
GT AX6000 - Home Assistant can't access IoT VLAN devices

deviceunifier
I've upgraded to an Asus GT AX6000, running stock firmware 3.0.0.6.102_34810. I have set up an IoT network in the Guest Network Pro feature to segregate my IoT devices. My Home Assistant is a Docker container on my home server, which is on my main network. It is having trouble integrating some smart bulbs and plugs. I can find them by manually adding their IP from the IoT VLAN, but it prompts me to authenticate. When I try this it fails with "Connection error: try_connect_all failed".

After some googling I found some posts that say the native Asus router firmware lacks inter-VLAN communication. When I try to ping the devices from my HA machine I get 100% packet loss, and when I try to ping my HA machine from the IoT network I also get 100% packet loss, which seems to confirm this. However, a few posts say you can get around this by using SSH to access the router and adding some iptables rules to allow this traffic.

I have accessed the router with SSH and used iptables -S to see what rules have been added, and noticed these:
-A SDN_FI -d 192.168.50.1/32 -i br52 -j DROP
-A SDN_IA -i br+ -o br+ -j DROP

If I use iptables -L -v | grep br52 to list the rules of the IoT network, it returns:
94 5944 ACCEPT all -- br52 eth0 anywhere anywhere
76 6539 ACCEPT udp -- br52 any anywhere anywhere multiport dports domain,bootps,bootpc
0 0 DROP all -- br52 any anywhere network.lan
13 3776 ACCEPT all -- br52 any anywhere anywhere state NEW

If I use iptables -L -v | grep br0 to list the rules of the main network, it returns:
2336 963K PTCSRVWAN all -- !br0 any anywhere anywhere
1355 114K PTCSRVLAN all -- br0 any anywhere anywhere
1355 114K ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 ACCEPT all -- br0 any anywhere anywhere
371 32414 ACCEPT all -- br0 eth0 anywhere anywhere

After referencing the iptables manual, if I am understanding all this correctly, the two rules appear to be stopping the traffic between the IoT network and the default gateway and between any network interfaces, but the main network allows all connections everywhere, so it appears changing some rules should allow me to achieve communication between the VLANs.

I think the better option to take here is to move HA to its own dedicated machine and have it on the IoT network. Ideally I would like to keep these rules, as they act like a deny-all filter, and just create new ones to selectively allow inbound and outbound traffic of the devices on my main network that need to communicate with HA on the IoT network, and vice versa. This way HA should work with everything and all the IoT devices are restricted.

However, I'm not familiar with iptables, so I don't know how to achieve this, or if it is even possible.
 
There was another recent discussion where a user had the exact same problem. The Home Automation program on the main LAN couldn't contact clients on the IoT network.

There are several suggestions in that discussion that may apply to your issue. The first is, if the NAS that is running the Home Automation program has a second networking port: configure the Home Automation program to use the second networking port, then connect that port to the router and add that port to the VLAN the IoT is using. The second, less desirable option is to enable the option "Use same subnet as main network" on the IoT Guest Network. The downside or tradeoff of enabling that option is that the IoT network would no longer be isolated from the main LAN. Blame Asus for giving IoT clients full main LAN access when that option is enabled.
 
I did come across this thread whilst searching for a solution. My server is a repurposed workstation and only has one networking port. I also think I would run into the same issues doing that as I would running HA on a dedicated machine on the IoT network.
That, however, will likely mean the HA is now isolated from the main LAN, since it is on the IoT VLAN.

Was I wrong in my iptables assumptions? I have seen some posts with people claiming it works; they just don't elaborate further on how they got it working.
 
Add a second network port or Wi-Fi adapter to the workstation, either by USB adapter or internal network card. Then add the new network port to the same VLAN as the IoT. The workstation should, I would think, with likely some additional configuration, be able to access both the main LAN and the IoT VLAN at the same time.

While it is likely one can use scripting to add iptables entries on Asus stock firmware to allow the communication between IoT and a main LAN client, it might not survive a reboot and may require some trial and error to get working properly.
 
That's a good suggestion and one I will fall back on. I happen to have a spare Pi so I will attempt some trial and error first.
Do you know if creating a backup config of the router will store the new iptables entries?
 
On stock Asus firmware? No idea. Search the subforums here; there is talk of ways to get scripts to run at Asus router stock firmware boot using a USB drive.

A wild guess would be that the iptables commands might be something like the following, if you want IoT VLAN clients to have traffic to a specific IP address (192.168.1.50 in the example below) on the main LAN:

Code:
iptables -I FORWARD -i br52 -o br0 -d 192.168.1.50 -j ACCEPT
iptables -I FORWARD -i br0 -o br52 -s 192.168.1.50 -j ACCEPT
This example was cobbled together from some scripting examples I did on the Asus-Merlin firmware and YazFi. No idea if it would work on Asus stock though, haven't tested it.
 
Interesting, I will see what I can find.

I only want certain clients to have traffic to specific IP addresses, so perhaps something like:
iptables -I FORWARD -i br52 -s 192.168.2.50 -o br0 -d 192.168.1.50 -j ACCEPT
I'm not sure if that is the correct format though, I'll give it a go and report back tomorrow. Thank you for your advice, I really appreciate it.
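The FORWARD rules suggested above, and the source-restricted variant in the reply, can be turned into a script that is safe to re-run. The following is an added example, not code from the thread, from Asus or from Home Assistant: it keeps the firmware's SDN_* DROP rules as the default deny and opens only the path between one HA address and a fixed list of IoT clients, in both directions, with the state match (which the firmware's own rules already use) taking care of replies. The bridge names br0 and br52 come from the iptables output in the first post; the HA address 192.168.50.20, the IoT client addresses 192.168.52.11/12, the chain name HA_IOT and the assumption that the SDN_IA drop is reached from FORWARD are mine and must be adjusted to your network.

```shell
#!/bin/sh
# Added example for this thread, not code from Asus or from the posters.
# Selectively allow traffic between a Home Assistant host on the main LAN
# bridge (br0) and a fixed list of IoT clients on the Guest Network Pro bridge
# (br52), leaving the firmware's SDN_* DROP rules in place as the default deny.
# Bridge names are from the iptables output in the first post; the addresses
# below are assumptions and must be changed to match your LAN.
#
# Apply on the router over SSH:        sh ha_iot.sh apply
# Dry run that only prints the rules:  IPT=echo sh ha_iot.sh apply

ha_iot_apply() {
    ipt="${IPT:-iptables}"                       # set IPT=echo to dry-run
    lan_if="${LAN_IF:-br0}"                      # main LAN bridge (HA lives here)
    iot_if="${IOT_IF:-br52}"                     # IoT Guest Network Pro bridge
    ha_ip="${HA_IP:-192.168.50.20}"              # assumed HA address on the main LAN
    clients="${IOT_CLIENTS:-192.168.52.11 192.168.52.12}"  # assumed bulbs/plugs
    chain="${CHAIN:-HA_IOT}"

    # A dedicated chain keeps these rules apart from the firmware's and lets
    # the script be re-run after the firmware rewrites its own rule set.
    "$ipt" -N "$chain" 2>/dev/null || "$ipt" -F "$chain"

    # Replies to connections accepted below, in either direction. Nothing else
    # between the two bridges can reach ESTABLISHED, because every other
    # br+ -> br+ packet is dropped by SDN_IA further down.
    "$ipt" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT

    for client in $clients; do
        # HA may open connections to this IoT client (polling, control).
        "$ipt" -A "$chain" -i "$lan_if" -o "$iot_if" -s "$ha_ip" -d "$client" \
            -m state --state NEW -j ACCEPT
        # The IoT client may open connections to HA only (push-style updates);
        # it still cannot reach anything else on the main LAN.
        "$ipt" -A "$chain" -i "$iot_if" -o "$lan_if" -s "$client" -d "$ha_ip" \
            -m state --state NEW -j ACCEPT
    done

    # Hook the chain in at the top of FORWARD so it is consulted before the
    # firmware's SDN_IA "-i br+ -o br+ -j DROP". Remove any earlier jump first
    # so repeated runs do not stack duplicates.
    "$ipt" -D FORWARD -i "$lan_if" -o "$iot_if" -j "$chain" 2>/dev/null || true
    "$ipt" -D FORWARD -i "$iot_if" -o "$lan_if" -j "$chain" 2>/dev/null || true
    "$ipt" -I FORWARD 1 -i "$lan_if" -o "$iot_if" -j "$chain"
    "$ipt" -I FORWARD 1 -i "$iot_if" -o "$lan_if" -j "$chain"
}

if [ "${1:-}" = "apply" ]; then
    ha_iot_apply
fi
```

After applying, `iptables -L FORWARD -n --line-numbers | head` should show the two jumps to HA_IOT at positions 1 and 2, and `iptables -L HA_IOT -v -n` should show the packet counters climbing when HA talks to a listed client; a ping from HA to a client not in the list should still fail. Two caveats: the firmware rebuilds its iptables rules at boot (and may do so on other events), so the script has to be re-run from whatever boot mechanism you end up using, and HA's automatic discovery relies on link-local multicast (mDNS/SSDP), which is not forwarded between the bridges, so devices still have to be added by IP as in the first post.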
 
Sounds as if your server is running Linux? If so, add a virtual network to the existing network adapter. I have done this with Webmin several times, when we had cams running on a different subnet from the main LAN subnet.
 