Netgate Discussion Forum

Rules to allow Homekit across vlan

Firewalling
    moosport
    last edited by Jul 30, 2023, 5:14 AM

    I have moved all IoT devices to a separate vlan. Re-adopted all devices in the IoT vlan using an iPhone connected to the IoT wifi.

    Homekit can't access the devices from main vlan. For now I have control through Homebridge. But I like to have Homekit have direct control.

    Avahi/mdns is configured to broadcast across subnets. There is no restriction from main to IoT vlan.

    How to determine what is being blocked? Or capture traffic not being passed to IoT vlan?

      RobbieTT @moosport
      last edited by Jul 30, 2023, 8:30 AM

      @moosport

      Did you add a port 5353 allow rule from your IoT VLAN to your main LAN?

      ☕️

        tknospdr @RobbieTT
        last edited by Jul 30, 2023, 1:54 PM

        @RobbieTT said in Rules to allow Homekit across vlan:

        @moosport

        Did you add a port 5353 allow rule from your IoT VLAN to your main LAN?

        ☕️

        Working out a similar set of rules for my own network.
        What's the proper protocol for that rule? UDP only or TCP/UDP?
        Also, does it need to go to the network, or can you restrict it to just the IPs of the HomeKit hubs?

        Right now my rules are TCP/UDP from IoT net on any port, to IPs of hubs on any port and gateway.
        I wouldn't mind being more restrictive as long as I don't break anything.

        Do HomeKit devices ever need to initiate a conversation with a random device besides their hubs?

          RobbieTT @tknospdr
          last edited by RobbieTT Jul 30, 2023, 3:29 PM; posted Jul 30, 2023, 2:55 PM

          @tknospdr
          I use this 5353 UDP rule on my (IoT) VLAN and include IPv6:


          I also have the somewhat odd-looking block rule below it just to stop the logs being spammed.

          (My IoT / Untrusted network is called "VLAN" and my main trusted LAN is called "LAN", with dedicated management on "MAN" - radical, I am not...)

          Yes, HomeKit devices need to communicate directly with each other for some services (hand-off, iTunes server access, macOS etc) and for some device coordination, as well as direct comms to the hub.

          ☕️

            tknospdr @RobbieTT
            last edited by tknospdr Jul 30, 2023, 3:47 PM; posted Jul 30, 2023, 3:45 PM

            @RobbieTT said in Rules to allow Homekit across vlan:

            Yes, HomeKit devices need to communicate directly with each other for some services (hand-off, iTunes server access, macOS etc) and for some device coordination, as well as direct comms to the hub.

            Sorry, I should have been more clear. I meant talk to other devices outside their own subnet that they initiate. I understand they'll reply to requests from outside per the way stateful works.

              RobbieTT @tknospdr
              last edited by Jul 30, 2023, 3:59 PM

              @tknospdr
              Outside of the Thread / Matter stuff the devices can be regular network clients and the examples I used are comms directly over the VLAN IPv6 network. They will still work without it but the services provided will be more limited.

              For example, without the normal IPv6 connectivity an Apple HomePod will happily play Apple Music streamed via the WAN but it will not play a self-hosted (iTunes Home Sharing, port 3689) playlist hosted on a macOS client.

              ☕️

                moosport @RobbieTT
                last edited by Jul 30, 2023, 5:16 PM

                @RobbieTT said in Rules to allow Homekit across vlan:

                @moosport

                Did you add a port 5353 allow rule from your IoT VLAN to your main LAN?

                ☕️

                No, I have not. Currently the IoT vlan only has access to the internet.
                Is the UDP 5353 rule the only one required? How do I capture traffic to figure out what other rules are needed?

                  tknospdr @RobbieTT
                  last edited by Jul 30, 2023, 6:43 PM

                  @RobbieTT

                  I have an unrelated question.
                  How do you host images directly on this forum for inline posting?

                    rcoleman-netgate Netgate @tknospdr
                    last edited by Jul 30, 2023, 6:53 PM

                    @tknospdr Copy/pasta

                    Ryan
                    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                    Requesting firmware for your Netgate device? https://go.netgate.com
                    Switching: Mikrotik, Netgear, Extreme
                    Wireless: Aruba, Ubiquiti

                      tknospdr
                      last edited by Jul 30, 2023, 8:08 PM

                      Testing image embed...

                      So these rules should be okay then?

                      Copy/pasta was too easy! I overlooked it.

                        moosport @moosport
                        last edited by Jul 30, 2023, 9:11 PM

                        @moosport said in Rules to allow Homekit across vlan:

                        @RobbieTT said in Rules to allow Homekit across vlan:

                        @moosport

                        Did you add a port 5353 allow rule from your IoT VLAN to your main LAN?

                        ☕️

                        No, I have not. Currently the IoT vlan only has access to the internet.
                        Is the UDP 5353 rule the only one required? How do I capture traffic to figure out what other rules are needed?


                        Added this rule to IoT VLAN but devices cannot be discovered from Main VLAN to be added to Homekit.

                          rcoleman-netgate Netgate @moosport
                          last edited by rcoleman-netgate Jul 30, 2023, 9:12 PM; posted Jul 30, 2023, 9:12 PM

                          @moosport Do you have avahi installed? mDNS is not an internet protocol -- it's multicast.


                            moosport @rcoleman-netgate
                            last edited by Jul 30, 2023, 10:14 PM

                            @rcoleman-netgate said in Rules to allow Homekit across vlan:

                            @moosport Do you have avahi installed? mDNS is not an internet protocol -- it's multicast.

                            Yes, it's installed and configured.


                              RobbieTT @moosport
                              last edited by Jul 31, 2023, 10:55 AM

                              @moosport I would enable IPv6 support for mDNS / Avahi. It has become more of a 'presumed' capability for HomeKit, rather than merely an option with no drawbacks.

                              ☕️

                                moosport @RobbieTT
                                last edited by Jul 31, 2023, 5:27 PM

                                @RobbieTT said in Rules to allow Homekit across vlan:

                                @moosport I would enable IPv6 support for mDNS / Avahi. It has become more of a 'presumed' capability for HomeKit, rather than merely an option with no drawbacks.

                                ☕️

                                Will that be just IoT VLAN or for both main and IoT VLAN?

                                  tknospdr
                                  last edited by Aug 6, 2023, 3:36 AM

                                  I had to power cycle my pfS box and WAP today (was doing cable management...)
                                  When everything came back up all my HomeKit devices were on wifi, but the Home app reported them as all offline.

                                  I had to reenable my ANY rules and move them to the top of my ruleset in order to get everything back. When I had them enabled but at the bottom of the list a few devices kept randomly dropping.

                                  This is pretty obvious evidence that there are some other ports/protocols that need to be allowed for a happy HomeKit experience.

                                  Here's a pic of my full set of rules, can anyone tell me what might be missing?


                                    rcoleman-netgate Netgate @tknospdr
                                    last edited by Aug 6, 2023, 3:04 PM

                                    @tknospdr said in Rules to allow Homekit across vlan:

                                    I had to reenable my ANY rules and move them to the top of my ruleset in order to get everything back.

                                    I would check your firewall logs for the things that are blocking them from communicating. I have no issues here but I also have limited HomeKit items and don't mind them being able to talk to many things.

                                    Don't ask my other IoT devices what I think of them, though, they will hear you, reply, but they can't seek you out 😏


                                      tknospdr @rcoleman-netgate
                                      last edited by Aug 7, 2023, 2:53 PM

                                      @rcoleman-netgate
                                      I've never parsed the logs in pfSense before.
                                      What would I be looking for?

                                      I checked out the logs and they're quite full of deny statements (obviously), how do I narrow down the scope of what I'm looking at?

                                        rcoleman-netgate Netgate @tknospdr
                                        last edited by Aug 7, 2023, 2:54 PM

                                        @tknospdr Check for the IP of your device(s). Click the funnel (sieve) icon on the top to filter the logs.
                                        https://docs.netgate.com/pfsense/en/latest/monitoring/logs/index.html


                                          tknospdr @rcoleman-netgate
                                          last edited by Aug 8, 2023, 3:41 PM

                                          @rcoleman-netgate

                                          Looks like the FW logs only keep the last 500 transactions.
                                          I guess all the relevant entries fell off the bottom.
                                          I got zero results for multiple IP addresses connected to IoT/HK devices that I know weren't responding.
                                          Looks like I'll have to disable my any rules again and wait till things break once more.

                                          The odd thing is I think they continue to work unless the wifi or power goes out, THEN they have issues reconnecting. So it might be some sort of initial handshake that's being rejected.

                                          Shouldn't take too long, the power company is moving my whole city's lines from overhead to underground so our power has been doing weird crap for the past few weeks.

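As an added worked example (not from any of the posts above), here is one way to do the log filtering rcoleman-netgate suggests over the raw filterlog text instead of the 500-entry GUI view: it parses pfSense filterlog lines, keeps the blocked entries whose source is one of your IoT device addresses, and groups them by destination and port so repeated denies collapse into the short list of flows a rule is still missing for. The log lines, addresses and rule numbers are constructed; the field layout is the pfSense filterlog CSV format for IPv4 and IPv6 entries.

```python
"""Summarise blocked flows per IoT device from pfSense filterlog lines (added example)."""
import re
from collections import Counter

# Constructed sample in the pfSense filterlog CSV layout; addresses and rule numbers are made up.
# Common prefix: rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver,...
SAMPLE_LOG = """\
Aug  8 15:40:01 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,255,1,0,none,17,udp,72,192.168.20.50,224.0.0.251,5353,5353,52
Aug  8 15:40:02 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.20.50,192.168.10.10,49152,3689,0,S,123456,,65535,,mss
Aug  8 15:40:03 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,6,0x00,0x00000,255,udp,17,52,fd00:20::50,ff02::fb,5353,5353,52
Aug  8 15:40:04 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.20.77,203.0.113.10,50000,443,0,S,1,,65535,,mss
Aug  8 15:40:05 pfSense filterlog[1234]: 90,,,1000000104,igb1.20,match,pass,in,4,0x0,,64,4,0,DF,17,udp,72,192.168.20.50,192.168.10.10,5353,5353,52
Aug  8 15:40:06 pfSense filterlog[1234]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,255,5,0,none,17,udp,72,192.168.20.50,224.0.0.251,5353,5353,52
"""
DEVICE_IPS = {"192.168.20.50", "fd00:20::50"}  # constructed v4 and v6 addresses of one IoT device
FILTERLOG = re.compile(r"filterlog\[\d+\]: (.*)$")


def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if it is not a filterlog entry."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4":
        # IPv4 tail: tos,ecn,ttl,id,offset,flags,proto_id,proto,length,src,dst[,sport,dport,datalen,...]
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif rec["ipver"] == "6":
        # IPv6 tail: class,flowlabel,hlim,proto,proto_id,length,src,dst[,sport,dport,datalen,...]
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    rec.update(proto=proto, src=src, dst=dst)
    # Only TCP and UDP entries carry port fields; ICMP and others leave them unset.
    has_ports = proto in ("tcp", "udp") and len(rest) >= 2
    rec["sport"] = int(rest[0]) if has_ports else None
    rec["dport"] = int(rest[1]) if has_ports else None
    return rec


def blocked_flows(log_text, device_ips):
    """Count blocked (proto, dst, dport) flows initiated by the given device addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["src"] in device_ips:
            counts[(rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (proto, dst, dport), n in blocked_flows(SAMPLE_LOG, DEVICE_IPS).most_common():
        print(f"{n:4d}  {proto:4s} -> {dst}:{dport}")
```

On a pfSense box the same function can be pointed at the contents of the filter log file, which holds far more than the 500 entries the GUI view shows.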
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.