Why does HAOS enable IP forwarding by default?

I installed the haos_ova qcow2 image in a virtual machine under Ubuntu 24.04. In the process of debugging a different issue, I logged into the instance console and was surprised to see IP forwarding is apparently enabled on the host:

# cat /proc/sys/net/ipv4/ip_forward
1

I don’t believe this is the result of any sort of customization that I’ve done, which leaves me to wonder why this would be the default configuration for the OS? It strikes me as surprising that HAOS would be putting itself in a position to possibly route packets between networks.

This may be a non-issue for single network installations, but my network includes multiple VLANs for different types of devices as a security measure. I assumed it would be safe to allow HA to connect to more than one VLAN for the purposes of detecting and managing devices on the different networks. Now I’m questioning whether this is a good idea if the device might be open to forwarding unsolicited traffic. Is this intentional?

* Core 2025.3.4
* Supervisor 2025.03.3
* Operating System 15.0
* Frontend 20250306.0

HA was never advertised as a router/firewall, so why use it as such?
The router and firewall is made for this job.
If HA can detect and manage devices on other networks than the primary, then it is because those devices use standard routable TCP/IP protocols, so they can be routed.
The non-routable protocols, like mDNS, SSDP and so on require a reflector installed, which can’t be installed on HA anyway and it is probably better installed on the router firewall on your network.
Using the router/firewall on your network opens up many more security options, like opening for certain port or devices and it can also limit the port between the other devices and HA, if that is desired.

It may have to do with various other applications, such as the Open Thread Border Router AddOn solution, which uses the HAOS kernel for IPv6 routing.

I was thinking about that one too, and with NAT64 it does IPv4 routing too, but I was unsure of where that setting was found. Was it in the HAOS system, in the HA container, in the web & SSH container or somewhere else?

Docker requires ip forward enabled.


This ^^

Pretty sure you need the IP forwarding for the docker stuff on 172 if your network is on 192, otherwise nothing would work.
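The replies say ip_forward is on because Docker's bridge networking needs it; what the OP actually cares about is whether a multi-VLAN host would also forward between its own VLAN interfaces. The script below is an added example, not code from this thread or from HAOS: it reads the forwarding flag and classifies the FORWARD chain from `iptables -S FORWARD` output as confined to Docker or open. The docker0/br- interface names and the sample rule sets are assumptions modelled on Docker's defaults.

```shell
# Added example (not from the thread or HAOS). On a Docker host ip_forward=1
# is expected; the question for a multi-VLAN host is whether the FORWARD
# chain confines forwarding to the Docker bridges (docker0 / br-*) or would
# also pass traffic between VLAN interfaces. Only direct ACCEPT rules in
# FORWARD are inspected; jumps into user chains (DOCKER-USER) are not followed.

# "1" means the kernel will forward packets between interfaces.
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = 1 ]
}
# Takes the text of `iptables -S FORWARD`; prints "restricted" when the
# default policy is DROP and every ACCEPT rule is scoped to a Docker
# interface, otherwise "open:<reason>".
forward_chain_state() {
  printf '%s\n' "$1" | awk '
    BEGIN { policy = "UNKNOWN"; loose = 0 }
    /^-P FORWARD / { policy = $3 }
    /^-A FORWARD / && / -j ACCEPT/ {
      scoped = 0
      for (i = 1; i < NF; i++)
        if (($i == "-i" || $i == "-o") && $(i + 1) ~ /^(docker|br-)/) scoped = 1
      if (!scoped) loose++
    }
    END {
      if (policy != "DROP") print "open:policy-" policy
      else if (loose > 0) print "open:" loose "-unscoped-accept-rule(s)"
      else print "restricted"
    }'
}

# Constructed sample modelled on the rules Docker installs by default.
DOCKER_ONLY='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed sample: the same host after a VLAN-to-VLAN rule was added.
VLAN_LEAK="$DOCKER_ONLY
-A FORWARD -i eth0.10 -o eth0.20 -j ACCEPT"

# Audit the running host (iptables needs root); default: run the samples.
audit_host() {
  forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" || { echo "ip_forward=0"; return; }
  echo "ip_forward=1, FORWARD chain: $(forward_chain_state "$(iptables -S FORWARD)")"
}
if [ "${1:-}" = --live ]; then audit_host; else
  echo "docker-only sample: $(forward_chain_state "$DOCKER_ONLY")"
  echo "vlan-leak sample:   $(forward_chain_state "$VLAN_LEAK")"
fi
```

Run with `--live` on the HAOS console (or any Docker host) to audit the real chain; a "restricted" verdict with ip_forward=1 is the normal Docker state, while any "open" verdict on a multi-VLAN host deserves a look at who added the rule.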