Homey app stops working correctly after moving Homey to IoT VLAN

Yes it does.
I get exactly the same response as in your screenshot.

And if you leave out the 8.8.8.8 and use your own DNS?

Then it fails.
Timeout. Can’t find 192-168-100-92.homey.homeylocal.com: Server failed

Change your DNS to something that works for this, or disable DNS rebinding protection on your router.

Changing the DNS (from Ziggo standard DNS to 8.8.8.8) did the trick! :grinning: :+1:

The web app now starts without any errors, and the realtime feedback in the mobile app also works fine.
Thanks for the tips!!

But… for the learning part/usefulness for other Homey users: what exactly was the issue? :nerd_face:

  • If I understand correctly, the web app always connected externally because it didn’t get an internal IP address? (from the DNS server, right?)
  • But what about the mobile app? Any idea on how the DNS change affects the realtime feedback from Homey to the client?

Something that struck me was that with the new DNS the mobile app says it is locally connected and secured, whereas with the old DNS it only says ‘local’, without the ‘secured’. :roll_eyes:

And interestingly enough, I also got the mobile app working correctly this evening by disabling the Webfilter, Virus Blocker and Ad Blocker functionality of my Untangle router/firewall. So that had the same effect as using a different DNS.
How this ties together and what the issue with the mobile app was remains a mystery to me… :flushed:

My guess is that Athom has disabled realtime updates when the app cannot connect “secured locally”.

What you did to get it working is compromise your entire local network, by allowing external DNS servers to resolve hostnames to local-only IP addresses. This is an attack vector; that’s why properly configured routers will not allow it.

You mean the solution with the changed DNS (Google instead of Ziggo) or the solution with disabling the Webfilter, Virus Blocker and Ad Blocker functionality of my Untangle router/firewall?

I do not want my network to be vulnerable…

It’s a DNS-related protection, so I assume it’s the former.

To paraphrase Athom: “tough sh*t”.

Well… after some headache and analysis, I think I know what is going on now.

See my hypothesis below. Challenges welcome :blush:.

1. In the old situation (Homey and mobile app on the same VLAN)

Mobile app (on iPad)

  • The DNS request for 192-168-100-92.homey.homeylocal.com from the mobile app never resolved (apparently a Ziggo ISP feature, maybe DNS rebind protection);
  • The mobile app connects to the local address of Homey (in the same VLAN) over HTTP;
  • The mobile app works fine and its connection is ‘local’ (and not ‘local secured’).

Web app (https://my.homey.app/)

2. In the new situation (Homey and mobile app on different VLANs), still with the ISP DNS

Mobile app (on iPad)

  • The DNS request for 192-168-100-92.homey.homeylocal.com from the mobile app still cannot be resolved;
  • The mobile app can connect to the local address in the other VLAN over HTTP (so the connection is ‘local’ and not ‘local secured’; I see port 80 traffic happening);
  • But… since the traffic now flows through my router/firewall (because it is inter-VLAN traffic) it gets analyzed by apps, and somehow the return traffic gets blocked by these apps;
  • Bypassing three specific apps (i.e. Webfilter, Virus Blocker Lite and Ad Blocker) lets the traffic flow again and makes the app work fine.

Web app (https://my.homey.app/)

3. In the new situation (Homey and mobile app on different VLANs), but with Google DNS

Mobile app (on iPad)

  • DNS for 192-168-100-92.homey.homeylocal.com can be resolved;
  • The mobile app can connect to the local address in the other VLAN, but now apparently also over HTTPS (because of HTTPS the connection is now ‘local secured’, and I see port 443 traffic happening);
  • And… because the traffic is now encrypted, the router/firewall apps cannot analyze it anymore and thus also do not block it → everything works flawlessly.

Web app (https://my.homey.app/)

So now what?

Since I would rather not use Google DNS (because Google… :nerd_face:), I think situation 2, with the ISP DNS and the 3 apps bypassed, is the best solution for me.

Not having HTTPS on my internal traffic (from the main VLAN to IoT) should be acceptable, I guess.

Why the three router/firewall apps block the return traffic is still not clear to me, but I’ll accept that as a given…

For me: case closed!
Thanks for your help! :+1:

2 Likes
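A small check a reader can run against their own resolver to see which of the two cases discussed in this thread applies: the resolver filtering the private answer for the homeylocal name (the ‘Server failed’ timeout), or the private address coming through. This is an added example, not code from the thread or from Athom; it assumes the label before `.homey.homeylocal.com` is the Homey’s IPv4 address with dots replaced by dashes, as the `192-168-100-92` name above suggests.

```python
"""Report whether a resolver returns the private address that a Homey local
hostname encodes, or filters it (DNS rebinding protection). Added example,
not code from the thread or from Athom. Assumption: the label before
".homey.homeylocal.com" is the Homey's IPv4 address with dots replaced by
dashes, as in the thread (192-168-100-92 -> 192.168.100.92)."""
import ipaddress
import re
import socket
from typing import Optional

SUFFIX = ".homey.homeylocal.com"
_LABEL = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def embedded_ip(hostname: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address encoded in a homeylocal hostname, or None."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(SUFFIX):
        return None
    m = _LABEL.match(host[: -len(SUFFIX)])
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def classify(hostname: str, answers: list) -> str:
    """Compare a resolver's answers with the address the name encodes.
    'filtered': no answer (a rebind-protecting resolver answers SERVFAIL, the
    'Server failed' seen in the thread); 'expected': the encoded private
    address came back unchanged; 'unexpected': something else came back."""
    expected = embedded_ip(hostname)
    if expected is None:
        raise ValueError("not a homeylocal hostname: " + hostname)
    if not answers:
        return "filtered"
    got = {ipaddress.ip_address(a) for a in answers}
    return "expected" if got == {expected} else "unexpected"


def probe(hostname: str) -> str:
    """Live check against the system resolver (no answer -> 'filtered')."""
    try:
        answers = socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        answers = []
    return classify(hostname, answers)
```

Run `probe("192-168-100-92.homey.homeylocal.com")` once with the ISP resolver and once with the alternative resolver to see the two behaviours side by side; `classify` can be fed captured answers offline.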