I am struggling with a Homey & Homey App connectivity issue.
Hope this community might have some suggestions that point me in the right direction.
What is the problem?
For security reasons I have recently moved my Homey-Pro to my IoT VLAN. I did this by re-connecting Homey to a dedicated IoT SSID that is part of the IoT VLAN.
Devices with the Homey app (iPad and iPhone) stayed in the main network.
Result: Everything works fine (Homey app connects to Homey, status of all devices is shown etc).
Except… that the Homey app seems to be unable to receive updates from Homey that it did not request itself.
Examples:
I can turn on a light, the light will turn on, but the status in the app is not being updated (e.g. it stays off in the app).
I can add a device to my favourite devices (on top), but it doesn't show up in the favourites list.
During pairing of a new Fibaro Smart Plug I get the generic instruction, but the animation and feedback are missing (since I know what to do I can finish the process "blindly").
Only after I restart the Homey app are the correct statuses shown (e.g. the status of the lamp is correct, the favourite device is added on top and the newly paired device is visible).
So my conclusion is that all Homey generated updates do not reach the app, unless Homey explicitly asks for an update.
What did I already do?
Moving my iPad (with the Homey app) to the IoT VLAN solved the issue (so it has to do with connectivity). But that is not what I want. iPad and Homey should be separated in different VLANs.
Connecting from Athom cloud (= from outside) also solved the issue, but that is also not what I want. I want to be able to have a local connection if I am at home (and I cannot enforce only using the external connection even if I wanted to).
I allowed connectivity on port 80 and 443 from IoT VLAN to Main network in my firewall but that didn't help (during analysis I have not even seen any connection being set up from Homey → App).
Tried some different Wireless Network settings in the Unifi Console (such as "Enable multicast enhancement (IGMPv3)" or "Remaps ARP table for station"), but nothing seems to change the situation.
My setup
Ubiquiti Unifi setup with APs and Cloudkey
Untangle router/firewall
Homey Pro in IoT VLAN and iPad with Homey app in main network VLAN;
"Allow all" firewall rule from main network → IoT
Block all from IoT → Main network (but I experimented unsuccessfully with various allow rules);
My question for help
Any clue what I am doing wrong or what I should do to make the app work properly again?
I guess I am not the only one running Homey in a separate VLAN.
Hello,
You wrote: [quote="Merpster, post:1, topic:58977"]
I allowed connectivity on port 80 and 443 from IoT VLAN to Main network in my firewall but that didn't help (during analyses I have not even seen any connection being setup from
[/quote]
You must allow traffic from your Main network to your IoT network. Just think: how do I access my Homey, not how will Homey access me (which is what you did).
Good luck! (Also start with ICMP open so you can use the ping command to test whether your rules and routing are OK.)
What if you temporarily allow all and sniff traffic first?
Like when you operate / pair the fibaro and Homey should show an updated status.
Somehow you'll have to discover which ports are used (or ask around in here).
Hi Robert, yes, it does. Everything works fine. Just like when I connect with the standard "classic" Homey app, but using the external route i.s.o. the local connection.
I think I do not understand what you mean.
Do you mean https://tools.developer.homey.app/ ?
If so, how could I find info there on how the "classic" Homey app connects to my Homey?
No, all modern browsers have developer tools where you can see (amongst other things) which network connections a web page is using.
The web app (and also the "classic" app, by which I assume you mean the mobile app?) first tries to connect to https://A-B-C-D.homey.homeylocal.com, where A-B-C-D are the octets of your Homey's local IP address (so if your Homey is at 192.168.1.10, it will try and connect to https://192-168-1-10.homey.homeylocal.com).
You can start by checking if that hostname leads anywhere in your network, by opening the URL in a browser for instance.
Hi Robert, maybe I have not described my issue clear enough, but making connection to my Homey is not the issue.
In all cases - with "classic" mobile app with external and direct internal connection as well as with the new online app (don't know how you can see whether it is using the direct internal connection or the external connection) - this works fine.
The issue seems to be in the realtime Homey generated feedback (like updating the status of a lamp in the Devices overview) in the situation with "classic" mobile app and a local connection.
How do you think that analysing the browser data will tell me why this is not working? Thanks for your clarification!
Yes it works in the webapp (https://my.homey.app/), but my guess is that it works because it always connects via Internet and not locally. (Is there a way to check how it connects?)
If I use the "classic" mobile app on my iPhone via internet (just put it on 4G) it also works fine.
The issue with return traffic starts when using the "classic" app locally and my iPhone ends up in a different VLAN than the Homey.
When Homey talks to a device, it's OK. It will do a request/response through the firewall.
When a device sends an update it gets blocked in the firewall.
The only way to solve this is by whitelisting the devices you want to communicate with homey.
So a simple block all outgoing of IoT VLAN will not work. It should be: block all except devicea:port, deviceb:port, etc.
Hi FSW, thanks for suggestion!
The weird thing is however that even without any firewall rules between the IoT and main VLAN it still doesn't work. So it is not purely firewall rule related.
I am currently trying to find out how the realtime traffic from Homey back to the mobile app actually works.
I guess it is more than just Homey replying to a request that the mobile app has done. Especially since you can have multiple mobile apps that all receive the same realtime updates.
As I found out that my router/firewall (Untangle) does not support mDNS, my suspicion currently goes out to a broadcast/multicast type of issue.
It doesn't really make sense that my.homey.app (including realtime updates) is working but the mobile app isn't, though. Websockets use the same HTTP(S) server on Homey, and when I run the Homey app on my Mac I can see realtime updates being transmitted over the HTTPS connection from Homey back to my Mac.
When I start the my.homey.app with Chrome developer tools on, I see the following messages in the console tab.
(192.168.100.92 is the IP address of Homey in the IoT VLAN)
So I think the my.homey.app connects via internet since it fails to find something inside, explaining why it behaves differently than the mobile app.
Weird thing is that it also does this when all firewall rules are off.
(BTW the IP address looks weird to me: dashes i.s.o. dots)
Does your router (or the machine that is handling your local DNS) have DNS rebinding protection enabled? Athom's method of providing "secure" local access depends on that protection being disabled (ironically making your local network less secure, but I've given up on trying to explain this to Athom).
Also, it looks like Athom's nameserver that handles homeylocal.com is something home made; whenever you send it a query that is not simply an A record, it times out
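
The two points raised in the replies above (the dashed `A-B-C-D.homey.homeylocal.com` name and DNS rebinding protection) can be checked from any client with a short script. This is an added example, not part of the original thread and not Athom's code; the function names and verdict strings are made up for illustration.

```python
import ipaddress
import socket

SUFFIX = "homey.homeylocal.com"  # suffix quoted in the thread

def local_hostname(ip):
    """Map 192.168.1.10 to 192-168-1-10.homey.homeylocal.com."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return str(addr).replace(".", "-") + "." + SUFFIX

def system_resolver(name):
    """IPv4 answers from the OS resolver, or [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def diagnose(ip, resolver=system_resolver):
    """Return (hostname, verdict) for the name the app would try first."""
    name = local_hostname(ip)
    answers = resolver(name)
    if not answers:
        # Consistent with a resolver dropping private-address answers
        # (rebinding protection); other DNS failures look the same.
        return name, "no-answer"
    if str(ipaddress.IPv4Address(ip)) in answers:
        return name, "ok"
    return name, "mismatch"

if __name__ == "__main__":
    # 192.168.100.92 is the Homey address mentioned in the thread.
    print(diagnose("192.168.100.92"))
```

Run it on a client in each VLAN: `ok` on one side and `no-answer` on the other points at the resolver that side uses rather than at firewall rules. Where the local resolver supports per-domain exemptions (dnsmasq `rebind-domain-ok`, Unbound `private-domain`), exempting only this domain keeps rebinding protection on for every other name.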