Solved GT AX6000 - Home Assistant can't access IoT VLAN devices

deviceunifier

New Around Here
UPDATE:
Inter-VLAN connectivity is possible by introducing new iptables rules.

This was quite simple and has been working well. However, the new rules aren't persistent: they get wiped and have to be added again every time the router reboots or is turned off, including the refresh it does after changing some settings.

I had the best results keeping HA on my main network and setting rules so the IoT devices could connect to it. All of the things on my main network and the devices on the IoT network I wanted to integrate worked perfectly. I tried it with HA on the IoT network but ran into issues with Homekit Bridge.

These are the rules I used in case anyone else wants to try it. Change them to suit your needs, specifically the IP and network interface. Be aware it really does depend on your existing iptables setup. YMMV.

- To allow a client on the main network to send traffic to all clients on IoT network:
# addresses written without leading zeros (192.168.1.2, not 192.168.01.02); some parsers read a zero-prefixed octet as octal
iptables -I FORWARD -i br0 -s 192.168.1.2 -o br1 -d 192.168.2.0/24 -j ACCEPT

- To allow all IoT clients to send traffic to a client on the main network:
iptables -I FORWARD -i br1 -s 192.168.2.0/24 -o br0 -d 192.168.1.2 -j ACCEPT

- Alternatively, allow specific IoT clients to send traffic to a client on the main network (adjust and repeat for each device):
iptables -I FORWARD -i br1 -s 192.168.2.111 -o br0 -d 192.168.1.2 -j ACCEPT

Original Post:
I've upgraded to an Asus GT AX6000, running stock firmware 3.0.0.6.102_34810. I have set up an IoT network in the Guest Network Pro feature to segregate my IoT devices. My Home Assistant is a Docker container on my home server, which is on my main network. It is having trouble integrating some smart bulbs and plugs. I can find them by manually adding their IP from the IoT VLAN, but it prompts me to authenticate. When I try this it fails with "Connection error: try_connect_all failed".

After some googling I found some posts that say the native Asus router firmware lacks inter-VLAN communication. When I try to ping the devices from my HA machine I get 100% packet loss, and when I try to ping my HA machine from the IoT network I also get 100% packet loss, which seems to confirm this. However, a few posts say you can get around this by using SSH to access the router and add some iptables rules to allow this traffic.

I have accessed the router with SSH and used iptables -S to see what rules have been added and noticed these:
-A SDN_FI -d 192.168.50.1/32 -i br52 -j DROP
-A SDN_IA -i br+ -o br+ -j DROP

If I use iptables -L -v | grep br52 to list the rules of the IoT network it returns with:
94 5944 ACCEPT all -- br52 eth0 anywhere anywhere
76 6539 ACCEPT udp -- br52 any anywhere anywhere multiport dports domain,bootps,bootpc
0 0 DROP all -- br52 any anywhere network.lan
13 3776 ACCEPT all -- br52 any anywhere anywhere state NEW

If I use iptables -L -v | grep br0 to list the rules of the main network it returns with:
2336 963K PTCSRVWAN all -- !br0 any anywhere anywhere
1355 114K PTCSRVLAN all -- br0 any anywhere anywhere
1355 114K ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- br0 any anywhere anywhere
371 32414 ACCEPT all -- br0 eth0 anywhere anywhere

After referencing the iptables manual, if I am understanding all this correctly, it is saying the two rules appear to be stopping the traffic between the IoT network and the default gateway and between any network interfaces, but the main network allows all connections everywhere, so it appears changing some rules should allow me to achieve communication between the VLANs.

I think the better option to take here is to move HA to its own dedicated machine and have it on the IoT network. Ideally I would like to keep these rules, as they act like a deny-all filter, and just create new ones to selectively allow inbound and outbound traffic of the devices on my main network that need to communicate with HA on the IoT network and vice versa. This way HA should work with everything and all the IoT devices are restricted.

However, I'm not familiar with iptables; I don't know how to achieve this or if it is even possible.
 
Last edited:
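As an added example (not the OP's code and not anything shipped in the Asus firmware), here is the same three-rule idea packaged as a script that can be re-run after every reboot or settings change without stacking duplicate rules. It keeps the OP's "HA may reach every IoT device" rule, but makes the IoT-to-HA direction stateful: replies to connections HA opened are accepted, and only the IoT devices listed in IOT_CLIENTS may open connections to HA themselves; everything else from the IoT side still falls through to the firmware's SDN_IA drop. It uses `iptables -C` to test for each rule before inserting it, and `-m state` because that is the match the router's own rules use in the listing above. The bridge names (br0, br52), the HA address 192.168.50.20, the IoT subnet 192.168.52.0/24 and the client addresses are assumptions (the 192.168.50.1 in the SDN_FI rule suggests the main LAN is 192.168.50.0/24, but check `brctl show` and `ip addr` on the router and override them via the environment).

```shell
#!/bin/sh
# Added example, not code from the thread or from Asus. Idempotent version of
# the three FORWARD rules in the post above, safe to re-run after every reboot
# or settings change. All names and addresses below are assumptions: check
# `brctl show` and `ip addr` on the router and override them via the environment.
LAN_IF="${LAN_IF:-br0}"                 # main LAN bridge
IOT_IF="${IOT_IF:-br52}"                # IoT Guest Network Pro bridge (assumed)
HA_IP="${HA_IP:-192.168.50.20}"         # Home Assistant host on the main LAN (assumed)
IOT_NET="${IOT_NET:-192.168.52.0/24}"   # IoT subnet (assumed)
# IoT devices allowed to open connections to HA (e.g. MQTT, HomeKit).
# Leave empty to allow none; HA can still reach every IoT device.
IOT_CLIENTS="${IOT_CLIENTS:-192.168.52.111 192.168.52.112}"
IPT="${IPT:-iptables}"                  # override with a stub for dry runs

# rules: one iptables rule specification per line. Replies to connections
# that HA opened come back on the first rule (stateful); the second lets HA
# initiate to any IoT device; the rest let the listed devices initiate to HA.
rules() {
    echo "FORWARD -i $IOT_IF -o $LAN_IF -s $IOT_NET -d $HA_IP -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "FORWARD -i $LAN_IF -o $IOT_IF -s $HA_IP -d $IOT_NET -j ACCEPT"
    for client in $IOT_CLIENTS; do
        echo "FORWARD -i $IOT_IF -o $LAN_IF -s $client -d $HA_IP -j ACCEPT"
    done
}

# apply_rules: insert each rule at the top of FORWARD (ahead of the SDN_*
# drop rules) unless `iptables -C` reports it is already present. Prints one
# "added:" or "present:" line per rule; returns non-zero on the first failure.
apply_rules() {
    rules | while IFS= read -r rule; do
        # $rule is split into separate arguments on purpose.
        # shellcheck disable=SC2086
        if $IPT -C $rule 2>/dev/null; then
            echo "present: $rule"
        else
            $IPT -I $rule || exit 1
            echo "added:   $rule"
        fi
    done
}

# show_rules: the FORWARD rules currently keyed on either bridge, for checking
# that the new ACCEPTs sit ahead of the jump to the SDN_* chains.
show_rules() {
    $IPT -S FORWARD | grep -E -- "-i ($LAN_IF|$IOT_IF) "
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
    *)     rules ;;     # default: print the rule set without touching the firewall
esac
```

Copy it to the router and run `sh ha-iot-rules.sh apply` over SSH (the file name is arbitrary); with no argument it only prints the rules it would add, and `show` lists what is in place. `iptables -C` needs iptables 1.4.11 or newer; if the router's build lacks it, drop the check and delete your own rules before re-adding them. The thread does not settle a supported way to run this automatically at boot on stock firmware, so until you find one it is something to re-run by hand after each reboot or settings change.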
There was another recent discussion where a user had the exact same problem. The Home Automation program on the main LAN couldn't contact clients on the IoT network.

There are several suggestions in that discussion that may apply to your issue. First, if the NAS that is running the Home Automation program has a second networking port, configure the Home Automation to use the second networking port, then connect that port to the router and add that port to the VLAN the IoT is using. The second, less desirable, option is to enable the option "Use same subnet as main network" on the IoT Guest Network. The downside or tradeoff of enabling that option is the IoT network would no longer be isolated from the main LAN. Blame Asus for giving IoT clients full main LAN access when that option is enabled.
 
I did come across this thread whilst searching for a solution. My server is a repurposed workstation and only has one networking port. I also think I would run into the same issues doing that as I would running HA on a dedicated machine on the IoT network.
That however will likely mean the HA is now isolated from the main LAN since it is on the IoT VLAN

Was I wrong in my iptables assumptions? I have seen some posts with people claiming it works they just don't elaborate further on how they got it working.
 
Add a second network port or wifi adapter to the workstation, either a USB adapter or an internal network card. Then add the new network port to the same VLAN as the IoT. The workstation should, I would think, with likely some additional configuration, be able to access both the main LAN and the IoT VLAN at the same time.

While it is likely one can use scripting to add iptables entries on Asus stock firmware to allow the communication between IoT and a main LAN client, it might not survive a reboot and may require some trial and error to get working properly.
 
That's a good suggestion and one I will fall back on. I happen to have a spare Pi so I will attempt some trial and error first.
Do you know if creating a back up config of the router will store the new iptables entries?
 
On stock Asus firmware? No idea. Search the subforums here; there is talk of ways to get scripts to run at Asus router stock firmware boot using a USB drive.

A wild guess would be the iptables commands might be something like the following, if you want IoT VLAN clients to have traffic to a specific IP address (192.168.1.50 in the example below) on the main LAN:

Code:
iptables -I FORWARD -i br52 -o br0 -d 192.168.1.50 -j ACCEPT
iptables -I FORWARD -i br0 -o br52 -s 192.168.1.50 -j ACCEPT
This example was cobbled together from some scripting examples I did on the Asus-Merlin firmware and YazFi. No idea if it would work on Asus stock though, haven't tested it.
 
Interesting, I will see what I can find.

I only want certain clients to have traffic to specific IP addresses, so perhaps something like:
iptables -I FORWARD -i br52 -s 192.168.2.50 -o br0 -d 192.168.1.50 -j ACCEPT
I'm not sure if that is the correct format though; I'll give it a go and report back tomorrow. Thank you for your advice, I really appreciate it.
 
Sounds as if your server is running Linux? If so, add a virtual network to the existing network adapter. I have done this with Webmin several times when we had cams running on a different subnet from the main LAN subnet.
 
It is. I'd prefer to isolate the IoT devices as much as possible; adding the iptables rules has been the solution for me. This may help others though.
 
Thank you for posting this.
I was in the same situation and it took me a while to understand how to get it done.
I am hosting my HA on a Proxmox PVE and the way I've done it (I think bbunge suggested this on a thread I opened) was to create a virtual VLAN where I tagged the traffic from my IoT network through the virtual VLAN created. It works well so far: my HA can access the devices on my Guest Network Pro but not the other way around.
Happy to see there is another way to achieve this if something goes wrong :)
 
Glad it worked for you!
 