Is that to force purchase of remote hub access?
No it was done for security. You can set up your own VPN to do admin negating the need for the Remote Admin sub. Remote admin is for those not interested in setting up a VPN. You can also do a reverse proxy to give you access. Again negating the need for the Remote admin sub.
3 Likes
I believe this came about as so many people were just exposing their Hubitat to the internet at large that it was becoming a huge security issue. And these hubs weren't even secured with a password in most cases. Even after Hubitat staff practically begged people to look at their hubs and fix the problem, people just didn't do anything.
In the end it was apparent that users can't be trusted to set things up properly, so Hubitat had to make the decision to close things off to prevent being known for lax security.
1 Like
Nope. Too many instances of users compromising themselves by exposing their hubs to the internet via port forwarding.
3 Likes
I keep IOT things like the hub, Fire tv, guests etc on their own subnet for security so they can't compromise my pc' and server if they go rouge. My network spans 2 houses that are vpn connected (vpn endpoints have to be different subnets) and I need control from one to another.
I think this means the hub security change breaks my use.
As long as the subnet it's on routes to the network your PC is on and get get to the internet there should not be a problem. Do the endpoint config that @thebearmay specified and make sure that you don't have any rules blocking traffic from your primary network to the iot network. I assume both networks are running /24 and you're usinig vlan's?
/24 but physically seperate ports for subnets on the Netgate firewall which controls access between subnets. No vlans. My primary is allowed to talk to any subnet but the IOT subnet cannot initiate other than to the WAN.
I'll look into the endpoint config. I don't understand its function yet.
So port forwarding won't work with hubitat because being able to open holes like that to public ip's are a security nightmare. You could set up a reverse proxy on that subnet but that could be a pain. Much easier to spin off your iot subnet as a vlan and implement rules for communication with your primary lan. The only other option while you're getting that done is to get the remote admin subscription so you can loop back in from the cloud. This is obviously not ideal though.
Essentially it's setting allowable routes (filtering) to hubitat to talk to so that it will respond to calls not from it's own network.
AH! That makes sense. Thanks.
FWIW we only allow remote access using our own firewall's VPN. Trying to be secure. The firewall logs show a few probes a minute from various countries looking for access or whatever...
1 Like
Vpn works just dandy for remote access without the need for Remote Admin sub... That said, another solution to your problem may be adding a hairpin rule to your firewall. Essentially allowing you to go out then come back in via vpn to your external port from internally without creating a loop. So essentially you're just vpning from your segregated network to your public ip that gives the VPN access to the subnet that your iot devices are on. That should work given what info you've provided on your setup.
Note: Not all firewalls support hairpin..
Back at remote location on a different subnet over vpn on a wired AND WIFI PC having run the allowSubnets command and hub comunication works well. The issue seems to be in the Netgear WIFI wap (Note: it is not set to isolate WIFI users).
So, much progress! Thank you all.
3 Likes
This worked well for a couple of years with Hub Link but my new C-8 hub replacing the C-5 that failed doesn't seem to have Hub Link or the option to work with subnets. Is there another work around?
3 hubs. two on 192.168.0.0 and the third (C-8) on 192.168.1.0 (VPN linked to different building)
Netget firewalls PF sense linked.
On the two hubs on 192.168.0.0 try entering
http://<hubIpAddress>/hub/allowSubnets?192.168.1.0
on the other enter:
http://127.0.0.1/hub/allowSubnets?192.168.0.0
Then you should be able to utilize Hub Mesh to share devices.
I understood that hub mesh didn't work on subnets due to it using broadcast and now way to tell it about a paticular IP. I had tried the allow subnet command. Tried again with no luck. Any way to install link to hub on the C8?
HubConnect is still able to work across differing subnets.
I'd really suggest using HPM and HubConnect's ProBundles if you're going to try this path.
You'd select HubConnect Server and also HubConnect Drivers on your first hub, then select HubConnect Remote and also HubConnect Drivers on the second hub. Then, for each hub, in Apps, click Add User App and pick the HubConnect app.
Instructions and videos are found:
https://hubconnect.hubitatcommunity.com/
I have 6 hubs, 4 are "production" and 2 are "development". HubConnect is still my choice for connecting each set of hubs. I do use HubMesh between the two sets. I certainly don't need to set it up that way, but I was curious to give it a try.
I did the cloud backup from an old c7 restored it to the c8 and rebuilt my system with hub link now avaiable. Disabeld hub mesh. All now works.
1 Like
