09 Nov 2023

PF: Limit network access for IKEA dirigera hub

The IKEA Dirigera hub is pretty humble network-wise, but should be segmented. The only annoying thing about it all is the app that they decided should only be able to find the hub by discovery, which means you need to run an mDNS reflector to mirror multicasts between your client VLAN and the dedicated IoT device VLAN.

This discovery is done every time you open the app, unlike some other internet of shits that only require it at the initial setup phase.

The hub is listening on port 8443/TCP.

The only reflector I managed to get working properly was the avahi-daemon. Install it, cry, write conf, enable and start it. Apparently you can’t bind avahi-daemon to specific interfaces, so it’ll listen on all…

Configs below are from OpenBSD 7.4 with PF logging enabled.

/etc/avahi/avahi-daemon.conf

[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=vlan418,vlan93
ratelimit-interval-usec=1000000
ratelimit-burst=1000
[wide-area]
enable-wide-area=yes
[publish]
publish-hinfo=no
publish-workstation=yes
[reflector]
enable-reflector=yes

/etc/pf.conf snippet

DEVICE_DIRIGERA="10.93.1.2" # IP of the Dirigera hub
VLAN_CLIENTS="vlan418" # Client network, where the app connects from.
VLAN_IKEA_IOT="vlan93" # Only necessary connectivity allowed

# Start with a complete block in and out
block log on $VLAN_IKEA_IOT

# Allow clients to only talk to port 8443
pass out log on $VLAN_IKEA_IOT inet proto tcp from $VLAN_CLIENTS:network to $DEVICE_DIRIGERA port 8443
# Access to local DNS
pass in log on $VLAN_IKEA_IOT inet proto udp from $VLAN_IKEA_IOT:network to 10.93.1.1 port 53
# Synchronize watches
pass in log on $VLAN_IKEA_IOT inet proto udp from $VLAN_IKEA_IOT:network to any port 123
# Firmware and whatever internet communication.
pass in log on $VLAN_IKEA_IOT inet proto tcp from $VLAN_IKEA_IOT:network to any port https
# Allow mDNS multicast in and out to the VLAN
pass log on $VLAN_IKEA_IOT inet proto udp from $VLAN_IKEA_IOT:network to 224.0.0.251 port 5353
# Let it fetch updates and allow you to connect over the internet to the hub if you have it enabled
pass out on egress inet from $VLAN_IKEA_IOT:network to any nat-to (egress)
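Once the ruleset is live, the pflog output is what tells you whether it is too tight or too loose. The script below is an added example, not part of the original post: it parses lines in the shape that `tcpdump -n -e -ttt -i pflog0` prints (the exact field layout is an assumption, and the sample lines are constructed), counts what the hub tried to reach that the default block rule dropped, and lists any client flows to the hub that passed on a port other than 8443.

```python
import re
from collections import Counter

# One-line pflog record as printed by tcpdump on OpenBSD. The layout is an
# assumption based on typical output; adjust the pattern if yours differs.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

DEVICE_DIRIGERA = "10.93.1.2"  # hub address, same as in the pf.conf snippet

def parse_pflog_line(line):
    """Return the interesting fields of a pflog line, or None if it does not match."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def blocked_hub_destinations(lines, hub=DEVICE_DIRIGERA):
    """Count (dst, dport) pairs the hub tried to reach that were blocked.
    Review this before loosening the ruleset: it is the traffic the hub wants
    that the current policy does not allow."""
    counts = Counter()
    for rec in map(parse_pflog_line, lines):
        if rec and rec["action"] == "block" and rec["src"] == hub:
            counts[(rec["dst"], rec["dport"])] += 1
    return counts

def unexpected_client_access(lines, hub=DEVICE_DIRIGERA, allowed_port=8443):
    """Passed flows to the hub on any port other than 8443; empty means the
    'clients only talk to 8443' rule is doing its job."""
    return [rec for rec in map(parse_pflog_line, lines)
            if rec and rec["action"] == "pass" and rec["dst"] == hub
            and rec["dport"] != allowed_port]

# Constructed sample lines in pflog tcpdump style (not real captures).
SAMPLE_LOG = """\
Nov 09 20:01:02.000001 rule 0/(match) block in on vlan93: 10.93.1.2.49152 > 8.8.8.8.53: udp 40
Nov 09 20:01:03.000002 rule 0/(match) block in on vlan93: 10.93.1.2.49153 > 8.8.8.8.53: udp 40
Nov 09 20:01:04.000003 rule 4/(match) pass in on vlan93: 10.93.1.2.33000 > 10.93.1.1.53: udp 45
Nov 09 20:01:05.000004 rule 0/(match) block in on vlan93: 10.93.1.2.40000 > 203.0.113.10.80: S 1:1(0) win 64240
Nov 09 20:01:06.000005 rule 3/(match) pass out on vlan93: 10.41.8.20.51000 > 10.93.1.2.8443: S 1:1(0) win 65535
Nov 09 20:01:07.000006 rule 0/(match) block out on vlan93: 10.41.8.20.51001 > 10.93.1.2.22: S 1:1(0) win 65535
""".splitlines()

if __name__ == "__main__":
    for (dst, port), n in blocked_hub_destinations(SAMPLE_LOG).most_common():
        print(f"hub -> {dst}:{port} blocked {n}x")
    print("unexpected client access:", unexpected_client_access(SAMPLE_LOG))
```

Feed it real output with `tcpdump -n -e -ttt -i pflog0 | python3 pflog_summary.py` style piping (reading `sys.stdin` instead of `SAMPLE_LOG`) to watch the hub's blocked destinations over time.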