Hoobs and Homekit using VLans

[tivo65]

I am using Hoobs with Apple Homekit and a mixture of different plugins (shelly, tp-link, nest, eyezon). I am segmenting my network moving the IOT devices to an IOT VLan. I was going to leave the Raspberry Pi Hoobs server on my primary LAN. (or if suggested I could move Hoobs to the IOT VLan). In my testing I have moved a couple IOT devices to the new IOT VLan but cannot get them to communicate to Hoobs. I opened up MDNS between the networks. What ports/traffic do I need to allow between the IOT VLan and LAN to allow Hoobs to reach the IOT devices and to continue controlling the IOT devices via Homekit and Hoobs. And where should the AppleTV be located? Other suggestions?

[mkellsy]

The HOOBS hub uses port 80. The bridges you configure the ports.

Typically, when setting up a segmented network with VLANs, you want to set the VLAN on the port of a switch and set a VLAN on the Wi-Fi AP. Setting a VLAN on the clients is not a scalable way to do this.

Configuring VLANs on Linux is no easy feat. Here is a how to on how to setup a VLAN on Debian. https://techviewleo.com/how-to-configure-vlan-interface-on-debian/

Also remember, to pair with HomeKit, you will need a Wi-Fi AP on the same VLAN as HOOBS or Homebridge. And to control your accessories from a different VLAN, you will need an Apple branded bridge like an Apple TV or Home Pod to communicate outside the VLAN.

[tivo65]

Michael

Thanks for the response.

I should have been clearer. I am creating the VLans via my network gear (ubiquiti Wifi AP, PHSense FW, and Netgear switch). I already have that setup on my WiFi APs and my switch. I have an IOT Vlan and then my default Lan for trusted devices (personal computers etc). I was planning to move all IOT devices to my IOT Vlan and limit traffic flow from the IOT Vlan to my default lan (for security reasons).

• I will have all IOT devices on the IOT Vlan

• Sounds like you suggest Hoobs also reside on that IOT Vlan, correct? My challenge with this is I have hoobs on a raspberry pi which also runs CUPS which I need for printing from my iphone.

• And are you also suggesting that my apple TV (I have two of them) reside on that same IOT Vlan? Here is my key question:

• I obviously want to lock down traffic as much as possible between the IOT Vlan and my default lan.

  • My key question is what kind of traffic or TCP ports need to be opened on my firewall to flow between default LAN and the IOT Vlan? If it is locked down completely every time I turn on a light from my phone when I am home (which will be on the default lan) the traffic will have to go out to the internet. Not sure how much latency that will add.

Thanks for the feedback.

Mike

From: Michael Kellsy @.> Reply-To: hoobs-org/HOOBS @.> Date: Tuesday, February 1, 2022 at 12:28 PM To: hoobs-org/HOOBS @.> Cc: Mike Bettilyon @.>, Author @.***> Subject: Re: [hoobs-org/HOOBS] Hoobs and Homekit using VLans (Issue #1787)

Typically, when setting up a segmented network with VLANs, you want to set the VLAN on the port of a switch and set a VLAN on the Wi-Fi AP. Setting a VLAN on the clients is not a scalable wat to do it.

Configuring VLANs on Linux is no easy feat. Here is a how to on how to setup a VLAN on Debian. https://techviewleo.com/how-to-configure-vlan-interface-on-debian/

Also remember, to pair with HomeKit, you will need a Wi-Fi AP on the same VLAN as HOOBS or Homebridge. And to control your accessories from a different VLAN, you will need an Apple branded bridge like an Apple TV or Home Pod to communicate outside the VLAN.

— Reply to this email directly, view it on GitHubhttps://github.com/hoobs-org/HOOBS/issues/1787#issuecomment-1027207689, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ASJSPSRNM6QEKKWIH63UJITUZAX6BANCNFSM5NJ3VIJQ. Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub. You are receiving this because you authored the thread.Message ID: @.***>

[mkellsy]

You don't need to map any port other than port 80 to access the UI.

