#Problems connecting smart bulb with Matter when using an isolated network

Hi! I'm new to home assistant but I have a strong network engineering background. I recently purchased a smart bulb (Tapo L535B) that has matter support, but I keep getting "Failed to generate device credentials" when attempting to pair the bulb.

I have a network called IoTNetwork on VLAN 20 with isolation from the internet. This network uses the address scheme 192.168.20.0/24. This network houses the bulb, plus temporarily my phone during on boarding. I am able to reach home assistant from this network.

Home assistant is a docker container on a server on my LAN network, which has no VLAN, and uses the address range 192.168.1.0/24. Specifically, home assistant is on 192.168.1.209.

I have firewall rules between the two networks, allowing the IoT network to reach the LAN network. I can not connect the IoT device directly to the LAN network as the LAN network has no wireless access point. Only the WLAN and IoT network has a wireless access point.

My current guess is home assistant doesn't recognise 192.168.20.0/24 as an internal network, so is denying the on boarding request from the bulb, but I haven't found any settings that would allow me to fix this behaviour.

forgive me if I am wrong here because I don't have any matter devices but... doesn't matter require ipv6?

also I believe it makes use of mDNS which doesn't work across VLANS...

I already have mDNS repeaters, but I was not aware it has to be IPv6, and thats gonna be a pain to set up, but I can still do it. I will implement IPv6 and report back

mDNS repaters/reflectors tend to be a bit flakey too

ok, I created an IPv6 network but still seeing the same behaviour

if you are using an android phone, the phone requires internet access during the provisioning step (i think in order to check device certification or something). given that it also needs to be on the same wifi network as the matter device when setting up a wifi matter device, you'll probably need to allow internet access from your iot network.

but yeah, sounds like you're suffering from https://frenck.dev/the-enterprise-smart-home-syndrome/ - if you simplify your network setup, matter should "just work".

you'll have a particularly hard time if you want to add thread stuff in the future :/

I am shifting from HA hosted as a docker container to using the OS on a pi 4, hopefully if its connected to the IoT network it will eliminate the issues I have been experiencing