Discover IoT device from HASS on Main LAN to Guest Network

mr_planet

New Around Here
Hello all,
I have some problems with Home Assistant integrations and devices, and I am seeking help.
Specifically, I’m trying to get a TP-Link Tapo smart plug discovered by Home Assistant using the “TP-Link Smart Home” integration (goes via local network), but discovery doesn’t find it.

Some details about my setup:
  • Home Assistant is on the main LAN, wired, with mode: All (default).
  • Tapo smart plug is on the Guest Network, without access to the intranet.
  • I have an Asus RT-AX86U Pro with latest Merlin firmware. YazFi is not supported.
  • I haven’t added any custom firewall rules yet, just the default guest/IoT isolation.
Because IoT is on the guest network and HA is on the main LAN, the discovery and direct access is blocked between the two.

What’s the recommended way to make discovery and control work in this scenario, while still keeping the IoT/guest network isolated from the main LAN as much as possible? Do I need specific routing or firewall rules (e.g., one‑way from HA → IoT), and if so, what would that look like on Asus Merlin?
Unfortunately I can't install YazFi via AMTM because it doesn't support the latest firmware, and I am reluctant to make routing changes directly from SSH; I would prefer something directly in the UI or that assists me in making these changes.

I was able to overcome this problem with the cloud integrations, but TP-Link doesn't provide it and, honestly, it would be really nice to move away from the cloud-based integrations to actual direct access.

Thanks in advance!
 
Just to clarify, are you running the old version of Guest Network, or are you running Guest Network Pro under the 3.0.0.6.x branch of firmware?
 
Please use the forum search feature if you haven't done so already. There are numerous past discussions on the problems with Home Assistant on the main LAN not being able to access devices on Guest Networks/Guest Network Pro profiles (Asus-Merlin 3006.102.x firmware) and various methods, including custom firewall-start / iptables scripting (some successful, some not), that people have used to try and solve the issue. For example:
 
Is the HA running on an RPI?
 
Just to clarify, are you running the old version of Guest Network, or are you running Guest Network Pro under the 3.0.0.6.x branch of firmware?
I am running Guest Network Pro under 3006.102.6, never used the older version.

Is the HA running on an RPI?
No, it is running in a Proxmox container on Intel hardware. I found HASS on an RPi unstable.

Please use the forum search feature if you haven't done so already. There are numerous past discussions on the problems with Home Assistant on the main LAN not being able to access devices on Guest Networks/Guest Network Pro profiles (Asus-Merlin 3006.102.x firmware) and various methods, including custom firewall-start / iptables scripting (some successful, some not), that people have used to try and solve the issue. For example:
Thank you for pointing out these threads. I used the search function but didn't find anything fitting my case, however I will take a look at the ones you mentioned.
 
No, it is running in a Proxmox container on Intel hardware.
Does the Intel hardware (device running the HA) have more than one network adapter (Ethernet and/or WiFi)?

One possible way to deal with the issue is to use two network adapters on the HA device; that way one network adapter can be connected to the main LAN and the second to the Guest Network Pro profile (VLAN). The Proxmox container (running HA) would need to support being able to, or be configured to, access both network adapters.
 
Does the Intel hardware (device running the HA) have more than one network adapter (Ethernet and/or WiFi)?

One possible way to deal with the issue is to use two network adapters on the HA device; that way one network adapter can be connected to the main LAN and the second to the Guest Network Pro profile (VLAN). The Proxmox container (running HA) would need to support being able to, or be configured to, access both network adapters.
Or add a virtual network adapter to the Proxmox host that connects to the guest network VLAN. I have done this with a Raspberry Pi. It is simple to do and works very well. It does not have to have a static IP address as long as you set the HA to scan the wired LAN and VLAN.
 
Another simple option is what several people around here (including myself) have done which is add a rule in the router firewall-start file giving one-way access from the main network to the IoT VLAN and you can do this on a per client/subnet basis depending on how you want to restrict it. Here's what I use to give everything on the main network one-way access to everything on the IoT VLAN (line added to /jffs/scripts/firewall-start):

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -d 192.168.53.0/24 -j ACCEPT # Added for access to IoT network from main network
 
Another simple option is what several people around here (including myself) have done which is add a rule in the router firewall-start file
Plus one on this approach. My settings are laid out in a couple of the threads referenced by @bennor.
 
Thanks all for the useful replies!
Does the Intel hardware (device running the HA) have more than one network adapter (Ethernet and/or WiFi)?

One possible way to deal with the issue is to use two network adapters on the HA device; that way one network adapter can be connected to the main LAN and the second to the Guest Network Pro profile (VLAN). The Proxmox container (running HA) would need to support being able to, or be configured to, access both network adapters.
Yes, the hardware has two network adapters: I guess what I could do is connect another cable to the router, then assign it to the same VLAN as the guest network.

Or add a virtual network adapter to the Proxmox host that connects to the guest network VLAN. I have done this with a Raspberry Pi. It is simple to do and works very well. It does not have to have a static IP address as long as you set the HA to scan the wired LAN and VLAN.
The problem is that the Intel hardware running Proxmox, hosting the HA container, is physically connected to the main network. So, I think we fall back to the above approach. What am I missing?

Another simple option is what several people around here (including myself) have done which is add a rule in the router firewall-start file giving one-way access from the main network to the IoT VLAN and you can do this on a per client/subnet basis depending on how you want to restrict it. Here's what I use to give everything on the main network one-way access to everything on the IoT VLAN (line added to /jffs/scripts/firewall-start):

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -d 192.168.53.0/24 -j ACCEPT # Added for access to IoT network from main network
Interesting, this seems hacky but not too much. Do you see any security concern with this? Do you have your IoT devices working well?
I would personally restrict the forward rule only to the HA IP.

However, some of the devices probably use mDNS. This solution will probably solve the issue for direct connection but not for discovery. Is it something that you have handled too?
 
However, some of the devices probably use mDNS. This solution will probably solve the issue for direct connection but not for discovery.
Perhaps try enabling the Avahi reflector (there’s actually a couple of ways to do it*) using the approach in the link posted by @bennor above to facilitate mDNS and see if it helps?

*The easy way is included here in a specific post from the above thread. Read on in that thread first the (separate to mDNS) iptables configurations referred to above. The first link posted by @bennor above contains quite a few posts concerning both mDNS and interVLAN communication using iptables.

Have a play around with each, do one thing at a time, record what you have done and what the outcome is, then let us know what works or doesn’t work for you. You can’t really break anything here if you follow the examples and you can revert what you don’t need.
 
Interesting, this seems hacky but not too much. Do you see any security concern with this? Do you have your IoT devices working well?
I would personally restrict the forward rule only to the HA IP.

However, some of the devices probably use mDNS. This solution will probably solve the issue for direct connection but not for discovery. Is it something that you have handled too?

It's a one-way hole in the firewall internally so I can't imagine any security concerns. As I noted you can restrict it to a specific device on the main network side and as long as that device has a fixed IP it should be no problem. I've got over 40 IoT devices all operating perfectly under this exact scenario, but note my setup is different than yours so I can only attest to my own. Also, I don't use Home Assistant and am not familiar with how device discovery works in that context but if there's any issues there I'd suggest just using fixed IP addresses for the IoT devices.
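As an added example (not code from this thread or from Asus-Merlin), here is how the one-way firewall-start rule discussed above could be narrowed to the HA host's fixed IP and made safe to re-run; the HA address, the backup path, the host-address check and the reliance on the router's existing ESTABLISHED,RELATED rule for return traffic are assumptions, while br0 and 192.168.53.0/24 come from the rule posted above.

```shell
#!/bin/sh
# Added example: /jffs/scripts/firewall-start fragment that allows only the
# HA host (not the whole main LAN) to initiate connections into the IoT VLAN.
# Assumed: HA_IP is the fixed address of the HA container; the router's own
# ESTABLISHED,RELATED rule lets replies back; BACKUP path is arbitrary.
HA_IP="192.168.1.50"        # assumed static IP of the HA container on the main LAN
IOT_NET="192.168.53.0/24"   # IoT / Guest Network Pro subnet (from the thread)
LAN_IF="br0"                # main LAN bridge (from the thread)
BACKUP="/jffs/iptables.before-ha-rule"

# The rule as one argument string, so the exact same rule is checked and inserted.
ha_rule() {
    printf 'FORWARD -i %s -s %s -d %s -j ACCEPT' "$LAN_IF" "$HA_IP" "$IOT_NET"
}

# Accept only a single dotted-quad host, so a typo such as "192.168.1.0/24"
# cannot silently widen the hole to the whole subnet.
is_single_host() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# firewall-start may run more than once; -C first avoids stacking duplicates.
apply_ha_rule() {
    # shellcheck disable=SC2046  # word splitting of ha_rule output is intended
    if ! iptables -C $(ha_rule) 2>/dev/null; then
        [ -f "$BACKUP" ] || iptables-save > "$BACKUP"   # snapshot to revert to
        iptables -I $(ha_rule)
        logger -t firewall-start "inserted HA -> IoT one-way rule: $(ha_rule)"
    fi
}

# Only touch the firewall on the router itself (skipped where iptables is absent).
if is_single_host "$HA_IP" && command -v iptables >/dev/null 2>&1; then
    apply_ha_rule
fi
```

This only forwards unicast traffic that HA initiates; mDNS discovery uses multicast to 224.0.0.251 on UDP 5353, which no FORWARD rule carries across subnets, so discovery still needs the reflector mentioned above or fixed IoT addresses.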
 