Hello
I want to reconfigure my network at home. So far, I used a standard router from my provider.
Now I want to switch to a more complex setup with Proxmox and OPNsense 25.7.3 as router.
I want to isolate specific parts, e.g. home automation. For this I use VLANs.
Some clients are members in several VLANs. It's easier for me to set up when it's about discovery and permissions.
The basic setup is working. I was able to configure everything, the nets are up and running.
I have some issues with dnsmasq hosts configuration.
Some clients use the same MAC in all VLANs. Technically that is no problem because they are isolated.
The clients get an IP in every VLAN.
In hosts configuration, there is only the MAC as identifier. There is no VLAN option meaning I can only define an individual configuration for one VLAN of the client.
How can I configure every interface of the client when the same MAC is used in different VLANs?
Thank you very much.
When you put some clients into multiple vlans you kinda defeat the purpose of vlans.
You want to isolate hosts from each other in dedicated layer 2 networks.
For intra-vlan communication you would want the firewall to handle routing so you can restrict allowed traffic via firewall rules.
This is more of a network design issue at its core.
I can do that.
But when I have one host that should provide services in both VLANs, it's just extra complicated.
I have to define a lot of firewall rules.
It is slower.
Functions based on broadcasts are not working anymore.
In my case, just giving Home Assistant 2 interfaces is much easier and I don't see any disadvantage here.
/Edit: It looks like it is possible to use the same MAC for several host entries. There is no way to define a VLAN in the hosts tab. Somehow, it is assigned the right way but I'm not sure if this is just luck or if dnsmasq gets the missing VLAN information with the DHCP range which is defined individually for every VLAN.
Quote from: Katagia on September 28, 2025, 11:52:25 AM
"In my case, just give home assistant 2 interfaces is much easier."
And much less safe. Think about what @Monviech said:
By letting HomeAssistant have two unrestricted interfaces, it could be hijacked from the less secure network zone and then reach into the other zone. This defeats your whole construct. You cannot say: I am gonna do VLAN segmentation and then punch a hole in it. Security comes at a cost. If you are not willing to bear that, leave it be. Just sayin'.
By virtue of its "integrations" (many of which need cloud access), HomeAssistant is insecure by design and should have restricted access into otherwise trustworthy network zones, anyway. It should be in the less secure zone where broadcasts are needed and for the other zones, firewalled access. If need be, you can always use an mDNS or UDP broadcast relay for discovery protocols, if necessary.
P.S.: Uh-oh. From what you just wrote about VLANs, I think you are not getting this quite correct:
1. Two interfaces = two MACs, not one.
2. VLANs are physically separate networks with different netmasks, not multiple subnets on the same interface.