MyPlace/MyAir support for IoT VLAN

I've upgraded my home network to use separate VLANs for security, specifically keeping IoT devices and guests off my main network.

One device that did not "just work" is the air conditioning controller tablet from Advantage Air.  While the controller device was functional, I could not get the mobile app MyPlace to connect from the source (secure) VLAN to the IoT VLAN.


To figure this out I had to do some Wireshark analysis.  Not only did I figure out how to get MyPlace to work across VLANs, but I also discovered how to improve the app connection reliability.

When you start the MyPlace app (the client), it needs to make a connection to the controller tablet (the server), so that it can retrieve information, and allow updates.

Discovery protocol and connection reliability fix

The app doesn't provide any way to configure the controller's address; instead it automatically attempts to discover the controller. It does this by making an HTTP connection request to TCP port 2025 on every IPv4 address in the local subnet.

Since it only connects to addresses in the local subnet, it is not possible for the MyPlace app to discover the controller in another network.  Furthermore, depending on the network configuration it may need to scan up to 254 addresses before the correct one is found.  I've found that the Android app will often time out and show an unhelpful screen with the status code AA46.  The best strategy to prevent timeout issues is to assign the controller a static IP with a low host number, or alternatively consider changing your LAN to use a smaller subnet size (/23, /22).
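Two things follow from the discovery behaviour described above: the controller's position in the sweep decides how many probes the app makes before it connects, and the sweep itself looks like port-scan activity to any firewall or IDS watching the secure VLAN. The following is an added example (not code from the original post) in Python: probes_before_hit() counts the addresses an ascending sweep visits before reaching the controller (the ascending order is an assumption about the app), and find_sweeps() parses constructed connection-log lines in a made-up "epoch src -> dst:port proto" format and reports any source that contacts many distinct hosts on port 2025 within a short window, so the app's sweep can be recognised for what it is rather than treated as hostile reconnaissance.

```python
"""Sweep recognition for the MyPlace discovery behaviour (added example)."""
import ipaddress
import re
from collections import defaultdict

# Log line format is constructed for this example:
#   "<epoch seconds> <src ip> -> <dst ip>:<dst port> <proto>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(\S+)$")

# Constructed sample: a phone at .50 sweeping .1 to .7 on 2025, plus unrelated HTTPS traffic.
SAMPLE_LOG = """\
1700000000 192.168.10.50 -> 192.168.10.1:2025 tcp
1700000000 192.168.10.50 -> 192.168.10.2:2025 tcp
1700000001 192.168.10.50 -> 192.168.10.3:2025 tcp
1700000001 192.168.10.50 -> 192.168.10.4:2025 tcp
1700000002 192.168.10.50 -> 192.168.10.5:2025 tcp
1700000002 192.168.10.50 -> 192.168.10.6:2025 tcp
1700000003 192.168.10.50 -> 192.168.10.7:2025 tcp
1700000003 192.168.10.51 -> 192.168.10.20:443 tcp
1700000004 192.168.10.51 -> 192.168.10.21:443 tcp
"""


def probes_before_hit(network: str, controller_ip: str) -> int:
    """Addresses tried before the controller is reached, assuming an ascending sweep."""
    net = ipaddress.ip_network(network, strict=False)
    target = ipaddress.ip_address(controller_ip)
    for index, host in enumerate(net.hosts()):
        if host == target:
            return index
    raise ValueError(f"{controller_ip} is not a host address in {network}")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_sweeps(log_text: str, port: int = 2025, window: int = 10, threshold: int = 5) -> dict:
    """Return {src: sorted distinct destinations} for every source that contacts
    at least `threshold` distinct hosts on `port`/tcp within any `window` seconds."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] == port and rec["proto"] == "tcp":
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Slide the window so evs[left:right+1] spans at most `window` seconds.
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = {dst for _, dst in evs[left:right + 1]}
            if len(distinct) >= threshold:
                sweeps[src] = sorted({dst for _, dst in evs})
                break
    return sweeps


if __name__ == "__main__":
    print("probes before .5 in a /24:", probes_before_hit("192.168.10.0/24", "192.168.10.5"))
    print("probes before .200 in a /24:", probes_before_hit("192.168.10.0/24", "192.168.10.200"))
    for src, dsts in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {len(dsts)} hosts on tcp/2025")
```

Running the self-contained sample flags the phone at .50 and ignores the HTTPS traffic from .51. A source that is a known MyPlace client can then be allow-listed in the IDS for port 2025 only, which keeps sweep alerts meaningful for everything else. probes_before_hit() also shows how the controller's position depends on both its host number and the address range of the subnet it sits in.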

VLAN communication fix

If the client app only communicates to IP addresses in the client VLAN, then I will need to use a "proxy" to redirect requests to the server VLAN.  It doesn't even need to be anything fancy - just something to forward the TCP request/reply packets.

You will need to configure the controller tablet (server) to use a static IP within the IoT VLAN.  Then in the client VLAN you will need to host a forwarding proxy.  I ended up running a utility on my Synology NAS, which is in the same secure network as the client app.

Now there's a few different ways of forwarding TCP requests, using ssh, iptables, or utilities like netcat and socat.  I found the simplest and most reliable was to use socat - adapting these instructions.

The socat utility is not installed by default on my NAS, so I used ipkg to install it.  Then I configured a scheduled task to run at NAS boot up.  Just substitute DestIP with the actual IP address (static IP) of your controller tablet.
/opt/bin/socat tcp-listen:2025,reuseaddr,fork tcp:DestIP:2025

For firewalling between the two VLANs, I allow all packets from Secure to IoT, but only allow TCP replies from IoT to Secure.

I've found the app communicates reliably over this inter-VLAN connection.  However if you experience connection timeouts then you might need to use a low IP address number for the forwarding proxy.
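The socat line above does the whole job in one command. For anyone who cannot install socat on their forwarding host, here is an added example (not code from the original post, nor anything from Advantage Air) of the same single-port TCP relay in Python: it listens on 2025, opens a connection to the controller for every accepted client (socat's `fork` behaviour), and copies bytes both ways until either side hangs up. It assumes the controller has a static IP in the IoT VLAN (the `DestIP` placeholder from the post) and that the relay host has an address in the secure VLAN; binding the listener to that address rather than 0.0.0.0 keeps the relay reachable only from the secure VLAN, which matches the one-way firewall policy described above. The built-in self-test stands up a loopback echo server in place of the controller.

```python
"""Single-port TCP relay between VLANs (added example), equivalent to
    /opt/bin/socat tcp-listen:2025,reuseaddr,fork tcp:DestIP:2025
"""
import asyncio


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the side we were writing to."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    except OSError:
        pass  # peer reset or similar; the finally still closes our side
    finally:
        writer.close()


async def handle_client(client_reader, client_writer, dest_host: str, dest_port: int) -> None:
    """Open the upstream connection to the controller, then relay in both directions."""
    try:
        server_reader, server_writer = await asyncio.wait_for(
            asyncio.open_connection(dest_host, dest_port), timeout=5)
    except (OSError, asyncio.TimeoutError):
        client_writer.close()  # controller unreachable: drop the client cleanly
        return
    await asyncio.gather(
        _pump(client_reader, server_writer),
        _pump(server_reader, client_writer),
        return_exceptions=True,
    )


async def start_relay(listen_host: str, listen_port: int, dest_host: str, dest_port: int):
    """Start listening; every accepted client gets its own relay task."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, dest_host, dest_port),
        host=listen_host, port=listen_port, reuse_address=True)


async def _echo_once(reader, writer):
    """Stand-in for the controller in the self-test: echo what arrives, then hang up."""
    data = await reader.read(65536)
    writer.write(data)
    await writer.drain()
    writer.close()


async def _selftest(payload: bytes) -> bytes:
    echo = await asyncio.start_server(_echo_once, host="127.0.0.1", port=0)
    echo_port = echo.sockets[0].getsockname()[1]
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", echo_port)
    relay_port = relay.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", relay_port)
    writer.write(payload)
    await writer.drain()
    reply = await reader.readexactly(len(payload))
    writer.close()
    relay.close()
    echo.close()
    return reply


def relay_roundtrip_selftest(payload: bytes = b"hello from the secure VLAN\r\n") -> bytes:
    """Run the relay and a fake controller on loopback; return what came back through."""
    return asyncio.run(_selftest(payload))


if __name__ == "__main__":
    import sys

    # Usage: relay.py <secure-VLAN listen address> <controller static IP (DestIP)>
    listen_ip, controller_ip = sys.argv[1], sys.argv[2]

    async def _serve():
        server = await start_relay(listen_ip, 2025, controller_ip, 2025)
        async with server:
            await server.serve_forever()

    asyncio.run(_serve())
```

As a scheduled task it is started the same way as the socat command, with the NAS's secure-VLAN address and the controller's static IP as the two arguments. The 5-second upstream connect timeout matters: without it a client whose controller is offline would sit in the relay until the app gives up, and on the app side that is exactly the AA46 timeout screen.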

I hope that helps you out.

Comments

Adrian said…
Hi Mark,
Thanks very much for the details. I am a security conscious guy with a separate IoT network for crap devices like this. For those who need a bit more details, I found this helpful to get OPKG/IPKG installed on my Synology NAS DS220+ so I could then install socat:
https://community.synology.com/enu/forum/1/post/127148

I installed OPKG instead of IPKG.

Once you have IPKG or OPKG installed, then install SOCAT:
sudo /opt/bin/opkg install socat

To create the task to run SOCAT at boot up go to Control Panel > Task Scheduler > Create Triggered Task > User Defined Script.
