Context

Setting up Home Assistant to control brand-new Velux roof windows through the Velux Active with Netatmo gateway (via the HomeKit integration).

Host setup

Discovery testing

Manually send an mDNS query to discover HomeKit devices on a given interface:

dig -b <interface-address> @224.0.0.251 -p 5353 -t ptr _hap._tcp.local
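As an added example (not part of the original notes), here is a small Python equivalent of the dig probe above: it builds the same PTR query for _hap._tcp.local, sends it out of a chosen interface address via IP_MULTICAST_IF (the role of dig's -b), and parses the PTR answers that come back. The sample reply at the end is constructed by hand, not a capture from the Velux gateway.

```python
import socket
import struct

def encode_name(name):
    # DNS wire format: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_ptr_query(service="_hap._tcp.local"):
    # Header: id 0, flags 0, QDCOUNT 1; then one PTR (type 12) / IN (class 1) question.
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", 12, 1)

def decode_name(data, offset):
    # Returns (name, offset past the name), following RFC 1035 compression pointers.
    labels, end = [], None
    while (length := data[offset]) != 0:
        if length & 0xC0 == 0xC0:  # pointer: note where this name ends, then jump
            end, offset = end or offset + 2, int.from_bytes(data[offset:offset + 2], "big") & 0x3FFF
        else:
            labels.append(data[offset + 1:offset + 1 + length].decode())
            offset += 1 + length
    return ".".join(labels), end or offset + 1

def parse_ptr_answers(data):
    # Return the PTR targets (service instance names) carried in an mDNS reply.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, targets = 12, []
    for _ in range(qd):  # legacy unicast replies repeat the question (RFC 6762 6.7)
        offset = decode_name(data, offset)[1] + 4
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, offset)
        if rtype == 12:
            targets.append(decode_name(data, offset + 10)[0])
        offset += 10 + rdlen
    return targets

def query_via(interface_addr, timeout=2.0):
    # dig -b equivalent: IP_MULTICAST_IF sends the query out of the chosen interface;
    # responders answer a non-5353 source port by unicast, so recv() sees the replies.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(interface_addr))
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(), ("224.0.0.251", 5353))
    return sock  # caller: parse_ptr_answers(sock.recv(4096)) until socket.timeout

# Constructed sample reply (not a capture): one PTR answer; rdata ends in pointer 0xC00C to offset 12.
SAMPLE_REPLY = (bytes.fromhex("000084000000000100000000") + encode_name("_hap._tcp.local")
                + bytes.fromhex("000c0001000011940010") + b"\x0dVELUX-gateway\xc0\x0c")
```

Calling parse_ptr_answers(SAMPLE_REPLY) yields the single instance name VELUX-gateway._hap._tcp.local; on a live network, loop over sock.recv() from query_via(<interface-address>) until the socket times out.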

Container networking mode

HomeKit discovery relies on mDNS to find devices, so Home Assistant needs to be able to send out multicast queries, which is currently not supported with non-host networking. So there is no choice but to use host networking. (That's clearly written in the docs, but I still tried to get it working with ipvlan, to no avail.)

Interface selection

By default, Home Assistant will use only the network interface of the default route (the interface the kernel picks to reach the link-local multicast address 224.0.0.251). To enable additional interfaces, the network settings in Home Assistant must be adjusted, which requires switching the user profile to advanced mode.

Traefik setup

When using host networking, Traefik will connect to the container on the host’s bridge IP (here 172.17.0.1). In order for HA to bind only to that address (and not be exposed to the LAN), I therefore set server_address to host.docker.internal.

Mikrotik setup

I am assigning a separate IoT VLAN to the gateway through a Mikrotik wireless access list. By default, the device will only see multicast frames sent on the interface's default VLAN (not on the VLAN overridden by the access list). In order for it to get the multicast frames of its ACL-assigned VLAN, the multicast-helper=full option must be enabled on the wifi interface (doc).

(Actually, I ended up creating a separate virtual SSID for all things IoT instead, so that I do not need to manually maintain the access list.)