Issue with Apple Home + Hue bridge / IOT in separate VLANS



  • EDIT/workaround:
    I just removed any VLAN related to HueBridge and Draytek AP SSID and iPhones and voilà, Bridge could be connected with Home App.
    With the Bridge registered in Home App and reverting the changes back to the one shown above (Number 2) I can "operate" anything from Hue App and Home App.

    So the issue I am facing here is just the way Home App tries to discover the bridge. Anyone could think about what the problem can be? Where to tweak?

    Hey there,

    to make a long story short, I have 2 issues.
    First one is more like "best practice advice" I am looking for, second is searching for the wisdom of the network gurus on how to achieve getting Hue Bridge / IoT running with Apple Home app.

    1. My actual setup is the following:
    WAN <--> pfSense --> LAN --> VLAN capable Netgear Switch --> all home devices (untagged VLAN 1)
                    |                                       |--> Hue Bridge (untagged with PVID to force VLAN 74)
                    |--> OPT1 --> Draytek AP902 --> SSID1 (phones, tablets) tagged VLAN 73
                                               |--> SSID2 (IoT) tagged VLAN 74
    

    The switch can handle tagged and untagged ports.

    This creates the following devices:

    • WAN
    • LAN (10.10.0.64/27)
    • OPT1 (10.10.1.64/27)
    • VLAN73 on OPT1 (10.10.73.64/27)
    • VLAN74 on OPT1 (10.10.74.64/27)
    • VLAN74 on LAN (10.10.77.64/27)

    Each of them has DHCP running with fixed mappings which puts my Hue Bridge into the 10.10.77.64/27 network, away from all other IoT.
    I decided to go this way for a more or less unknown reason, just thought I can utilize the 3rd port on the ALIX board before "wasting" one more on the switch for the Draytek AP.
    Guess for the seldom "setup" of devices when putting the iPhone into SSID2 VLAN74 for a while it would save me some pain when I move the Draytek towards the Switch.

    This would lead to:

    WAN <--> pfSense --> LAN --> VLAN capable Netgear Switch --> all home devices (untagged VLAN 1)
                                                            |--> Hue Bridge (untagged with PVID to force VLAN 74)
                                                            |--> Draytek AP902 --> SSID1 (phones, tablets) tagged VLAN 73
                                                                              |--> SSID2 (IoT) tagged VLAN 74
    
    • WAN
    • LAN (10.10.0.64/27)
    • VLAN73 on LAN (10.10.73.64/27)
    • VLAN74 on LAN (10.10.74.64/27)

    Fewer interfaces, less administration, fewer possible failures. Would you consider this as well more practicable?

    2. Regardless of whatever setup, while I would consider having the latter setup soon as long as there are not any concerns I might have forgotten to think about, what is needed (protocols? ports? pfSense packages? anything else?) to get the Hue Bridge on VLAN74 being able to talk to the Home App on iPhone/iPad on VLAN73?

    After a lot of trial and error, scrolling up and down the internet, I got it temporarily working with Avahi. iPhone and iPad lose connectivity to the bridge every few minutes. I fired up a Bonjour browser and could see the HueBridge spawning several entities there, so some kind of a reset and broadcast of a new available service. It counts like HueBridge-1, HueBridge-2, HueBridge-3 ... HueBridge-xx.

    As far as I know it's sufficient to "search" and "connect" the bridge and the devices once to the Home App while you can operate them later also off the same VLAN. This is what I want to achieve. For setup I could temporarily move iPhone and iPad to IoT VLAN 74 but then have them back in normal use VLAN 73.

    Thanks in advance for the heads up.
    Rgds
    Hoschi


  • Galactic Empire

    @hoschi78 said in Issue with Apple Home + Hue bridge / IOT in separate VLANS:

    Hue Bridge

    Your Hue bridge needs to be in the IOT VLAN along with all the other Homekit devices.

    FWIW I struggled to get Homekit to work with AVAHI enabled and you don't need it if all the IOT device are in a single VLAN.

    If your iDevices are in a different VLAN to the Homekit devices, it just works as expected when you're away from home.

    https://forum.netgate.com/assets/uploads/files/1530536387414-drawing1.png



  • Thanks for the reply and detailed picture.
    Maybe I didn't make it clear enough. I had no issues connecting with the Hue App on iPhone to the Hue Bridge, but the Home App didn't find the bridge, or even with Avahi it found it but then only works like "once in a while".

    For me it's not important to remote control IoT for now while I am away (at least not right now), would just come handy to have the lights switch on when I return from work after sunset w/o activating Philips cloud stuff, the easy things in life :)

    So a simple firewall rule "allow iphone in vlan73 to access bridge in vlan74" is all I need ? Somehow sounds too easy :)


  • Galactic Empire

    Do you have a Homehub?

    https://support.apple.com/en-gb/HT207057

    The -1, -2 -3 is caused by AVAHI, you don’t need AVAHI if all the IOT devices are on the same subnet.



  • I don't have a HomeHub yet, no. For now I would use my iPad as control instance (once the main issues are resolved)

    I connected my iPhone to the VLAN74 SSID on the Draytek AP; the switch port where it is connected is set to tagged for VLAN74.
    The HueBridge is connected to another port on that switch set U/P VLAN74.
    edit: The port on pfSense where the switch connects to has also a VLAN74 attached

    Philips Hue App connects to bridge like a charm, Apple Home App does not see anything.

    All interfaces (except WAN) firewall rules are set to "allow ipv4 any protocol to all" for testing purposes.
    Nothing active - no Avahi, no igmp proxy, no nat, no upnp.

    I can even ping from my PC, let it be pc1.home, which is on another LAN segment and no VLAN to huebridge.iot. My browser on PC and iPhone can http to huebridge.iot. So "ipv4" seems to be fine.

    I can simply not register the bridge on the Home App on the iPhone, so it seems I miss something. Afaik Apple uses Bonjour, but there is no rule which would block that. This is the point where I am lost because of just no better knowledge.


  • Galactic Empire

    You need a home hub to see the Hue controller & bulbs in the home app, they need to be on the same subnet.

    Try it using your iPad as a home hub.



    AFAIK you only need a HomeHub for stuff like "switch light off when my iPhone leaves the house". But now, regardless of Avahi being enabled or not, I can't see the bridge anymore in the Home App while it works like a charm with the Hue App.
    Despite that, iPad is set already to be the Home Hub.

    Now, with setup 2 from the initial post and Avahi enabled, I can't see the bridge showing up in the Home app on iPhone and iPad when I search for a bridge, regardless of the iPad being home hub or not, regardless if I am in the same or another subnet. Drives me crazy.

    Connection is now as follows:
    HueBridge (192.168.74.79) <--> untagged VLAN74 / PVID 74 <--> Port 13 Netgear Switch
    iPhone (192.168.74.80) <--> Draytek AP with IOT SSID VLAN74 tagged <--> Port 14 Netgear Switch VLAN74 tagged
    PFSense with VLAN74 on LAN (192.168.74.78) <--> Port 16 Netgear Switch VLAN74 tagged

    From my limited network understanding, as everything is in the same subnet, same VLAN, this should create a single broadcast domain, and as long as there are no special rules set like "isolate SSID members" on the AP or a firewall ruleset forbidding traffic of any kind, it should just simply work, right? Whatever broad- or multicast is sent, it stays in the same network/domain/whatever.

    Is there anything else I could provide to better investigate this issue ? Something I might have missed to explain ? Something I can check (and how?).

    One thing which came to my mind right now: when I used Avahi I needed to configure the domain names I used. DHCP is set to domain name "iot" for IoT devices like huebridge.iot. The standard setting for Avahi was ".local", so I changed my IoT devices as well to ".local", but also no success. It simply does not show up anymore.

    EDIT:
    I just removed any VLAN related to HueBridge and Draytek AP SSID and iPhones and voilà, Bridge could be connected with Home App.
    With the Bridge registered in Home App and reverting the changes back to the one shown above (Number 2) I can "operate" anything from Hue App and Home App.

    So the issue I am facing here is just the way Home App tries to discover the bridge. Anyone could think about what the problem can be? Where to tweak?
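The poster is right that the Home app relies on Bonjour: HomeKit accessories announce themselves as `_hap._tcp.local` over multicast DNS (UDP 224.0.0.251, port 5353), and link-local multicast does not cross a routed VLAN boundary, so a unicast ping or HTTP to the bridge proves nothing about discovery. The script below is an added example, not code from the thread or from Philips or Apple; it decodes an mDNS response, lists the HomeKit instances with their SRV target/port and TXT keys, and can be pointed at a live interface to check which VLAN actually hears the bridge. The announcement it parses offline is constructed by hand (the instance name, host name, id and model values are made up, not a capture).

```python
"""Passive mDNS (Bonjour) decoder listing HomeKit (_hap._tcp) accessories seen on one VLAN.

Added example, not from the original thread. parse_mdns() decodes a raw mDNS response,
hap_services() extracts the HomeKit instances, listen() runs the decoder on a live
interface, and build_sample() produces a hand-constructed announcement for offline use.
"""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33


def read_name(data, offset):
    """Read a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer back into an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_mdns(data):
    """Return [(name, rtype, rdata)] for every answer/authority/additional record."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    offset = 12
    for _ in range(qd):  # questions carry nothing we need: skip name + type/class
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            rdata, _ = read_name(data, offset)
        elif rtype == TYPE_SRV:
            _, _, port = struct.unpack("!3H", data[offset:offset + 6])
            target, _ = read_name(data, offset + 6)
            rdata = (target, port)
        elif rtype == TYPE_TXT:  # sequence of length-prefixed "key=value" strings
            rdata, pos = {}, offset
            while pos < offset + rdlen:
                ln = data[pos]
                key, _, val = data[pos + 1:pos + 1 + ln].decode("ascii", "replace").partition("=")
                rdata[key] = val
                pos += 1 + ln
        else:
            rdata = data[offset:offset + rdlen]
        records.append((name, rtype, rdata))
        offset += rdlen
    return records


def hap_services(records):
    """Map each _hap._tcp instance to its SRV target/port and TXT keys (id, md, c#, sf, ...)."""
    found = {rdata: {} for name, rtype, rdata in records
             if rtype == TYPE_PTR and name == "_hap._tcp.local"}
    for name, rtype, rdata in records:
        if name in found and rtype == TYPE_SRV:
            found[name]["target"], found[name]["port"] = rdata
        elif name in found and rtype == TYPE_TXT:
            found[name]["txt"] = rdata
    return found


def listen(interface_ip, seconds=5):
    """Join the mDNS group on the interface with this IP and return HomeKit services heard."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                    socket.inet_aton(MDNS_GROUP) + socket.inet_aton(interface_ip))
    sock.settimeout(seconds)
    seen = {}
    try:
        while True:
            data, _ = sock.recvfrom(9000)
            try:
                seen.update(hap_services(parse_mdns(data)))
            except (struct.error, IndexError):
                pass  # truncated or malformed packet: ignore it
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


def _name(s):  # wire-format DNS name, no compression
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _rr(name, rtype, rdata):  # class 0x8001 = IN plus the mDNS cache-flush bit, TTL 120s
    return name + struct.pack("!HHIH", rtype, 0x8001, 120, len(rdata)) + rdata


def build_sample():
    """Hand-constructed announcement shaped like a HomeKit bridge's (values are made up)."""
    header = struct.pack("!6H", 0, 0x8400, 0, 1, 0, 2)  # response; 1 answer, 2 additional
    svc, inst = _name("_hap._tcp.local"), _name("Hue Bridge._hap._tcp.local")
    inst_ptr = struct.pack("!H", 0xC000 | (len(header) + len(svc) + 10))  # pointer to inst
    srv = struct.pack("!3H", 0, 0, 80) + _name("Philips-hue.local")
    txt = b"".join(bytes([len(t)]) + t.encode()
                   for t in ("id=AA:BB:CC:DD:EE:FF", "md=BSB002", "c#=12", "sf=1"))
    return header + _rr(svc, TYPE_PTR, inst) + _rr(inst_ptr, TYPE_SRV, srv) + _rr(inst_ptr, TYPE_TXT, txt)


if __name__ == "__main__":
    for instance, info in hap_services(parse_mdns(build_sample())).items():
        print(instance, info)
```

To use it as a check, run `listen("10.10.73.x")` from a host on the user VLAN and again from one on the IoT VLAN (the IP selects which interface joins the multicast group): the bridge should appear on the IoT VLAN and, without a reflector, be absent on the user VLAN. The listener is purely passive and only sees announcements the bridge sends during the window, so allow a generous timeout. Seeing the same instance name reappear with `-1`, `-2` suffixes in the output is the name-conflict behaviour described in the thread.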


  • Netgate Administrator

    Unless I'm missing something here it looks like you could just connect to SSID2 in order to 'discover' new devices and then switch back to SSID1 if the home app is then able to connect via IP directly.

    Steve



    This was my thought too, but due to an error I obviously made, "all in IoT VLAN" does not work; the bridge is simply not discovered. I might set it up from scratch and give it a new try.

    As long as the iPad stays in IoT VLAN it's working when iPhone leaves IoT VLAN using control over the internet. This is what NogBadTheBad was talking about. Not quite what I expected or wanted, but understandable if there is nothing what could take care about those requests locally, so I might go for an Home Pod or check if I can switch to FHEM.


  • Galactic Empire

    @hoschi78

    Try googling homebridge, you could run it on a raspberry pi, it's a bit of a PITA to configure.

    I have one set up to control my non HomeKit devices (Dyson Fan & Nest Protect devices) from the home app.

    There is a Hue plugin.



    Thanks for the hint. I don't think that after what I figured out today, Apple Home will be "my thing". Of course I could set up "something" in the IoT VLAN which connects to Home and I can connect from the iPhone in another VLAN, but if I didn't do it wrong, it always uses the internet to execute commands, meaning:
    iPhone Home App --> Internet --> control server --> back home --> iPad --> IoT devices

    I can clearly see a delay between pushing the button in the Home App and, when I sniff on the interfaces, I can see outgoing and incoming connections.

    What I'm curious about: except some avahi/mdns/zeroconf stuff, there is nothing I could do to keep it local when the iPhone is on the user WLAN/VLAN while the hue bridge is still in the IoT VLAN? That's where my network skills leave me alone.

    You might also check FHEM if you didn't already.