Homey Community Forum

Security concerns

Thanks for all good answers.

Another topic: let’s say I would want to create a magic mirror or something like that. Is there a way to pull the info I want locally from Homey, or do I need to call their APIs?

To display information about devices connected to Homey on another device, you would need to use the API, thought I guess technically you could use flows to ‘push’ information.

If light turned on
Make http Request

Another option is the MQTT broker.


Though this all feels ‘offtopic’ now, perhaps it would be best if you created a new topic for your new question.

1 Like

Exactly what @Jamie wrote. Look at the MQTT broker. But this is getting offtopic :wink:

1 Like

Thanks everyone. I feel a bit better around this now. I’ll make sure to split up the networks and wait for the reply from Athom.

Hey,
Again, thanks for your input. I’ve been fiddeling with this today and I’m wondering. Is there a way to verify that the setup works? For example:

  1. How do I know the Homey calls are routed via the DNS proxy?
  2. How do I know I’ve set up the VLANs correctly? Any ideas on how to cross-check?

Thanks

1 Like

Hi,
Sorry for the late reply.
That is an interesting one :slight_smile:
As mentioned earlier, Homey doesn’t listen to the DHCP server in your network, but uses the Google DNS servers by default. It also uses ‘regular’ DNS (so no DoH or DoT or something). Given that information you can simply listen on your WAN port to port 53.

So on your router (as root), which will show all outbound DNS-traffic.
tcpdump -i eth0 -nn port 53

If I’m not mistaking eth0 should be your wan interface. If you have set up your iptables correctly (as in, all DNS-traffic should be forwarded to dnscrypt-proxy, if that is your goal), (almost) no regular DNS-traffic should pass through on the eth0 interface.

Another way would be to configure the dnscrypt-proxy daemon to log all requests (it’s in the configuration file) and check if you see the requests to Athom/Homey specific domains (or any other cloud services you have installed on your Homey).

Your second question can be a bit more difficult to give a generic answer to. To kick in an open door: You have set it up correctly if everything works the way you want it to. This means, are your goals achieved?

If you want to confirm if you have achieved your goals (as VLANs shouldn’t be conciderd a goal, but a method), then tcpdump on your router is your friend. If you have a Windows PC, you can use wireshark as a packetshiffer. (wireshark can also read and interpret tcpdump output files, which makes analyses of the output easier, due to colours and visible relations betweens (responses) are shown.

If you are not familiar with tcpdump, you may have a challenge, but it isn’t very difficult to master the basics. I’m not claiming to be an expert, but this may help you on your way:

As I have no way to give you a direct answer, I’m going to write a situation that you may have set up on your own. It is probably a bit simular, but not the same. So you’ll have to amend the examples to your own setup:

First off. Your router has three interfaces. (eth0, eth1 and eth2). eth0 is your wan (internet side), eth1 is the first lan port on your router. All traffic which doesn’t use a vlan tag will go through this interface. But since you’ve set up VLANs, I am making the following assumptions:

Suppose you have set up (at least) 2 vlans:
One for your IOT devices (chromecasts/smart TV/refrigirator/thermostat/whatever/etc). One for your ‘user devices’ (phones/tablets/pcs/etc).
Let’s say that you have created vlan 10 and vlan 20 with the following network settings:

     vv          vv                         vv
vlan 10: 192.168.10.0/24 - gateway: 192.168.10.1   (non-iot)
vlan 20: 192.168.20.0/24 - gateway: 192.168.20.1   (iot)
     ^^          ^^                         ^^

(I concider it best practice to add the vlan number in your network segment, to make it easier to figure out which vlan you are using at any point)

This means that you will have two additional virtual network interfaces on your router, which will act as the gateways for the specific vlans

eth1.10 - 192.168.10.1
eth1.20 - 192.168.20.1

Using tcpdump, you can filter on any traffic on either interface. The following will give you ALL traffic going through that vlan. This can be a lot, but you can at least easily check if any of your devices are actually in your vlan. There is no other practical reason to the following :slight_smile:

tcpdump -i eth1.20

You will have to create filters with tcpdump in order to make the output useful for your:
tcpdump -i eth1.20 -nn port 53 (all DNS-traffic in vlan 20)
tcpdump -i eth1.20 -nn host 192.168.20.30 (all traffic from and to host 192.168.20.30 in vlan 20)
tcpdump -i eth1.20 -nn host 192.168.20.30 and port 53 (all DNS-traffic from and to host 192.168.20.30 in vlan 20)
tcpdump -i eth1.20 -nn host 192.168.10.50 (all traffic from and to host 192.168.10.50 (which lives in vlan 10) in vlan 20.

(-nn prevents resolution of hostnames and ports. So you’ll see IP address and port numbers rather than host names and port ‘names’)

You can also replace host with dst or src which filter on traffic ‘to’ or ‘from’ a specific host, etc. etc. etc. There are a lot of sites that have a lot of examples using tcpdump, but these are the fundamentals.
Your main challenge will lie in creating a proper ‘filter’ in tcpdump, to show only traffic you are interested in.

So. What I concider ideal:

  • No traffic is shown from vlan to vlan, except for the necessary traffic. (so the Netflix app, must be able to talk to your Chromecast, and your Chromecast must be able to ‘respond to’ but not ‘initiate’ communication towards your phone, but should be able to connect to the internet (on specific ports if you so desire?), since it needs to be able to request a stream from the Netflix servers.
  • No DNS traffic should leave your router towards the internet, which originates from one of the vlans. ( Since I want all of my DNS-requests to go through dnscrypt-proxy, which blocks my ads and uses DoH)

I hope this helps :slight_smile:

3 Likes

Wow! Big thanks. I will give this a shot in the next few weeks and make sure to read up on some network basics as well. Again: thanks!

@anon8748058 I have recently installed Unify equiment and splitted my network in Vlan’s using your suggestion on different types of devices.
A lot of work to get every system connected on their wifi and/or VLAN but managed to do so.
Now I have a problem. Homey cannot find the chromecasts anymore. Some other equipment outside his own VLAN yes, but no chromecast.
I created a rule to allow Homey to connect to that VLAN with all the protocols and allowed the returned answers. But it still gives an error saying “not reachable”.
Do you have any suggestions? Else I have to put them in the same VLAN

By default broadcast doesn’t traverse across subnets. Most likely that is the case…