Firewall question - outgoing traffic from Homebridge to HomeKit clients

[tomadimitrie]

Homebridge UniFi Protect Version

7.4.0

Homebridge Platform and OS

Ubuntu Noble

Homebridge Version

1.8.4

Node Version

20.17.0

UniFi OS Version

4.0.6

UniFi Protect Controller Version

4.1.53

Describe the problem

Hi! First of all, awesome plugin :)

So I have multiple VLANs in my network, the 4 relevant ones are

• A. Default (my devices, e.g. iPhone)
• B. Homebridge (just the homebridge running on it)
• C. Protect (Cameras - 2 G4 Instants)
• D. HomeKit Hubs (Apple TV and HomePods)

I have inter-VLAN routing disabled and have allow rules set up. I allowed Default to access the whole subnet, and the 3 other VLANs to access each other (allow rule from B to C + D, etc.). However, with this setup I am not able to stream the video feed locally. The request is logged in Homebridge, but on the iPhone app it times out. I can view it when not connected to the network, in which case the request comes from the home hub, which is expected.

I looked at the firewall logs in UniFi and saw traffic from Homebridge to my iPhone blocked by the inter-VLAN rule. So, after allowing Homebridge to access my Default network everything works as expected.

My question is: why does Homebridge need to initiate traffic to my devices? I have a firewall rule to allow established and related traffic, and that should be enough for most cases (that rule allows a VLAN to reply to a connection already established by another allowed VLAN). So, in this case, Homebridge is trying to initiate the connection to my iPhone, but I don't understand why. Is it not enough to reply to the connection initated by HomeKit with the video stream? Is there something else going on, like HomeKit opening a port on my iPhone and Homebridge connecting to it? In this case, is there a specific port I should allow? I don't really want to give Homebridge full access to my trusted VLANs.

Thank you!

Homebridge HBUP JSON configuration

-

Relevant log output

-

Acknowledgment that you are only running UniFi OS and UniFi Protect releases from the Ubiquiti Official release channel

• [X] I acknowledge that I am not running any early access / beta firmwares or operating systems from either Ubiquiti or Apple.

[hjdhjd]

Appreciate the request but I’m afraid this is outside of the scope of any support I provide. If you have Homebridge-specific questions, you can direct your questions to the Homebridge GitHub. In general, firewalling for video scenarios like this is unwise. If you’re that worried about Homebridge security in a home environment…you may want to reconsider. 😄

[tomadimitrie]

I also run other services on other VLANs, some exposed to the internet, some for security research, so even if it's a home environment I still need to take care of security. The question I asked is specific to your plugin, not Homebridge generic, as this issue only happens with HomeKit cameras, so you might know how it works behind the scenes since you implemented it. All I'm asking is that if the cameras initiate any connection to the HomeKit client and what ports does it use

[hjdhjd]

Serves me right for answering the question on the go instead of providing a bit more context. 😄

Let’s try this again and clarify:

• The question you are asking is not specific to HBUP. It’s specific to HomeKit cameras and how Homebridge handles them. It’s important to appreciate that because HBUP itself only ever speaks to the Protect controller, and that’s it. Everything else is directed by Homebridge but really, as you’ll see in the next point, by HomeKit.
• HomeKit gets to decide what IPs and ports camera connections go to. If you’d like to understand the detail, feel free to google up the HomeKit spec (you can still find it if you search out there on the interwebs), and look at the sections on camera streaming and RTP stream management.
• TL;DR: HomeKit itself decides IPs and ports to use. You cannot control it directly as an end user. If you want to effectively stream you’re going to need to allow two-way connectivity between your Homebridge machine and network, as you’ve discovered.

Your question:

If the cameras initiate any connection to the HomeKit client

The answer is no. Because no camera is initiating a connection here.

Protect cameras -> Protect controller -> HBUP -> Homebridge -> HomeKit -> end user client.

HBUP only speaks to the controller on one end, and only handles HomeKit requests that are served by Homebridge on the other.

HomeKit / Homebridge is not designed nor intended to operate well (or at all) across network segments. That it can do so in many instances is great, but it’s not a reliable panacea that I would bet my smart home on. If you want to firewall it off, you’re going to have to enable a significant range of ports, both UDP and TCP, that’s essentially “everything above 1024”.

Hopefully, this helps explain why I directed you to the Homebridge support areas rather than HBUP where I have no doubt other users have run into similar challenges and may have more creative or interesting ways to solve the same conundrum you find yourself in.

[tomadimitrie]

Thank you so much for the answer, really appreciate it! I researched a bit more and looks like the cameras do initiate UDP connections to the clients (not exactly the camera, but through Homebridge): https://www.reddit.com/r/homebridge/comments/p1z9xo/firewall_rules_to_allow_homekit_live_video/

[github-actions[bot]]

This issue is locked to prevent necroposting on closed issues. Please create a new issue for related support requests, bug reports, or feature suggestions.