How to Enable Cross-Subnet Communication for Xiaomi Miio Devices in Home Assistant

Learn how to configure pfSense to enable cross-subnet communication for Xiaomi Miio devices like air purifiers in Home Assistant.

Xiaomi Miio devices, such as air purifiers, often fail to communicate across subnets or VLANs because they ignore UDP packets whose source IP is outside their own subnet. If your Home Assistant server resides in a different VLAN than your Xiaomi device, this guide will help you set up NAT and firewall rules on a pfSense firewall to enable communication securely.


Overview of the Problem

Xiaomi devices ignore UDP packets if the source IP is not from their own subnet. This can prevent communication when Home Assistant and the device are on separate VLANs. Here’s an example setup to make the guide clearer:

  • LAN VLAN (VLAN_10):

    • Subnet: 192.168.10.0/24
    • Purpose: General devices, including the Home Assistant server (192.168.10.10).
  • IoT VLAN (VLAN_20):

    • Subnet: 192.168.20.0/24
    • Purpose: IoT devices, including the Xiaomi air purifier (192.168.20.50).
    • Gateway: 192.168.20.1

The solution involves:

  1. Configuring Outbound NAT to rewrite the source IP of packets from Home Assistant so they appear to originate from the IoT VLAN.
  2. Creating Firewall rules to allow and secure communication.

Solution: Step-by-Step Guide

Step 1: Configure Outbound NAT

  1. Log into pfSense and go to Firewall > NAT > Outbound.

  2. Select Hybrid Outbound NAT rule generation and click Save.

  3. Click Add to create a new NAT rule and configure it as follows:

    • Interface: IoT VLAN (VLAN_20), where the Xiaomi device resides.
    • Address Family: IPv4.
    • Protocol: UDP (recommended for Xiaomi devices).

    Source:

    • Type: Network or Alias.
    • Address: Select either the Home Assistant server IP (192.168.10.10/32) for greater security or the LAN subnet (192.168.10.0/24) if multiple devices need access.

    Destination:

    • Type: IoT Subnets.

    Translation:

    • Address Type: IoT Address (e.g., the gateway address of the IoT VLAN, 192.168.20.1).

    Description:

    • Add a meaningful description such as: NAT for Home Assistant to Xiaomi IoT VLAN.
  4. Save the rule and click Apply Changes.


Step 2: Add Firewall Rules

Note: This step is only necessary if you don’t already have an Allow All LAN → IoT VLAN rule or a specific Home Assistant → IoT VLAN rule in place. Most setups with separate VLANs for IoT devices would already have such rules configured.

  1. Go to Firewall > Rules > IoT VLAN (VLAN_20).

  2. Create an Allow Rule for Home Assistant traffic:

    • Action: Pass.
    • Interface: IoT VLAN (VLAN_20).
    • Protocol: UDP.
    • Source: Single Host or Alias → 192.168.10.10/32 (Home Assistant server).
    • Destination: IoT Subnets.

    Description: Add something like Allow Home Assistant to communicate with Xiaomi device.

  3. Add a Block Rule for other traffic:

    • Action: Block.
    • Interface: IoT VLAN (VLAN_20).
    • Protocol: Any.
    • Source: Any.
    • Destination: IoT Subnets.

    Description: Add something like Block all other devices from accessing Xiaomi IoT devices.

  4. Ensure the Allow Rule is above the Block Rule in the rule list.

  5. Save and click Apply Changes.


Step 3: Test and Verify

  1. Restart Home Assistant to reload the Xiaomi Miio integration.
  2. Verify that the Xiaomi device is now discoverable and operational in Home Assistant.
  3. Use Diagnostics > Packet Capture in pfSense to confirm:
    • Traffic from 192.168.10.10 is NATed to the IoT VLAN gateway (192.168.20.1).
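One way to check a capture against that expectation is the script below. It is an added example, not part of the original guide or of pfSense. It assumes the capture was taken on the IoT VLAN interface and exported as tcpdump-style text lines; the sample lines, ports and verdict names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Addressing taken from this guide's example setup.
HA_HOST = ipaddress.ip_address("192.168.10.10")   # Home Assistant server
IOT_NET = ipaddress.ip_network("192.168.20.0/24")  # IoT VLAN subnet
NAT_ADDR = ipaddress.ip_address("192.168.20.1")    # NAT translation address

# tcpdump-style line: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: UDP")

def classify(line):
    """Return a verdict for one capture line, or None if it is not IPv4 UDP."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst = (ipaddress.ip_address(g) for g in m.groups())
    if src in IOT_NET and dst == NAT_ADDR:
        return "REPLY"              # device answering the translated address
    if dst not in IOT_NET:
        return "OTHER"
    if src == NAT_ADDR:
        return "NAT_OK"             # source rewritten to the IoT VLAN address
    if src == HA_HOST:
        return "NAT_MISSING"        # untranslated; the device will ignore it
    if src not in IOT_NET:
        return "UNEXPECTED_SOURCE"  # some other off-subnet host got through
    return "OTHER"

def summarize(capture_text):
    """Count verdicts over a whole capture."""
    return Counter(v for v in map(classify, capture_text.splitlines()) if v)

def nat_verified(counts):
    """True only if translated requests were answered and nothing leaked through."""
    return (counts["NAT_OK"] > 0 and counts["REPLY"] > 0
            and counts["NAT_MISSING"] == 0 and counts["UNEXPECTED_SOURCE"] == 0)

# Constructed sample capture (not real traffic); ports and times are made up.
SAMPLE = """\
10:00:01.000100 IP 192.168.20.1.40112 > 192.168.20.50.54321: UDP, length 32
10:00:01.004200 IP 192.168.20.50.54321 > 192.168.20.1.40112: UDP, length 32
10:00:05.100000 IP 192.168.10.10.40113 > 192.168.20.50.54321: UDP, length 32
10:00:07.300000 IP 192.168.10.23.51000 > 192.168.20.50.54321: UDP, length 32
10:00:08.000000 ARP, Request who-has 192.168.20.50 tell 192.168.20.1, length 28
"""

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    print(dict(counts), "verified:", nat_verified(counts))
```

A NAT_MISSING count above zero means the Outbound NAT rule from Step 1 is not matching; an UNEXPECTED_SOURCE count above zero means a host other than Home Assistant is reaching the IoT VLAN and the Step 2 rules need review.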

Key Takeaways

  • Outbound NAT: Ensures Xiaomi devices see requests as originating from their own subnet, enabling proper communication.
  • Firewall Rules: Restrict access to just the Home Assistant server for improved security.
  • Flexible Configuration: You can widen the source scope to include all devices in your LAN VLAN if needed.

This setup maintains network segmentation for security while enabling seamless integration of Xiaomi Miio devices in Home Assistant.