Netgate Discussion Forum

Using home assistant with Iot on different VLAN

L2/Switching/VLANs
NasKar

I have Home Assistant on my main network 192.168.5.x and want to put all the Wi-Fi IoT devices on a separate VLAN (IoT) 192.168.20.x for security purposes.

My HA is on 192.168.5.45:8123 and, for example, my Roku is on 192.168.20.27.
I have a firewall rule for VL20_TV to allow the Roku to talk to my HA.
[image: PFSENSE FW Rule.jpg]
My HA is unable to see the Roku; it says "failed setup, will retry". I have similar rules that allow the Roku to see my Plex server and it works.

      Any thoughts on what I'm doing wrong?

      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      2 Gigs Ram
      SSD with ver 2.4.0
      IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

darcey @NasKar

@NasKar It's not clear what, if any, rules on your LAN interface might be preventing HA from reaching the Roku. However, I'd be surprised if any rule is needed on the IOT interface allowing the Roku to reach HA.
I would focus on the LAN interface. Turn on default logging or create a rule specifically allowing/logging traffic from/to HA/Roku. Then determine which ports you do need to open. IIRC the Roku API listens on port 8060, perhaps others, and I imagine HA's Roku integration uses that to control the device.

sic0048 @NasKar

@NasKar You need to realize there are two ways a device communicates over the network. First, devices will initiate communication with other devices. This connection needs to be allowed by the firewall (i.e. not blocked) for it to happen. Second, devices will reply to communication that is initiated by another device. This type of traffic does not need a firewall rule to occur. It's why devices on the "internet" will reply/communicate with our local devices when we "browse the internet", but devices outside our local network cannot initiate communication with our local devices (assuming everything is set up correctly). I.e. we can access the internet, but the internet cannot access our local network.

Therefore creating a rule to allow the Roku to talk to the HA is not the same as creating a rule on the HA interface that allows traffic to pass to the Roku. You need to add a rule on the HA side that allows traffic to pass to the Roku. (If you have a "pass all" rule, that should be sufficient, but probably not the best way to handle it.)

Your rules likely work with the Plex server because the Plex server doesn't need to communicate with the Roku on its own. It is simply replying to traffic initiated by the Roku (like streaming the requested show to the Roku). The HA system clearly needs to initiate traffic with the Roku to complete its "setup" process, and your firewall seems to be blocking that traffic currently.

NasKar @sic0048
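As an added illustration of the point sic0048 makes (this is not code from any poster in the thread), here is a toy model of pfSense-style per-interface stateful filtering: the OP's VL20_TV pass rule lets the Roku reach Plex and the replies return via the state table, but HA's connection to the Roku enters the firewall on LAN, which the VL20_TV rule never sees, so it is dropped until a LAN rule exists. The HA and Roku addresses and the 8060 port come from the thread; the Plex address, the Plex port and the ephemeral source ports are constructed for the example.

```python
# Added example, not from the thread: rules are evaluated on the interface a
# packet *enters* on; replies to a known flow match the state table, no rule needed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    iface: str                    # inbound interface, e.g. "LAN" or "VL20_TV"
    src: str                      # host or CIDR
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, iface, src, dst, dport):
        return (iface == self.iface
                and ip_address(src) in ip_network(self.src, strict=False)
                and ip_address(dst) in ip_network(self.dst, strict=False)
                and self.dport in (None, dport))

@dataclass
class StatefulFirewall:
    rules: list
    states: set = field(default_factory=set)   # (src, sport, dst, dport)

    def packet(self, iface, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.states:    # reply to a known flow
            return True
        if any(r.matches(iface, src, dst, dport) for r in self.rules):
            self.states.add((src, sport, dst, dport))  # new flow: create state
            return True
        return False                                   # default deny

HA, ROKU = "192.168.5.45", "192.168.20.27"   # addresses from the thread
PLEX, PLEX_PORT = "192.168.5.50", 32400      # constructed for this example

def scenario(lan_rule: bool):
    """OP's VLAN20 -> LAN pass rule, optionally plus a LAN rule for HA -> Roku."""
    rules = [Rule("VL20_TV", "192.168.20.0/24", "192.168.5.0/24")]
    if lan_rule:
        rules.append(Rule("LAN", HA, ROKU, 8060))  # Roku API port, per darcey
    fw = StatefulFirewall(rules)
    # Roku -> Plex enters on VL20_TV; Plex's reply enters on LAN and hits state.
    plex_ok = (fw.packet("VL20_TV", ROKU, 50000, PLEX, PLEX_PORT)
               and fw.packet("LAN", PLEX, PLEX_PORT, ROKU, 50000))
    # HA -> Roku enters on LAN; without a LAN rule the SYN never leaves.
    ha_ok = (fw.packet("LAN", HA, 40000, ROKU, 8060)
             and fw.packet("VL20_TV", ROKU, 8060, HA, 40000))
    return {"plex": plex_ok, "ha": ha_ok}
```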

@sic0048 Thanks for your detailed reply. I have it working, but may be able to eliminate some rules or make them more restrictive.
LAN
[image: Lan.jpg]

VLAN20 (TVs)
[image: Vlan20.jpg]

IOT
[image: iot.jpg]

manu13

              Ensure that your firewall rules not only allow traffic from the IoT VLAN to your main network but also from your main network to the IoT VLAN if needed.

              Double-check that there’s no additional rule blocking communication between these VLANs. Sometimes, it helps to verify that both devices are on the correct VLAN and that routing between VLANs is properly configured.

              If you’re interested in integrating more devices with Home Assistant, you might find this guide useful: https://www.mklibrary.com/sonos-home-assistant/.

Patch @NasKar

                @NasKar said in Using home assistant with Iot on different VLAN:

I have home assistant on my main network 192.168.5.x and want to put all the wifi IoT devices on a separate VLan (IoT) 192.168.20.x for security purposes.

I'm not sure that is the best approach.

What is the logic behind not putting Home Assistant on the IOT network so it can scan for and communicate with all your IOT devices? Then:

• Enable Main network access to Home Assistant via the defined Home Assistant interface.
• Allow Home Assistant access to the internet, and port forwarding from the internet to Home Assistant as required.
• Block any other IOT connections to other local networks (including Main) and the internet as you desire.

Doing so avoids having to reverse engineer the communication protocols used between each of your IOT devices and Home Assistant.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.