I recently switched from a basic router to a Unifi network system. My old SSID has become the IoT network, and my HomeAssistant server is on the new main network. The GEM seems to be having trouble talking outside its subnet.
From my main network, I can talk to all my other IoT devices (such as Shelly switches). Attempting to talk to the GEM just hangs (http://<gem_ip>:8000). However, from the IoT network, I can connect to GEM. GEM also can no longer talks to the Home Assistant server.
Is there a limitation that prevents GEM from communicating outside its subnet? If so, my only option would be to move the GEM to the main network. Is there a way of doing this?
Can't connect to GEM after moving to a different subnet
-
dallingham
- Posts: 7
- Joined: Thu Apr 28, 2022 10:27 pm
-
dallingham
- Posts: 7
- Joined: Thu Apr 28, 2022 10:27 pm
Re: Can't connect to GEM after moving to a different subnet
When I connect to the main network and run "tracepath", I get:
$ tracepath -p 8000 192.168.40.67
1?: [LOCALHOST] pmtu 1500
1: unifi.lan 3.522ms
1: unifi.lan 1.926ms
2: no reply
3: no reply
4: no reply
5: no reply
From the IoT network, I get:
$ tracepath -p 8000 192.168.40.67
1?: [LOCALHOST] pmtu 1500
1: GreenEye 96.595ms reached
1: GreenEye 4.265ms reached
Resume: pmtu 1500 hops 1 back 1
When I select a different IoT device (Shelly 1L, web server at port 80) from the main network I get:
$ tracepath -p 80 192.168.40.38
1?: [LOCALHOST] pmtu 1500
1: unifi.lan 2.190ms
1: unifi.lan 2.718ms
2: shelly1-C45BBE57DAAA 6.495ms reached
Resume: pmtu 1500 hops 2 back 2
And the Shelly from the IoT network gives:
$ tracepath -p 80 192.168.40.38
1?: [LOCALHOST] pmtu 1500
1: shelly1-C45BBE57DAAA 27.969ms reached
1: shelly1-C45BBE57DAAA 16.021ms reached
Resume: pmtu 1500 hops 1 back 1
For some reason, the GEM is not responding across subnets, but the other IoT devices are.
$ tracepath -p 8000 192.168.40.67
1?: [LOCALHOST] pmtu 1500
1: unifi.lan 3.522ms
1: unifi.lan 1.926ms
2: no reply
3: no reply
4: no reply
5: no reply
From the IoT network, I get:
$ tracepath -p 8000 192.168.40.67
1?: [LOCALHOST] pmtu 1500
1: GreenEye 96.595ms reached
1: GreenEye 4.265ms reached
Resume: pmtu 1500 hops 1 back 1
When I select a different IoT device (Shelly 1L, web server at port 80) from the main network I get:
$ tracepath -p 80 192.168.40.38
1?: [LOCALHOST] pmtu 1500
1: unifi.lan 2.190ms
1: unifi.lan 2.718ms
2: shelly1-C45BBE57DAAA 6.495ms reached
Resume: pmtu 1500 hops 2 back 2
And the Shelly from the IoT network gives:
$ tracepath -p 80 192.168.40.38
1?: [LOCALHOST] pmtu 1500
1: shelly1-C45BBE57DAAA 27.969ms reached
1: shelly1-C45BBE57DAAA 16.021ms reached
Resume: pmtu 1500 hops 1 back 1
For some reason, the GEM is not responding across subnets, but the other IoT devices are.
-
dallingham
- Posts: 7
- Joined: Thu Apr 28, 2022 10:27 pm
Re: Can't connect to GEM after moving to a different subnet
The best that I can determine is that GEM will not talk across subnets. I connected to the ethernet port inside the monitor and was able to change the SSID off the IoT network and onto my main network. It is now accessible again.
-
lard-afore-harvest
- Posts: 6
- Joined: Tue Dec 13, 2022 8:28 pm
Re: Can't connect to GEM after moving to a different subnet
I have a similar setup with the GEMs on an IoT subnet and I'm not experiencing these issues. I also use Ubiquiti equipment although it's the older EdgeMax series. Can you share your firewall rules?
-
dallingham
- Posts: 7
- Joined: Thu Apr 28, 2022 10:27 pm
Re: Can't connect to GEM after moving to a different subnet
That is the funny thing. Even without firewall rules, they could not talk to each other. By default in Unifi, VLANs should be able to talk to each other. I had no rules between VLANs, and I could talk to every other device without issues - except the GEM.
Now that I have the GEM on my main VLAN, I've implemented rules to isolate the VLANs, but let the main VLAN still talk to the IoT VLAN. Everything is working now. It was just the GEM that was causing problems.
So I'll end up writing firewall rules to isolate the GEM from everything but the HomeAssistant server, and it will be pretty the same thing as being on its own VLAN, yet on the same subnet.
Now that I have the GEM on my main VLAN, I've implemented rules to isolate the VLANs, but let the main VLAN still talk to the IoT VLAN. Everything is working now. It was just the GEM that was causing problems.
So I'll end up writing firewall rules to isolate the GEM from everything but the HomeAssistant server, and it will be pretty the same thing as being on its own VLAN, yet on the same subnet.