Help peering networks

I have set up an IoT network and everything worked on it until I tried putting a hub that uses mDNS (HomeKit) on it. So I thought that opening up UDP 5353 would be enough, but it didn't work. So I dug a little deeper and tried opening up a simple TCP port to my Home Assistant server running on 8123. I checked that it was listening on 0.0.0.0, but I cannot reach it from my IoT LAN.
There must be something I'm not understanding about firewall rules, so please assist a newbie here. Thanks!


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'iot'
	option dest 'wan'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'mDNS for iot'
	list proto 'udp'
	option dest 'lan'
	option dest_port '5353'
	option target 'ACCEPT'
	option src 'iot'
	option family 'ipv4'

config rule
	list proto 'tcp'
	list dest_ip '192.168.31.2'
	option target 'ACCEPT'
	option src 'iot'
	option family 'ipv4'
	option name 'home assistant'
	option dest_port '8123'
	option dest 'lan'

Port 5353 is used by mDNS. Although your firewall is completely permissive, the problem is that mDNS does not route across subnets. It was designed for use only on a single network. Therefore, you need a repeater/reflector in order to get this to work. Install avahi or another mDNS reflector/repeater package and then try again.

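A way to check what the posted config actually does to a given flow, added here as an example and not taken from any post in the thread: a small Python evaluator that parses the UCI firewall sections and walks them in the order fw3/fw4 apply them (explicit rules, then forwarding sections, then the source zone's own forward policy, which only covers intra-zone traffic, then the global default). The config it reads is a trimmed copy of the one posted above; the iot subnet (192.168.32.0/24) and the router addresses are assumptions, since the thread only shows the Home Assistant host 192.168.31.2.

```python
"""Trace how OpenWrt's firewall (fw3/fw4) decides a flow (added example):
rules first, then forwarding sections, then the source zone's forward policy
(intra-zone only), then the global default. Multicast is never routed."""
import ipaddress
import shlex

# Constructed excerpt of the config posted in the thread (IPv4 essentials only).
FIREWALL_CONFIG = """
config defaults
	option forward 'REJECT'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'iot'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config forwarding
	option src 'lan'
	option dest 'iot'
config rule
	option name 'mDNS for iot'
	list proto 'udp'
	option src 'iot'
	option dest 'lan'
	option dest_port '5353'
	option target 'ACCEPT'
config rule
	option name 'home assistant'
	list proto 'tcp'
	option src 'iot'
	option dest 'lan'
	list dest_ip '192.168.31.2'
	option dest_port '8123'
	option target 'ACCEPT'
"""
# Assumed addressing: the thread only shows the host 192.168.31.2; the iot
# subnet and the router's own addresses are invented for this example.
ZONE_SUBNETS = {"lan": ipaddress.ip_network("192.168.31.0/24"),
                "iot": ipaddress.ip_network("192.168.32.0/24")}
ROUTER_IPS = {"192.168.31.1", "192.168.32.1"}

def parse_uci(text):
    """Parse UCI syntax into [(section_type, {key: [values]}), ...]."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line)              # strips the 'quotes'
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] in ("option", "list"):  # 'list' keys repeat
            sections[-1][1].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONE_SUBNETS.items() if addr in net), None)

def rule_matches(rule, src_zone, dst_zone, proto, dst_ip, dst_port):
    """dst_zone None means the packet is addressed to the router itself (input)."""
    if rule.get("enabled", ["1"])[0] == "0" or rule.get("src", [None])[0] != src_zone:
        return False
    dest = rule.get("dest", [None])[0]         # absent on input rules
    dest_ok = dest is None if dst_zone is None else dest in ("*", dst_zone)
    if not dest_ok:                            # a rule with 'dest' never sees input traffic
        return False
    protos = " ".join(rule.get("proto", ["all"])).split()
    if "all" not in protos and proto not in protos:
        return False
    addr = ipaddress.ip_address(dst_ip)
    if "dest_ip" in rule and not any(addr in ipaddress.ip_network(n, strict=False)
                                     for n in rule["dest_ip"]):
        return False
    # Exact ports only; the real firewall also accepts ranges such as '8000-8100'.
    return "dest_port" not in rule or str(dst_port) in " ".join(rule["dest_port"]).split()

def evaluate(cfg, src_zone, proto, dst_ip, dst_port):
    """Return (verdict, reason) for a packet arriving on the router from src_zone."""
    zones = {s["name"][0]: s for t, s in cfg if t == "zone"}
    forwardings = {(s["src"][0], s["dest"][0]) for t, s in cfg if t == "forwarding"}
    multicast = ipaddress.ip_address(dst_ip).is_multicast
    dst_zone = None if multicast or dst_ip in ROUTER_IPS else zone_of(dst_ip)
    assert multicast or dst_ip in ROUTER_IPS or dst_zone, "destination lies in no configured zone"
    for rule in (s for t, s in cfg if t == "rule"):
        if rule_matches(rule, src_zone, dst_zone, proto, dst_ip, dst_port):
            return rule["target"][0], "rule '%s'" % rule["name"][0]
    if multicast:                              # 224.0.0.0/4 is link-local for the kernel
        return "NOT FORWARDED", "multicast is link-local; only a reflector on the router re-sends it"
    if dst_zone is None:
        return zones[src_zone]["input"][0], "zone %s input policy" % src_zone
    if (src_zone, dst_zone) in forwardings:
        return "ACCEPT", "forwarding %s->%s" % (src_zone, dst_zone)
    if src_zone == dst_zone:                   # zone 'forward' only covers intra-zone traffic
        return zones[src_zone]["forward"][0], "zone %s intra-zone forward policy" % src_zone
    default = next(s for t, s in cfg if t == "defaults")["forward"][0]
    return default, "defaults forward (no forwarding %s->%s)" % (src_zone, dst_zone)

if __name__ == "__main__":
    cfg = parse_uci(FIREWALL_CONFIG)
    for flow in [("iot", "tcp", "192.168.31.2", 8123), ("iot", "tcp", "192.168.31.2", 22),
                 ("lan", "tcp", "192.168.32.10", 80), ("iot", "udp", "224.0.0.251", 5353)]:
        print(flow, "->", evaluate(cfg, *flow))
```

Running it shows the two things this thread turns on. iot -> 192.168.31.2 tcp/8123 is accepted by the 'home assistant' rule, while any other port towards lan falls through to the REJECT default because there is no iot->lan forwarding section (lan->iot has one, so lan can reach everything on iot). And iot -> 224.0.0.251 udp/5353 is never forwarded at all: the multicast address belongs to no zone and the kernel does not route it, so the 'mDNS for iot' rule with `option dest 'lan'` can never match. A reflector such as avahi running on the router receives mDNS on the input path, where a rule carrying a dest zone is not consulted; here the iot zone's `input 'ACCEPT'` already lets it in, but on a locked-down IoT zone the rule would need to drop the `dest` option to do the job.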

I have installed avahi and configured it to repeat between lan and iot.
So that should work once it's configured properly...
But why can't I telnet to 192.168.31.2 8123 from iot when I can do it from lan?

What host OSes are involved? Windows typically doesn't allow connections from other subnets unless you make changes to the firewall to allow it (the local Windows firewall).

I have my Home Assistant on the IoT network, with all the other IoT devices. Then I only allow connections from LAN to IoT on selected addresses and ports.

I am baffled. There were no pending changes, and now it works... at least TCP 8123 to Home Assistant. Thanks for your help! (BTW, it was Linux and the host was open to any connection.)

Yeah, I am running my Home Assistant as part of a larger group of services. It's also connected by Ethernet, so br-lan. I suppose I could put it on a separate VLAN, but I am trying to figure out the firewall "holes" needed between an Aqara hub on my iot and my lan/Home Assistant machine.
All of my Wi-Fi devices are isolated properly, but that hub needs to be part of a HomeKit network setup, I suppose, to work properly.