VLAN + HomeKit/IoT Migration and Setup Questions
Hi all, I'm looking for a bit of guidance and understanding of how the VLAN setup will work. I have reviewed the network segmentation article on the knowledge base (for a Gold Plus).
Currently I am using a single SSID (carried over from the previous non-VLAN-aware network setup) and a single LAN network on Firewalla.
I have recently changed APs to UniFi, with the intention of segmenting my network into IoT VLANs (I was previously using HomeKit Secure Router) and making sure the main network can run on WPA3 (not WPA2/3 to cater for older devices).
Moving HomeKit devices over to a new VLAN/SSID will be a bit of a task, so my plan is to approach this gradually (not a 7-hour chunk of work), maybe switches first, then cameras, etc.
I eventually plan to have these VLANs:
- All Access: standard laptops/iPads/phones, HomeKit hub/HomePod/TV connected.
- IoT Trusted: firmware updates are allowed out to the internet/cloud-based automations, but devices are not able to see internally into other VLANs.
- IoT Locked: strict VLAN access that does not allow any comms out or in; will occasionally be opened to do firmware updates, then closed again.
- Cameras: same rules as IoT Locked, but I feel like it might be a good idea to separate them since the cameras are definitely more sensitive than, say, an off-brand outlet.
- Guest: similar rules to IoT Trusted.
A few questions:
1. Can I introduce new VLANs now without turning off or impacting the existing default LAN? Can I possibly just use what I have now as my All Access? One of the devices is a hardwired TV; I will need to get a managed switch for that area since the smart TV, Homebridge server, camera base and TV all hang off that. If I segment the other devices but leave the TV as default, how would that look?
2. I have seen posts that say "other ports" need to be allowed in the firewall between VLANs to make HomeKit work, but I haven't found any specifics. Would this come down to device-by-device config?
3. If I create 2-5 VLANs, should I just tag all 3 Gold ports to each VLAN, since most will be setting the VLAN at the SSID level but others will be coming via managed switches?
-
Hello
I think my home network has some similarities, so giving my 2 cents, mainly on your Q #2 and #3.
I have a TP-Link AP which handles SSID VLAN tags.
I have a primary LAN, then IoT/Cameras/VoIP/Guest VLANs.
I also have 2 managed switches to handle hardwired devices in this setup from 2 different locations, connected to 2 different ports of my Gold SE. They handle devices from different VLANs with tagging. The primary LAN is allowed to communicate with any VLAN, but VLANs can only go to the internet.
My HomeKit hub/bridge (Apple TV + Home Assistant Green box) are on the primary, and there are HomeKit devices on IoT and Cameras. All I did for HomeKit to work was activating mDNS and SSDP relays on any network with HomeKit devices and Primary; no additional ports opened for me (although AirPlay doesn't work from primary to IoT in my case, but I'm not too bothered by this).
On the Gold, I'm only tagging the ports to the VLANs that can be received on that port, but if in your case you can have any VLAN on any port, then you will need to tag them all indeed.
-
Not all devices need "All Access". For me, some of my personal devices get that, but the rest of the family doesn't need access to all devices. Here's how I look at it:
- Many devices don't need local network access. They are always accessed over the internet. Those don't get local network access, and I limit their internet access as much as possible.
- Many devices only need local network access. These devices are always accessed locally. These don't get any internet access that they don't need.
Can I introduce new VLANs now without turning off or impacting the existing default LAN?
Yes.
Can I possibly just use what I have now as my All Access?
Yes.
One of the devices is a hardwired TV; I will need to get a managed switch for that area since the smart TV, Homebridge server, camera base and TV all hang off that. If I segment the other devices but leave the TV as default, how would that look?
I'm not sure I follow the question. I ended up leaving my Apple TVs on the main network. I don't think it is impossible to put them on a separate network, but if I recall it seemed like I would need to open up quite a bit of access and I decided it just wasn't worth it.
I have seen posts that say "other ports" need to be allowed in the firewall between VLANs to make HomeKit work, but haven't found any specifics. Would this come down to device-by-device config?
- TCP Port 80: Used for HTTP communication.
- TCP Port 443: Used for HTTPS communication.
- UDP Port 5353: Used for Multicast DNS (mDNS) for service discovery.
- TCP Port 51827: Used for end-to-end encryption and control of HomeKit accessories.
I think there may be some others for some odd products, but I don't recall. Maybe I'm thinking of my Homebridge server needing to talk to both the hub (Apple TV) and various devices.
If I create 2-5 VLANs, should I just tag all 3 Gold ports to each VLAN, since most will be setting the VLAN at the SSID level but others will be coming via managed switches?
So I'm not sure what you have in mind for your topology... Here are some possibilities:
- Firewalla port > Wi-Fi AP: This will be a trunk port for any VLANs you want to assign to each SSID.
- Firewalla port > Managed switch: This will usually be a trunk port for any VLANs you want to be able to assign to any switch port. E.g. switch port 1 might be a trunk, switch port 2 could be IoT, switch port 3 could be for a different VLAN...
Hope that makes sense.
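As an added illustration (not code from this thread, from Firewalla or from UniFi), here is a small Python policy checker that encodes the layout discussed above: the primary/All Access VLAN may reach the others, IoT Trusted and Guest get internet only, IoT Locked and Cameras get internet only while a firmware update window is open, and multicast mDNS is flagged as needing the relay rather than a firewall rule. The subnets, the VLAN names and the choice to limit primary-to-locked traffic to the HomeKit ports listed above are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan following the thread's layout; subnets are assumptions.
VLANS = {
    "primary":     ip_network("192.168.1.0/24"),   # "All Access": hub, Apple TV, laptops
    "iot_trusted": ip_network("192.168.20.0/24"),
    "iot_locked":  ip_network("192.168.30.0/24"),
    "cameras":     ip_network("192.168.40.0/24"),
    "guest":       ip_network("192.168.50.0/24"),
}
INTERNET_ONLY = {"iot_trusted", "guest"}  # internet out, nothing local
LOCKED = {"iot_locked", "cameras"}        # internet only while an update window is open
# Unicast HomeKit ports from the reply above. An accessory that advertises a different
# port in its _hap._tcp mDNS record needs that port added here as well.
HOMEKIT_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 51827)}

@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP, possibly the 224.0.0.251 mDNS group
    proto: str  # "tcp" or "udp"
    dport: int

def vlan_of(addr):
    """Map an address to its VLAN name, 'multicast' or 'internet'."""
    a = ip_address(addr)
    if a.is_multicast:
        return "multicast"
    return next((name for name, net in VLANS.items() if a in net), "internet")

def evaluate(flow, update_window=False):
    """First-match policy. Returns (verdict, reason); verdict is allow, deny or relay."""
    s, d = vlan_of(flow.src), vlan_of(flow.dst)
    if d == "multicast" and flow.proto == "udp" and flow.dport == 5353:
        # Multicast is not routed between VLANs, so no allow rule helps here:
        # discovery needs the mDNS relay enabled on both networks.
        return "relay", "mDNS crosses VLANs only via the mDNS relay"
    if s == "primary":
        if d in LOCKED and (flow.proto, flow.dport) not in HOMEKIT_PORTS:
            return "deny", f"primary -> {d} is limited to the HomeKit ports"
        return "allow", "primary may reach any VLAN; replies are stateful"
    if d == "internet":
        if s in INTERNET_ONLY or (s in LOCKED and update_window):
            return "allow", f"{s} may reach the internet"
        return "deny", f"{s} is closed outside a firmware update window"
    return "deny", f"{s} -> {d} is not permitted"
```

Running a handful of constructed flows through `evaluate` before changing rules on the box shows which paths a new VLAN would silently close, and which ones (mDNS discovery) no firewall rule can open at all.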