When it comes to managing a secure smart home network, certain devices have access to the internet, but don't necessarily need it. For example, if you use the Apple HomeKit standard, the HomePods and Apple TV units manage the secure remote access and only in some edge cases do the standalone smart devices need internet access themselves. Case in point is the IKEA TRÅDFRI Gateway.

In my setup, the HomePod and Apple TV devices are on my main devices VLAN and the TRÅDFRI is on my NoT VLAN, which has no access to the wider internet, or any other VLANs. The only thing it can do is communicate using mDNS to my HomePods or Apple TVs. This means the IKEA app won't be able to manage them, but we aren't losing any other functionality in doing this.

How to block the IKEA TRÅDFRI Gateway from using the internet

To be able to block the the TRÅDFRI, you'll need to do a few things:

• Set a static IP address on the TRÅDFRI
• Set custom firewall rules to block the TRÅDFRI from WAN
• Test to see if it is working

Set a static IP address on the TRÅDFRI

First thing to do is set a static IP address on the TRÅDFRI, this will stop the IP from changing and the firewall rules from breaking. To do this, find the device in the clients list within UniFi. If you can't find it, look for a device from vendor 'Murata Manufacturing Co., Ltd.' and you should find it. Once you click 'Fixed IP address' it'll reuse the one it obtained from DHCP.

Set custom firewall rules to block the TRÅDFRI from WAN

Next, if you already have a secure NoT network setup within UniFi, this can be skipped but in short the VLAN that the TRÅDFRI is going to be on needs to have a rule that looks similar to this, blocking the VLAN from the WAN.

Sometimes, if you have issues with mDNS repeaters, you will need to block mDNS from the main VLAN too, in this instance this was required for it to work correctly. mDNS is on port 5353 so we need to make a rule that looks like the following.

DNS Port Group Setup

To setup the mDNS Port Group, you need to go to UniFi > Settings > Profiles > IP Groups then make a new port group with 5353 included.

Test to see if it is working

If the HomeKit functionality still works and the globe icon on the TRÅDFRI is flashing then everything is working as expected. The flashing globe indicates that the TRÅDFRI has no internet access, which is the intention.

HostiFi

HostiFi provides hosting for both Ubiquiti and TP-Link software-defined-networking (SDN) applications, with servers for UniFi, UISP and Omada. We also offer professional networking consulting, with HostiFi Pro.