Netgate Discussion Forum
    How do I enable IPv6 traffic on VLAN for IoT Matter traffic?

    General pfSense Questions
    Tags: iot, matter, ipv6, vlan
    22 Posts, 5 Posters, 1.8k Views
    Seeking Sense:

      Hello

      How does one enable IPv6 traffic on a VLAN for IoT Matter traffic? (firewall rules, IPv6 settings, etc...)

      Attempting to install some low-cost TAPO Matter smart switches and could use some assistance configuring pfSense to allow for IPv6 communication over a VLAN between the devices and the Matter server.

      Have read that the TAPO Matter smart switches use link-local IPv6.

      Do not need or want IPv6 enabled on the WAN just the VLAN that the IoT devices are on.

      From what I have gathered as long as all of the IoT devices are on the same VLAN then there should be no issues with communication. Is this correct?

      For example:

      LAN 192.168.1.0/24

      pfsense 192.168.1.1
      computer 192.168.1.100
      laptop #1 192.168.1.101
      laptop #2 192.168.1.102
      cell phone 192.168.1.103
      cell phone 192.168.1.104

      IoT VLAN 192.168.2.0/24

      Access Point SSID "IoT" 192.168.2.2
      Echo Dot 192.168.2.100
      Home Assistant w/ Matter Server 192.168.2.101
      Tapo Matter Smart Switch #1
      Tapo Matter Smart Switch #2
      Tapo Matter Smart Switch #3
      Tapo Matter Smart Switch #4
      Tapo Matter Smart Switch #5

      Does this require setting up a full-blown IPv6 network with IPv6 DHCP server?

      Any assistance with this would be most appreciated.

      johnpoz (LAYER 8 Global Moderator), replying to Seeking Sense:

        @Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

        From what I have gathered as long as all of the IoT devices are on the same VLAN then there should be no issues with communication. Is this correct?

        Pfsense has nothing to do with communications between devices on the same network/vlan - if devices talk ipv4 or ipv6 pfsense has nothing to do with it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        stephenw10 (Netgate Administrator):

          Indeed if they're using linklocal addresses nothing should be needed.

          JKnott:

            Link local addresses are not normally used for user data. You want to set up Unique Local Addresses. If you don't have IPv6 from your ISP, you may have to modify the instructions slightly.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            dennypage, replying to JKnott:

              @JKnott said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

              Link local addresses are not normally used for user data.

              For IoT device control with protocols such as Matter, Link Local Addresses are always used between the controller and its devices. Link Local Addresses are optional for a user device (such as a phone) speaking to the controller, but may be used if available. Addresses are advertised via multicast DNS (mDNS).

              You do not need to do anything to set up IPv6 for Matter--it will just work out of the box.
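The discovery step dennypage describes, a Matter controller querying mDNS and a device answering with a link-local address, as an added example that is not code from the thread or from any Matter implementation. It builds the mDNS PTR query for the Matter operational service `_matter._tcp.local` and parses a constructed answer (PTR, then SRV, then AAAA) down to the device's link-local address and port. The instance name, hostname, port 5540 and fe80:: address in the sample answer are made up here; nothing is sent on the wire (a real query would go from an AF_INET6 UDP socket joined to ff02::fb on the IoT interface).

```python
"""mDNS query/answer handling for Matter operational discovery (added example)."""
from __future__ import annotations

import ipaddress
import struct

MDNS_GROUP, MDNS_PORT = "ff02::fb", 5353
MATTER_SERVICE = "_matter._tcp.local"      # Matter operational service name
TYPE_PTR, TYPE_AAAA, TYPE_SRV = 12, 28, 33
CLASS_IN = 1
QU_BIT = 0x8000                            # "unicast response requested" (RFC 6762 5.4)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(service: str = MATTER_SERVICE, unicast: bool = True) -> bytes:
    """One-question mDNS PTR query; id 0 and flags 0 as mDNS requires."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast else 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:          # compression pointer to earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_records(pkt: bytes) -> list[dict]:
    """Parse answer, authority and additional records of an mDNS message."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = decode_name(pkt, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_PTR:
            rec["target"], _ = decode_name(pkt, off)
        elif rtype == TYPE_SRV:            # priority, weight, port, target
            rec["port"] = struct.unpack_from("!H", pkt, off + 4)[0]
            rec["target"], _ = decode_name(pkt, off + 6)
        elif rtype == TYPE_AAAA:
            rec["address"] = ipaddress.IPv6Address(pkt[off:off + rdlen])
        off += rdlen
        records.append(rec)
    return records


def matter_endpoints(records: list[dict]) -> list[tuple[str, str, int]]:
    """Chase PTR -> SRV -> AAAA; keep only link-local addresses, which is
    what Matter devices use on the LAN."""
    srv = {r["name"]: r for r in records if r["type"] == TYPE_SRV}
    aaaa: dict[str, list] = {}
    for r in records:
        if r["type"] == TYPE_AAAA:
            aaaa.setdefault(r["name"], []).append(r["address"])
    found = []
    for r in records:
        if r["type"] == TYPE_PTR and r["name"] == MATTER_SERVICE and r["target"] in srv:
            s = srv[r["target"]]
            for addr in aaaa.get(s["target"], []):
                if addr.is_link_local:
                    found.append((r["target"], str(addr), s["port"]))
    return found


def _rr(name: str, rtype: int, rdata: bytes, ttl: int = 120) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


# Constructed sample answer from one device (instance name is <fabric>-<node>,
# hostname and address are invented). Real answers use name compression,
# which decode_name handles; this sample is written uncompressed.
INSTANCE = "1234567890ABCDEF-0000000000000001." + MATTER_SERVICE
HOST = "DEADBEEF00000001.local"
SAMPLE_ANSWER = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 2)    # response, authoritative answer
    + _rr(MATTER_SERVICE, TYPE_PTR, encode_name(INSTANCE))
    + _rr(INSTANCE, TYPE_SRV, struct.pack("!HHH", 0, 0, 5540) + encode_name(HOST))
    + _rr(HOST, TYPE_AAAA, ipaddress.IPv6Address("fe80::1a2b:3cff:fe4d:5e6f").packed)
)

if __name__ == "__main__":
    print("query:", build_query().hex())
    for inst, addr, port in matter_endpoints(parse_records(SAMPLE_ANSWER)):
        print(f"{inst} -> [{addr}]:{port}")
```

The practical point for the thread: everything here is link-local and multicast on one L2 segment, so the controller and device must share the VLAN and the AP must pass ff02::fb multicast through to the wire; a router in between never sees it.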

              Seeking Sense, replying to dennypage:

                @dennypage said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                You do not need to do anything to set up IPv6 for Matter--it will just work out of the box.

                Good Morning.

                Clearly I am experiencing NOOB user error(s) as things are not unfortunately working "out of the box".

                There are a few moving parts to this scenario I hope you, or someone here, will be able to get me going in the right direction.

                At this point I am unsure where the problem is and what I am doing. Taking stabs in the dark is getting me no where.

                Here is a rough overview of what I have:

                pfSense 2.7.2
                LAN 192.168.1.0/24
                VLAN 33 192.168.2.0/24

                Switch

                VLAN ID   VLAN Name   Member Ports   Tagged Ports   Untagged Ports
                1         Default     1-16           (none)         1-16
                33        IoT-vm      1-2,9          1-2            9

                Port 9 goes to a NIC on my VM host.
                Port 2 goes to a WRT1900ac running OpenWrt as "dumb ap"

                As of now I am able to connect a Tapo Matter smart switch to the AP SSID IoT. IoT is configured with a static IP of 192.168.2.2.

                When the Tapo Matter switches connects to the AP I see that it does so with a link-local IPv6 address. That seems correct.

                Unfortunately that is as far as I have been able to go.

                Not sure what additional configuration I need to do on the AP, the switch or pfSense.

                johnpoz (LAYER 8 Global Moderator), replying to Seeking Sense:

                  @Seeking-Sense I can tell you for sure this is borked.

                  (attached image: problem.jpg)

                  You are running multiple untagged vlans on the same port.. From that output port 9 has both the default vlan 1 untagged which is normal. But you also have your vlan 33 untagged on port 9.. So port 9 has both vlan 1 untagged and vlan 33 traffic on it untagged.. How is that traffic supposed to be distinguished from each other?

                  What is the pvid set on port 9 - the pvid determines which vlan untagged traffic entering the port is put on.. So it's either putting all untagged traffic entering the switch on port 9 on vlan 1 or vlan 33.. It can't do both.

                  If you want vlan 33 on port 9, remove vlan 1 from port 9.

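A check for the switch table johnpoz is picking apart, added here as an example and not code from the thread: it expands each VLAN's port lists, finds ports that are an untagged member of more than one VLAN, and verifies that a port's PVID matches the VLAN it carries untagged. The "as posted" table is constructed from the rows in the post above (VLAN 1 untagged on 1-16, VLAN 33 tagged on 1-2 and untagged on 9); the PVID map is an assumption, since the poster only reports PVID 33 on port 9.

```python
"""Audit a managed switch's VLAN membership table for untagged conflicts (added example)."""
from __future__ import annotations


def expand_ports(spec: str) -> set[int]:
    """Expand a port list such as '1-2,9' into {1, 2, 9}."""
    ports: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def untagged_map(vlans: list[dict]) -> dict[int, set[int]]:
    """Map each port to the set of VLANs it carries untagged."""
    by_port: dict[int, set[int]] = {}
    for v in vlans:
        for p in expand_ports(v["untagged"]):
            by_port.setdefault(p, set()).add(v["id"])
    return by_port


def audit(vlans: list[dict], pvid: dict[int, int]) -> list[str]:
    """Return one finding per misconfigured port.

    * A port may carry at most one untagged VLAN; otherwise ingress frames are
      ambiguous and egress mixes two broadcast domains on one cable.
    * If a port carries an untagged VLAN, its PVID must be that VLAN, or
      untagged frames entering the port land in a different VLAN than the
      frames leaving it.
    """
    findings = []
    for port, vids in sorted(untagged_map(vlans).items()):
        if len(vids) > 1:
            findings.append(
                f"port {port}: untagged member of VLANs {sorted(vids)}; "
                "keep only the VLAN this port's device belongs to")
        elif port in pvid and pvid[port] not in vids:
            (vid,) = vids
            findings.append(
                f"port {port}: untagged in VLAN {vid} but PVID is {pvid[port]}")
    return findings


# Constructed from the switch table in the thread: VLAN 1 'Default' has no
# tagged ports; VLAN 33 'IoT-vm' is tagged on ports 1-2 (port 2 is the AP
# uplink) and untagged on port 9 towards the VM host.
SWITCH_AS_POSTED = [
    {"id": 1,  "name": "Default", "tagged": "",    "untagged": "1-16"},
    {"id": 33, "name": "IoT-vm",  "tagged": "1-2", "untagged": "9"},
]
# PVID 33 on port 9 is what the poster reported; PVID 1 elsewhere is assumed.
PVIDS = {p: 1 for p in range(1, 17)} | {9: 33}

# The fix suggested above: drop port 9 from VLAN 1's untagged membership.
SWITCH_FIXED = [
    {"id": 1,  "name": "Default", "tagged": "",    "untagged": "1-8,10-16"},
    {"id": 33, "name": "IoT-vm",  "tagged": "1-2", "untagged": "9"},
]

if __name__ == "__main__":
    for label, table in (("as posted", SWITCH_AS_POSTED), ("fixed", SWITCH_FIXED)):
        print(f"{label}:")
        for line in audit(table, PVIDS) or ["no findings"]:
            print("  " + line)
```

Run against the posted table it reports port 9 as untagged in both VLAN 1 and VLAN 33; against the corrected table it reports nothing. The PVID check catches the other common variant of the same mistake, a port that is untagged in the right VLAN but whose PVID was left at 1.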
                    stephenw10 (Netgate Administrator):

                    Yup, that^.

                    Also where is the Matter server in this setup? How is it attached?

                    I assume you can reach that from a client on the LAN OK?

                    I've never played with any Matter devices, do they only use IPv6?

                      johnpoz (LAYER 8 Global Moderator), replying to stephenw10:

                      @stephenw10 said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                      I've never played with any Matter devices, do they only use IPv6?

                      Neither have I - but quick google seems like yes IPv6 is required.. Whatever your hub is for your matter stuff will use its own random ULA, and send out RAs for this.

                      Seems odd if you ask me - does it also route traffic between if the hub has more than one interface in different networks?

                      But again if all the devices are on the same L2 pfsense has zero to do with those conversations be it using IPv4, IPv6 gua, IPv6 ula or just some link-local IPv6 address space.

                      If he is having issues with whatever is connected to port 9 the multiple untagged is more than likely the problem - that is never going to be a good idea and would be nothing but problematic even if the pvid was set correctly for the vlan you want the device on.. Because the device would also be seeing all vlan 1 traffic that is multicast or broadcast, even when not sent to its mac. etc..

                        Seeking Sense, replying to johnpoz:

                        Hi @johnpoz

                        Port 9 of the switch is attached to a NIC on my VM Host and is where the VM for Home Assistant w/ Matter Server 192.168.2.101 resides.

                        Port 2 of the switch is attached to LAN1 of my dumb AP.

                        The dumb AP (OpenWrt) has been offering WiFi access for my LAN 192.168.1.0/24 and now would like to create a new SSID "IoT" for 192.168.2.0/24

                        Was hoping that I could run 192.168.1.0/24 and 192.168.2.0/24 over the same physical cable from Port 2 of the switch to the AP.

                        IoT VLAN is configured on pfSense and has been working for some time. However now that I am adding Matter devices I need to place all "smart" home devices on the same VLAN as Home Assistant.

                        Matter uses IPv6 link-local and from what I have read works on a flat network, not communicating across VLANS.

                        @johnpoz said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                        What is the pvid set on port 9

                        33

                        I assume that I have something configured wrong somewhere I just don't know what or where.

                          Seeking Sense, replying to stephenw10:

                          @stephenw10 said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                          Yup, that^.

                          Also where is the Matter server in this setup? How is it attached?

                          Home Assistant w/ Matter Server 192.168.2.101
                          VLAN 33
                          Port 9 of the switch connected to dedicated NIC port on VM Host.

                          I assume you can reach that from a client on the LAN OK?

                          Yes. I can access Home Assistant w/ Matter Server 192.168.2.101 from computer 192.168.1.100

                          I've never played with any Matter devices, do they only use IPv6?

                          Yes. link-local IPv6.

                          FWIW The AP is running OpenWrt.

                            dennypage, replying to stephenw10:

                            @stephenw10 said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                            I've never played with any Matter devices, do they only use IPv6?

                            The devices themselves, yes. The controllers, no. Like this:

                            User device <-- IPv4 / IPv6 --> Matter Controller <-- IPv6 LL --> Matter device
                            
                              stephenw10 (Netgate Administrator):

                              That should work then.

                              Do you have any VLAN configuration in the VM host? You could be passing VLAN 33 tagged into it for example. Though since you can reach the Matter server from LAN it must be at least mostly correct!

                              You should remove port 9 from VLAN1 as @johnpoz pointed out though.

                              You are using a flat network for the devices and server. None of that traffic is being routed whether or not it's in a VLAN. It's all on the same layer 2 segment. So I'd expect it to work.

                              I would try to run packet captures to see what traffic is actually making it to where. I'd probably start at the Matter server but I expect to see the traffic not making that far. Then at the VM host. Then on the AP.

                                Seeking Sense, replying to dennypage:

                                @dennypage said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                                The devices themselves, yes. The controllers, no. Like this:

                                User device <-- IPv4 / IPv6 --> Matter Controller <-- IPv6 LL --> Matter device

                                Correct.

                                Now can you help this NOOB out with getting things working?

                                I'm not sure where the configuration issue is; pfSense, OpenWrt, 16 port switch....

                                For what is worth I have been able to connect a Tapo Matter switch to the IoT SSID (192.168.2.6) of the AP.

                                Using the iOS Tapo app via Bluetooth I was able to communicate with the Tapo Switch and give it the IoT SSID and password. The Tapo switch connects to the AP but does not communicate with the network.

                                  stephenw10 (Netgate Administrator):

                                  So the switches connect to the AP but do not pull an IP address because they use IPv6 LL only?

                                  You can see in OpenWRT that they are connected?

                                  You have the IoT SSID correctly bridged with the VLAN33 interface in OpenWRT?
                                  Normally that would be obvious because devices connecting pull a lease in the correct subnet but these apparently don't do that.

                                  You could try connecting something else to that SSID and make sure it can ping the Matter server.

                                    dennypage, replying to Seeking Sense:

                                    @Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                                    For what is worth I have been able to connect a Tapo Matter switch to the IoT SSID (192.168.2.6) of the AP.

                                    Using the iOS Tapo app via Bluetooth I was able to communicate with the Tapo Switch and give it the IoT SSID and password. The Tapo switch connects to the AP but does not communicate with the network.

                                    Understand you have successfully connected the Matter device (switch) to the wifi network... but have you paired it with the Matter Controller?

                                      johnpoz (LAYER 8 Global Moderator), replying to Seeking Sense:

                                      @Seeking-Sense said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                                      I'm not sure where the configuration issue is; pfSense, OpenWrt, 16 port switch....

                                      Not sure how many times this has to be said - it has ZERO to do with pfsense.. Pfsense has zero to do with things on the same vlan/network talking to each other..

                                      Maybe your AP is filtering multicast? Maybe your ssid is set as a guest network - this prevents devices on that wifi network from talking to wired ports..

                                      Maybe its handing out some other IPv6 address to the wifi devices.. And that is causing problems? All I can tell you is pfsense has nothing to do with devices on the same network/vlan from talking to each other.

                                      Maybe your AP is not setup correctly for ssid on vlan 33.. If you connect your phone or laptop to this ssid from the AP can you ping your matter box on 192.168.2.101? This phone/laptop gets an IP in your 192.168.2 network?

                                        Seeking Sense, replying to johnpoz:

                                        @johnpoz OKAY so beat me over the head with the stupid stick. 😁

                                        Thanks again for the prodding.

                                        After some reconfiguration of the AP and enabling IPv6 UFW rules for my VM I was able to get traffic flowing between the Tapo switch and Home Assistant and Matter Server.

                                        IPv6 was not enabled in /etc/default/ufw

                                        Set IPV6=yes

                                        UFW was blocking the ports that the Matter server uses so I opened those ports for the range of addresses for my IoT devices.

                                        Any recommendations for blocking Internet access to and from my IoT devices?

                                        I have setup an IoT Aliases list with the devices IPv4 addresses.

                                          Seeking Sense, replying to dennypage:

                                          @dennypage After some head banging and prodding from people wiser than me I have been able to connect to and communicate with the Tapo switch via the Tapo app.

                                          I have been able to connect the Tapo switch to the Matter server integration of Home Assistant. Furthermore Home Assistant is able to control the Tapo switch.

                                          However I am currently trying to figure out how to control the Tapo switch locally without requiring the cloud account.

                                          When adding the Tapo switch to Home Assistant I was asked for my TP-Link Cloud account and password. I do not know if that is a one time only requirement or if Home Assistant periodically presents TP-Link Cloud with my credentials to keep the Tapo switch functioning. Findings are mixed on whether they can function without the TP-Link cloud account.

                                          Do you have any experience with the Tapo switches?

                                            Seeking Sense, replying to stephenw10:

                                            @stephenw10 Thanks for the input.

                                            @stephenw10 said in How do I enable IPv6 traffic on VLAN for IoT Matter traffic?:

                                            You have the IoT SSID correctly bridged with the VLAN33 interface in OpenWRT?

                                            I did not have the bridge correctly configured.

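The bridge configuration the poster says was wrong, shown as an added example and not as the poster's own config. It assumes a DSA-style OpenWrt release (21.02 or later) on the WRT1900ac, that the switch port 2 cable lands on the AP port named lan1, and a radio named radio0; adjust those names to what `ubus call network.device status` and `/etc/config/wireless` show on the real device. Switch port 2 carries VLAN 1 untagged and VLAN 33 tagged, so the AP must do the same on lan1 and hang the IoT SSID off the VLAN 33 interface rather than off the default lan bridge.

```uci
# /etc/config/network (relevant sections only; the dumb AP has no address on VLAN 33)

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'          # uplink to switch port 2 (assumed port name)
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1 untagged with PVID ("u*") on every bridge port, matching the switch.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 33 tagged only on the uplink; without this section there is no
# br-lan.33 device and the IoT SSID has nothing to bridge into.
config bridge-vlan
	option device 'br-lan'
	option vlan '33'
	list ports 'lan1:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'      # management address of the AP (assumed)
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'iot'
	option device 'br-lan.33'
	option proto 'none'              # bridge only, no IP on the AP itself


# /etc/config/wireless (the IoT SSID)

config wifi-iface 'iot_ap'
	option device 'radio0'
	option mode 'ap'
	option ssid 'IoT'
	option network 'iot'             # wrong form of the same stanza: option network 'lan'
	option encryption 'psk2'
	option key 'CHANGE-ME'
```

With `option network 'lan'` the SSID is bridged into VLAN 1 and a client on it gets a 192.168.1.x lease even though it was meant for the IoT network, which is the symptom stephenw10 suggested testing for with a phone or laptop. Leave `option isolate` unset on this SSID if Matter devices on Wi-Fi need to reach each other; client isolation only separates wireless clients from one another, not from wired hosts such as the Home Assistant VM.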
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.