Netgate Discussion Forum

    Rules to allow Homekit across vlan

    Firewalling
    42 Posts 5 Posters 16.5k Views 10 Watching
    • RobbieTT @tknospdr

      @tknospdr
      Outside of the Thread / Matter stuff the devices can be regular network clients and the examples I used are comms directly over the VLAN IPv6 network. They will still work without it but the services provided will be more limited.

      For example, without the normal IPv6 connectivity an Apple HomePod will happily play Apple Music streamed via the WAN but it will not play a self-hosted (iTunes Home Sharing, port 3689) playlist hosted on a macOS client.

      ☕️

      • moosport @RobbieTT

        @RobbieTT said in Rules to allow Homekit across vlan:

        @moosport

        Did you add a port 5353 allow rule from your IoT VLAN to your main LAN?

        ☕️

        No, I have not. Currently the IoT VLAN only has access to the internet.
        Is only a UDP 5353 rule required? How do I capture traffic to figure out what other rules are needed?

        • tknospdr @RobbieTT

          @RobbieTT

          I have an unrelated question.
          How do you host images directly on this forum for inline posting?

          • rcoleman-netgate (Netgate) @tknospdr

            @tknospdr Copy/pasta

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

            • tknospdr

              Testing image embed...

              So these rules should be okay then?
              Screenshot 2023-07-30 at 4.07.31 PM.png

              Copy/pasta was too easy! I overlooked it.

              • moosport @moosport

                @moosport said in Rules to allow Homekit across vlan:

                @RobbieTT said in Rules to allow Homekit across vlan:

                @moosport

                Did you add a port 5353 allow rule from your IoT VLAN to your main LAN?

                ☕️

                No, I have not. Currently the IoT VLAN only has access to the internet.
                Is only a UDP 5353 rule required? How do I capture traffic to figure out what other rules are needed?

                8fe6c889-5989-4f12-9392-8a9498043fcf-image.png

                Added this rule to IoT VLAN but devices cannot be discovered from Main VLAN to be added to Homekit.

                • rcoleman-netgate (Netgate) @moosport

                  @moosport Do you have avahi installed? mDNS is not an internet protocol -- it's multicast.

                  • moosport @rcoleman-netgate

                    @rcoleman-netgate said in Rules to allow Homekit across vlan:

                    @moosport Do you have avahi installed? mDNS is not an internet protocol -- it's multicast.

                    Yes, it's installed and configured.

                    53223a9f-a6d7-42d9-a1db-3370ee176b5f-image.png
                    471e3332-e573-4523-b14d-46008dd64777-image.png
                    344313d9-c66a-4ccb-a32c-9cb29dde6023-image.png

                    • RobbieTT @moosport

                      @moosport I would enable IPv6 support for mDNS / Avahi. It has become more of a 'presumed' capability for HomeKit, rather than merely an option with no drawbacks.

                      ☕️

                      • moosport @RobbieTT

                        @RobbieTT said in Rules to allow Homekit across vlan:

                        @moosport I would enable IPv6 support for mDNS / Avahi. It has become more of a 'presumed' capability for HomeKit, rather than merely an option with no drawbacks.

                        ☕️

                        Will that be just IoT VLAN or for both main and IoT VLAN?

                        • tknospdr

                          I had to power cycle my pfS box and WAP today (was doing cable management...)
                          When everything came back up all my HomeKit devices were on wifi, but the Home app reported them as all offline.

                          I had to re-enable my ANY rules and move them to the top of my ruleset in order to get everything back. When I had them enabled but at the bottom of the list a few devices kept randomly dropping.

                          This is pretty obvious evidence that there are some other ports/protocols that need to be allowed for a happy HomeKit experience.

                          Here's a pic of my full set of rules, can anyone tell me what might be missing?

                          Screenshot 2023-08-05 at 11.36.00 PM.png

                          • rcoleman-netgate (Netgate) @tknospdr

                            @tknospdr said in Rules to allow Homekit across vlan:

                            I had to reenable my ANY rules and move them to the top of my ruleset in order to get everything back.

                            I would check your firewall logs for the things that are blocking them from communicating. I have no issues here but I also have limited HomeKit items and don't mind them being able to talk to many things.

                            Don't ask my other IoT devices what I think of them, though, they will hear you, reply, but they can't seek you out 😏

                            • tknospdr @rcoleman-netgate

                              @rcoleman-netgate
                              I've never parsed the logs in pfSense before.
                              What would I be looking for?

                              I checked out the logs and they're quite full of deny statements (obviously), how do I narrow down the scope of what I'm looking at?

                              • rcoleman-netgate (Netgate) @tknospdr

                                @tknospdr Check for the IP of your device(s). Click the funnel (sieve) icon on the top to filter the logs.
                                https://docs.netgate.com/pfsense/en/latest/monitoring/logs/index.html

                                • tknospdr @rcoleman-netgate

                                  @rcoleman-netgate

                                  Looks like the FW logs only keep the last 500 transactions.
                                  I guess all the relevant entries fell off the bottom.
                                  I got zero results for multiple IP addresses connected to IoT/HK devices that I know weren't responding.
                                  Looks like I'll have to disable my any rules again and wait till things break once more.

                                  The odd thing is I think they continue to work unless the wifi or power goes out, THEN they have issues reconnecting. So it might be some sort of initial handshake that's being rejected.

                                  Shouldn't take too long, the power company is moving my whole city's lines from overhead to underground so our power has been doing weird crap for the past few weeks.

                                  • johnpoz (LAYER 8 Global Moderator) @tknospdr

                                    @tknospdr said in Rules to allow Homekit across vlan:

                                    Looks like the FW logs only keep the last 500 transactions.

                                    You can edit that

                                    edit.jpg

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                    • tknospdr @johnpoz

                                      @johnpoz

                                      Odd, I upped it to 3000 entries and searched for the IP address of my garage door opener which I specifically remember was not connecting to the home app.

                                      There were no hits on it...

                                      • johnpoz (LAYER 8 Global Moderator) @tknospdr

                                        @tknospdr did you enable logging on pass rules? By default pfSense doesn't log allow rule traffic, only the default deny.

                                        Do you see the 5353 mDNS traffic? That would be a multicast destination. I have a couple of threads around here about troubleshooting Avahi, what rules you have to have to allow it to work, and how to validate via sniffing that your traffic is being sent on, etc.

                                        here is one of my troubleshooting avahi posts

                                        https://forum.netgate.com/topic/166642/mdns-struggles/11?_=1691526954616

                                        • tknospdr @johnpoz

                                          @johnpoz said in Rules to allow Homekit across vlan:

                                          @tknospdr did you enable logging on pass rules? By default pfSense doesn't log allow rule traffic, only the default deny.

                                          No, but I thought I was looking for deny rules as I'm trying to TS broken connections.

                                          Do you see the 5353 mDNS traffic? That would be a multicast destination. I have a couple of threads around here about troubleshooting Avahi, what rules you have to have to allow it to work, and how to validate via sniffing that your traffic is being sent on, etc.

                                          I see hundreds of these and I don't recognize either of the IP addresses, but I'm thinking they may be multicast addresses?

                                          Aug 8 14:07:13 ETH3 Block IPv4 link-local (1000000101) 169.254.1.1:5353
                                          Cannot resolve 224.0.0.251:5353
                                          Cannot resolve UDP

                                          here is one of my troubleshooting avahi posts

                                          https://forum.netgate.com/topic/166642/mdns-struggles/11?_=1691526954616

                                          I will read over this thread and see what I can grok.

                                            • johnpoz (LAYER 8 Global Moderator) @tknospdr

                                            @tknospdr said in Rules to allow Homekit across vlan:

                                            169.254.1.1:5353

                                            Not sure how that would do anything - that is an APIPA address, i.e. link-local for a single network. It wouldn't route across pfSense anyway, even if it got back an answer from its discovery of something that was on 192.168.x.x, etc.

                                            A 169.254 address is something a device normally gives itself when DHCP doesn't work. It could be used for discovering something on the local network - I think one of my DirecTV bridge devices used to send out SSDP from that IP range, etc. But it's pretty much just noise.

                                            I think there is a way to get 169.254 to be routed - I think there is a check box in pfSense somewhere to allow that. But that would not really be a solution, to be honest.

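The log triage that the last several posts describe by hand (filter the firewall log by a device's IP, then set aside link-local 169.254.x.x sources and mDNS-to-224.0.0.251 entries, which no routed pass rule will fix, and keep the unicast cross-VLAN blocks that an explicit rule would) can be scripted against an exported log. The Python below is an added example, not code from this thread or from pfSense. It assumes the one-entry-per-line layout of the log text quoted above (time, interface, action, rule description, rule id, source, destination, protocol); apart from the "IPv4 link-local (1000000101)" entry copied from the thread, every interface name, address and rule id in the sample is constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the firewall-log text quoted in this thread.
# Only the first entry is taken from the thread; the rest are made-up examples of
# an IoT VLAN (192.168.20.0/24) hitting the default deny towards a LAN host.
SAMPLE_LOG = """\
Aug 8 14:07:13 ETH3 Block IPv4 link-local (1000000101) 169.254.1.1:5353 224.0.0.251:5353 UDP
Aug 8 14:07:15 IOT Block Default deny rule IPv4 (1000000103) 192.168.20.31:5353 224.0.0.251:5353 UDP
Aug 8 14:07:16 IOT Block Default deny rule IPv4 (1000000103) 192.168.20.31:49152 192.168.10.5:3689 TCP
Aug 8 14:07:18 IOT Block Default deny rule IPv4 (1000000103) 192.168.20.44:51234 192.168.10.5:62000 TCP
Aug 8 14:07:20 LAN Block Default deny rule IPv4 (1000000103) 192.168.10.5:50000 192.168.20.31:80 TCP
"""

# Assumed field order; adjust the pattern if your export differs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+(?P<action>Block|Pass|Reject)\s+"
    r"(?P<rule>.+?)\s+\((?P<rid>\d+)\)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)$"
)

MDNS_PORT = 5353
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}


def split_endpoint(text):
    """'192.168.20.31:5353' or '[fe80::1]:5353' -> (ip_address, port)."""
    host, port = text.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_log(text):
    """Parse exported log lines; lines in another layout are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        entries.append({
            "ts": m["ts"], "iface": m["iface"], "action": m["action"],
            "rule": m["rule"], "rid": m["rid"], "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return entries


def classify(entry):
    """Sort a blocked entry into what a rule change could or could not fix."""
    src, dst = entry["src_ip"], entry["dst_ip"]
    if src.is_link_local:
        # 169.254.x.x / fe80:: sources are never routed between VLANs: noise.
        return "noise-link-local"
    if dst in MDNS_GROUPS and entry["dst_port"] == MDNS_PORT:
        # mDNS to its multicast group needs a reflector (Avahi), not a routed pass rule.
        return "mdns"
    if dst.is_multicast:
        return "multicast-other"
    # Unicast between two networks: the kind of block an explicit pass rule addresses.
    return "unicast-cross-vlan"


def summarize(text, device_ips=()):
    """Like the GUI's funnel filter: keep blocks involving device_ips (all if empty),
    group them by class and count the unicast flows worth a specific allow rule."""
    wanted = {ipaddress.ip_address(ip) for ip in device_ips}
    by_class = defaultdict(list)
    candidates = Counter()
    for e in parse_log(text):
        if e["action"] != "Block":
            continue
        if wanted and e["src_ip"] not in wanted and e["dst_ip"] not in wanted:
            continue
        cls = classify(e)
        by_class[cls].append(e)
        if cls == "unicast-cross-vlan":
            key = (e["iface"], str(e["src_ip"]), str(e["dst_ip"]), e["dst_port"], e["proto"])
            candidates[key] += 1
    return {"by_class": dict(by_class), "candidate_rules": candidates}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for cls, items in result["by_class"].items():
        print(f"{cls}: {len(items)} blocked entries")
    print("unicast blocks worth a specific rule (iface, src, dst, dport, proto):")
    for key, n in result["candidate_rules"].most_common():
        print(f"  {n:3d}x {key}")
```

The point of the split is that only the "unicast-cross-vlan" bucket justifies a new pass rule, and each candidate names the interface, destination host, port and protocol, so the rule can stay that narrow instead of the "any" rules the thread fell back on; the link-local and mDNS buckets are where the time would otherwise be wasted. Pass-rule logging is still off by default, as noted above, so this only ever sees what the default deny dropped.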
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.