HomeKit VLAN Guest WiFi setup for IOT Security on Peplink Balance One

How to set up Apple HomeKit and Hue Bridge with various IOT devices on an isolated Guest VLAN / Guest WiFi

This is a companion post to HomeKit WeMo Hue VLAN AP One Mini AC Mystery Solved

Although Apple HomeKit has high standards for security, it’s still a good idea to keep your IOT (internet of things) devices isolated. This post gives step-by-step instrucitons for setting this up.

Products used:

High level overview:
The goal is to have two different LANs - one “private” LAN and one “guest” VLAN. All un-trusted devices go on the guest VLAN. The guest VLAN can not talk to the LAN, but the LAN can talk to the guest VLAN without restriction. Instead of using Layer 2 isolation or blocking inter-VLAN routing, we instead set up Firewall rules to manage this. We also enable Bonjour fowarding so devices can see each other across the VLANs.

Step by Step:

  1. Set up your VLAN. I like using 10.x.x.x networks simply because they are easier to type, but any Private network - Wikipedia private network will do. In my examples, I use 10.0.A.x and 10.0.B.x where A and B are different numbers.

  • If you are using an Airport Extreme, use VLAN ID 1003 (see below).
  • Make sure Inter-VLAN routing is enabled and you have set a DHCP server:

  1. Set up your Guest WiFi SSID.

Create the Guest SSID

  • Set the VLAN to your guest VLAN
  • IMPORTANT Click the “?” icon and then show the advanced settings.
  • Make sure Layer 2 isolation is OFF

  1. On the Network / LAN / Network Settings page, set up Bonjour Forwarding from the Guest LAN to the LAN:

  1. If you have any ethenet devices (such as a Philips Hue Bridge) that should be on the guest network, configure them by setting one of the Peplink ports to Access / GuestVLAN as shown here. Go to Network / LAN / Port Settings:

  1. (Optional) Assign DHCP reservations for your devices.
    Personally, I like my IOT devices to have predictable IP addresses. An easy way to do this is to use DHCP reservations. Go to Peplink / System / Client List and for each device you want, click the Import button and set a reserved IP address. I like to use numbers such as .100, .101, .102 etc.

  • These can be edited later from within Network / LAN / Network Settings / DHCP server.
  1. Add a firewall rule - this will block all traffic from the Guest VLAN to the LAN for security. Go to Network / Firewall / Access Rules and create a new Internal Firewall Rule:

  1. Apply changes, reboot everything, configure, and test.
    At this point you should be good to go. You should probably power cycle all devices, and then do your normal HomeKit configuration.

Thanks for the tutorial!

A security note: in this setup all devices on the Guest VLAN can see and talk to each other because I disabled layer 2 WiFi isolation - in my case this is a feature (so the AppleTV can be a HomeKit hub and see the WeMo switches, etc.)

It’s possible that you want layer 2 isolation for guest devices. If so, you may want to set up a 3 VLAN system:

  • untagged LAN (trusted devices)
  • IOT VLAN / WiFi - for homeKit / WeMo / Hue / Printers etc.
  • Guest WiFi - layer 2 isolation ON - for guests on WiFi

With 3 networks the firewall decisions get a little more complicated: do you want guests on WiFi to be able to play to your AppleTV? To Print? etc.

1 Like

Thanks @soylentgreen

Im still trying to get AirPlay working from my “Airplay” vlan on my B20x. Did pretty much what you have here already.

One thing I noticed I couldn’t ping a device on my Airplay vlan from Untagged Lan until I also checked off inter vlan routing on my Untagged Lan.

Thanks for the setup @soylentgreen - I’ve mimicked the setup and cant get guestwifi to connect to the internet. I suspect the reason is I have my AP one X connected to a PoE switch which then connects to the Balance One. I will find out today when i get my poe injector from amazon. EDIT : I tagged my Managed switch ports 1 and 5 with the VLAN ID and now all is well.

The firewall rule defined in step 6 is IMHO too strict.
HomeKit hubs (like HomePod, AppleTV) need to be able to talk back to your untagged network.
Alternative suggestions are discussed here, too:

I thought I’d seen a reference in @soylentgreen posts about having an allow rule for the HomeKit hub from IoT vlan back to untagged LAN but can’t seem to find it.

This works as I have tested it. The HomeKit hub is your gateway into the HomeKit connected devices in the vlan. The second rule to deny any from vlan to untagged isolates everything else from your untagged.

If the HomeKit hub is compromised then I guess this would put you at risk. But I trust Apple security a little but more than I do other third party IoT devices. At the very least, Apple will maintain its firmware for some time.

Im waiting on a patch for Bonjour forwarding on my B20x and will then get everything setup properly.

1 Like

In fact, looking at my setup, I do have an additional rule which called AllowAppleTV which lets the AppleTV device connect to anyting on the untagged LAN:

Agree - this is a somewhat increased security risk, so you may not want or need this rule.

Another thing to consider is that many apple devices support AWDL (Apple Wireless Direct Link) which enables two apple devices to communicate via an ad-hoc WiFi channel. I believe this allows two apple devices (say an AppleTV and a iPhone) to communicate over bluetooth, and then send data over WiFi without involving your router at all.

1 Like

Adding to thread for the benefit of the topic and community…

I could never get Bonjour forwarding to work until I got the latest firmeware (8.1.1) for my B20x AND enabled interVLAN routing. I secured access to my untagged lan by adding an internal fw rule to block access from vlan to untagged as covered above in thread.

Surprisingly, I wasn’t expecting my Hue bridge to work when moved to my homekit vlan (.26 subnet) The Hue app on iOS device on untagged LAN was able to discover the Hue bridge even though nothing (execpt for AppleTV acting as homekit hub) can access my untagged LAN.

The Hue bridge broadcasts to enable discovery, but seems the Bonjour forwarding service is helping out here and forwarding that traffic to my untagged LAN.

I ran a tcpdump from my untagged LAN and filtered on the Hue bridge specifically to show the broadcast traffic:

15:56:56.037334 IP 10.xx.26.xx.5353 > 0*- [0q] 1/0/7 PTR Philips hue - 41D7EF._hap._tcp.local. (284)

Could this be due to fact that Hue and Airplay devices are using same broadcast domain ? Here is my Airport express broadcast:

16:13:02.092433 IP 10.xx.26.xx.5353 > 0*- [0q] 2/0/10 PTR Living Room._airplay._tcp.local., PTR 0C5101EA675C@Living Room._raop._tcp.local. (843)

So I am finally able to completely isolate my IoT while maintaining its useful features.