Moving Hubitat hub to IOT network, will it then be considered remote?

I'm creating an IOT VLAN for the 100+ WiFi and other IP-connected IOT devices. I want to move the HE hub there as well, so it's on the same network as all the devices it needs to connect to.

However, will the hub now be considered "remote" so I'll have issues accessing it?

I'm certainly no VLAN expert, but I think you need to keep a couple of things in mind.

The hub does expect to be managed from a device on the same subnet. There is an http endpoint you can enter in a browser window like this:

http://<hub ip>/hub/allowSubnets?192.168.1.0

You would plug in your hub address above, and also the subnet that you want to be able to connect from. Multiple subnets can be entered with commas between them (no space).

There may also be firewall rules that drop connections between your subnets. Which router are you using to set up your VLANs?

1 Like

Where will your phone reside relative to the hub? I set up a VLAN for IOT stuff not long ago, and in the end determined it made the most sense for my phone to reside on it as well.

Thank you! Where is this documented? Searching for hubitat and allowSubnets didn't come up with any formal documentation, just a few community posts. It also looks like there are some other endpoints that are configurable as well.

Why are these not in the settings pages? How can you determine what you have set already?

I also found one post that leads one to believe that all RFC1918 addresses are considered local so maybe this won't be necessary?

I have traditionally kept our phones on the "more" secure home network, for access to things like Plex and SMB file shares.

When I set this up recently I didn't have to do anything for my desktop to access the hubitat on the IOT network.

I just set up a firewall rule for devices connecting to Plex. You could also do one for SMB as well.

After talking with others it made sense to me to put the phones in the IOT network. Partially because of connectivity for things like Roku and such, but then also because so much is loaded on these phones that who knows how secure they really are.

1 Like

I should clarify: Unifi allows you to specify that the VLANs can see each other, and then it sets up traffic rules for communication. You may need to set up similar rules on your gear. I also then added a firewall rule to drop traffic originating from the IOT VLAN to the secure network.

What are you using to manage vlans and do the routing?

There are a number of undocumented endpoints like that one.

You might be right, if it was necessary at some point, that endpoint may no longer serve much of a purpose.

I have an IoT VLAN w/Hubitat and all IoT devices (hubs, smart speakers, etc.). It's on 192.168.20.x

Phone and laptops, etc., are on personal VLAN. On 192.168.10.x

IoT devices have internet access, can't create new connections to personal VLAN, but can respond to connections initiated from personal VLAN.

Never had a single issue accessing my hub on IoT from personal, it's treated as local when I'm on VLAN1 and hub is on VLAN 2, including mobile app running on phone.

3 Likes

At work we configure layer 3 support on a VLAN to allow traffic to route between them. It was not a firewall rule, although routing firewalls can be set up to support that. It depends on what device we are configuring. To get features like that, a Small Office Home Office (SOHO) appliance seems to be the starting point for that sort of thing. Fortinet, SonicWall, Quantum Spark come to mind off the top of my head. A bit on the spendy side for home networks though.

OK, but the OP probably isn't using (or planning to use) enterprise-level network appliances at home.

The point I was trying to make is that consumer (or prosumer) router manufacturers have different approaches to default/automatic firewall rules (or other possible methods of routing packets) once a VLAN is created.

If the OP follows up with more details about which router they are using, that'll clarify things.

At our previous home, we had three VLANs on a Peplink (enterprise grade) router: Ours, Guests, and IOT devices. I am very far from knowing much about networking, but I managed to get this done, for security. I could NOT see the IOT devices, including the Hubitat devices, from the other VLANs unless I configured "cross VLAN" access for specific devices (which I never did, as it seemed ridiculously complex to me on that router and related hardwired access points). I would just switch to the VLAN I needed to do what I needed, or for Hubitat, log in remotely. Is that true for all VLANs, on all brands of equipment? I dunno. But it was for that equipment.

And FWIW, in our new home, that "fancier" equipment is sitting unused on a shelf largely because it was so darn hard to manage. Our need for security is less here (no VRBO guests in a guest house, thank goodness, and no need for multiple hardwired access points all over the place) so I just set up a regular SSID and guest SSID on a consumer grade mesh router, put all the IOT on the guest network, and called it a day. Working great, and much simpler.

I'm using Opnsense for the firewall, Unifi U6PRO WiFi access points and Cisco SG300 managed switches.

It can definitely be done with those devices. You're just going to have to do a lot of setup work (setting up the vlans and traffic is separate on each of those brands, so you will end up doing it 3ish times) and a bit of micromanagement of the traffic/rules.

If you open traffic pretty wide open in between the iot vlan and your other VLAN, you didn't do much of anything from a security perspective (so why bother?). That's why I say you will need to micromanage the traffic.

Some people enjoy that for the perceived security benefit, some people don't.

As @JasonJoel points out, since the gear is from different vendors you will need to configure each device individually, accounting for their quirks. At least you have a Layer 3 switch, so it can help manage some of this stuff.

I would suggest you sit down and draw out what you want to do and how it will connect. You will need to figure out the number of VLANs you want and how the trunk ports will work first, then set up VLAN tagging in the corresponding devices. This won't be a simple setup.

As far as your original question though, I would expect it shouldn't be a problem as long as you have access out from your secure VLAN to your hub's IP and you have mDNS set up to span across your VLANs (assuming the Cisco SG300 supports that).

Configuring all of those devices though is beyond my scope.

I don't know how Hubitat is doing it, since their app instantly reports that I am not on the same network when in fact I am. So they must be attempting some unique method and got it wrong. In general it is the mask portion of the IP address which determines if a host address is discoverable using an ARP (address resolution protocol) broadcast or if the traffic needs to be forwarded to the gateway. Routable VLANs will have a locally unique IP address and mask, making a device like the hub undiscoverable using ARP from a different VLAN. If the local-destination IP/mask does not match, ARP will not even try to find it. Can the device be discovered anyway? Certainly, if some kind of directory is implemented such as DNS or Active Directory. But I have not seen devices made for home use support anything other than some sort of broadcast discovery protocol. Apple's Bonjour comes to mind as one such protocol configurable in Hubitat.
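As an added example that is not part of the thread or of Hubitat's own code, the script below puts the two ideas from the posts above into working form: the subnet-mask test that decides whether a sender resolves a destination with an ARP broadcast or hands the packet to its gateway, and a parser for a comma-separated subnet list in the shape the allowSubnets endpoint was described with ("192.168.1.0", multiple entries with commas and no spaces). Everything here is an assumption of the example rather than documented hub behaviour: the addresses are made up, an entry given without a prefix length is treated as a /24, and the RFC1918 check models the "all private addresses are local" theory from earlier in the thread so the two views can be compared.

```python
import ipaddress

# Constructed addressing for the example; none of these come from the thread.
HUB_IP = "192.168.20.10"          # hub on the IoT VLAN (hypothetical)
HUB_PREFIXLEN = 24
SECURE_CLIENT = "192.168.10.25"   # phone/laptop on the personal VLAN (hypothetical)
IOT_CLIENT = "192.168.20.50"      # another device on the IoT VLAN (hypothetical)

RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def next_hop(src_ip: str, src_prefixlen: int, dst_ip: str) -> str:
    """Return 'arp' when the destination lies inside the sender's own subnet
    (so the sender resolves it with an ARP broadcast) or 'gateway' when the
    mask comparison fails and the packet must be forwarded to the router."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{src_prefixlen}").network
    return "arp" if ipaddress.ip_address(dst_ip) in local_net else "gateway"


def parse_allow_subnets(param: str, default_prefixlen: int = 24) -> list:
    """Parse a comma-separated subnet list. An entry may be a bare network
    address (assumed here to be a /24; the thread shows '192.168.1.0' without
    a mask, so the hub's real default is not known) or CIDR notation.
    Whitespace anywhere in an entry is rejected, matching the 'no space' note.
    strict=True makes a host address such as 192.168.1.5 raise ValueError
    instead of being silently widened to a network."""
    nets = []
    for entry in param.split(","):
        if not entry or entry != entry.strip():
            raise ValueError(f"bad entry {entry!r}: empty or contains whitespace")
        if "/" not in entry:
            entry = f"{entry}/{default_prefixlen}"
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def is_rfc1918(ip: str) -> bool:
    """The 'any private address counts as local' theory from the thread."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def is_management_allowed(client_ip: str, hub_ip: str, hub_prefixlen: int,
                          allow_param: str) -> bool:
    """Hub-side view modelled on the posts: a client is local if it shares the
    hub's subnet, otherwise only if it falls inside an allowed subnet."""
    client = ipaddress.ip_address(client_ip)
    hub_net = ipaddress.ip_interface(f"{hub_ip}/{hub_prefixlen}").network
    if client in hub_net:
        return True
    return any(client in net for net in parse_allow_subnets(allow_param))


if __name__ == "__main__":
    for src in (IOT_CLIENT, SECURE_CLIENT):
        print(f"{src} -> {HUB_IP}: {next_hop(src, 24, HUB_IP)}")
    for allow in ("192.168.1.0", "192.168.1.0,192.168.10.0"):
        ok = is_management_allowed(SECURE_CLIENT, HUB_IP, HUB_PREFIXLEN, allow)
        print(f"allowSubnets={allow}: secure client allowed = {ok}")
    print(f"RFC1918 view: {SECURE_CLIENT} local = {is_rfc1918(SECURE_CLIENT)}")
```

The point of running both checks side by side is that the two theories in the thread disagree for a client on 192.168.10.x: it is private, so the RFC1918 view calls it local, but it is outside the hub's /24, so the subnet view rejects it until 192.168.10.0 is added to the list. The entry-with-spaces case is rejected deliberately, since that is the failure mode a user would hit when typing the list by hand.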

That is why I brought up mDNS. That needs to be able to span the VLANs.

1 Like

There's that mDNS again. (shudder)...

I have the Hubitat hub on my IOT VLAN along with all other IOT devices. No issues with connectivity as long as you have your firewall/route rules set up properly. I have rules to allow me to access Hubitat and other specific IOT devices from the LAN (effectively, speak when spoken to).

I run OpenWrt s/w on my router; great interface for firewall zones and rules...
Each VLAN/interface is mapped to its own zone. So I can set up things like LAN (originates) -> IOT (Allow), but IOT (originates) -> LAN (Disallow), with exceptions; I also have some special-case pinhole rules to allow, for example, (specific) IOT devices to speak to my syslog server for events/errors/alerts.

The hub uses mDNS for some functions. I believe discovery is one of them. Now you don't need that if you just use a browser to get to the IP, but discovery may be a problem. I have, and suggest, rules that allow from the secure VLAN to the IOT VLAN and deny the opposite direction.

1 Like
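The "speak when spoken to" policy described in the last few posts (LAN may open connections into the IoT zone, IoT may not open connections into the LAN, replies to established connections pass, plus a pinhole so one device can reach a syslog server) is easy to state and easy to get wrong. The model below is an added example written for this page, not OpenWrt's code or its config syntax: it evaluates constructed flows against a zone table, an ordered rule list and a connection-tracking set in the same order a stateful zone firewall does (established reply first, explicit rules next, zone-pair default last). The addresses, the syslog server and the "camera" that is allowed to log to it are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (hypothetical); zones are defined by subnet membership.
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),   # phones, laptops, syslog server
    "iot": ipaddress.ip_network("192.168.20.0/24"),   # hub and other IoT devices
}
HUB = "192.168.20.10"       # hub on the IoT VLAN
SYSLOG = "192.168.10.5"     # syslog server on the LAN
CAMERA = "192.168.20.77"    # one IoT device permitted to send syslog

# Zone-pair defaults: LAN may initiate into IoT, IoT may not initiate into LAN.
FORWARDING = {("lan", "iot"): "ACCEPT", ("iot", "lan"): "REJECT"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """One explicit rule, evaluated before the zone-pair default."""
    src_zone: str
    dst_zone: str
    target: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow, sz: str, dz: str) -> bool:
        return (self.src_zone == sz and self.dst_zone == dz
                and (self.src_ip is None or self.src_ip == f.src)
                and (self.dst_ip is None or self.dst_ip == f.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


# Pinhole: only the camera may open UDP/514 to the syslog server.
RULES = [Rule("iot", "lan", "ACCEPT", src_ip=CAMERA, dst_ip=SYSLOG, proto="udp", dport=514)]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


class StatefulFirewall:
    def __init__(self):
        self.conntrack = set()   # 5-tuples of flows that were accepted as new

    def decide(self, f: Flow) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet."""
        reverse = (f.dst, f.dport, f.src, f.sport, f.proto)
        if reverse in self.conntrack:
            return "ACCEPT", "reply to an established connection"
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz is None or dz is None:
            return "REJECT", "address outside every zone"
        if sz == dz:
            return "ACCEPT", "same VLAN; switched, never reaches the router"
        for rule in RULES:
            if rule.matches(f, sz, dz):
                verdict, reason = rule.target, "explicit rule"
                break
        else:
            verdict, reason = FORWARDING.get((sz, dz), "REJECT"), f"zone default {sz}->{dz}"
        if verdict == "ACCEPT":
            self.conntrack.add((f.src, f.sport, f.dst, f.dport, f.proto))
        return verdict, reason


if __name__ == "__main__":
    fw = StatefulFirewall()
    for flow in (Flow("192.168.10.25", 50000, HUB, 80, "tcp"),      # browse to hub
                 Flow(HUB, 80, "192.168.10.25", 50000, "tcp"),      # hub's reply
                 Flow(HUB, 50001, "192.168.10.25", 445, "tcp"),     # hub opening SMB to LAN
                 Flow(CAMERA, 40000, SYSLOG, 514, "udp"),           # pinhole
                 Flow(HUB, 40000, SYSLOG, 514, "udp")):             # hub not pinholed
        print(flow, "->", fw.decide(flow))
```

Two things the model makes visible that the prose does not: the hub's reply to a browser session is accepted only because the LAN-initiated flow was recorded first, so ordering of the checks matters; and a pinhole keyed on source, destination, protocol and port lets the camera log while the hub (same zone, same destination) is still rejected. What the model deliberately does not cover is mDNS: it is link-local multicast to 224.0.0.251 and is not routed between VLANs at all, which is why the thread's discovery problems need an mDNS repeater rather than another firewall rule.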

Yup yup yup