Yes it does.
I get exactly the same response as in your screenprint.
And if you leave out the 8.8.8.8, using your own DNS?
Then it fails.
Timeout. Can’t find 192-168-100-92.homey.homeylocal.com: Server failed
Change your DNS to something that works for this or disable DNS rebinding protection from your Router.
Changing the DNS (from Ziggo standard DNS to 8.8.8.8) did the trick!
Both the webapp now starts without any errors and the realtime feedback in the mobile app also works fine.
Thanks for the tips!!
But… for the learning part/usefulness for other Homey users: what exactly was the issue?
- If I understand correctly the webapp always connected externally because it didn’t get an internal IP address? (from the DNS server right?)
- But what about the mobile app? Any idea on how the DNS change affects the realtime feedback from Homey to the client?
Something that struck me was that with the new DNS the mobile app says it is locally connected and secured, whereas with the old DNS it only says ‘local’, without the ‘secured’.
And interestingly enough I also got the mobile app working correctly this evening by disabling the Webfilter, Virusblocker and Ad-Blocker functionality of my Untangle router/firewall. So that had the same effect as using a different DNS.
How this ties together and what the issue with the mobile app was remains a mystery to me…
My guess is that Athom has disabled realtime updates when the app cannot connect “secured locally”.
What you did to get it working is compromise your entire local network, by allowing external DNS servers to resolve hostnames to local-only IP-addresses. This is an attack vector, that’s why properly configured routers will not allow it.
You mean the solution with the changed DNS (Google i.s.o. Ziggo) or the solution with disabling the Webfilter, Virusblocker and Ad-Blocker functionality of my Untangle router/firewall?
I do not want my network to be vulnerable….
It’s a DNS-related protection, so I assume it’s the former.
To paraphrase Athom: “tough sh*t”.
Well… after some headache and analysis, I think I know what is going on now.
See below my hypothesis. Challenges welcome.
1. In the old situation (Homey and mobile app on same vlan)
Mobile app (on iPad)
- DNS request for 192-168-100-92.homey.homeylocal.com from the mobile app never resolved (apparently a Ziggo ISP feature, maybe DNS rebind protection)
- Mobile app connects to local address of Homey (in same vlan) over http;
- Mobile app works fine and its connection is local (and not ‘Local secured’)
Web app (https://my.homey.app/)
- Web app always connects via external connection since 192-168-100-92.homey.homeylocal.com cannot be resolved
2. In the new situation (Homey and mobile app on different vlan) still with ISP DNS
Mobile app (on iPad)
- DNS request for 192-168-100-92.homey.homeylocal.com from the mobile app can still not be resolved;
- Mobile app can connect to local address in other vlan over http (so the connection is ‘local’ and not ‘local secured’; I see port 80 traffic happening)
- But… since the traffic now flows through my router/firewall (because inter-vlan traffic) it gets analyzed by apps and somehow the return traffic gets blocked by these apps;
- Bypassing three specific apps (i.e. Webfilter, VirusBlocker-Lite and Ad-Blocker) lets the traffic flow again and makes the app work fine.
Web app (https://my.homey.app/)
- Web app always connects via external connection since 192-168-100-92.homey.homeylocal.com cannot be resolved
3. In the new situation (Homey and mobile app on different vlan) but with Google DNS
Mobile app (on iPad)
- DNS for 192-168-100-92.homey.homeylocal.com can be resolved;
- Mobile app can connect to local address in other vlan but now apparently also over https (because of https the connection is now ‘local secured’ and I see port 443 traffic happening)
- And… because traffic is now encrypted the router/firewall apps cannot analyze it anymore and thus also do not block it → Everything works flawlessly
Web app (https://my.homey.app/)
- Web app also connects locally since 192-168-100-92.homey.homeylocal.com can now be resolved
So now what?
Since I would rather not use Google DNS (because Google…) I think situation 2 with the ISP DNS and the 3 apps bypassed is the best solution for me.
Not having https on my internal traffic (from main vlan to IoT) should be acceptable I guess.
Why the three router/firewall apps block the return traffic is still not clear to me but I’ll accept that as a given…
For me : case closed!
Thanks for your help!
I know this is an old post but in planning my setup I came across your discussion. Do you still have your setup this way? As I understand it, your newer setup is not really local. All traffic between your 2 networks actually goes via the interweb then back. It’s an issue I have with using an IoT network, having the controlling device not on the same network as Homey and friends.
This 2023 article for TPLink explains their implementation… and in order to have my controllers (wall tablets, phone etc.) able to control locally, I am planning to isolate IoT players not really part of my smarthome, and keep everything on the main net. This allows them all to work locally. The risk added: I’ll have to trust the TPLink security monitoring tools to hopefully trap any bad players. (I also try to only buy smart devices from reputable sources, and most are Zigbee/Zwave to ensure they stay local; Matter may change that.)
Let me know if you’ve changed since your last conclusion.
Hi, this has been quite a while ago…
I checked my config but I think later on I ended up creating a static DNS entry in my router from 192.168.100.92.homey.homeylocal.com to 192.168.100.92.
I do not see any DNS overwrite in my DHCP server anymore so everything is back to standard I think.
And it still works.
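
Added example, not part of the thread and not Athom's or any router vendor's code: a small model of the DNS rebinding filter discussed above, comparing a strict filter with one that makes an exception only for `homey.homeylocal.com` and only when the answer equals the address encoded in the name. The function names, the exception list and the sample answers are constructed for illustration.

```python
import ipaddress
import re

# Name shape seen in the thread: dashed IPv4 + ".homey.homeylocal.com"
HOMEY_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.homey\.homeylocal\.com$")

def embedded_ip(name):
    """Return the IPv4 address encoded in the hostname, or None."""
    m = HOMEY_RE.match(name.rstrip(".").lower())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:
        return None

def filter_answer(name, answer, allow_suffixes=()):
    """Model of a rebind filter: decide whether an upstream A record is passed on."""
    ip = ipaddress.ip_address(answer)
    if not (ip.is_private or ip.is_loopback or ip.is_link_local):
        return ("pass", "public address")
    host = name.rstrip(".").lower()
    if not any(host == s or host.endswith("." + s) for s in allow_suffixes):
        return ("drop", "private address from upstream")
    # Even for an excepted domain, accept only the address the name itself encodes.
    if embedded_ip(host) != ip:
        return ("drop", "answer does not match address in name")
    return ("pass", "excepted domain, answer matches name")

# Constructed sample answers (name, A record); not captured traffic.
SAMPLES = [
    ("192-168-100-92.homey.homeylocal.com", "192.168.100.92"),
    ("192-168-100-92.homey.homeylocal.com", "192.168.100.1"),
    ("cdn.example.net", "192.168.100.1"),
    ("dns.google", "8.8.8.8"),
]

def run(allow_suffixes):
    """Verdicts for the samples under a given exception list."""
    return [filter_answer(n, a, allow_suffixes)[0] for n, a in SAMPLES]

if __name__ == "__main__":
    for label, allow in (("strict", ()), ("scoped", ("homey.homeylocal.com",))):
        print(label, run(allow))
```

With the scoped exception only the first sample changes from drop to pass; private answers for any other name are still filtered. On dnsmasq-based routers the per-domain part of this corresponds to the `rebind-domain-ok` option.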