Homey app stops working correctly after moving Homey to IoT VLAN

Hi All,

I am struggling with a Homey & Homey App connectivity issue.
Hope this community might have some suggestions that point me in the right direction.

What is the problem?
For security reasons I have recently moved my Homey-Pro to my IoT VLAN. I did this by re-connecting Homey to a dedicated IoT SSID that is part of the IoT VLAN.
Devices with the Homey app (iPad and iPhone) stayed in the main network.

Result: Everything works fine (Homey app connects to Homey, status of all devices is shown etc).
Except… that the Homey app seems to be unable to receive updates from Homey that it did not request itself.
Examples:

  • I can turn on a light, the light will turn on, but the status in the app is not being updated (e.g. it stays off in the app)
  • I can add a device to my favourite devices (on top), but it doesn’t show up in the favourites list.
  • During pairing of a new Fibaro Smart Plug I get the generic instruction, but the animation and feedback is missing (since I know what to do I can finish the process ‘blindly’)

Only after I restart the Homey app, the correct statuses are shown (e.g. status lamp is correct, favourite device is added on top and newly paired device is visible)

So my conclusion is that all Homey generated updates do not reach the app, unless Homey explicitly asks for an update.

What did I already do?

  • Moving my iPad (with the Homey app) to the IoT VLAN solved the issue (so it has to do with connectivity). But that is not what I want. iPad and Homey should be separated in different VLANs.
  • Connecting from Athom cloud (= from outside) also solved the issue, but that is also not what I want. I want to be able to have a local connection if I am at home (and I cannot enforce only using the external connection even if I wanted to)
  • I allowed connectivity on port 80 and 443 from IoT VLAN to Main network in my firewall but that didn’t help (during analysis I have not even seen any connection being set up from Homey → App)
  • Tried some different Wireless Network settings in the Unifi Console (such as ‘Enable multicast enhancement (IGMPv3)’ or ‘Remap ARP table for station’), but nothing seems to change the situation

My setup

  • Ubiquiti Unifi setup with APs and Cloudkey
  • Untangle router/firewall
  • Homey Pro in IoT VLAN and iPad with Homey app in main network VLAN;
  • “Allow all” firewall rule from main network → IoT
  • Block all from IoT → Main network (but I experimented unsuccessfully with various allow rules);

My question for help
Any clue what I am doing wrong or what I should do to make the app work properly again?
I guess I am not the only one running Homey in a separate VLAN.

Thanks a lot for your thoughts! :+1:


Hello,
You wrote: [quote=“Merpster, post:1, topic:58977”]
I allowed connectivity on port 80 and 443 from IoT VLAN to Main network in my firewall but that didn’t help (during analyses I have not even seen any connection being setup from
[/quote]

You must allow traffic from your Main network to your IoT network. Just think: how do I access my Homey? Not how will Homey access me (what you did).

Success (start also with open ICMP to use the ping command, so you can test if your rules and routing are ok).

Hi Johan, traffic from main network to IoT is fully open.

See above:

  • “Allow all” firewall rule from main network → IoT

After all my app is perfectly fine to find and connect to the Homey (and ping indeed works fine)
So that should not be the issue.

What if you temporarily allow all and sniff traffic first?
Like when you operate / pair the fibaro and Homey should show an updated status.
Somehow you’ll have to discover which ports are used (or ask around in here).

I did but that didn’t change anything.

As far as I can see, the only thing is a connection being setup from iPad (app) to Homey on port 80.
No separated traffic back or anything like that.

Indeed I hope somebody knows in more depth how connectivity between app and Homey works.
Thanks for your thoughts! :+1:

Does https://my.homey.app work? If so, you can check the browser’s developer tools to see how it communicates.

Hi Robert, yes, it does. Everything works fine. Just like when I connect with the standard ‘classic’ Homey app, but using the external route i.s.o. the local connection.

I think I do not understand what you mean.
Do you mean https://tools.developer.homey.app/ ?
If so, how could I find info there on how the ‘classic’ Homey app connects to my Homey?

Thanks for thinking with me! :+1:

No, all modern browsers have developer tools where you can see (amongst other things) which network connections a web page is using.

The web app (and also the “classic” app, by which I assume you mean the mobile app?) first tries to connect to https://A-B-C-D.homey.homeylocal.com, where A-B-C-D are the octets of your Homey’s local IP address (so if your Homey is at 192.168.1.10, it will try and connect to https://192-168-1-10.homey.homeylocal.com).

You can start by checking if that hostname leads anywhere in your network, by opening the URL in a browser for instance.


Hi Robert, maybe I have not described my issue clear enough, but making connection to my Homey is not the issue.
In all cases - with ‘classic’ mobile app with external and direct internal connection as well as with the new online app (don’t know how you can see whether it is using the direct internal connection or the external connection) - this works fine.

The issue seems to be in the realtime Homey generated feedback (like updating the status of a lamp in the Devices overview) in the situation with ‘classic’ mobile app and a local connection.

How do you think that analysing the browser data will tell me why this is not working? Thanks for your clarification!

Yes, but does this work in the web app or not?

The developer console may show errors, for example.

FWIW, both the mobile and the web apps use WebSocket connections to Homey for realtime updates.

Yes it works in the webapp (https://my.homey.app/), but my guess is that it works because it always connects via Internet and not locally ( Is there a way to check how it connects?)

If I use the ‘classic’ mobile app on my iPhone via internet (just put it on 4G) it also works fine.

The issue with return traffic starts when using the ‘classic’ app locally and my iPhone ends up in a different VLAN than the Homey.

Yes, with the aforementioned developer tools. It will connect locally if it can.

I understand the problem, but if you can’t debug the issue yourself it’s going to be very hard for people to help you.

Ok, I’ll do some reading/studying and see what I can find!
Thanks for the help so far! :pray:

When Homey talks to a device, it’s OK. It will do a request/response through the firewall.
When a device sends an update it gets blocked in the firewall.
The only way to solve this is by whitelisting the devices you want to communicate with Homey.

So a simple block all outgoing of IoT VLAN will not work. It should be: block all except device a:port → device b:port, etc.

Hi FSW, thanks for suggestion!
The weird thing is however that even without any firewall rules between the IoT and main VLAN it still doesn’t work. So it is not purely firewall rule related.

I am currently trying to find out how the realtime traffic from Homey back to the mobile app actually works.

I guess it is more than just Homey replying on a request that the mobile app has done. Especially since you can have multiple mobile apps that all receive the same realtime updates.

As I found out that my router/firewall (Untangle) does not support mDNS, my suspicion currently goes out to a broadcast/multicast type of issue.

Maybe this is of any use, Homey uses websocket connections for realtime updates.

It doesn’t really make sense that my.homey.app (including realtime updates) is working but the mobile app isn’t, though. Websockets use the same HTTP(S) server on Homey, and when I run the Homey app on my Mac I can see realtime updates being transmitted over the HTTPS connection from Homey back to my Mac.

When I start the my.homey.app with Chrome developer tools on, I see the following messages in the console tab.
(192.168.100.92 is the IP address of Homey in the IoT VLAN)

So I think the my.homey.app connects via internet since it fails to find something inside, explaining why it behaves differently than the mobile app.
Weird thing is that it also does this when all firewall rules are off.
(BTW the IP address looks weird to me: dashes i.s.o. dots)

Check your DNS

nslookup 192-168-100-92.homey.homeylocal.com

It should resolve to an IP from that DNS

Does your router (or the machine that is handling your local DNS) have DNS rebinding protection enabled? Athom’s method of providing “secure” local access depends on that protection being disabled (ironically making your local network less secure, but I’ve given up on trying to explain this to Athom).

Also, it looks like Athom’s nameserver that handles homeylocal.com is something home made; whenever you send it a query that is not simply an A record, it times out :roll_eyes:
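An added check (example code, not from this thread, Athom or the Homey apps) for the hostname scheme Robert describes and the DNS rebinding point above: it builds the homeylocal.com name from Homey’s local IP, recovers the address the name is supposed to resolve to, and classifies what a resolver actually returns. The IP 192.168.100.92 is the one from the thread; the answer lists in the offline checks are constructed, and the label "rebind-protected" for an empty answer is my assumption (a resolver with rebinding protection drops public names that answer with private addresses).

```python
import ipaddress
import socket

DOMAIN = "homey.homeylocal.com"


def homeylocal_hostname(local_ip: str) -> str:
    """Name the Homey app tries first: the IPv4 octets joined by dashes."""
    ip = ipaddress.IPv4Address(local_ip)  # raises on a malformed address
    return str(ip).replace(".", "-") + "." + DOMAIN


def expected_ip(hostname: str) -> str:
    """Recover the IP embedded in an A-B-C-D.homey.homeylocal.com name."""
    label, rest = hostname.split(".", 1)
    if rest != DOMAIN:
        raise ValueError("not a homeylocal.com hostname: " + hostname)
    return str(ipaddress.IPv4Address(label.replace("-", ".")))


def classify(hostname: str, answers: list[str]) -> str:
    """Compare the resolver's A records with the IP the name encodes.

    "ok"               -> exactly the embedded private address came back
    "rebind-protected" -> no answer (assumption: a rebinding filter dropped
                          the private answer, or the lookup failed outright)
    "unexpected"       -> some other address: investigate the resolver path
    """
    want = expected_ip(hostname)
    if not answers:
        return "rebind-protected"
    if answers == [want] and ipaddress.IPv4Address(want).is_private:
        return "ok"
    return "unexpected"


def resolve(hostname: str) -> list[str]:
    """Live lookup through the system resolver (not used by the offline checks).

    AF_INET restricts this to A queries, since the thread reports that
    Athom's nameserver times out on anything other than an A record.
    """
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    host = homeylocal_hostname("192.168.100.92")
    print(host, classify(host, resolve(host)))
```

If the live lookup comes back "rebind-protected", the narrower fix is to exempt only homeylocal.com from the resolver’s rebinding protection (dnsmasq, for instance, has `rebind-domain-ok=/homeylocal.com/`) rather than switching the protection off for every name.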