Web interface traffic not transiting VLAN to primary network

Over the weekend I upgraded from a C-5 to a new C-8. I thought I'd take advantage of that to move the hubitat from my primary VLAN to my IoT VLAN for security reasons. As part of the install, the C-8 was updated to the latest firmware.

While it mostly worked, I am having a problem getting web browser access to the new device. tcpdump running on the firewall/router says the hubitat is seeing the connection but refusing to deal with it, sending 0-length packets. When I drop a laptop on the IoT network it is able to talk HTTPS directly with the C-8.

11:57:38.565534 IP desktop.[redacted].42834 > hubitat.[redacted].http: Flags [S], seq 165907487, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3465591524 ecr 0], length 0
11:57:38.566216 IP hubitat.[redacted].http > desktop.[redacted].42834: Flags [S.], seq 3090753147, ack 165907488, win 28960, options [mss 1460,sackOK,TS val 1416899 ecr 3465591524,nop,wscale 7], length 0
11:57:38.566344 IP desktop.[redacted].42834 > hubitat.[redacted].http: Flags [.], ack 1, win 1027, options [nop,nop,TS val 3465591526 ecr 1416899], length 0
11:57:38.566474 IP desktop.[redacted].42834 > hubitat.[redacted].http: Flags [P.], seq 1:83, ack 1, win 1027, options [nop,nop,TS val 3465591526 ecr 1416899], length 82: HTTP: GET / HTTP/1.1
11:57:38.566964 IP hubitat.[redacted].http > desktop.[redacted].42834: Flags [.], ack 83, win 227, options [nop,nop,TS val 1416899 ecr 3465591526], length 0
11:57:38.669505 IP hubitat.[redacted].http > desktop.[redacted].42834: Flags [F.], seq 1, ack 83, win 227, options [nop,nop,TS val 1416925 ecr 3465591526], length 0
11:57:38.669627 IP desktop.[redacted].42834 > hubitat.[redacted].http: Flags [.], ack 2, win 1027, options [nop,nop,TS val 3465591629 ecr 1416925], length 0
11:57:38.669638 IP desktop.[redacted].42834 > hubitat.[redacted].http: Flags [F.], seq 83, ack 2, win 1027, options [nop,nop,TS val 3465591629 ecr 1416925], length 0
11:57:38.670346 IP hubitat.[redacted].http > desktop.[redacted].42834: Flags [.], ack 84, win 227, options [nop,nop,TS val 1416925 ecr 3465591629], length 0

I've confirmed the firewall isn't blocking this traffic. The problem appears to be entirely on the hubitat side. Is there a configuration setting I missed? Is it WAD? Is this a bug?
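
An added example, not part of the original posts: a small Python classifier for text-mode tcpdump output that separates "the server completed the handshake, took the request and closed without sending a byte" (the pattern in the capture above) from traffic that never got a SYN-ACK. The sample lines and hostnames are constructed, and the `.http` server suffix assumes tcpdump is printing port 80 by service name, as it does in the capture above.

```python
import re
from collections import defaultdict

# Text-mode tcpdump: "<time> IP <src> > <dst>: Flags [<flags>], ... length <n>"
LINE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): "
                  r"Flags \[(?P<flags>[^\]]+)\],.*?length (?P<len>\d+)")

def classify(lines, server_suffix=".http"):
    """Map each client endpoint to a verdict on how the server treated it."""
    flows = defaultdict(lambda: dict(synack=False, fin=False, rst=False, req=0, resp=0))
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        flags, size = m["flags"], int(m["len"])
        if m["src"].endswith(server_suffix):   # server -> client
            f = flows[m["dst"]]
            f["synack"] |= flags == "S."
            f["fin"] |= "F" in flags
            f["rst"] |= "R" in flags
            f["resp"] += size
        else:                                  # client -> server
            flows[m["src"]]["req"] += size
    verdicts = {}
    for client, f in flows.items():
        if f["resp"] > 0:
            verdicts[client] = "answered"
        elif f["rst"]:
            verdicts[client] = "reset"
        elif not f["synack"]:
            verdicts[client] = "no-reply"  # no SYN-ACK seen at the capture point
        elif f["req"] > 0 and f["fin"]:
            verdicts[client] = "closed-without-response"  # server-side refusal
        else:
            verdicts[client] = "incomplete"
    return verdicts

# Constructed sample capture (not the poster's data); hostnames are placeholders.
SAMPLE = """\
12:00:00.000100 IP desktop.example.42834 > hub.example.http: Flags [S], seq 100, win 65535, length 0
12:00:00.000700 IP hub.example.http > desktop.example.42834: Flags [S.], seq 900, ack 101, win 28960, length 0
12:00:00.000900 IP desktop.example.42834 > hub.example.http: Flags [P.], seq 1:83, ack 1, win 1027, length 82: HTTP: GET / HTTP/1.1
12:00:00.104000 IP hub.example.http > desktop.example.42834: Flags [F.], seq 1, ack 83, win 227, length 0
12:00:01.000100 IP laptop.example.51000 > hub.example.http: Flags [S], seq 200, win 65535, length 0
12:00:01.000400 IP hub.example.http > laptop.example.51000: Flags [S.], seq 700, ack 201, win 28960, length 0
12:00:01.000600 IP laptop.example.51000 > hub.example.http: Flags [P.], seq 1:83, ack 1, win 1027, length 82: HTTP: GET / HTTP/1.1
12:00:01.020000 IP hub.example.http > laptop.example.51000: Flags [P.], seq 1:513, ack 83, win 227, length 512: HTTP: HTTP/1.1 200 OK
12:00:02.000100 IP phone.example.40000 > hub.example.http: Flags [S], seq 300, win 65535, length 0
""".splitlines()
print(classify(SAMPLE))
```

A `closed-without-response` verdict means the packets crossed the router in both directions, so the place to look is the server's own access policy rather than the firewall rules.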

Sounds like you need to tell the hub to add your primary VLAN to its permitted scope:

http://<yourHubIP>/hub/allowSubnets?123.123.123.0,124.124.124.0

@nomad, @thebearmay is correct. Normally Hubitat will only talk to you on its own subnet. You need to use the allow subnet endpoint. This is by design.

Interesting. I have a similar configuration and it just works. But both of mine are RFC1918 /24 subnets... maybe that's the difference?

Thanks. That was indeed the solution for this problem.
