How do IPv6 Router Advertisements get across VLANs?

Started by barney, April 20, 2026, 03:01:31 AM

April 22, 2026, 04:59:52 AM #15 Last Edit: April 22, 2026, 10:33:38 AM by barney
Quote
If the Dirigera has no internet access, how can devices behind it have internet?

Neither the Dirigera nor any of the devices behind have internet access (see note below) - all of my monitoring / automation is local using openHAB. If I want to access stuff remotely I can VPN in to my openHAB server and control it via that.

Note: I did need to allow the Dirigera internet access when first commissioning it as it wanted to check / download the latest firmware before letting me do anything. I'll also open that up again if later firmware is released. If specific device firmware updates are released I may need to allow the devices internet access at that time.

I have no real problem with connecting stuff to the cloud if they need it, but as a general approach I just don't let anything out unless I want it to - not because the manufacturer wants it! If I do ever get a device that really does require cloud access then I'll create a rule to let that out.

Quote
I shouldn't have assumed how your environment is.

No problem - I appreciate you taking the time to help.

Quote from: barney on April 22, 2026, 03:39:44 AM
I think I must be using the latter... all of the matter devices in the thread network have a ULA IPv6 address that is routeable across the network (Dirigera supports Matter 1.4 if that makes a difference) - this is the address that is published in the mDNS message.

Very interesting. Looks like I have some reading to do, especially why there are multiple ULAs per device. Anyway, ULAs are not globally routable, just like link-local addresses. So my basic point is still true. These devices cannot reach the internet without some sort of proxy and none of your local networks without routing support.

Do you happen to have multiple thread networks in your home?

I just performed a little experiment setting up a new Matter over Thread border router and added 2 devices to it. The router was connected to a WiFi network, too. The border router created a unique local prefix for the Thread network and another one for WiFi. It did route between the two. It also got a GUA and an IPv4 address on the WiFi interface.

So, my statement that Thread uses link-local addresses is wrong. It uses ULAs.

I may have another look into this later.

Quote from: mooh on April 22, 2026, 01:39:45 PM
ULAs are not globally routable, just like link-local addresses. So my basic point is still true. These devices cannot reach the internet without some sort of proxy and none of your local networks without routing support.
Yep, exactly - that was the point of my initial post. The RA the Dirigera publishes makes these devices routable within the VLAN but I needed to reach them from a server on a separate VLAN. My initial thought was to reuse the same RA, but adding a manual gateway / route seems a much better option.

Quote from: mooh on April 22, 2026, 01:39:45 PM
Do you happen to have multiple thread networks in your home?
Nope, not yet. I've only just started with Thread so only have a few devices. If I expand on those I'm most likely going to put a Thread-enabled GPO or two in each room, which should establish a pretty solid mesh but it's still just extending the same network not creating a new one.

Cheers,



Quote from: barney on April 23, 2026, 01:32:21 AM
The RA the Dirigera publishes makes these devices routable within the VLAN but I needed to reach them from a server on a separate VLAN.
This is where I don't understand what you're looking for. Devices not on one of the IPv6 networks that the border router announces can still use Matter as long as they can communicate with the border router via other means.

At my home, I have an IPv4 only network for IoT stuff which is blocked from all other local networks. That's where my border routers live. Everyone in my home has their own dedicated network. mDNS is used to announce the border router to other networks. My Mac uses IPv4 over Ethernet to communicate with the border router. Actually, I can use all my Matter over Thread devices from anywhere in the world as long as I can connect to the border router.

If you want to use IPv6 in networks where you don't see the RA messages, you may try NDP proxy. There's a section in the OPNsense manual on its usage but it only shows how to use IPv6 on a local network if you don't have prefix delegation.

Quote from: mooh on April 23, 2026, 01:41:32 PM
This is where I don't understand what you're looking for.
I'm not looking for anything any more - my stuff is all working. I'm continuing the discussion trying to answer questions and maybe explain my setup in case it helps anyone else in the future, and happy to keep doing that if it is useful.

As I understand the situation I have 3 separate networks involved:

  • VLAN 20 - fdb4:66c9:5838:20::/64 - containing the OpenHab server.
  • VLAN 40 - fdb4:66c9:5838:40::/64 - containing the Dirigera TBR and other direct ethernet / WiFi IoT Devices.
  • Thread - fd2c:d79a:65f9:1::/64 - Thread Mesh-Local network containing the Matter devices.
 
These are all separate networks and require L3 routing for traffic to move between them.

The communications I need to happen are:

  • Discovery (3 -> 1): devices on the Thread network need to be discoverable from the OpenHab server.
  • Control (1 -> 3): The OpenHab server needs to send messages to the devices on the Thread network.

For the Discovery stage:

  • The Thread device registers itself with the Dirigera TBR.
  • The Dirigera broadcasts an mDNS message, which includes the Mesh-Local IPv6 address of the device.
  • The mdns-bridge running on OPNsense reflects that message from VLAN 40 to VLAN 20.
  • The OpenHab server gets the mDNS message and registers a device with its Mesh-Local IPv6 address.

For the Control stage:

  • The OpenHab server sends a message to the device's Mesh-Local IPv6 address.
  • The OPNsense gateway / static route sends this to the Dirigera TBR.
  • The Dirigera TBR routes this to the end device.

So the two highlighted steps (Discovery 3, Control 2) are the ones I needed to add.

If my OpenHab server itself was in VLAN 40 then I would not need anything extra - the Router Advertisement the Dirigera publishes would suffice (Note: this is an assumption - I've not tried putting OpenHab on the IoT VLAN so don't know for sure).

When I initially asked this question my thinking was that I needed to get the RA published on VLAN 40 across to VLAN 20 somehow and that would complete the route for the control messages. However, creating the gateway / static route was the actual solution, and it is all working exactly how I want it now.

Final note is that the IKEA Dirigera operates both as a Matter Bridge and as a Thread Border Router. I am only using it as a TBR. If you are using it as a Matter Bridge then the OpenHab server only ever needs to talk to the Dirigera - never directly to the devices on the Thread network.
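The routing decision described in the post above (three ULA /64s, with the Thread Mesh-Local prefix only reachable once a static route via the TBR exists on the OPNsense gateway) can be modelled in a few lines. The following is an added example written for this thread, not code from any poster or from OPNsense. It uses the three prefixes quoted in the post; the TBR's address on VLAN 40 (`TBR_ADDR`) is a constructed placeholder, and the route model is a plain longest-prefix match with no default route, matching the "nothing goes out unless I allow it" setup.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three networks named in the post.
VLAN20 = ipaddress.IPv6Network("fdb4:66c9:5838:20::/64")    # openHAB server
VLAN40 = ipaddress.IPv6Network("fdb4:66c9:5838:40::/64")    # Dirigera TBR + IoT
THREAD_ML = ipaddress.IPv6Network("fd2c:d79a:65f9:1::/64")  # Thread Mesh-Local
ULA = ipaddress.IPv6Network("fc00::/7")                      # RFC 4193 unique local range

# ASSUMPTION (constructed, not from the post): the TBR's address on VLAN 40.
TBR_ADDR = ipaddress.IPv6Address("fdb4:66c9:5838:40::d1")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    iface: str
    next_hop: Optional[ipaddress.IPv6Address]  # None = directly connected


# What the gateway knows before the fix: only its directly connected VLANs.
CONNECTED_ROUTES: List[Route] = [
    Route(VLAN20, "vlan20", None),
    Route(VLAN40, "vlan40", None),
]
# The fix from the post: a static route for the Mesh-Local prefix via the TBR.
THREAD_STATIC_ROUTE = Route(THREAD_ML, "vlan40", TBR_ADDR)
ROUTES_AFTER_FIX: List[Route] = CONNECTED_ROUTES + [THREAD_STATIC_ROUTE]


def scope(addr: str) -> str:
    """Classify an IPv6 address: link-local is never forwarded, ULA is
    routable only inside the site, anything else is treated as 'other'."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "ula"
    return "other"


def lookup(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match; returns None when the packet would be dropped
    (no matching route and no default route)."""
    a = ipaddress.IPv6Address(dst)
    if a.is_link_local:
        return None  # routers never forward link-local traffic
    best: Optional[Route] = None
    for r in routes:
        if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def path_from_openhab(dst: str, routes: List[Route]) -> List[str]:
    """Hops a packet from the openHAB server on VLAN 20 takes to reach dst,
    or an empty list when it cannot be delivered."""
    a = ipaddress.IPv6Address(dst)
    if a in VLAN20:
        return ["openhab@vlan20", "dst"]  # same link, no router involved
    r = lookup(dst, routes)
    if r is None:
        return []
    hops = ["openhab@vlan20", "opnsense"]
    if r.next_hop is not None:
        hops.append(f"tbr@{r.iface}")  # the static route hands off to the TBR
    hops.append("dst")
    return hops


if __name__ == "__main__":
    device = "fd2c:d79a:65f9:1::abcd"  # constructed Mesh-Local address of a Thread device
    print("scope:", scope(device))
    print("before fix:", path_from_openhab(device, CONNECTED_ROUTES))
    print("after fix: ", path_from_openhab(device, ROUTES_AFTER_FIX))
```

Running it shows the point of the thread: before the static route, traffic for the Mesh-Local prefix is dropped at the gateway regardless of what RA the Dirigera sends on VLAN 40; after it, the gateway forwards to the TBR, which delivers into the Thread mesh. Addresses outside the three ULA prefixes also get no route, which is the intended "no internet" behaviour.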