I'm hoping someone can help me pin this problem down! Using a Synology router, I have the hub (C8 Elevation running the latest release) and IoT devices on one VLAN (192.168.3.x) and our main computers etc. on another (192.168.1.x). The hub has a static IP reserved on the router; the laptop I want to use to access the hub also has a static IP reserved. On the router, I've set up a firewall rule to allow the laptop to access the hub from the 1.x VLAN. Every time I try to connect to the web interface, it times out. No blocking events are reported on the router. So I'm wondering if there's a hub configuration item I'm missing, such that the hub only allows access from devices on its own VLAN or something. Can anyone point me in the right direction?
True.
Read this to start your journey towards spanning subnets:
It's 3 years old, so there's probably a 'recipe' spelled out in someone else's topic... I stopped looking at the first I found.
That endpoint should do it.
I'm not sure I understand the popularity of VLANs on Home Networks.
If you have 2000+ devices on a 'flat' network, subdividing the ARP domain does make sense. I am sure most of us have WAY too many devices on our home networks, but even 500 devices don't benefit significantly from a smaller ARP domain.
I hear "security" as a response to my query over the years, but it's been 20 years or so since VLAN hopping got added to 'script kiddie' tools, if I remember correctly. If you have a good VLAN setup, don't imagine I'm suggesting you tear it down. But if you're reading this before you build out a VLAN, give it another think.
For clarity on terminology: if you have isolated subnets with a firewall between them, that is a real LAN, not virtual. If you have a "firewall on a stick", where there's just one network cable (the stick), you've probably got a VLAN. VLANs usually exist on the same wire and you simply select which Tag to use in a specific device.
I just tore my network down and redesigned it for myself. A few reasons I did this. One, I was using an ASUS router as my gateway for my FIOS internet connection, firewall, and router (single point of failure). It rebooted nightly at 4am and occasionally caused issues on my network with the reboot. I was using my QNAP NAS for storage AND virtual containerized apps like Node-RED, InfluxDB, etc. I also work from home and have devices on my network from my work that could potentially spy on my home network. I wanted network isolation for my work devices so they'd be segmented from everything else. I wanted guest wifi access segmentation on my network, and isolation of my IOT devices. I also wanted 10Gb fiber runs between my switches. I also wanted to move away from containers on my NAS as a single point of failure and wanted a 3 node Proxmox virtual environment to run these devices, and wanted to move my firewall to its own device and get it off my ASUS wifi and just use the ASUS as a wifi access point, so if I needed to reboot it nightly, it was really only affecting my wife's and my phones and watches and a laptop or two. Everything else is hardwired in our house. I agree for the average person all this isn't really necessary, but I wanted redundancy, security, and speed internally. I have 5 different vlans but really only use three of them the most.
I am doing something similar to you.
I am using a Ubiquiti EdgeRouter X, and I have created two subnets, as you have described. Note that these are subnets, not VLANs.
After setting up the firewall rules, I have no problem connecting to my C8 while my computers are on either of the two subnets.
Are you able to connect to your other IOT devices? If your firewall rule looks the same as it does for the other devices, then try pinging the HE using its IP address, rather than by any device name you may be using, such as find.hubitat.com.
EDIT. In fact I think I only use a single rule that lets any device on my "PC" subnet access any device on the "IOT" network, but not vice versa. Because of this simple rule, I did not need to create a unique rule for the hubitat hub.
I also use UniFi equipment and found I had to create the reverse rule to allow the HE hubs to talk to users. This is likely your problem.
I think that would defeat the reason to have IOT devices isolated on a separate subnet. But yes, the rule should allow only "established" connections made to the IOT subnet, access back to the PC subnet.
But if the OP has access to his other IOT devices, then the rule must already be correct. I'm assuming he didn't write a different rule for each device.
Looks like I have some reading to do. Thanks!
Don't we all.... well me at least....
Well, I'm a big dumb-dumb. Network isolation was turned on with the mistaken belief that the firewall rules would punch through it, whereas the opposite is true. So once I'd properly configured the router, everything was hunky-dory. What gave it away? Zero hits on the firewall rules with access still failing. Should have been obvious but wasn't...to me. Thanks, everyone, for your suggestions!
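As an added illustration (not from this thread, and not Synology's or Ubiquiti's firmware logic), here is a toy Python model of the two points the thread settles on: the reverse rule should only admit replies to connections the PC subnet opened, and a network isolation setting that is evaluated before the rule table explains "zero hits on the firewall rules with access still failing". The ordering and the addresses are constructed assumptions for the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True = opening a new TCP connection

@dataclass
class Rule:
    src_net: str
    dst_net: str
    action: str                     # "allow" or "drop"
    established_only: bool = False  # only matches replies to a flow seen before
    hits: int = 0

class Router:
    """Toy model: isolation check first, then first-match rules, default drop."""
    def __init__(self, rules: List[Rule], isolated: Set[str] = frozenset()):
        self.rules = rules
        self.isolated = [ip_network(n) for n in isolated]
        self.flows: Set[tuple] = set()  # (client, server, server_port)
        self.isolation_drops = 0

    def forward(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        # 1. Network isolation (modelled as evaluated before the rule table):
        #    traffic between an isolated network and any other network is
        #    dropped silently, so no rule ever records a hit.
        for net in self.isolated:
            if (src in net) != (dst in net):
                self.isolation_drops += 1
                return "drop(isolation)"
        # 2. Ordered firewall rules, first match wins.
        established = (p.dst, p.src, p.sport) in self.flows
        for r in self.rules:
            if src in ip_network(r.src_net) and dst in ip_network(r.dst_net):
                if r.established_only and not established:
                    continue  # reverse rule ignores unsolicited IoT traffic
                r.hits += 1
                if r.action == "allow" and p.syn:
                    self.flows.add((p.src, p.dst, p.dport))
                return r.action
        return "drop(default)"
```

With isolation on, the laptop's connection attempt is dropped with every rule still at zero hits; with isolation off, the same rules admit the laptop's request and the hub's reply but drop a connection the hub tries to open on its own.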