Xiaomi Miio lights not working after network setup change

I have finished moving all my IoT devices to a separate VLAN, but have run into issues with my Miio Xiaomi Philips Downlights.

I have removed the old devices and re-added them with their new IP addresses and respective tokens. Adding the devices went through without problems, but afterwards the lights show up as unavailable in Home Assistant.

The logs show DeviceException during setup of xiaomi device with host 192.168.120.65

Devices on the VLAN have full access to my Home Assistant instance via a firewall rule, and I have also temporarily enabled internet access on the VLAN just in case.

Any idea what is wrong here?

EDIT: Apparently there’s a problem already when adding the device. I have noticed HA accepts even random access and token (as long as their length is valid) and adds the device, which then appears as unavailable.

So it seems to be a known issue with MIIO devices on VLANs. More is described here on GitHub:

Solved it temporarily by implementing a 1:1 NAT rule, but I think it defies the reason for having VLANs.

You mean the Philips Zhirui lights?
I have some and I needed to add 2 rules between the 2 networks:

  • IOT → server: open all UDP, no NAT needed
  • Server → IOT: open UDP 54321, NAT enabled.

Firewall needed to have filtering + NAT.

This is my NAT rule:

IOT network has access to all ports on HA server (was too lazy so far to define specific ports used by all the different integrations).
Server has full access to IOT network due to being on the untagged LAN network.

From the sniffer on my firewall, this is what happens every 10s or so:

2.710182 192.168.7.40.54321 -> 161.117.49.2.8053: udp 32
4.740182 192.168.7.40.54321 -> 161.117.49.2.8053: udp 32
9.910182 192.168.7.1.37405 -> 192.168.7.40.54321: udp 128
9.960182 192.168.7.40.54321 -> 192.168.7.1.37405: udp 80

The first 2 lines are the light trying to phone home. This is blocked by my firewall.

The 2 latest lines are the HA dialog:

  • First, see that the server is asking the light, on port 54321. And see that the server is source-NATed with the firewall’s address in the same VLAN. The light won’t answer if requested from another VLAN.
  • Then the light answers, to what it guesses is a local address.

You’ll need to have server and light in the same VLAN or trick the light to think so.
This is what the rule looks like in the FortiGate:

Note that “destination: all” means all addresses in the destination VLAN. I could have listed all the lights but it doesn’t matter as they both are DMZ with limited access.
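Added example, not part of any post in this thread: a small Python check that reads sniffer lines in the format quoted above and labels each packet, so you can see whether requests to UDP 54321 reach the light with a source address inside its own VLAN and whether a reply follows. The `192.168.7.0/24` prefix, the label names and the second, constructed capture are assumptions made for illustration.

```python
import ipaddress
import re

# Capture lines copied from the thread (firewall sniffer format).
THREAD_CAPTURE = """\
2.710182 192.168.7.40.54321 -> 161.117.49.2.8053: udp 32
4.740182 192.168.7.40.54321 -> 161.117.49.2.8053: udp 32
9.910182 192.168.7.1.37405 -> 192.168.7.40.54321: udp 128
9.960182 192.168.7.40.54321 -> 192.168.7.1.37405: udp 80
"""
# Constructed sample: the same request routed without source NAT, no reply seen.
ROUTED_CAPTURE = "1.000000 192.168.9.10.40000 -> 192.168.7.40.54321: udp 128\n"

MIIO_PORT = 54321  # local control port named in the thread
LINE = re.compile(
    r"^\S+ (\d+(?:\.\d+){3})\.(\d+) -> (\d+(?:\.\d+){3})\.(\d+): udp \d+$")

def classify(capture, iot_net):
    """Return (labels, unanswered): one label per packet, plus the requests
    to MIIO_PORT that never got a reply from the device."""
    net = ipaddress.ip_network(iot_net)  # assumed prefix of the IoT VLAN
    labels, pending = [], {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a UDP summary line
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[3])
        sport, dport = int(m[2]), int(m[4])
        if dst in net and dport == MIIO_PORT:
            # Request to the device: was its source rewritten into the VLAN?
            label = "request-local-src" if src in net else "request-foreign-src"
            pending[(src, sport, dst)] = label
        elif src in net and sport == MIIO_PORT and (dst, dport, src) in pending:
            del pending[(dst, dport, src)]
            label = "reply"
        elif src in net and dst not in net:
            label = "iot-to-outside"  # e.g. the light phoning home
        else:
            label = "other"
        labels.append(label)
    unanswered = [(str(s), str(d), kind) for (s, _, d), kind in pending.items()]
    return labels, unanswered

if __name__ == "__main__":
    for name, cap in (("thread", THREAD_CAPTURE), ("routed", ROUTED_CAPTURE)):
        print(name, classify(cap, "192.168.7.0/24"))
```

A `request-foreign-src` entry left in the unanswered list means the source NAT on the server → IOT rule is not being applied to that traffic.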

I am not familiar with FortiGate. However, I realized that my NAT rule (posted above) forwards all requests normally sent to the VLAN gateway to my Home Assistant instance, including DNS requests, so hostname resolving is not working… Any way around it?

I don’t know how to set up the rules, but I guess you should change the “any” destination to only the HA server?
To get it clear:
192.168.120.0/24 network is the HA network (external)?
192.168.50.0/24 is the IOT VLAN?
What is the HA Server address? What are the firewall addresses?

Sorry to revive this old thread but I’ve just changed my network to have VLANs and have the same issue now.

Is your HA at 192.168.50.10 and the light is 192.168.120.65?

Hoping to get comms back to my Roborock vacuum, Xiaomi Gateway (this kinda works but I’ve lost the ability to play the ringtones…) and Xiaomi lights while keeping them on the non-internet connected VLAN.

Cheers,

Dave