Lutron Caseta and Apple home/Siri issues after installation of Sophos home

Hi,

you have to many rules with all services allowed. You do not rule 11, any of the applications you have with that rule will initiate the traffic so that will come in via the outgoing rule.

I need to study your rules in more detail to see what else I can assist with.

Ian

Thank you. i've disabled rule 11.

I appreciate any advice in configuring the services

'Enable routing on this bridge pair' >> If you have this enabled, it means that the bridge will in participate in routing else traffic will be forwarded based on MAC learning. Depending on how Siri's Home kit works; it may need your devices to be on the same broadcast domain (so no routing).  Try turning off the routing on the bridge and report back.

P.S - You can turn off the invalid traffic loggging in the System Services >> Log Settings.

AB5g said:

'Enable routing on this bridge pair' >> If you have this enabled, it means that the bridge will in participate in routing else traffic will be forwarded based on MAC learning. Depending on how Siri's Home kit works; it may need your devices to be on the same broadcast domain (so no routing).  Try turning off the routing on the bridge and report back.

P.S - You can turn off the invalid traffic loggging in the System Services >> Log Settings.

 

Hi AB, I disabled routing as suggested, but the problem still intermittently occurs.

I've found that HTTP scanning causes issues with some of my devices. Creating a rule which excludes the Apple Home and any other smart devices may help

kieran90 said:

I've found that HTTP scanning causes issues with some of my devices. Creating a rule which excludes the Apple Home and any other smart devices may help

 

Thanks, i'll try this now. I had disabled HTTP scanning for testing purposes but it didn't seem to help. I'll report back

I am sorry, I don't have an exact answer for you but here are some pointers. Apple Homekit relies on Bonjour for device discovery. Bonjour in turn replies on relies on mDNS which is a multicast service. Typically, if you have a bridge interface, multicast packets should flow without interruption.  I would suggest the following approach 

1. Use a bonjour browser to see if device discovery is working
2. Reboot the firewall after you disable the routing on this bridge pair. Reboot the devices too. 
3. Try using an external switch for bridging (if you have one) instead of the firewall ports.
4. Add a LAN to LAN firewall route enable everything. Place on top.

Under Routing>> Static routing >> Enable Multicast forwarding (you wouldn't need this in a bridge but well let's give it a try). I have a Synology NAS sitting on a different VLAN and I use this along with a static route to enable DLNA discovery across VLAN's. I know its not applicable for your scenario but try enabling the Multicast forwarding without a route and see if this works. 

This is my NAS (11.11 on VLAN 11) broadcasting DLNA to my main subnet.

I am sorry, I don't have an exact answer for you but here are some pointers. Apple Homekit relies on Bonjour for device discovery. Bonjour in turn replies on relies on mDNS which is a multicast service. Typically, if you have a bridge interface, multicast packets should flow without interruption.  I would suggest the following approach 

1. Use a bonjour browser to see if device discovery is working
2. Reboot the firewall after you disable the routing on this bridge pair. Reboot the devices too. 
3. Try using an external switch for bridging (if you have one) instead of the firewall ports.
4. Add a LAN to LAN firewall route enable everything. Place on top.

Under Routing>> Static routing >> Enable Multicast forwarding (you wouldn't need this in a bridge but well let's give it a try). I have a Synology NAS sitting on a different VLAN and I use this along with a static route to enable DLNA discovery across VLAN's. I know its not applicable for your scenario but try enabling the Multicast forwarding without a route and see if this works. 

This is my NAS (11.11 on VLAN 11) broadcasting DLNA to my main subnet.

Thanks for this detailed Step by Step, it's helping me learn. I already had Enable Multicast Forwarding enabled fortunately (great thought on your part).

For each step:

1. I loaded the Bonjour browser, and next time Siri is not responding to the Lutron system, I will check it. Currently it displays as working as does apple home kit (this browser is great! I can see the ports!) What I am seeing though, is all the devices have IPv6, which.. I don't recall ever enabling. Wondering if I need to?
2. I'll perform the reboots this evening
3. I have an external switch, the reason I bridged port1 to port3 is because I have the Sophos AP55c and wanted them on the same subnet. Do you recommend a different way to configure that?
4. I have the LAN > LAN rule which I have enabled any > any. I moved it to the top (I didn't have it there). (that actually was a life saver already for some devices)

Note: I have a Synology NAS as well, and may have to replicate your configuration

For #3

I had the bridge setup on the firewall, same as your setup when i realized that i cannot add another VLAN to the bridged ports.