All other ports actually run through Bonjour. HomeKit is not very VLAN friendly, and depending on your plugins, there may be an undetermined number of ports or internet API access. So, it may be critical to have the HOOBS box on the same VLAN as your IoT devices. And you Apple TV will need to be on the same VLAN as HOOBS too if you want to access HomeKit from outside your network.

Think of the VLANs as separate networks too.

If you are sure that your plugins only access devices via the internet, it is OK to have it on a separate VLAN that has internet access. But for HomeKit, HOOBS and your iPhone need to be on the same VLAN and subnet to pair and if you want to access HomeKit from a different network or VLAN your HOOBS setup and Apple TV or Home Pod need to be on the same VLAN.

One thing to note is, I know plugins like SmartThings and Hue communicate with their hubs via your local network.

As for which ports are used, that's really unknown, it changes per setup. Also, there are other protocols used that are not part of HTTP like Bonjour and Caio. You can thank Apple for this :) If you have cameras too, there is a plethora of protocols bouncing around on your network too like RSTP and SIP.

Also, it might be best to run your print server on a different Pi or VM. I run my CUPS, SMB, DNS and a web proxy from separate VMs on Hyper-V. I have used KVM for this too.

Basically HOOBS + Apple TV + IoT Hubs + Locally Controlled IoT need to be on the same VLAN.

Here's some further reading about this. https://en.wikipedia.org/wiki/Zero-configuration_networking https://en.wikipedia.org/wiki/Avahi_(software) https://en.wikipedia.org/wiki/Bonjour_(software) https://en.wikipedia.org/wiki/Multicast_DNS

---

Thanks for this issue. It's been a long time since I have thought about advanced networking.

[tivo65]

Thanks Michael

Gives me some things to think about as I make this move. I will let you know how it goes.

Mike

From: Michael Kellsy @.> Reply-To: hoobs-org/HOOBS @.> Date: Wednesday, February 2, 2022 at 4:48 PM To: hoobs-org/HOOBS @.> Cc: Mike Bettilyon @.>, Author @.***> Subject: Re: [hoobs-org/HOOBS] Hoobs and Homekit using VLans (Issue #1787)

You don't need to map any port other than port 80 to access the UI.

All other ports actually run through Bonjour. HomeKit is not very VLAN friendly, and depending on your plugins, there may be an undetermined number of ports or internet API access. So, it may be critical to have the HOOBS box on the same VLAN as your IoT devices. And you Apple TV will need to be on the same VLAN as HOOBS too if you want to access HomeKit from outside your network.

Think of the VLANs as separate networks too.

If you are sure that your plugins only access devices via the internet, it is OK to have it on a separate VLAN that has internet access. But for HomeKit, HOOBS and your iPhone need to be on the same VLAN and subnet to pair and if you want to access HomeKit from a different network or VLAN your HOOBS setup and Apple TV or Home Pod need to be on the same VLAN.

One thing to note is, I know plugins like SmartThings and Hue communicate with their hubs via your local network.

As for which ports are used, that's really unknown, it changes per setup. Also, there are other protocols used that are not part of HTTP like Bonjour and Caio. You can thank Apple for this :) If you have cameras too, there is a plethora of protocols bouncing around on your network too like RSTP and SIP.

Also, it might be best to run your print server on a different Pi or VM. I run my CUPS, SMB, DNS and a web proxy from separate VMs on Hyper-V. I have used KVM for this too.

Basically HOOBS + Apple TV + IoT Hubs + Locally Controlled IoT need to be on the same VLAN.

Here's some further reading about this. https://en.wikipedia.org/wiki/Zero-configuration_networking https://en.wikipedia.org/wiki/Avahi_(software) https://en.wikipedia.org/wiki/Bonjour_(software) https://en.wikipedia.org/wiki/Multicast_DNS

---

Thanks for this issue. It's been a long time since I have thought about advanced networking.

— Reply to this email directly, view it on GitHubhttps://github.com/hoobs-org/HOOBS/issues/1787#issuecomment-1028465706, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ASJSPSXCY6XCQF4HS4VYO7TUZG7GNANCNFSM5NJ3VIJQ. Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub. You are receiving this because you authored the thread.Message ID: @.***>