TL;DR Version: Your iOS devices should be able to connect to the HomeKit Devices on port 80 and 443, and mDNS should work between VLANs.
In previous posts, I discussed why and how to set up multiple VLANs and now all those Internet-connected devices are away from the LAN where your laptops and NAS sit. Then you realize, my iOS devices on the secure VLAN can no longer connect to my HomeKit-enabled devices on the Device VLAN. This post discusses how to add selective Firewall rules to allow HomeKit functionality.
HomeKit uses the HAP Protocol, which actually uses peer-to-peer connectivity for really fast action when you try to perform actions. If your device is unable to reach the HomeKit device, it will, through iCloud, try to perform the HomeKit action through your hub (such as Apple TV). If your hub is unable to reach the HomeKit device, the request will fail. If your hub is in the right VLAN and does reach it, it will work, however, it will be slower than if it had worked directly from your device. And believe me, 500ms of lag when trying to turn on the lights can be a significant pain.
The following settings are added to make it work. Note: This is not the most restrictive configuration possible. I am sure you can lock it down more, especially if everything you have has known hostnames or assigned IPs that do not change.
- Allow your secure VLAN to connect to port 80 and 443 of Device VLAN. You can do this via IP to IP + port rules, or, if you do not mind your secure VLAN reaching the Device VLAN, simply add allow rule to in direction of your secure VLAN for port 80 and 443 with destination Device VLAN. You can make this more restrictive by only allowing the static or reserved IPs of devices you use with HomeKit. Be sure to include your hub so your schedules work when you’re away.
- Allow established/related packets from Device VLAN (direction: in).
- ensure mDNS can traverse through VLANs. An mDNS message is a multicast UDP packet to/from IPv4 address of 224.0.0.251 and UDP port 5353. This means the combination of:
- mDNS reflector or multicast repeater is enabled. I prefer enabling mDNS repeater between the device VLAN and secure VLAN’s interfaces, i.e.,
switch0.10 and switch0.20. Note that mDNS reflector enables mDNS on ALL interfaces, including the WAN interface, thus it is bad. - If the default action for
DEVICE_LOCAL (traffic from the device VLAN to the router) is drop, create a rule that allows mDNS traffic.
To add devices to HomeKit, you need to:
- Disable Guest Isolation on your Device wireless netowrk while you pair the devices (the pairing process seems to require p2p connectivity for some devices, and in any case, some apps will force you to send WiFi settings from your phone, preventing you from being on the main SSID while you do this).
- Join your IoT SSID with your phone.
- Add the device to HomeKit.
- Turn the lights on and off and on and off and on and off. And on and off and on and off.
- Re-enable guest isolation on your IoT SSID.
Credit: This post is a combination of Guillaume Ross’s solution of installing Avahi on the router and John Reed’s solution to allow Bonjour/mDNS on EdgeOS. The solution is improved by using mDNS repeater instead of mDNS reflector.
This is the post series. Other posts can be found under HomeNetwork tag.
FAQs
While many HomeKit devices work using standalone apps, you'll need one of the following hubs in your home for remote access controls through the Apple Home app: HomePod, Apple TV, and iPad. Without a hub, the Apple Home app works only with devices in Bluetooth range or on the same Wi-Fi network.
Are VLANs useful in a home network? ›
VLAN Uses on A Home Network
On Home networks the main use is for security where you want to isolate certain devices from each other.
What ports are required for HomeKit? ›
If you have a firewall configured on your Home Assistant system, make sure you open the following ports:
- UDP: 5353.
- TCP: 21063 (or the configured/used port in the integration settings).
Essentially, HomeKit Secure Routers create custom firewalls and device-specific hardware keys for each of your HomeKit accessories, allowing you to control what services and devices they can connect to—just with an added emphasis on simplicity.
Should I put my smart home devices on a separate network? ›
By putting all your IoT devices on a separate network you improve security. You cut that bridge that hackers use to go from an IoT device to another device on the same network. Such as those that hold sensitive information (computers and mobile devices).
How do I make sure both devices are on the same Wi-Fi network? ›
Step 1. Check the Wi-Fi network of your phone or tablet
- Open your device's Settings app.
- Tap Network & internet. Internet.
- The Wi-Fi network labeled "Connected" is the network your phone or tablet is connected to.
- If your Wi-Fi network doesn't match, or if you need to change the network: Tap a new network. enter password.
Disadvantages of VLAN
- A packet can leak from one VLAN to other.
- An injected packet may lead to a cyber-attack.
- Threat in a single system may spread a virus through a whole logical network.
- You require an additional router to control the workload in large networks.
- You can face problems in interoperability.
VLANs provide a number of advantages including ease of administration, confinement of broadcast domains, reduced network traffic, and enforcement of security policies.
Do you need to use VLANs in all networks? ›
Do I have to have VLANs? In short – no. If you are running a relatively small network infrastructure with a small amount of devices which are not creating a large amount of broadcast traffic then there probably is not the requirement for a fully blown VLAN architecture.
Do you need an Ethernet cable for HomeKit? ›
Also, not very many HomeKit devices provide Ethernet connections. Wi-Fi devices connect directly to your home's Wi-Fi system, so no other equipment is needed. Speeds and distances will be based on your Wi-Fi system. Most HomeKit devices can only connect to your 2.4GHz band.
The best HomeKit routers you can buy
- Amazon eero 6 dual-band mesh Wi-Fi 6 system. ...
- Linksys MX4200 Velop Mesh Wi-Fi 6 System: AX4200. ...
- Amazon eero Pro 6 - tri-band mesh Wi-Fi 6 system. ...
- Linksys MX12600 Velop Intelligent Mesh Wi-Fi 6 System. ...
- Amazon eero 6 - dual-band mesh Wi-Fi 6 router by Amazon.
You can have as many HomeKit hubs as you want, and they will all work together. For example, I have Bluetooth temperature sensors throughout my home. Normally, Bluetooth only works within about 30ft, and doesn't penetrate walls very well.
Do you need a HomeKit router to use HomeKit? ›
You need a HomeKit Secure Router to use the additional security features that they bring to HomeKit. Currently, there are just three listed routers available: Eero, Eero Pro and the Linksys Velop Mesh Wi-Fi System – Tri-Band.
Is there a security system that works with HomeKit? ›
Abode Iota All-in-One Security Kit with Integrated Camera, Alarm, Key Fob, Motion & Door/Window Sensors - DIY Installation - Optional Professional Monitoring - Works with HomeKit, Alexa & Google Home.
Why connect router to HomeKit? ›
Add more protection to your HomeKit accessories by controlling which services and devices they communicate with on your home Wi-Fi network and over the internet.
Can I use HomeKit when away from Home? ›
In the Home app , you can control your accessories even when you're away from home. To do so, you need a home hub—a device such as Apple TV (4th generation or later) or HomePod.
How do I change Wi-Fi on HomeKit? ›
Tap the More button , then select Home Settings. If you have multiple homes, choose the home where you put your router. Scroll down and tap Wi-Fi Network & Routers. Then tap an accessory to change the level of connection security.
