
DominikHoffmann
Original poster
I am wondering about ports used by the HomeKit ecosystem. If I want to have a firewall between my HomeKit-enabled devices and my iPhone, iPad and MacBook Pro, what ports have to be open in what direction for things to work properly?

The purpose of this is to make sure that devices turned rogue cannot mess with my personal devices but can still connect to the internet. Also, my Apple TV 4K is supposed to be able to act as a Home Hub and possibly as a Matter border router.
 
The reason I am asking is that with my new Nest Learning Thermostat (4th Gen.), which is Matter-enabled, I am trying to add it to my Home app. I can pull up the QR code on the thermostat itself, tap on the Plus sign in the Home app to add a new accessory, point my iPhone's camera at the thermostat's screen and begin the process. But it stalls out.

I am gathering that Matter over IP communicates over TCP/UDP port 5540 (really, both?). I will try again by opening that port in my firewall for one-way access from my Wi-Fi network for personal devices to my Wi-Fi network for IoT devices. Putting my phone on the same Wi-Fi network as the thermostat did not work yesterday, possibly because my access points have device isolation turned on for that network.

I will try adding that firewall rule and then, if additional troubleshooting is necessary, will turn off device isolation for the IoT network. I will report back about what I find.
 
If you’re using UniFi, here is a really good tutorial on all of that. I used it to set up my firewalls and permissions and it works flawlessly.

 

I don’t have UniFi at home but will try to glean from that what I would have to do on my Netgate appliance to achieve the same thing.

I wish Apple would publish official network segregation specs for proper IoT isolation.
 
Haven’t had success with a firewall rule that allows unidirectional flow of packets on port 5540 from my VLAN for personal devices to my IoT VLAN. However, when I had my iPhone join the IoT VLAN and turned off client isolation on my APs, I was able to add the Nest thermostat. When I went back to my main VLAN, though, the thermostat became unresponsive in the Home app. I am obviously missing something. It will require further research. Maybe the video @Itinj24 posted has the answer. We shall see.
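The port-5540 rule planned above and the failed unidirectional rule reported here both miss the step that happens before any packet goes to 5540: discovery. As an added example (not code from this thread, from Apple, Google or the Matter project), the Python program below builds the mDNS query a controller multicasts and parses the DNS-SD answer a commissioned Matter node sends back. The PTR record names the instance under `_matter._tcp.local` (`_matterc._udp.local` while the node is still waiting to be paired, `_hap._tcp.local` for classic HomeKit accessories), the SRV record is where port 5540 is actually learned, and the whole exchange rides on UDP 5353 to the link-local multicast group 224.0.0.251 (ff02::fb for IPv6), which neither a routed VLAN boundary nor AP client isolation passes by default. Everything in the sample packet is constructed: the `<fabric>-<node>` instance name, the `matter-node.local` host, the TXT values and the 192.168.20.23 address are hypothetical, and `required_flows` is this example's own reading of the records, not a published Apple or Matter firewall specification.

```python
"""mDNS / DNS-SD packets behind Matter-over-IP discovery (constructed, runs offline)."""
import socket
import struct

MDNS_GROUP_V4, MDNS_PORT = "224.0.0.251", 5353      # link-local multicast, RFC 6762
MATTER_OPERATIONAL = "_matter._tcp.local"            # commissioned nodes
MATTER_COMMISSIONABLE = "_matterc._udp.local"        # nodes waiting to be paired (QR-code flow)
HAP_SERVICE = "_hap._tcp.local"                      # classic HomeKit-over-IP accessories
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_query(service: str) -> bytes:
    """One-shot mDNS PTR query a controller multicasts to 224.0.0.251:5353."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)          # id 0, flags 0, one question
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def _read_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                                   # RFC 1035 compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt: bytes) -> dict:
    """Extract what a controller needs from an announcement: instance, host, port, TXT, A."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off, found = 12, {"instances": [], "txt": {}}
    for _ in range(qd):                                         # skip any question section
        _, off = _read_name(pkt, off)
        off += 4
    for _ in range(an + ns + ar):
        _name, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == TYPE_PTR:                                   # service type -> instance name
            found["instances"].append(_read_name(pkt, off)[0])
        elif rtype == TYPE_SRV:                                 # instance -> host + port (5540 lives here)
            found["port"] = struct.unpack("!H", rdata[4:6])[0]
            found["target"] = _read_name(pkt, off + 6)[0]
        elif rtype == TYPE_TXT:                                 # key=value strings
            i = 0
            while i < rdlen:
                k, _, v = rdata[i + 1:i + 1 + rdata[i]].decode().partition("=")
                found["txt"][k] = v
                i += 1 + rdata[i]
        elif rtype == TYPE_A:
            found["address"] = socket.inet_ntoa(rdata)
        off += rdlen
    return found


def _rr(name: str, rtype: int, rdata: bytes, ttl: int = 120) -> bytes:
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_matter_announcement() -> bytes:
    """Constructed (not captured) answer from a commissioned node; names and IP are hypothetical."""
    instance = "0123456789ABCDEF-0000000000000001." + MATTER_OPERATIONAL  # <fabric>-<node> instance
    host = "matter-node.local"
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 1)     # response, AA, 3 answers, 1 additional
    txt = b"".join(bytes([len(t)]) + t for t in (b"SII=5000", b"SAI=300", b"T=1"))
    return (header
            + _rr(MATTER_OPERATIONAL, TYPE_PTR, encode_name(instance))
            + _rr(instance, TYPE_SRV, struct.pack("!HHH", 0, 0, 5540) + encode_name(host))
            + _rr(instance, TYPE_TXT, txt)
            + _rr(host, TYPE_A, socket.inet_aton("192.168.20.23")))  # hypothetical IoT-VLAN address


def required_flows(found: dict) -> list:
    """Flows a controller on another VLAN needs, in the order they happen."""
    flows = [("udp", MDNS_PORT, "multicast to " + MDNS_GROUP_V4
              + ": link-local, crosses VLANs only via an mDNS reflector/repeater")]
    if "port" in found:
        flows.append(("udp", found["port"], "controller -> " + found.get("address", "?")
                      + " (Matter messaging runs over UDP)"))
        if found["txt"].get("T") == "1":
            flows.append(("tcp", found["port"], "only when the node advertises TCP support (T=1)"))
    return flows


if __name__ == "__main__":
    print(build_query(MATTER_COMMISSIONABLE).hex())
    for flow in required_flows(parse_response(sample_matter_announcement())):
        print(flow)
```

The practical reading for a pfSense/Netgate box: a unicast allow rule for 5540 from the personal VLAN to the IoT VLAN is the second flow in that list, and it only helps once the first one exists, which means an mDNS reflector (Avahi on pfSense, or the UniFi mDNS setting the tutorial above covers) between the two VLANs plus client isolation off on the IoT SSID so the accessory's multicast announcements reach the AP uplink at all. The stateful firewall handles the node's replies to the controller's ephemeral port.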
 
Hopefully it can provide some help. Good luck bud.

Also, try asking ChatGPT. I learned a lot from it.
 