Network port and URL used by Homey to access Insight through firewall

Hi all,
I’m looking for the list of ports and URLs used by Homey to pass through a firewall to go to the Internet.
I have a project to secure flows and connectivity from/to the Internet with Homey and I need to exclude URLs in my firewall.
For example, Insight is not working, but controlling Homey from the web is OK.
Something is wrong and I don’t see any relevant information in the firewall logs.

ex :
LAN > Homey > Firewall > Router > Internet = Insight FAIL
LAN > Firewall > Homey > Router > Internet = Insight OK

Thanks in advance.

But Insights is part of the web app? What is your browser’s developer console saying?

From Homey Insight, history is not recorded.
Below an example with values from “public” network and after changing wifi to a secured LAN :

Only the last entry is recorded without history.

Dev tools console extract :

What are the URLs for the working (white) and the non-working (red) preflight requests? It doesn’t really make sense that half seem to work and the other half don’t.

Sure, totally agree.
The white URL

The red URL :

I have no idea where to search.
It’s like the order to record data is not able to make the SET.

That’s the same URL, isn’t it? Also, the (regular) xhr request in the top screenshot also seems to be working as well (receiving 31K of data), so that doesn’t really make sense.

No other errors (the MaxListenersExceededWarning isn’t relevant) in console?

Also, any idea if your secured LAN setup prohibits external DNS’s from returning local network addresses? Because Homey relies on that “for safety” (to check, from inside your secured LAN network, try resolving the hostname 10-0-0-41.homey.homeylocal.com; if it fails, your LAN setup doesn’t allow such lookups, which may partially cause the problem).

The 2 URLs are the same.

And I confirm the host 10-0-0-41.homey.homeylocal.com is well resolved :

I have seen this :

Then :

An idea, I don’t know if any link :
https://docs.oracle.com/cd/E55956_01/doc.11123/user_guide/content/general_cors.html

The error mentions something about CORS. I don’t think this may have an impact.
Continuing my troubleshooting.

Ah, so not such a secured LAN after all :wink:

The ping request failing is probably the frontend trying to determine how to contact Homey, either through the cloud, through a secured (TLS) local connection, or through an unsecured (plain HTTP) local connection.

What I still don’t understand is that some of the entry requests are failing. Those are required for Insights to work.

Sure ! you unmasked me :slight_smile:

Anyway, I have tried with another browser (currently using Edge, and tested with Firefox), same behavior.

If it can help, my secure solution is a Sophos XG. I’m pretty sure it’s this appliance which is causing the issue, but I don’t see any log or anything related to this issue which explains why only the last Insight entry is recorded and not the history.

The URLs that you need to allow are the ones you’ve already shown (the one starting with 10-10- and the one in the connect.athom.com domain).

I have tried to exclude these URLs from any inspection/security, no success …
Thanks @robertklep for your help.
I will contact Athom support to try if they have another idea about this point.
If I have any new elements I will post here.
I hope you or another person reading this post can help me.

Regards.

@robertklep do you think the broadcast address may have an impact ?

No, that’s used for device discovery (Homey periodically performs a broadcast ping to fill its ARP table).

Coming back with good news :slight_smile:

First, I have replaced my current router (Sophos XG) with another one (Fortigate 30E).
Same behavior.
So this means the root cause is not the router, but something else in the network.
I have only 2 other network appliances plugged into my network, the switch and a Pi-Hole (10.0.0.249).

My eyes went to the Pi-Hole, and after forcing the resolution of the name to point to the Pi-Hole, my previous tests were not good (DNS result with good value) because my DNS resolution is forwarded to other servers and the name resolution from Pi-Hole was wrong :


My bad, the previous test was not relevant.

This is very strange because the Pi-Hole entry is good:
But the associated resolution was wrong … WHAT THE H*** ???

So I deleted and recreated the DNS entry in the Pi-Hole, and after a flushdns cmd and a reboot of Homey, the resolution is ok :

After that, all is working like a charm and Insight came back.

To conclude, I confirm that 10-0-0-41.homey.homeylocal.com must work and point to Homey.
Thank you very much @robertklep for your help and for your time. Your focus on homeylocal url was the good resolution path, and I assume that my network environment is not “classic”, so I understand it can be difficult to troubleshoot.

My case may serve others. I share my resolution for people in case of the same or similar behavior.

Regards.
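
The check that resolved this thread, as an added example that is not part of any poster's message: ask a specific resolver (here the Pi-Hole at 10.0.0.249 from the thread) for the homeylocal name and compare the answer with the address the name stands for. It hand-builds the DNS query so the system resolver and its forwarders are bypassed, and it assumes the first label of the hostname is Homey's LAN IPv4 address with dashes instead of dots; the function names are hypothetical.

```python
import ipaddress, secrets, socket, struct, sys

def expected_ip(hostname):
    # Assumption: the first label is the LAN IPv4 address with dashes for dots.
    return str(ipaddress.IPv4Address(hostname.split(".")[0].replace("-", ".")))

def build_query(hostname, txid):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # compression pointer: 2 bytes, root label: 1

def parse_a_records(msg):
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def ask(resolver, hostname, timeout=2.0):
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))  # only accept replies from this resolver
        s.send(build_query(hostname, txid))
        reply = s.recv(4096)
    if len(reply) < 12 or reply[:2] != struct.pack(">H", txid):
        raise ValueError("unexpected DNS reply")
    return parse_a_records(reply)

def verdict(hostname, answers):
    want = expected_ip(hostname)
    return "OK" if set(answers) == {want} else f"MISMATCH: want {want}, got {answers or 'no A record'}"

if __name__ == "__main__":
    host = "10-0-0-41.homey.homeylocal.com"  # hostname from the thread
    for resolver in sys.argv[1:] or ["10.0.0.249"]:  # Pi-Hole address from the thread
        print(resolver, verdict(host, ask(resolver, host)))
```

Passing several resolver addresses on the command line (the local filter and the upstream it forwards to) shows which hop returns the wrong record.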
