Using home assistant with Iot on different VLAN
-
I have home assistant on my main network 192.168.5.x and want to put all the wifi IoT devices on a separate VLAN (IoT) 192.168.20.x for security purposes.
My HA is on 192.168.5.45:8123 and for example my Roku is on 192.168.20.27
I have a firewall rule for VL20_TV to allow the roku to talk to my HA
My HA is unable to see the Roku; it says "failed setup, will retry". I have similar rules that allow the Roku to see my Plex server and it works. Any thoughts on what I'm doing wrong?
-
@NasKar It's not clear what if any rules on your LAN interface might be preventing HA from reaching the roku. However I'd be surprised if any rule is needed on the IOT interface allowing the roku to reach HA.
I would focus on the LAN interface. Turn on default logging or create a rule specifically allowing/logging traffic from/to HA/roku. Then determine which ports you do need to open. IIRC roku api listens on port 8060, perhaps others, and I imagine HA's roku integration uses that to control the device.
-
@NasKar You need to realize there are two ways a device communicates over the network. First, devices will initiate communication with other devices. This connection needs to be allowed by the Firewall (ie not blocked) for it to happen. Second, devices will reply to communication that is initiated by another device. This type of traffic does not need a Firewall rule to occur. It's why devices on the "internet" will reply/communicate with our local devices when we "browse the internet", but devices outside our local network cannot initiate communication with our local devices (assuming everything is set up correctly). IE we can access the internet, but the internet cannot access our local network.
Therefore creating a rule to allow the Roku to talk to the HA is not the same as creating a rule on the HA interface that allows traffic to pass to the Roku. You need to add a rule on the HA side that allows traffic to pass to the Roku. (If you have a "pass all" rule, that should be sufficient, but probably not the best way to handle it)
Your rules likely work with the Plex server because the Plex server doesn't need to communicate with the Roku on its own. It is simply replying to traffic initiated by the Roku (like streaming the requested show to the Roku). The HA system clearly needs to initiate traffic with the Roku to complete its "setup" process and your Firewall seems to be blocking that traffic currently.
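The initiate-versus-reply distinction above, as an added toy model (not from any poster or from pfSense): rules are checked only on the interface where a packet enters the firewall, replies to an already-allowed flow pass with no rule, and the HA, Roku and port values are the ones from this thread (the Plex address and port are constructed for the example).

```python
from dataclasses import dataclass
from typing import Optional

HA, ROKU = "192.168.5.45", "192.168.20.27"          # addresses from the thread
PLEX = "192.168.5.10"                               # constructed for the example

@dataclass(frozen=True)
class Rule:
    iface: str            # interface the packet ENTERS on: "LAN" or "IOT"
    src: str              # source host or "any"
    dst: str              # destination host or "any"
    dport: Optional[int]  # destination port, None = any port

class StatefulFirewall:
    """Toy pfSense-style filter: per-interface inbound rules plus a state table."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, sport, dst, dport) of flows allowed so far

    @staticmethod
    def iface_of(ip):
        return "LAN" if ip.startswith("192.168.5.") else "IOT"

    def packet(self, src, sport, dst, dport):
        # A reply to an existing state passes without consulting any rule.
        if (dst, dport, src, sport) in self.states:
            return True
        iface = self.iface_of(src)
        for r in self.rules:
            if (r.iface == iface and r.src in (src, "any")
                    and r.dst in (dst, "any") and r.dport in (dport, None)):
                self.states.add((src, sport, dst, dport))   # create state
                return True
        return False

    def connect(self, src, dst, dport, sport=50000):
        """SYN from src, then the reply from dst; True only if both pass."""
        return self.packet(src, sport, dst, dport) and self.packet(dst, dport, src, sport)

def scenario(lan_rules):
    """IoT-side rules as in the question, plus whatever LAN-side rules are given."""
    fw = StatefulFirewall([Rule("IOT", ROKU, HA, 8123), Rule("IOT", ROKU, PLEX, 32400)] + lan_rules)
    return {
        "roku->plex": fw.connect(ROKU, PLEX, 32400),   # Roku initiates, Plex replies
        "roku->ha": fw.connect(ROKU, HA, 8123),
        "ha->roku:8060": fw.connect(HA, ROKU, 8060),   # HA must initiate for setup
    }

IOT_RULES_ONLY = scenario([])                              # the original setup
WITH_LAN_RULE = scenario([Rule("LAN", HA, ROKU, 8060)])    # the missing LAN rule
WITH_PASS_ALL = scenario([Rule("LAN", "any", "any", None)])  # blunt "pass all"
```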
-
@sic0048 thanks for your detailed reply. I have it working but may be able to eliminate some rules or make them more restrictive.
LAN
VLAN20 (TVs)
IOT
-
Ensure that your firewall rules not only allow traffic from the IoT VLAN to your main network but also from your main network to the IoT VLAN if needed.
Double-check that there’s no additional rule blocking communication between these VLANs. Sometimes, it helps to verify that both devices are on the correct VLAN and that routing between VLANs is properly configured.
If you’re interested in integrating more devices with Home Assistant, you might find this guide useful: https://www.mklibrary.com/sonos-home-assistant/.
-
@NasKar said in Using home assistant with Iot on different VLAN:
I have home assistant on my main network 192.168.5.x and want to put all the wifi IoT devices on a separate VLan (IoT) 192.168.20.x for security purposes.
I'm not sure that is the best approach.
What is the logic behind not putting Home assistant on the IOT network so it can scan for and communicate with all your IOT devices. Then
- Enable Main network access to home assistant via the defined Home assistant interface.
- Home assistant access to the internet & port forwarding from the internet to Home assistant as required.
- Block any other IOT connections to other local networks (including Main) and the internet as you desire.
Doing so avoids having to reverse engineer the communication protocols used between each of your IOT devices and Home assistant.