Roborock vacuum on IoT (VLAN 5) — connectivity
Use when the vacuum is on WiFi / IoT (192.168.7.x) but the app shows offline,
jobs won’t start, or the device never finishes cloud registration after a network
change.
This lab’s inventory row: 192.168.7.212, Roborock Vacuum, VLAN 5 (IoT),
MAC 24:9e:7d:7c:51:ea — see device-vlan-mapping.
1. Fix DNS first (most common after ZBF + AdGuard)
Zone firewall policy blocks IoT → Servers by default. If the IoT network
DHCP hands out AdGuard on 192.168.6.17 as DNS, the vacuum cannot reach
that resolver unless you add an explicit allow.
Check (UDM): Settings → Networks → IoT (VLAN 5) → DHCP → DNS server.
| If DNS is… | What happens | Fix |
|---|---|---|
| 192.168.6.17 (AdGuard) only | IoT cannot query it → no DNS → cloud offline | Either set IoT DHCP DNS to gateway/auto (192.168.7.1) or a public resolver, or add ZBF: Allow IoT → Internal, destination 192.168.6.17, ports 53 TCP + 53 UDP (see firewall-policy.md note after Step 5). |
| Gateway or public DNS | Resolver reachable | Go to step 2. |
After any DHCP change, renew the vacuum’s lease (reboot robot or disconnect/reconnect WiFi).
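To confirm that the resolver handed out by DHCP is actually reachable through the zone firewall, the probe below sends one DNS query over UDP 53 and one over TCP 53 and reports each separately. It is an added example, not part of the original runbook; it assumes a test machine with Python 3 joined to the IoT VLAN, and the lookup name `example.com` is an arbitrary choice.

```python
import socket
import struct
import sys

def build_query(name, txid=0x5252):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_reply(query, data):
    """True if data is a DNS response (QR bit set) with the query's ID."""
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)

def probe_udp(server, name="example.com", port=53, timeout=2.0):
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))  # connected socket surfaces ICMP errors
            s.send(query)
            data = s.recv(4096)
        except OSError:  # timeout (silent drop), unreachable, no route
            return False
    return is_reply(query, data)

def probe_tcp(server, name="example.com", port=53, timeout=2.0):
    query = build_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(query)) + query)  # 2-byte length prefix
            data = s.recv(4096)
    except OSError:
        return False
    return is_reply(query, data[2:])

def check(server, **kw):
    return {"udp": probe_udp(server, **kw), "tcp": probe_tcp(server, **kw)}

if __name__ == "__main__":
    # Defaults are the addresses on this page: AdGuard (Servers) and the IoT gateway.
    for server in sys.argv[1:] or ["192.168.6.17", "192.168.7.1"]:
        r = check(server)
        state = {k: "ok" if v else "BLOCKED" for k, v in r.items()}
        print(f"{server}: udp/53={state['udp']} tcp/53={state['tcp']}")
```

A result of `BLOCKED` for 192.168.6.17 with `ok` for 192.168.7.1 matches the first table row: the resolver is up, but the IoT → Servers policy is dropping the query.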
2. AdGuard / filtering
If IoT DNS goes through AdGuard, check Query log for this client IP
(192.168.7.212) or disable blocking temporarily. Roborock / Xiaomi apps use
many cloud hostnames; aggressive blocklists often break them.
3. Internet egress
IoT → WAN should be allowed. In UniFi, confirm the client still shows traffic when the app tries to reach the vacuum. If bytes are zero, check WLAN captivity / wrong VLAN / PPPoE issues.
4. Time (NTP)
Rare, but if the device’s clock is wrong, TLS to cloud can fail. Ensure IoT can reach the internet (NTP is usually via pool servers on UDP 123).
5. Local control vs cloud
The official app is cloud-centric: your phone talks to Xiaomi/Roborock
servers; the vacuum talks outbound to the same. You do not need the phone
to open a TCP session to 192.168.7.212 for basic “start cleaning” unless you
use a mode that relies on LAN discovery.
If you run Home Assistant (or similar) on Servers and it opens inbound connections to the vacuum on IoT, ZBF may block Servers → IoT unless you add an explicit allow for that host/port. That is separate from “app says offline” via cloud.
6. WiFi / pairing
If DNS and filtering look fine: power-cycle the vacuum, confirm it is on the intended SSID for IoT / VLAN 5, and re-run setup in Mi Home / Roborock if the device was stuck mid-migration.