on my Firewall/Router to rebroadcast mDNS and it is working fine.
@kirichkov to clarify, are you simply saying to put HASS on the same subnet as my IoT network?
I did go looking for a network design guide or something like that, as I have been blasted here before for not reading the documentation, but in my search I have not found anything that gives guidance on how to lay out your network. If anyone can point me in the right direction I would be very appreciative.
Unfortunately @jackw.27 this didn’t work for me.
I delete the integration, add the code to my configuration.yaml and reload, but discovery automatically runs and discovers the TP-Link device I still have on my main LAN (still playing).
Thanks @craigcurtin, I have Avahi running already on my pfSense box as an mDNS reflector and it is working for other devices, as I have Chromecasts on a separate vLAN and they work fine.
Is your pfSense box also acting as your DNS server?
Are you sure you are allowing the correct ports through the firewall?
I would definitely NOT put my HA onto the IoT network - the whole point is to limit what can be done to your home systems if an IoT device is hacked - you want to put in place the very minimum firewall holes to allow communication out of the IoT segment.
What rules do you have in place to allow packets back from the IoT network to HA?
I remember when I first did this - I had to mess around for a while until I got it tightened down enough to make me happy but also to allow it to work.
Thanks @craigcurtin, I have added that rule to allow traffic from my IoT network to my HA box and I will see how I go.
I did find that when HA goes looking for devices it broadcasts using SSDP packets, which I am not sure are being repeated across the vLAN. I am using pfSense with Avahi as an mDNS repeater, but from what I have read that doesn’t seem to repeat SSDP packets.
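The three discovery mechanisms mentioned in this thread behave differently at the VLAN boundary, and the following script, added here as an illustration and not code from any poster or from Home Assistant, works through each case. The subnets, the assumption that the reflector repeats only the mDNS group 224.0.0.251, and the port numbers for mDNS (5353) and SSDP (1900) are taken from the thread or assumed for the example.

```python
import ipaddress
from typing import Tuple

# Constructed topology matching the thread: HASS on the main LAN, devices on the IoT VLAN.
MAIN_LAN = ipaddress.ip_network("192.168.254.0/24")
IOT_VLAN = ipaddress.ip_network("192.168.72.0/24")

# Multicast groups an mDNS reflector such as Avahi repeats between VLANs (assumption:
# only mDNS). SSDP's group 239.255.255.250 is deliberately absent, which is why
# SSDP-based discovery is not repeated even with the reflector running.
REFLECTED_GROUPS = {ipaddress.ip_address("224.0.0.251")}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def crosses_to_iot(dst_ip: str, dst_port: int,
                   iot_net: ipaddress.IPv4Network = IOT_VLAN,
                   reflected=REFLECTED_GROUPS) -> Tuple[bool, str]:
    """Return (reaches_iot_vlan, reason) for a discovery datagram sent from the main LAN."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == LIMITED_BROADCAST:
        # Limited broadcast is never forwarded by a router; it stays on the sender's link.
        # This is the TP-Link case: UDP 255.255.255.255:9999 never reaches the IoT VLAN.
        return False, f"limited broadcast to port {dst_port} stays on the main LAN"
    if dst.is_multicast:
        if dst in reflected:
            return True, f"multicast group {dst}:{dst_port} is repeated by the mDNS reflector"
        return False, f"multicast group {dst}:{dst_port} is not reflected"
    if dst == iot_net.broadcast_address:
        # Directed broadcast is routable in principle, but firewalls drop it by default.
        return False, "directed broadcast is dropped unless the firewall explicitly forwards it"
    if dst in iot_net:
        # Unicast is the reliable path: a static host entry plus a firewall rule for replies.
        return True, "unicast to the IoT VLAN is routed; a firewall rule must allow the reply"
    return False, f"{dst} is not in {iot_net}"


def thread_cases() -> dict:
    """The three discovery methods discussed in the thread, evaluated against the topology."""
    return {
        "tp-link udp 9999": crosses_to_iot("255.255.255.255", 9999),
        "mdns": crosses_to_iot("224.0.0.251", 5353),
        "ssdp": crosses_to_iot("239.255.255.250", 1900),
        "unicast host entry": crosses_to_iot("192.168.72.20", 9999),
    }


if __name__ == "__main__":
    for name, (ok, why) in thread_cases().items():
        print(f"{name:20} {'reaches IoT VLAN' if ok else 'blocked':17} {why}")
```

Only the mDNS and unicast cases reach the IoT VLAN in this model, which matches the observation that Chromecasts work through the reflector while the TP-Link broadcast and SSDP do not.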
You’ve done the heavy lifting if you have the Avahi reflector running on your main router/firewall. This should allow you to broadcast the mDNS and things should work. I personally have never run the reflector, but as far as I read up it’s the way to go.
My working topology is to have IoT devices on a dedicated WiFi (no cabled IoT). Then my HASS is wired with my router/Wi-Fi AP. I run both a regular LAN (VLAN without any tags) and a VLAN over the same cable from my router to my HASS. On my router the IoT Wi-Fi is bridged with my IoT VLAN that goes only to HASS, and nowhere else.
With the firewall I’ve blocked access from outside of the IoT network to IoT devices. If one of them goes rogue it’s separated from my “regular” traffic. With that said, your laptop/desktop is probably a bigger target anyway.