HomeKit VLAN Guest WiFi setup for IOT Security on Peplink Balance One

How to set up Apple HomeKit and Hue Bridge with various IOT devices on an isolated Guest VLAN / Guest WiFi

This is a companion post to HomeKit WeMo Hue VLAN AP One Mini AC Mystery Solved

Although Apple HomeKit has high standards for security, it’s still a good idea to keep your IOT (internet of things) devices isolated. This post gives step-by-step instructions for setting this up.

Products used:

High level overview:
The goal is to have two different LANs - one “private” LAN and one “guest” VLAN. All un-trusted devices go on the guest VLAN. The guest VLAN cannot talk to the LAN, but the LAN can talk to the guest VLAN without restriction. Instead of using Layer 2 isolation or blocking inter-VLAN routing, we set up firewall rules to manage this. We also enable Bonjour forwarding so devices can see each other across the VLANs.

Step by Step:

  1. Set up your VLAN. I like using 10.x.x.x networks simply because they are easier to type, but any private network (https://en.wikipedia.org/wiki/Private_network) will do. In my examples, I use 10.0.A.x and 10.0.B.x where A and B are different numbers.

  • If you are using an Airport Extreme, use VLAN ID 1003 (see below).
  • Make sure Inter-VLAN routing is enabled and you have set a DHCP server:

  2. Set up your Guest WiFi SSID.

Create the Guest SSID

  • Set the VLAN to your guest VLAN
  • IMPORTANT Click the “?” icon and then show the advanced settings.
  • Make sure Layer 2 isolation is OFF

  3. On the Network / LAN / Network Settings page, set up Bonjour Forwarding from the Guest LAN to the LAN:

  4. If you have any Ethernet devices (such as a Philips Hue Bridge) that should be on the guest network, configure them by setting one of the Peplink ports to Access / GuestVLAN as shown here. Go to Network / LAN / Port Settings:

  5. (Optional) Assign DHCP reservations for your devices.
    Personally, I like my IOT devices to have predictable IP addresses. An easy way to do this is to use DHCP reservations. Go to Peplink / System / Client List and for each device you want, click the Import button and set a reserved IP address. I like to use numbers such as .100, .101, .102 etc.

  • These can be edited later from within Network / LAN / Network Settings / DHCP server.

  6. Add a firewall rule - this blocks all traffic from the Guest VLAN to the LAN for security. Go to Network / Firewall / Access Rules and create a new Internal Firewall Rule:

  7. Apply changes, reboot everything, configure, and test.
    At this point you should be good to go. You should probably power cycle all devices, and then do your normal HomeKit configuration.
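To see why a single Guest-to-LAN deny rule gives the behaviour the overview describes (LAN reaches guest devices, guest devices cannot start connections to the LAN, but replies still flow back), here is an added Python model of a stateful inter-VLAN firewall. It is not code from the original post or from Peplink; it assumes A=1 and B=2 for the post's 10.0.A.x / 10.0.B.x subnets and that the router tracks sessions so return traffic of an allowed flow is accepted.

```python
import ipaddress

# Constructed addressing for this example: the post's 10.0.A.x / 10.0.B.x with
# A=1 (LAN) and B=2 (Guest VLAN). Adjust to match your own subnets.
LAN = ipaddress.ip_network("10.0.1.0/24")
GUEST = ipaddress.ip_network("10.0.2.0/24")

# Internal firewall rule table, first match wins, default action "allow".
# This models the post's single rule: deny anything from the Guest VLAN to the LAN.
RULES = [
    ("deny", GUEST, LAN),
]


class StatefulFirewall:
    """Minimal model of a stateful inter-VLAN firewall (assumption: the router
    tracks sessions, so replies to an allowed flow pass without a matching rule)."""

    def __init__(self, rules, default="allow"):
        self.rules = rules
        self.default = default
        self.sessions = set()  # (src, sport, dst, dport) of allowed flows

    def check(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Return traffic of an existing session is accepted before the rules run.
        if (dst, dport, src, sport) in self.sessions:
            return "allow (established)"
        action = self.default
        for rule_action, src_net, dst_net in self.rules:
            if src in src_net and dst in dst_net:
                action = rule_action
                break
        if action == "allow":
            self.sessions.add((src, sport, dst, dport))
        return action


def demo():
    fw = StatefulFirewall(RULES)
    return [
        # Apple TV (LAN, HomeKit hub) opens a connection to a WeMo switch on the guest VLAN.
        fw.check("10.0.1.10", 50000, "10.0.2.100", 49153),
        # The WeMo's reply to that connection comes back through the tracked session.
        fw.check("10.0.2.100", 49153, "10.0.1.10", 50000),
        # The same WeMo trying to open a new connection to a LAN host is blocked.
        fw.check("10.0.2.100", 40000, "10.0.1.10", 22),
        # Guest devices still reach the internet (default allow, no rule matches).
        fw.check("10.0.2.100", 40001, "8.8.8.8", 443),
    ]
```

Bonjour forwarding is not a hole in this model: the router relays the mDNS announcements itself, so the LAN learns about guest devices while guest-initiated connections to the LAN are still denied.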

Thanks for the tutorial!

A security note: in this setup all devices on the Guest VLAN can see and talk to each other because I disabled layer 2 WiFi isolation - in my case this is a feature (so the AppleTV can be a HomeKit hub and see the WeMo switches, etc.)

It’s possible that you want layer 2 isolation for guest devices. If so, you may want to set up a 3 VLAN system:

  • untagged LAN (trusted devices)
  • IOT VLAN / WiFi - for HomeKit / WeMo / Hue / Printers etc.
  • Guest WiFi - layer 2 isolation ON - for guests on WiFi

With 3 networks the firewall decisions get a little more complicated: do you want guests on WiFi to be able to play to your AppleTV? To Print? etc.