iOS Home not seeing Hassio Homekit on separate VLANs with firewall rules allowing access in place


I am trying to set up homekit on Hassio via ‘Alternative: install on a generic Linux host’ which has been running great with other mainstay integrations, but they are on the same VLAN. My iOS app never sees the Hassio install.

I have the computer hosting hassio on a VLAN separate from all the apple devices but I have firewall rules allowing access on all ports to and from the vlans (after failing when having only the IPs of all devices allowed to/from.)

Has anyone else run into this and figured it out?

My config for homekit right now is:

homekit:
  auto_start: false
  filter:
    exclude_domains:
      - automation

I had this set up a long time ago and working, but I was using a simple end-user router vs the UniFi gear I have now. HA is on its own VLAN as I am thinking about opening up to the internet with SSL etc. so I can use it remotely.

I enabled logging as suggested in the homekit docs and here is the output with a few things changed.

2019-09-14 18:21:11 DEBUG (MainThread) [homeassistant.components.homekit] Begin setup HomeKit
2019-09-14 18:21:11 DEBUG (SyncWorker_3) [pyhap.characteristic] set_value: Name to Home Assistant Bridge
2019-09-14 18:21:11 DEBUG (SyncWorker_3) [pyhap.characteristic] set_value: SerialNumber to default
2019-09-14 18:21:11 DEBUG (SyncWorker_3) [pyhap.characteristic] set_value: FirmwareRevision to 0.98.5
2019-09-14 18:21:11 DEBUG (SyncWorker_3) [pyhap.characteristic] set_value: Manufacturer to Home Assistant
2019-09-14 18:21:11 DEBUG (SyncWorker_3) [pyhap.characteristic] set_value: Model to Bridge
2019-09-14 18:21:11 DEBUG (SyncWorker_3) [pyhap.characteristic] set_value: SerialNumber to homekit.bridge
2019-09-14 18:21:58 INFO (SyncWorker_17) [pyhap.accessory_driver] Storing Accessory state in `/config/.homekit.state`
2019-09-14 18:21:58 INFO (SyncWorker_17) [homeassistant.components.homekit.util] Pincode: 000-00-000 (changed)
2019-09-14 18:21:58 DEBUG (SyncWorker_17) [homeassistant.components.homekit] Driver start
2019-09-14 18:21:58 INFO (SyncWorker_13) [pyhap.accessory_driver] Starting the event loop
2019-09-14 18:21:58 DEBUG (SyncWorker_13) [pyhap.accessory_driver] Not setting a child watcher. Set one if subprocesses will be started outside the main thread.
2019-09-14 18:21:58 INFO (SyncWorker_0) [pyhap.accessory_driver] Starting accessory Home Assistant Bridge on address 10.10.10.59, port 51827.
2019-09-14 18:21:58 DEBUG (SyncWorker_0) [pyhap.accessory_driver] Starting event thread.
2019-09-14 18:21:58 DEBUG (SyncWorker_0) [pyhap.accessory_driver] Starting server.
2019-09-14 18:21:58 DEBUG (SyncWorker_0) [pyhap.accessory_driver] Starting mDNS.
2019-09-14 18:21:58 DEBUG (MainThread) [homeassistant.components.homekit_controller.config_flow] Discovered device Home Assistant Bridge (Home Assistant Bridge - XX:XX:XX:XX:XX:XX-removed)
2019-09-14 18:21:59 DEBUG (SyncWorker_0) [pyhap.accessory_driver] Starting accessory.
2019-09-14 18:21:59 DEBUG (SyncWorker_0) [pyhap.accessory_driver] AccessoryDriver started successfully

I have a similar setup with my Apple devices (iPads, iPhones, and Macs) on my main LAN with my IoT (including Home Assistant) on a separate VLAN. While you have firewall rules open, there is no way for the Apple devices to discover your HomeKit bridge.

The solution is fairly straightforward. You have to basically do a Bonjour Broadcast for the HomeKit port and forward it across your VLAN. You’ll want to grab and compile this app: https://github.com/agg23/BonjourBroadcaster and run it on a Mac that is on all the time and on the same VLAN as your Apple devices.

Then you set up Bonjour Broadcaster with something like this:

10.0.3.100 is my Home Assistant install.

We use the Home app all the time on our devices and this makes it work.

I hope this helps!

There is also a setting on the USG (UniFi Security Gateway) to reflect mDNS (Bonjour) across subnets. I haven’t used it, but it may be easier.

Using @scgruby’s comment about the USG having a setting, I looked at my firewall (pfSense) and found an Avahi add-on app. I have that up and running with my two VLANs selected and voilà.

Thanks all.

If anyone has any trouble after enabling Avahi’s repeater/reflector (whether on a networking appliance or a Raspberry Pi) I recommend disabling the IPv6 option in Avahi’s config file… this applies to Homebridge too.
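A way to check, from a host on the Apple-device VLAN, whether the bridge's `_hap._tcp` mDNS advertisement is actually reaching that VLAN once a reflector is enabled. This is an added example, not code from the thread or from Home Assistant; the function names are made up here, and it assumes Python 3.8+ and that the host's default interface sits on the VLAN being tested.

```python
import socket
import struct

MDNS_ADDR = ("224.0.0.251", 5353)              # link-local multicast group, never routed
HAP_SERVICE, TYPE_PTR = "_hap._tcp.local", 12  # HomeKit service type; DNS PTR record type

def build_query(service=HAP_SERVICE):          # header with one question: PTR, class IN
    qname = b"".join(bytes([len(p)]) + p.encode() for p in service.split(".")) + b"\x00"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", TYPE_PTR, 1)

def read_name(msg, off, depth=0):              # -> (decoded name, offset just past it)
    labels = []
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:                   # compression pointer: tail lives elsewhere
            if depth > 16:
                raise ValueError("compression pointer loop")
            tail = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], depth + 1)[0]
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("utf-8", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def hap_instances(msg, service=HAP_SERVICE):   # instance names in PTR records for service
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, found = 12, []
    for _ in range(qd):                        # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack_from("!H6xH", msg, off)
        if rtype == TYPE_PTR and owner.lower() == service:
            found.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found

def probe(timeout=3.0):                        # -> sorted (sender IP, instance name) pairs
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(), MDNS_ADDR)      # sent on this host's default interface only
    seen = set()
    try:
        while True:
            data, (ip, _) = sock.recvfrom(9000)
            seen.update((ip, name) for name in hap_instances(data))
    except socket.timeout:
        return sorted(seen)

if __name__ == "__main__":
    print(probe() or "no _hap._tcp responders visible from this VLAN")
```

An empty result while the firewall rules are open points at discovery (mDNS not crossing the VLAN boundary) rather than at the HomeKit port being blocked. The IP shown is whichever host answered, which may be a reflector rather than the bridge itself.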

@scgruby Are you referring to “Enable Multicast DNS” under ‘Services’ -> ‘mDNS’?

If so, I can say that I have that enabled and it still seems that the Apple TV has a hard time talking to Home Assistant when they are on different VLANs.

Yes, this is the setting. I haven’t had any problems with my AppleTV talking to Home Assistant across VLANs. If the firewall rules are correct and the mDNS is set, it should work.

It seems to largely only affect the communication between my iPhone (when off Wi-Fi) and the Apple TV as a hub - e.g. I cannot control/see devices when I’m outside my house.

I moved the AppleTV onto the same VLAN as Home Assistant and the problem has gone away. Makes me think something else is going on.

The point is moot probably. Generally speaking I think I’m OK having my AppleTV on the same network (my main) as HA, my phones, laptops etc. If I’m going to trust Apple with my iPhone/laptop, I might as well trust them with the Apple TV.