
DominikHoffmann (macrumors 6502, Original poster), Jan 15, 2007, Indiana
I am wondering how to properly emulate HomeKit router behavior with a router capable of setting up several network segments and firewall rules between them.

My router/firewall/internet gateway (a Netgate 1100) is set up with separated LAN, guest and IoT networks. These have corresponding SSIDs, and my access points (APs) are VLAN capable, so that I can have those APs provide separate Wi-Fi access to each of the networks.

Because I don’t want a home automation accessory (I am especially suspicious of those with Chinese chipsets) that’s gone rogue to wreak havoc on my home network, or even spy on me, I have all my HomeKit accessories connect to the IoT network. Firewall rules allow free access to the IoT network from the LAN and no access to the LAN from the IoT network, except for port 3689 (Apple’s Digital Audio Access Protocol—DAAP—for iTunes library sharing and AirPlay). This is equivalent to the typical setup of a router situated between a LAN and the internet in that all outbound LAN traffic is allowed and most or all inbound traffic is blocked (unless initiated by a LAN → internet request).

For proper functionality, should I open additional IoT → LAN ports? If so, which and why?

P.S.: Since starting this post I have also learned that I need to have mDNS (supplied by Bonjour on Apple devices) turned on. On my Netgate 1100 it is provided by the open-source Avahi package, which I have configured to bridge mDNS packets between my LAN and IoT networks.
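As an added illustration (not the poster's configuration and not pfSense code), the following Python model captures the stateful LAN/IoT policy described in the post: the LAN may initiate anything toward IoT, replies return by state rather than by rule, only TCP 3689 is admitted from IoT toward the LAN, and mDNS multicast is never routed, which is why a reflector such as Avahi is needed for cross-segment discovery. The subnets and addresses are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed subnets for illustration; the post does not state its addressing.
LAN = ip_network("192.168.10.0/24")
IOT = ip_network("192.168.20.0/24")
MDNS_GROUP = ip_address("224.0.0.251")  # 224.0.0.0/24 is link-local scope: routers never forward it
DAAP_PORT = 3689                        # the single IoT -> LAN exception described in the post
Packet = namedtuple("Packet", "src dst proto sport dport")  # proto is "tcp" or "udp"


class SegmentFirewall:
    """Stateful default-deny model of the LAN/IoT policy described above."""

    def __init__(self) -> None:
        self.states: set[tuple] = set()  # 5-tuples of flows that were allowed to start

    @staticmethod
    def segment(ip: str) -> str:
        addr = ip_address(ip)
        return "lan" if addr in LAN else "iot" if addr in IOT else "other"

    def forward(self, p: Packet) -> bool:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        reply_key = (p.dst, p.src, p.proto, p.dport, p.sport)
        if reply_key in self.states:
            return True                   # reply to an established flow: state wins, no rule needed
        if ip_address(p.dst) == MDNS_GROUP:
            return False                  # mDNS is not routed; cross-segment discovery needs a reflector
        src, dst = self.segment(p.src), self.segment(p.dst)
        if src == "lan" and dst == "iot":
            self.states.add(key)          # LAN may initiate anything toward IoT
            return True
        if src == "iot" and dst == "lan" and p.proto == "tcp" and p.dport == DAAP_PORT:
            self.states.add(key)          # DAAP only; everything else from IoT is dropped
            return True
        return False                      # default deny, including IoT -> LAN admin ports


def demo() -> dict[str, bool]:
    fw = SegmentFirewall()
    return {
        "lan_to_iot_http": fw.forward(Packet("192.168.10.5", "192.168.20.40", "tcp", 50000, 80)),
        "iot_reply_http":  fw.forward(Packet("192.168.20.40", "192.168.10.5", "tcp", 80, 50000)),
        "iot_to_lan_daap": fw.forward(Packet("192.168.20.40", "192.168.10.5", "tcp", 50001, 3689)),
        "iot_to_lan_ssh":  fw.forward(Packet("192.168.20.40", "192.168.10.5", "tcp", 50002, 22)),
        "iot_unsolicited": fw.forward(Packet("192.168.20.41", "192.168.10.5", "tcp", 443, 50003)),
        "iot_mdns_query":  fw.forward(Packet("192.168.20.40", "224.0.0.251", "udp", 5353, 5353)),
    }
```

The `iot_unsolicited` case looks like a reply (source port 443) but has no matching state entry, so it is dropped; this is the property that distinguishes a stateful segment boundary from a simple port filter.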