Although Apple HomeKit has high standards for security, it’s still a good idea to keep your IOT (internet of things) devices isolated. This post gives step-by-step instructions for setting this up.
High level overview:
The goal is to have two different LANs - one “private” LAN and one “guest” VLAN. All un-trusted devices go on the guest VLAN. The guest VLAN cannot talk to the LAN, but the LAN can talk to the guest VLAN without restriction. Instead of using Layer 2 isolation or blocking inter-VLAN routing, we set up Firewall rules to manage this. We also enable Bonjour forwarding so devices can see each other across the VLANs.
Step by Step:
Set up your VLAN. I like using 10.x.x.x networks simply because they are easier to type, but any private network (see Wikipedia: Private network) will do. In my examples, I use 10.0.A.x and 10.0.B.x where A and B are different numbers.
If you have any ethernet devices (such as a Philips Hue Bridge) that should be on the guest network, configure them by setting one of the Peplink ports to Access / GuestVLAN as shown here. Go to Network / LAN / Port Settings:
(Optional) Assign DHCP reservations for your devices.
Personally, I like my IOT devices to have predictable IP addresses. An easy way to do this is to use DHCP reservations. Go to Peplink / System / Client List and for each device you want, click the Import button and set a reserved IP address. I like to use numbers such as .100, .101, .102 etc.
These can be edited later from within Network / LAN / Network Settings / DHCP server.
Add a firewall rule - this will block all traffic from the Guest VLAN to the LAN for security. Go to Network / Firewall / Access Rules and create a new Internal Firewall Rule:
Apply changes, reboot everything, configure, and test.
At this point you should be good to go. You should probably power cycle all devices, and then do your normal HomeKit configuration.
A security note: in this setup all devices on the Guest VLAN can see and talk to each other because I disabled layer 2 WiFi isolation - in my case this is a feature (so the AppleTV can be a HomeKit hub and see the WeMo switches, etc.)
It’s possible that you want layer 2 isolation for guest devices. If so, you may want to set up a 3 VLAN system:
untagged LAN (trusted devices)
IOT VLAN / WiFi - for homeKit / WeMo / Hue / Printers etc.
Guest WiFi - layer 2 isolation ON - for guests on WiFi
With 3 networks the firewall decisions get a little more complicated: do you want guests on WiFi to be able to play to your AppleTV? To Print? etc.
Thanks for the setup @soylentgreen - I’ve mimicked the setup and can’t get guest wifi to connect to the internet. I suspect the reason is I have my AP One X connected to a PoE switch which then connects to the Balance One. I will find out today when I get my PoE injector from Amazon. EDIT: I tagged my managed switch ports 1 and 5 with the VLAN ID and now all is well.
The firewall rule defined in step 6 is IMHO too strict.
HomeKit hubs (like HomePod, AppleTV) need to be able to talk back to your untagged network.
Alternative suggestions are discussed here, too:
I thought I’d seen a reference in @soylentgreen posts about having an allow rule for the HomeKit hub from IoT vlan back to untagged LAN but can’t seem to find it.
This works as I have tested it. The HomeKit hub is your gateway into the HomeKit connected devices in the vlan. The second rule to deny any from vlan to untagged isolates everything else from your untagged.
If the HomeKit hub is compromised then I guess this would put you at risk. But I trust Apple security a little bit more than I do other third party IoT devices. At the very least, Apple will maintain its firmware for some time.
I’m waiting on a patch for Bonjour forwarding on my B20x and will then get everything set up properly.
In fact, looking at my setup, I do have an additional rule called AllowAppleTV which lets the AppleTV device connect to anything on the untagged LAN:
Agree - this is a somewhat increased security risk, so you may not want or need this rule.
Another thing to consider is that many Apple devices support AWDL (Apple Wireless Direct Link), which enables two Apple devices to communicate via an ad-hoc WiFi channel. I believe this allows two Apple devices (say an AppleTV and an iPhone) to communicate over Bluetooth, and then send data over WiFi without involving your router at all.
Adding to thread for the benefit of the topic and community…
I could never get Bonjour forwarding to work until I got the latest firmware (8.1.1) for my B20x AND enabled inter-VLAN routing. I secured access to my untagged LAN by adding an internal fw rule to block access from vlan to untagged as covered above in thread.
Surprisingly, I wasn’t expecting my Hue bridge to work when moved to my homekit vlan (.26 subnet). The Hue app on an iOS device on the untagged LAN was able to discover the Hue bridge even though nothing (except for the AppleTV acting as homekit hub) can access my untagged LAN.
The Hue bridge broadcasts to enable discovery, but seems the Bonjour forwarding service is helping out here and forwarding that traffic to my untagged LAN.
I ran a tcpdump from my untagged LAN and filtered on the Hue bridge specifically to show the broadcast traffic:
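The policy this thread converges on (step 6's deny rule from the IoT VLAN to the untagged LAN, the optional AllowAppleTV exception for the HomeKit hub, and Bonjour forwarding relaying discovery traffic such as the Hue bridge's multicast seen in the tcpdump above) is easy to get subtly wrong, so here is a small Python model of it that you can run against constructed tcpdump-style lines. This is an added example, not anything from the thread or from Peplink's firmware: the subnets (10.0.1.0/24 as the untagged LAN, 10.0.2.0/24 as the IoT VLAN), the AppleTV reservation at .100, the sample capture lines, and the choice to treat both mDNS (224.0.0.251:5353) and SSDP (239.255.255.250:1900) as "relayed" are all assumptions made for illustration; the thread only reports that Hue discovery worked across VLANs.

```python
"""Model of a stateful inter-VLAN policy: LAN -> IoT allowed, IoT -> LAN denied
except replies and an optional HomeKit-hub exception, discovery multicast relayed.
Added example with constructed addresses and capture lines; not Peplink's engine."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed address plan (the thread uses 10.0.A.x / 10.0.B.x; these are stand-ins).
LAN = ipaddress.ip_network("10.0.1.0/24")        # untagged, trusted LAN
IOT = ipaddress.ip_network("10.0.2.0/24")        # guest / IoT VLAN
APPLE_TV = ipaddress.ip_address("10.0.2.100")    # HomeKit hub, DHCP reservation .100 (assumed)
MDNS = (ipaddress.ip_address("224.0.0.251"), 5353)        # Bonjour
SSDP = (ipaddress.ip_address("239.255.255.250"), 1900)    # UPnP discovery (assumed relayed)

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n line.
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_tcpdump(line: str):
    """Return a Flow for a tcpdump line, or None if the line is not an IPv4 flow."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Flow(ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]))


def zone(addr: ipaddress.IPv4Address) -> str:
    if addr in LAN:
        return "LAN"
    if addr in IOT:
        return "IOT"
    if addr.is_multicast:
        return "MCAST"
    return "OTHER"


class Router:
    """Evaluates flows in capture order; remembers LAN-initiated flows so replies pass."""

    def __init__(self, allow_hub: bool = True):
        self.allow_hub = allow_hub          # whether the AllowAppleTV exception is configured
        self.conntrack = set()              # reverse tuples of LAN -> IoT flows we let through

    def decide(self, f: Flow) -> str:
        s, d = zone(f.src), zone(f.dst)
        if d == "MCAST":
            # Bonjour forwarding copies discovery multicast to the other VLAN;
            # anything else stays on its own segment.
            return "RELAY" if (f.dst, f.dport) in (MDNS, SSDP) else "DROP"
        if s == "LAN" and d == "IOT":
            self.conntrack.add((f.dst, f.dport, f.src, f.sport))
            return "ALLOW"                  # trusted side may reach IoT freely
        if s == "IOT" and d == "LAN":
            if (f.src, f.sport, f.dst, f.dport) in self.conntrack:
                return "ALLOW"              # reply to a connection the LAN opened
            if self.allow_hub and f.src == APPLE_TV:
                return "ALLOW"              # AllowAppleTV: hub may initiate to the LAN
            return "DENY"                   # step-6 rule: IoT may not initiate to the LAN
        return "ALLOW"                      # same zone, or traffic leaving for the internet


# Constructed capture lines (not from the thread's tcpdump).
SAMPLE_LINES = [
    "12:00:01.000 IP 10.0.1.20.52000 > 10.0.2.101.80: Flags [S]",      # iPhone on LAN -> Hue bridge
    "12:00:01.001 IP 10.0.2.101.80 > 10.0.1.20.52000: Flags [S.]",     # Hue bridge reply
    "12:00:02.000 IP 10.0.2.101.1900 > 239.255.255.250.1900: UDP",     # Hue SSDP announcement
    "12:00:03.000 IP 10.0.2.100.5353 > 224.0.0.251.5353: UDP",         # AppleTV mDNS
    "12:00:04.000 IP 10.0.2.100.49152 > 10.0.1.20.62000: Flags [S]",   # hub initiating to LAN
    "12:00:05.000 IP 10.0.2.102.40000 > 10.0.1.20.22: Flags [S]",      # WeMo -> LAN ssh
]


def evaluate(lines, allow_hub: bool = True):
    """Return [(line, decision)] for every parseable line, in order."""
    router = Router(allow_hub=allow_hub)
    out = []
    for line in lines:
        flow = parse_tcpdump(line)
        if flow is not None:
            out.append((line, router.decide(flow)))
    return out


if __name__ == "__main__":
    for line, verdict in evaluate(SAMPLE_LINES):
        print(f"{verdict:5s}  {line}")
```

Running it shows the one line a practitioner should look at twice: the hub-initiated flow on line five flips from ALLOW to DENY when the AllowAppleTV exception is removed, which is exactly the trade-off discussed above (a compromised hub is the only IoT device with a path into the trusted LAN). Everything the WeMo tries toward the LAN stays DENY regardless, while the Hue bridge's discovery traffic is relayed rather than routed, which is why the app on the untagged LAN can still find it.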