deviceunifier
New Around Here
UPDATE:
Inter-VLAN connectivity is possible by introducing new iptables rules.
This was quite simple and has been working well. However, the new rules aren't persistent: they get wiped and have to be added again every time the router reboots or is turned off, including the refresh it does after changing some settings.
I had the best results keeping HA on my main network and setting rules so the IoT devices could connect to it. All of the things on my main network and the devices on the IoT network I wanted to integrate worked perfectly. I tried it with HA on the IoT network but ran into issues with Homekit Bridge.
These are the rules I used in case anyone else wants to try it. Change them to suit your needs, specifically the IP and network interface. Be aware it really does depend on your existing iptables set up. YMMV.
- To allow a client on the main network to send traffic to all clients on the IoT network:
# br0 = main LAN bridge, br1 = IoT bridge (the IoT bridge is named br52 in the output further down); addresses are placeholders.
# Leading zeros removed from the octets: inet_aton reads a leading zero as octal, so 192.168.01.02 is written 192.168.1.2.
iptables -I FORWARD -i br0 -s 192.168.1.2 -o br1 -d 192.168.2.0/24 -j ACCEPT
- To allow all IoT clients to send traffic to a client on the main network:
iptables -I FORWARD -i br1 -s 192.168.2.0/24 -o br0 -d 192.168.1.2 -j ACCEPT
- Alternatively, allow specific IoT clients to send traffic to a client on the main network (adjust and repeat for each device):
# one rule per IoT device; 192.168.2.111 stands for a single bulb or plug
iptables -I FORWARD -i br1 -s 192.168.2.111 -o br0 -d 192.168.1.2 -j ACCEPT
Original Post:
I've upgraded to an Asus GT AX6000, running stock firmware 3.0.0.6.102_34810. I have set up an IoT network in the Guest Network Pro feature to segregate my IoT devices. My Home Assistant is a docker container on my home server which is on my main network. It is having trouble integrating some smart bulbs and plugs. I can find them by manually adding their IP from the IoT VLAN, but it prompts me to authenticate. When I try this it fails with "Connection error: try_connect_all failed".
After some googling I found some posts that say the native asus router firmware lacks inter-vlan communication. When I try to ping the devices from my HA machine I get 100% packet loss, and when I try to ping my HA machine from the IoT network I also get 100% packet loss which seems to confirm this. However, a few posts say you can get around this by using ssh to access the router and add some iptables rules to allow this traffic.
I have accessed the router with ssh and used
iptables -S
to see what rules have been added and noticed these:
-A SDN_FI -d 192.168.50.1/32 -i br52 -j DROP
-A SDN_IA -i br+ -o br+ -j DROP
If I use
iptables -L -v | grep br52
to list the rules of the IoT network it returns with:
94 5944 ACCEPT all -- br52 eth0 anywhere anywhere
76 6539 ACCEPT udp -- br52 any anywhere anywhere multiport dports domain,bootps,bootpc
0 0 DROP all -- br52 any anywhere network.lan
13 3776 ACCEPT all -- br52 any anywhere anywhere state NEW
If I use
iptables -L -v | grep br0
to list the rules of the main network it returns with:
2336 963K PTCSRVWAN all -- !br0 any anywhere anywhere
1355 114K PTCSRVLAN all -- br0 any anywhere anywhere
1355 114K ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- br0 any anywhere anywhere
371 32414 ACCEPT all -- br0 eth0 anywhere anywhere
After referencing the iptables manual, if I am understanding all this correctly, it is saying the two rules appear to be stopping the traffic between the IoT network and the default gateway and between any network interfaces, but the main network allows all connections everywhere; thus it appears changing some rules should allow me to achieve communication between the VLANs.
I think the better option to take here is to move HA to its own dedicated machine and have it on the IoT network. Ideally I would like to keep these rules, as they act like a deny-all filter, and just create new ones to selectively allow inbound and outbound traffic of the devices on my main network that need to communicate with HA on the IoT network and vice versa. This way HA should work with everything and all the IoT devices are restricted.
However, I'm not familiar with iptables; I don't know how to achieve this, or if it is even possible.
Last edited:
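The two weak spots in the rules posted above are that they are re-typed by hand after every reboot or settings refresh, and that they accept every protocol and port between the IoT subnet and the HA host. The script below is an added example, not the poster's own rules or anything shipped by Asus: it wraps the same FORWARD inserts in a function that first checks with `iptables -C` whether an identical rule already exists, so it can be re-run as often as the firewall is rebuilt without stacking duplicates, and it narrows the IoT-to-HA direction to HA's TCP port. The interface names (br0 main, br52 IoT, matching the grep output in the original post), the addresses 192.168.1.2 and 192.168.52.0/24, and the port 8123 are all placeholders to adjust; the ESTABLISHED,RELATED rules are an assumption that no earlier rule in your FORWARD chain already accepts reply traffic. How to have the router run it after the firewall is rebuilt depends on the firmware and is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent, least-privilege
# inter-VLAN allow rules. All names and addresses below are placeholders.
MAIN_IF="${MAIN_IF:-br0}"              # main LAN bridge
IOT_IF="${IOT_IF:-br52}"               # IoT bridge, as listed by iptables -L on this router
HA_IP="${HA_IP:-192.168.1.2}"          # Home Assistant host on the main LAN (placeholder)
IOT_NET="${IOT_NET:-192.168.52.0/24}"  # IoT subnet (placeholder)
HA_PORT="${HA_PORT:-8123}"             # port HA listens on (assumed)
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                # DRY_RUN=1 prints the commands instead of running them

# rule_spec IN_IF SRC OUT_IF DST [PROTO/PORT]
# Print a FORWARD rule specification. Without PROTO/PORT it matches all
# traffic (like the poster's rules); with it, only that destination port.
rule_spec() {
    spec="-i $1 -s $2 -o $3 -d $4"
    if [ -n "${5:-}" ]; then
        spec="$spec -p ${5%%/*} --dport ${5#*/}"
    fi
    echo "$spec -j ACCEPT"
}

# ensure_rule SPEC: insert SPEC at the top of FORWARD unless it is already there.
# "iptables -C" exits 0 when an identical rule exists, so re-running this after
# a reboot or a settings refresh never creates duplicate rules.
ensure_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I FORWARD $1"
        return 0
    fi
    # shellcheck disable=SC2086  # splitting $1 into separate arguments is intended
    if $IPT -C FORWARD $1 2>/dev/null; then
        return 0
    fi
    $IPT -I FORWARD $1
}

apply_rules() {
    # Reply packets of connections that were already accepted, both directions.
    ensure_rule "-i $IOT_IF -o $MAIN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    ensure_rule "-i $MAIN_IF -o $IOT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # IoT clients may open connections only to HA's port, not to the whole main LAN.
    ensure_rule "$(rule_spec "$IOT_IF" "$IOT_NET" "$MAIN_IF" "$HA_IP/32" "tcp/$HA_PORT")"
    # HA may open connections to any device on the IoT subnet (bulbs, plugs).
    ensure_rule "$(rule_spec "$MAIN_IF" "$HA_IP/32" "$IOT_IF" "$IOT_NET")"
}

# Number of rules apply_rules would install; a quick self-check before applying.
rule_count() {
    DRY_RUN=1 apply_rules | grep -c 'FORWARD'
}

case "${1:-}" in
    apply) apply_rules ;;          # sh rules.sh apply   (needs root on the router)
    show)  DRY_RUN=1 apply_rules ;; # sh rules.sh show    (print the commands only)
esac
```

Run it with `show` first to read the exact iptables commands it would issue, then with `apply`. Because `-I` inserts at the top of FORWARD, the rules land ahead of the router's own SDN_FI / SDN_IA drops; keeping the IoT-to-HA rule limited to one port means a compromised bulb still cannot reach anything else on the main LAN.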