Road Map and VLAN Support

Naaah, okay, sorry, then you're right, it shouldn't be this way... well, then split it to /24s, and route between them... (just joking)

Maybe we should tag @chuck.schwer, he was the one who solved the TTL issue.

Not blaming the user, not my intention, working on something for you right now. Sorry that it was understood that way, I just wanted to provide some background. I'll be back (probably PM) once I've cleared one "little" step.

I have Hubitat on an IoT-dedicated VLAN and InfluxDB and Grafana on my main one, and Hubitat correctly redirects to the default gateway to find the Influx server.

I think anyway that cstory777's issue is not VLAN related, but more to do with the subnet, which as described is always /24 even if the DHCP one is bigger (I haven't tested the scenario).
Instead I cannot completely understand mgilbert's one, because at the beginning you ask for VLAN support but afterwards you say "that dramatically increases the complexity as you must now keep track of every cable and to which switch port it is plugged into", but that's the correct usage of VLANs; if you are just using different subnets on the same VLAN, that's not VLANs but instead poor network isolation.

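The "/24 even if the DHCP one is bigger" behaviour mentioned above, as an added example that is not from the thread or from Hubitat: a host that ignores the DHCP mask and assumes /24 decides differently whether a destination (or even its own gateway) is on-link. The addresses and the hard-coded /24 are constructed assumptions for illustration.

```python
import ipaddress

def forwarding_decision(src_ip: str, mask_bits: int, dst_ip: str, gateway: str) -> str:
    """How a host configured as src_ip/mask_bits would reach dst_ip.

    "direct"           -> destination is on-link, host ARPs for it itself
    "via <gateway>"    -> destination off-link, packet handed to the router
    "unreachable: ..." -> gateway itself falls outside the host's idea of its subnet
    """
    net = ipaddress.ip_network(f"{src_ip}/{mask_bits}", strict=False)
    if ipaddress.ip_address(dst_ip) in net:
        return "direct"
    if ipaddress.ip_address(gateway) in net:
        return f"via {gateway}"
    return "unreachable: gateway off-link"

def compare_dhcp_vs_assumed(src_ip: str, dhcp_bits: int, dst_ip: str, gateway: str,
                            assumed_bits: int = 24) -> dict:
    """Same destination, decided with the DHCP-provided mask and with an assumed /24."""
    return {
        "dhcp": forwarding_decision(src_ip, dhcp_bits, dst_ip, gateway),
        "assumed": forwarding_decision(src_ip, assumed_bits, dst_ip, gateway),
    }

# Constructed scenario: the LAN is 192.168.0.0/23 via DHCP, gateway 192.168.0.1,
# hub at 192.168.1.50, InfluxDB at 192.168.0.20 (the "other half" of the /23).
SCENARIO = ("192.168.1.50", 23, "192.168.0.20", "192.168.0.1")

if __name__ == "__main__":
    for label, decision in compare_dhcp_vs_assumed(*SCENARIO).items():
        print(f"{label:>8}: {decision}")
```

With the real /23 the InfluxDB host is on-link; with an assumed /24 the hub sees neither the target nor the gateway as on-link, so the only fix is to move the gateway (or the target) into the hub's /24, or to give the hub its proper mask.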

Maybe multiple subnets would have been a better title.

There are times where I do not want a device to be on a different VLAN than other nearby equipment and would want the Hubitat to be able to traverse the subnets. Allowing the Hubitat to traverse the networks simplifies my setup because I am able to create rules in the firewall centrally for block and allow rather than having to create complexity with assigning untagged VLANs to devices that I may not want to be on a different network. For example, I may want my Hubitat to be on a DMZ network rather than on my LAN. There are many scenarios where people may want to segregate their devices. Sometimes it is a mobile app that must be on the same /24 as the device. Being able to have the Hubitat traverse multiple subnets opens up opportunities that more technically inclined people will have. I consider Hubitat to be a device that is for people that are more inclined to be of a higher technical level and requirement, unlike Amazon Echo or SmartThings (now).

I am able to create rules in the firewall centrally for block and allow rather than having to create complexity with assigning untagged VLANs to devices that I may not want to be on a different network.

That's the point: if they are all on the same VLAN, then your central firewall can't do anything to prevent a hacked DMZ device, moved to your LAN subnet, from connecting to your LAN devices.

Instead, using VLANs routed with proper rules by a central device, even if hacked it will still be in its isolated DMZ without any access to the LAN.

Sorry, you lost me. If I have VLANs, which is what I want, I can then create rules to limit connectivity between the different devices on the VLANs/subnets at Layer 7. I can limit connectivity based on port, protocol, operating system, direction etc. So if a device gets hacked in my DMZ that has access to my LAN, it only has access to the devices and ports that the device needs and not the entire range of ports. A simple example is my printers are on the same subnet as my office, but all my networks/wireless networks have the ability to print to the printers' IPs, but that is it. They cannot manage the printers. Only TCP 9100 for RAW or TCP 515 for LPR.

So you have VLANs or just different subnets on the same VLAN? Could you post a network scheme so it's easier to understand?

4 different subnets.

1 x /24 subnet per VLAN

So how do you define which VLAN the device is using if you don't want to set a VLAN on the switch port depending on the device connected to that port?

I have multiple switches, not just one. My office switch is all on the same untagged VLAN, with my VoIP VLAN being tagged. The only other port which has all the other untagged VLANs assigned is the UniFi APs'. Rather than having to assign different VLANs to different ports, I would rather use rules and policies in the firewall to control the traffic. A simple example again is the printers. Because the firewall is aware of all the subnets, any device on any subnet that needs to print can get to the IP of the printer but can only access the IP/port based on the policy that it is in.

Sorry, but I still don't understand. And anyway, how is this related to Hubitat? You want Hubitat to support a subnet bigger than /24 or to have multiple IPs?

Multiple IPs? If you mean multiple IPs assigned to Hubitat, then no.

Yes, larger. Could I use a /26 and break up the /24 into 4 subnets for my 4 VLANs? Yes, but that makes it harder to keep track. Creating 4 unique subnets with /24 makes things a lot easier.