How do I enable IPv6 traffic on VLAN for IoT Matter traffic?
-
@stephenw10 said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:
I've never played with any Matter devices, do they only use IPv6?
The devices themselves, yes. The controllers, no. Like this:
User device <-- IPv4 / IPv6 --> Matter Controller <-- IPv6 LL --> Matter device -
That should work then.
Do you have any VLAN configuration in the VM host? You could be passing VLAN 33 tagged into it for example. Though since you can reach the Matter server from LAN it must be at least mostly correct!
You should remove port 9 from VLAN1 as @johnpoz pointed out though.
You are using a flat network for the devices and server. None of that traffic is being routed whether or not it's in a VLAN. It's all on the same layer 2 segment. So I'd expect it to work.
I would try to run packet captures to see what traffic is actually making it to where. I'd probably start at the Matter server but I expect to see the traffic not making that far. Then at the VM host. Then on the AP.
-
@dennypage said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:
The devices themselves, yes. The controllers, no. Like this:
User device <-- IPv4 / IPv6 --> Matter Controller <-- IPv6 LL --> Matter device
Correct.
Now can you help this NOOB out with getting things working?
I'm not sure where the configuration issue is; pfSense, OpenWrt, 16 port switch....
For what is worth I have been able to connect a Tapo Matter switch to the IoT SSID (192.168.2.6) of the AP.
Using the iOS Tapo app via Bluetooth I was able to communicate with the Tapo Switch and give it the IoT SSID and password. The Tapo switch connects to the AP but does not communicate with the network.
-
So the switches connect to the AP but do not pull an IP address because they use IPv6 LL only?
You can see in OpenWRT that they are connected?
You have the IoT SSID correctly bridged with the VLAN33 interface in OpenWRT?
Normally that would be obvious because devices connecting pull a lease in the correct subnet but these apparently don't do that.You could try connecting something else to that SSID and make sure it can ping the Matter server.
-
@Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:
For what is worth I have been able to connect a Tapo Matter switch to the IoT SSID (192.168.2.6) of the AP.
Using the iOS Tapo app via Bluetooth I was able to communicate with the Tapo Switch and give it the IoT SSID and password. The Tapo switch connects to the AP but does not communicate with the network.
Understand you have successfully the Matter device (switch) connected to the wifi network... but have you paired it with the Matter Controller?
-
@Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:
I'm not sure where the configuration issue is; pfSense, OpenWrt, 16 port switch....
Not sure how many times this has to be said - it has ZERO to do with pfsense.. Pfsense has zero to do with things on the same vlan/network talking to each other..
Maybe your AP is filtering multicast? Maybe your ssid is set as a guest network - this prevents devices on that wifi network from talking to wired ports..
Maybe its handing out some other IPv6 address to the wifi devices.. And that is causing problems? All I can tell you is pfsense has nothing to do with devices on the same network/vlan from talking to each other.
Maybe your AP is not setup correctly for ssid on vlan 33.. If you connect your phone or laptop to this ssid from the AP can you ping your matter box on 192.168.2.101? This phone/laptop gets an IP in your 192.168.2 network?
-
@johnpoz OKAY so beat me over the head with the stupid stick.
Thanks again for the prodding.
After some reconfiguration of the AP and enabling IPv6 UFW rules for my VM I was able to get traffic flowing between the Tapo switch and Home Assistant and Matter Server.
IPv6 was not enabled in /etc/default/ufw
Set IPV6=yes
UFW was blocking the ports that the Matter server uses so I opened those ports for the range of addresses for my IoT devices.
Any recommendations for blocking Internet access to and from my IoT devices?
I have setup an IoT Aliases list with the devices IPv4 addresses.
-
@dennypage After some head banging and prodding from people wiser then me I have been able to connect to communicate with the Tapo switch via the Tapo app.
I have been able to connect the Tapo switch to the Matter server integration of Home Assistant. Furthermore Home Assistant is able to control the Tapo switch.
However I am currently trying to figure out how to control the Tapo switch locally without requiring the cloud account.
When adding the Tapo switch to Home Assistant I was asked for my TP-Link Cloud account and password. I do not know if that is a one time only requirement or if Home Assistant periodically present TP-Link Cloud with my credentials to keep the Tapo switch functioning. Findings are mixed on wether they can function without the TP-Link cloud account.
Do you have any experience with the Tapo switches?
-
@stephenw10 Thanks for the input.
@stephenw10 said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:
You have the IoT SSID correctly bridged with the VLAN33 interface in OpenWRT?
I did not have the bridge correctly configured.
-
If they are only using IPv6 LL addresses then no connections outside the subnet could ever be made. Out or in.
For other devices in the subnet that are using IPv4 or routable IPv6 addresses then you just need an appropriate firewall ruleset on IoT to limit outgoing connections. Incoming connections would be filtered on the other interfaces involved.
-
@Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:
@dennypage
…
Do you have any experience with the Tapo switches?I don’t have direct experience with Tapo. However I do have experience with Kasa, and I can attest that TP-Link goes out of its way to push / force you onto cloud services.
