HA-Orbiter (Communication Broker for IOT VLANs) #3482
Unanswered
orehmann
asked this question in
Core functionality
Replies: 1 comment
Wow... I'm overwhelmed by the huge number of replies to my post :-(
Describe your core improvement
Create a HA Broker which brokers communication between HA and devices living in an IOT-VLAN.
Current limitations
A lot of people try to enhance security in their networks by separating IOT devices into a separate IOT-VLAN. This is because most of the IOT devices have a very poorly integrated IP and security stack. By doing so the biggest problem is that mDNS requests are not coming through to the VLAN where HA is living on (your internal network) and that you have to implement (complex) firewall rules (for each device) to get the job done.
Other people tried to approach the problem by giving HA a second network interface in the IOT-VLAN. Not good from a security perspective either, and it comes with a lot of downsides such as routing metrics, default gateway configuration etc.
Other approaches are the use of mDNS repeaters (dedicated in a VM or supported by your firewall e.g. PFSense, etc) or Multicast configuration. This still leaves you with firewall rules.
Technical benefits
Why not provide a dedicated daemon/broker sitting in the IOT-VLAN and connected to HA in the main network by one connection (e.g. 443)?
Let's call it an Orbiter (Satellite is already used in the HA universe) as it kind of surrounds HA.
The Orbiter would be installed on a Raspberry Pi or in a VM (ProxMox, VMWare, etc.) running a stripped down Linux OS. The Orbiter would have its network interface directly in the IOT-VLAN. There would be one simple firewall rule from HA to Orbiter (e.g. TCP/443 or QUIC protocol).
In HA you would configure the Orbiter with its IP-Address/FQDN, Port and kind of authentication principal (maybe an access token). HA would do an outgoing connection to the Orbiter in the IOT-VLAN (no backwards connection from IOT-VLAN to HA-VLAN!).
The Orbiter acts as a broker and would listen for mDNS requests in the IOT-VLAN and forward them to HA.
Any connectivity from HA to devices in the IOT-VLAN would go through Orbiter and from there to the IOT device.
The same would be the case for devices in the IOT-VLAN needing to connect to HA. They would target the Orbiter, which brokers the connection to the real HA.
Such a construct would extremely simplify separating IOT devices into a separate VLAN with maximum security.
But such a construct needs integration into HA CORE to work seamlessly.
Additional context
No response
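The broker side of the proposal above starts with the Orbiter listening for mDNS announcements in the IOT-VLAN and turning them into records HA can consume. As an added illustration (not code from this discussion or from the Home Assistant project), the following parser handles the part of that job that is easy to get wrong: DNS name compression pointers, bounded so a malformed packet cannot loop forever. The sample packet is constructed here; the service name, host name and address are made-up values.

```python
import struct

def read_name(pkt, off):
    """Decode a DNS name at pkt[off], following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it is written in the packet)."""
    labels, end = [], None
    for _ in range(128):  # hop bound: a malformed pointer loop cannot spin forever
        length = pkt[off]
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        if (length & 0xC0) == 0xC0:  # 2-byte pointer into an earlier part of the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    raise ValueError("name too long or pointer loop")

def parse_mdns_response(pkt):
    """Return [(name, rtype, ttl, rdata)] for the answer section of an mDNS response.
    Queries are ignored: the broker only relays announcements towards HA."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        return []
    off, records = 12, []
    for _ in range(qd):  # skip any question entries
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == 12:  # PTR: rdata is a (possibly compressed) name
            rdata = read_name(pkt, off)[0]
        elif rtype == 1 and rdlen == 4:  # A record: IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
        off += rdlen
    return records

def _name(s):  # wire-encode a dotted name; used only to build the constructed sample
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed sample: an authoritative response announcing a HomeKit bridge service
# (PTR whose rdata points back to offset 12) plus the bridge's A record.
SAMPLE_PACKET = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)
    + _name("_hap._tcp.local") + struct.pack("!HHIH", 12, 0x8001, 4500, 9)
    + _name("Bridge")[:-1] + b"\xc0\x0c"
    + _name("bridge.local") + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([10, 0, 50, 20])
)
```

Running `parse_mdns_response(SAMPLE_PACKET)` yields the PTR and A records as plain tuples, which is the shape the Orbiter would forward over its single HA-initiated connection.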