I have an ubiquity AP that provides different SSID’s and each SSID is mapped to a VLAN. If i bridge the AP uplink to the LAN port on the firewall, then the bridge cannot take the VLAN’s ( Sophos may add this feature later).

To prevent this, i use the switch. The uplink from the switch to the firewall is a trunk port.  So SSID ‘a’ is untagged SSID ‘b’ is tagged vlan’21’. Lan ports on the firewall are untagged.

#4 - Well, you shoudn’t need that rule there but well if it works for you :)

AB5g said:

For #3

I had the bridge setup on the firewall, same as your setup when i realized that i cannot add another VLAN to the bridged ports.

I have an ubiquity AP that provides different SSID’s and each SSID is mapped to a VLAN. If i bridge the AP uplink to the LAN port on the firewall, then the bridge cannot take the VLAN’s ( Sophos may add this feature later).

To prevent this, i use the switch. The uplink from the switch to the firewall is a trunk port.  So SSID ‘a’ is untagged SSID ‘b’ is tagged vlan’21’. Lan ports on the firewall are untagged.

#4 - Well, you shoudn’t need that rule there but well if it works for you :)

 

Hi AB5g,

the issue still persists. I have noticed that since I made the changes, sometimes it will work, but it's a delayed reaction. Is there anything you suggest I do directly with the Lutron bridge? It's hardwired into my switch which then goes to Port 1 on the bridge.

I have considered unbridging ports 1 and 3 (wifi), but will all the apple devices communicate properly back to the bridge on a different IP range? seeing as ports 1 & 3 would have to be something along the lines of:

172.16.10.1 and 172.16.11.1?

Is your Lutron bridge on the same local network as your Apple devices? In other words, are they separated by a different subnet or VLAN? If so, try putting everything on the same subnet or VLAN. Do you have a network diagram of your setup?

As a side note, realize Bonjour MDNS will not broadcast across networks/subnets/VLAN. It doesn't sound like device discovery is your issue so I don't think this is your problem, but I spent a lot of time trying to get Bonjour working across a different VLAN with Sophos XG and it's not possible without a separate device that acts as a Bonjour reflector. Multicast Forwarding in Sophos XG does not work for Bonjour.

shred said:

Is your Lutron bridge on the same local network as your Apple devices? In other words, are they separated by a different subnet or VLAN? If so, try putting everything on the same subnet or VLAN. Do you have a network diagram of your setup?

As a side note, realize Bonjour MDNS will not broadcast across networks/subnets/VLAN. It doesn't sound like device discovery is your issue so I don't think this is your problem, but I spent a lot of time trying to get Bonjour working across a different VLAN with Sophos XG and it's not possible without a separate device that acts as a Bonjour reflector. Multicast Forwarding in Sophos XG does not work for Bonjour.

 

Hi Shred,

My Lutron bridge is on the same local network as my Apple Devices. I have a Sophos WAP on one port, and the Lan on another port. Both ports are bridged together. I tried actually building a Bonjour reflector, which seemed to work.. Except, my apple devices started showing up in duplicate. For example, my MacBookAir changed to MacBookAir(2) and (3) and so on. In fact, so did my apple home pod.

Any thoughts?

shred said:

Is your Lutron bridge on the same local network as your Apple devices? In other words, are they separated by a different subnet or VLAN? If so, try putting everything on the same subnet or VLAN. Do you have a network diagram of your setup?

As a side note, realize Bonjour MDNS will not broadcast across networks/subnets/VLAN. It doesn't sound like device discovery is your issue so I don't think this is your problem, but I spent a lot of time trying to get Bonjour working across a different VLAN with Sophos XG and it's not possible without a separate device that acts as a Bonjour reflector. Multicast Forwarding in Sophos XG does not work for Bonjour.

 

Hi Shred,

My Lutron bridge is on the same local network as my Apple Devices. I have a Sophos WAP on one port, and the Lan on another port. Both ports are bridged together. I tried actually building a Bonjour reflector, which seemed to work.. Except, my apple devices started showing up in duplicate. For example, my MacBookAir changed to MacBookAir(2) and (3) and so on. In fact, so did my apple home pod.

Any thoughts?