Discover IoT device from HASS on Main LAN to Guest Network

mr_planet

Hello all,
I have some problems with Home Assistant integrations and devices and am seeking help.
Specifically, I’m trying to get a TP-Link Tapo smart plug discovered by Home Assistant using the “TP-Link Smart Home” integration (which goes via the local network), but discovery doesn’t find it.

Some details about my setup:
  • Home Assistant is on the main LAN, wired, with mode: All (default).
  • Tapo smart plug is on the Guest Network, without access to the intranet.
  • I have an Asus RT-AX86U Pro with latest Merlin firmware. YazFi is not supported.
  • I haven’t added any custom firewall rules yet, just the default guest/IoT isolation.
Because IoT is on the guest network and HA is on the main LAN, discovery and direct access are blocked between the two.

What’s the recommended way to make discovery and control work in this scenario, while still keeping the IoT/guest network isolated from the main LAN as much as possible? Do I need specific routing or firewall rules (e.g., one‑way from HA → IoT), and if so, what would that look like on Asus Merlin?
Unfortunately I can't install YazFi via AMTM because it doesn't support the latest firmware, and I am reluctant to make routing changes directly from ssh; I would prefer something directly in the UI or something that assists me in making these changes.

I was able to overcome this problem with the cloud integrations, but TP-Link doesn't provide it and, honestly, it would be really nice to move away from the cloud-based integrations to actual direct access.

Thanks in advance!
 
Just to clarify, are you running the old version of Guest Network, or are you running Guest Network Pro under the 3.0.0.6.x branch of firmware?
 
Please use the forum search feature if you haven't done so already. There are numerous past discussions on the problems with Home Assistant on the main LAN not being able to access devices on Guest Networks/Guest Network Pro profiles (Asus-Merlin 3006.102.x firmware) and various methods including custom firewall-start / IPTables scripting (some successful some not) that people have used to try and solve the issue. For example:
 
Is the HA running on an RPI?
 
Just to clarify, are you running the old version of Guest Network, or are you running Guest Network Pro under the 3.0.0.6.x branch of firmware?
I am running Guest Network Pro under 3006.102.6, never used the older version.

Is the HA running on an RPI?
No, it is running in a Proxmox container on Intel hardware. I found HASS on RPI unstable.

Please use the forum search feature if you haven't done so already. There are numerous past discussions on the problems with Home Assistant on the main LAN not being able to access devices on Guest Networks/Guest Network Pro profiles (Asus-Merlin 3006.102.x firmware) and various methods including custom firewall-start / IPTables scripting (some successful some not) that people have used to try and solve the issue. For example:
Thank you for pointing out these threads. I used the search function but didn't find anything fitting my case, however I will take a look at the ones you mentioned.
 
No, it is running in a Proxmox container on Intel hardware.
Does the Intel hardware (device running the HA) have more than one network adapter (Ethernet and or WiFi)?

One possible way to deal with the issue is to use two network adapters on the HA device; that way one network adapter can be connected to the main LAN, the second to the Guest Network Pro profile (VLAN). The Proxmox container (running HA) would need to support being able to, or be configured to, access both network adapters.
 
Does the Intel hardware (device running the HA) have more than one network adapter (Ethernet and or WiFi)?

One possible way to deal with the issue is to use two network adapters on the HA device; that way one network adapter can be connected to the main LAN, the second to the Guest Network Pro profile (VLAN). The Proxmox container (running HA) would need to support being able to, or be configured to, access both network adapters.
Or add a virtual network adapter to the Proxmox that connects to the guest network VLAN. I have done this with a Raspberry Pi. It is simple to do and works very well. It does not have to have a static IP address as long as you set the HA to scan the wired LAN and VLAN.
 
Another simple option is what several people around here (including myself) have done, which is to add a rule in the router firewall-start file giving one-way access from the main network to the IoT VLAN. You can do this on a per client/subnet basis depending on how you want to restrict it. Here's what I use to give everything on the main network one-way access to everything on the IoT VLAN (line added to /jffs/scripts/firewall-start):

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -d 192.168.53.0/24 -j ACCEPT # Added for access to IoT network from main network
 
Another simple option is what several people around here (including myself) have done, which is to add a rule in the router firewall-start file
Plus one on this approach. My settings are laid out in a couple of the threads referenced by @bennor.
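
The one-way firewall-start rule posted above, narrowed to a single Home Assistant host and made safe to re-run. This is an added example, not code from any poster in the thread; the Home Assistant address 192.168.1.10 and the helper-script name are assumptions, while br0 and the IoT subnet come from the rule quoted in the thread.

```shell
#!/bin/sh
# Added example. Hypothetical helper, e.g. /jffs/scripts/iot-oneway.sh,
# called from firewall-start as: /jffs/scripts/iot-oneway.sh apply
HA_IP="192.168.1.10"       # assumed: Home Assistant's fixed LAN address
IOT_NET="192.168.53.0/24"  # IoT VLAN subnet, from the rule in the thread
LAN_IF="br0"               # main LAN bridge, from the rule in the thread

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only for address/prefix with a prefix length of 1..32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    prefix=${1#*/}
    case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ]
}

# Print the rule arguments: one LAN host -> IoT subnet, not the whole LAN.
rule_spec() {
    valid_ipv4 "$1" && valid_cidr "$2" || return 1
    echo "FORWARD -i $LAN_IF -s $1/32 -d $2 -j ACCEPT"
}

# Insert the rule only when it is missing (-C checks, -I inserts), so
# running the script twice never stacks duplicate rules. Replies from the
# IoT side are assumed to return via the firmware's established/related rule.
ensure_rule() {
    spec=$(rule_spec "$1" "$2") || { echo "invalid address" >&2; return 1; }
    # Word-splitting of $spec is intended: it holds validated tokens only.
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

if [ "${1:-}" = "apply" ]; then
    ensure_rule "$HA_IP" "$IOT_NET"
fi
```

The rule only forwards routed unicast traffic; broadcast-based discovery stays within its own subnet, so the plug would be added in Home Assistant by its IP address.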
 
