Home Assistant, Matter, Aqara Hub, and HomeKit Woes on different VLANs

Started by kintaroju, October 27, 2023, 07:27:44 PM

Hi,

I've been trying to get Matter to work on Home Assistant for my Aqara Hub.

The setup I have for my OPNsense is below:

Aqara Hub E1 - VLAN for IoT
Home Assistant - VLAN Main (for all other non IoT devices)

Below are my devices and setup in their relative VLAN

Apple TV - (VLAN Main)
iPhone - (VLAN Main)
Home Assistant Server - (VLAN Main)
Aqara Hub E1 - (VLAN IoT)

The rules/configuration I have for my OPNsense are below:

- mDNS repeater - On
- mDNS FW Rules to allow UDP 5353 traffic as a floating rule - On

So at the moment I am kind of running out of ideas on how to troubleshoot this. Any guidance on this would be greatly appreciated.



I'd love to know how to make this work; I've tried to make this work so many times and have never succeeded.

https://docs.opnsense.org/manual/how-tos/multicast-dns.html  The documentation makes it sound as simple as adding the plugin and enabling the two networks, but that's never worked for me. I've seen all kinds of posts about different rules etc. to add, but none of those ever worked either.

I have no experience with the Aqara Hub.

... but, something I had to do for a Xiaomi Air Filter was to add a NAT rule so that Home Assistant (in another VLAN/subnet) appeared to be on the same local network as the Xiaomi (as it will only talk to/respond to devices in its local subnet). Was a bit of a head-scratcher for a while.

Basically an egress NAT rule, so that Home Assistant appears to be the IoT firewall IP (on the IoT VLAN), when it tries to reach the Xiaomi (which has its own IP, on the IoT VLAN/subnet).  In my case, anyway.

It should be possible to work out if it's an mDNS problem, however:

- Connect a computer to the same VLAN as the device that needs to 'see' the announcement
- Run an mDNS debug tool on that VLAN
- See what it sees.

mDNS is just the announcement of where to find the announcing device, on what port, sometimes things like supported encryption, etc. However, I'm not clear from your post if you've allowed the actual communication ports between the device(s)?

On macOS, I've used the below (Discovery) a number of times for helping to troubleshoot (or, just to rule out mDNS as being at fault) similar problems:

https://apps.apple.com/gb/app/discovery-dns-sd-browser/id1381004916?mt=12
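As an added illustration of what such an mDNS debug tool sees on the VLAN (this is example code written for this thread, not iMx's tool, the Discovery app, or anything from OPNsense or Home Assistant), the script below decodes raw mDNS/DNS-SD packets and lists the service types being announced, e.g. `_matter._tcp.local` for Matter and `_hap._tcp.local` for HomeKit. Run with an interface IP it joins the 224.0.0.251 group on that interface and prints live announcements; run without arguments it decodes a constructed sample response (the names `hub.local`, `192.168.20.10`, the Matter instance name and the TXT values are made-up assumptions, not captured data). The key point it demonstrates is that these packets are link-local multicast, so a listener on the other VLAN hears nothing unless a repeater re-emits them there.

```python
"""Decode mDNS / DNS-SD announcements the way an mDNS debug tool on the VLAN would.

Added example for this thread, not code from the original posts or from OPNsense.
The sample packet is constructed here (not captured); names and addresses in it
(hub.local, 192.168.20.10, the Matter instance name, TXT values) are assumptions.
"""
import socket
import struct
import sys

MDNS_GROUP = "224.0.0.251"   # link-local multicast: routers do not forward it between VLANs
MDNS_PORT = 5353
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
TYPE_NAMES = {1: "A", 12: "PTR", 16: "TXT", 28: "AAAA", 33: "SRV"}
META_QUERY = "_services._dns-sd._udp.local"   # answers to this PTR carry the service type as target


def read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("utf-8", "replace"))
        offset += length


def parse_txt(rdata):
    """TXT rdata is a sequence of length-prefixed key=value strings."""
    out, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        out.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
        i += 1 + n
    return out


def decode_mdns(packet):
    """Parse one mDNS message into {'response': bool, 'records': [dict, ...]}."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", packet, 0)
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = read_name(packet, offset)
        offset += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rec = {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
               "ttl": ttl, "cache_flush": bool(rclass & 0x8000)}
        if rtype == TYPE_PTR:
            rec["target"], _ = read_name(packet, offset)
        elif rtype == TYPE_SRV:                         # priority, weight, port, then target
            _prio, _weight, rec["port"] = struct.unpack_from("!HHH", packet, offset)
            rec["target"], _ = read_name(packet, offset + 6)
        elif rtype == TYPE_TXT:
            rec["txt"] = parse_txt(packet[offset:offset + rdlen])
        elif rtype == TYPE_A:
            rec["address"] = socket.inet_ntoa(packet[offset:offset + 4])
        offset += rdlen
        records.append(rec)
    return {"response": bool(flags & 0x8000), "records": records}


def advertised_services(records):
    """Service types seen in PTR records, e.g. _matter._tcp.local or _hap._tcp.local (HomeKit)."""
    return {r["target"] if r["name"] == META_QUERY else r["name"]
            for r in records if r["type"] == "PTR"}


def _name(n):   # uncompressed wire encoding of a dotted name
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"


def _rr(name, rtype, rclass, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_sample_response():
    """Constructed mDNS response: a Matter hub's operational service plus a HomeKit accessory."""
    inst = "ABCDEF0123456789-0000000000000001._matter._tcp.local"   # assumed instance name
    body = (
        _rr("_matter._tcp.local", TYPE_PTR, 1, 4500, _name(inst))
        + _rr(inst, TYPE_SRV, 0x8001, 120, struct.pack("!HHH", 0, 0, 5540) + _name("hub.local"))
        + _rr(inst, TYPE_TXT, 0x8001, 4500, b"\x08SII=5000\x07SAI=300")
        + _rr("hub.local", TYPE_A, 0x8001, 120, socket.inet_aton("192.168.20.10"))
        + _rr("_hap._tcp.local", TYPE_PTR, 1, 4500, _name("Aqara Hub._hap._tcp.local"))
    )
    return struct.pack("!6H", 0, 0x8400, 0, 5, 0, 0) + body   # flags: response + authoritative


def listen(interface_ip):
    """Join the mDNS group on the given interface and print every announcement heard there."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton(interface_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, (src, _) = sock.recvfrom(9000)
        for r in decode_mdns(data)["records"]:
            print(src, r)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        listen(sys.argv[1])        # e.g. python mdns_peek.py 192.168.20.5 (the listener's own IoT-VLAN IP)
    else:
        for r in decode_mdns(build_sample_response())["records"]:
            print(r)
```

If a laptop on the IoT VLAN sees the hub's `_matter._tcp` / `_hap._tcp` PTR records here but a laptop on the main VLAN does not, the announcement is not crossing the boundary and the repeater (or the UDP 5353 rule) is the thing to look at; if both VLANs see it and Home Assistant still cannot connect, the problem is the unicast traffic to the port in the SRV record, exactly the point iMx raises about allowing the actual communication ports.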

I wonder why you try it that way. Even if you allow Multicast DNS, some manufacturers have even stranger ways of finding their kin, which may not work with routed networks.

I have decided to have an IoT VLAN primarily because I do not trust any device that I do not have control over. I am thinking especially of devices "phoning home", like Tuya or other cloud-based devices.

A friend of mine now has an OPNsense on which I found a strange outgoing connection to the Alibaba cloud. Turned out to be a German company's webcam that was "developed and operated in Europe". Yeah, sure.
If at all possible, I also convert such devices to open-source software like Tasmota, BTW.

However, all of these - including most devices that do multimedia, like Smart TVs and even Plex Media Server plus Android and Apple devices and of course the Home Assistant Server - are confined to my IoT VLAN. Should they need access to shares, they will get it as a read-only share specific to the device in need.

Using this approach, you will have no problems with device auto-detection or any of that, simply because all these devices live in the IoT network.

With infrastructure devices, this can become tricky, especially because they can see a lot of traffic. If I could not trust my access points, I would confine them to the IoT network as well, but if you have any trusted clients on your LAN that need WiFi, this would obviously be a problem.

I do not use Aqara, but with Unifi, you can completely stop the Unifi controller and the devices from phoning home: https://forums.lawrencesystems.com/t/you-spoke-we-didnt-listen-ubiquiti-says-unifi-routers-will-beam-performance-data-back-to-mothership-automatically/3539/5
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: iMx on October 28, 2023, 10:29:20 AM
I have no experience with the Aqara Hub.

... but, something I had to do for a Xiaomi Air Filter was to add a NAT rule so that Home Assistant (in another VLAN/subnet) appeared to be on the same local network as the Xiaomi (as it will only talk to/respond to devices in its local subnet). Was a bit of a head-scratcher for a while.

Basically an egress NAT rule, so that Home Assistant appears to be the IoT firewall IP (on the IoT VLAN), when it tries to reach the Xiaomi (which has its own IP, on the IoT VLAN/subnet).  In my case, anyway.

It should be possible to work out if it's an mDNS problem, however:

- Connect a computer to the same VLAN as the device that needs to 'see' the announcement
- Run an mDNS debug tool on that VLAN
- See what it sees.

mDNS is just the announcement of where to find the announcing device, on what port, sometimes things like supported encryption, etc. However, I'm not clear from your post if you've allowed the actual communication ports between the device(s)?

On macOS, I've used the below (Discovery) a number of times for helping to troubleshoot (or, just to rule out mDNS as being at fault) similar problems:

https://apps.apple.com/gb/app/discovery-dns-sd-browser/id1381004916?mt=12

I've tried to put a floating rule to allow ALL traffic between the IoT and main networks to flow, but that still didn't work, so at the moment I'm kind of scratching my head.

For the NAT rule, any samples or suggestions on how I'd do that?