paulbates

My Security setup / changes:: iot SSL from Nodelink/Pi to the ISY (2018 change) Configuring the Venstar Colortouches for SSL only local API access (2018 change) SSL from Nodelink/Pi to Venstars (2018 change) SSL is the default from Nodelink to rainmachine zero ports open on the router. Devices accessed remotely via proxies: ISY Portal, Rainmachine redirect, or venstar skyport. No remote access to the Rpis. Router No open ports LAN side only management access. SSL/SSH only access (2018 change) TrendMirco's Malicious Site Blocking / 2 way IPS (2018 change) / Infected device blocking Alientvault and Speedguide dynamic malicious host/port blocking (2018 change)Amazing number of blocks on our main HP all-in-one Norton connect safe DNS and OpenDNS secondary DNS SMB 2 LAN shared drive access. Signing / credentials required to access, but not encrypted PCs and key iot only on the main lan. Tablets,phones, work laptop anything else is routed through guest net No ISP device security dependence, I plug into a dumb docsis 3 Arris 822 CM PureVPN through comcast. Some web proxy, some openvp. Some devices like I have guest and main lan for PCs and printers. I'd like to segment iot, but that may be beyond the asus and thorny as I do want to manage the iot segment from the main lan. More to think about Paul

Mark Something else is wrong. All of your program and memory setup look fine Once a minute should not be a problem. I have routines for my furnaces (x2) does a runtime calc for humidification cycles that repeat and count up runtime once a minute. Both can be running at the same time. I'm at 76 programs. I've had my ISY over 3 years and can't recall a reboot that wasn't me rebooting or a power failure. I've also been on the alpha v5. I would suggest submitting a ticket, and ISY can help figure this out, its not normal. Provide a link back to this thread Paul

To Teken's point, how you are using your ISY programs may influence or cause the rebooting. Some basic systems "blocking and tackling" questions How many programs do you have? Memory use: Go to tools, diagnostics, system status, paste a graphic of the response or type it in TIght loop programs: Go to the programs tab, rightclick on an item, pick status icons and detailed Go through and look at all running programs... are any continuous flickering and flashing (sign of a tight loop mentioned by teken) How many? If you are able to, disable those programs for a few days and see if the rebooting stops There's other memory diagnostics through telnet, but I'm not 100% clear how to interpret, lets start with the above Paul

I have a program with a similar function and it has only run when I reboot the ISY, or there is a powerfailure. Typically programs set to run at start-up have no "If" clause? Is that the case for yours? Meaning the existence of an "if" clause might cause the program to run even though the ISY did not reboot Paul

There are a number of zwave switches that do not automatically send their status when locally activated, like Insteon switches always have been. However it is becoming more prevalent in newer products and expected by z-wave users.

Yep, that's been suggested and pleaded for, for years. Teken can attest to that. Its a proprietary HW scheme. I've not run into anyone that has "cracked the code" for readdressing a PLM (or any insteon HW). If someone had, I'd be sending them my spare PLM, current PLM address and $$ to do it so I would have something mostly ready to swap. SH did something similar in 2012 when the first hub 1s had a major problems and they had to swap. There was a form to fill out, including your current Insteon address, and a new hub was shipped with the same address. Plug and chug. However, I've seen nothing like that since Paul

Ideally it would work by letting me, personally, order a back up PLM with my current PLM's address already burned in. Then I believe Don's idea would work perfectly, as long as it was updated when devices and scenes were changed They've done that in the past for hubs, sending a new one with the address of the old one, but that was once 4 years ago, never heard about it again. Paul

'Hot swapping' PLMs won't work unfortunately. The design of insteon is companion links between devices, sharing their specific insteon addresses. Each PLM has a unique 3 octet insteon address that is programmed into the all insteon devices it controls. With ISY, there is a 1:1 between one specific PLM insteon address and its controlled devices. If you "swap in" a new PLM with out a manual "restore modem" from the admin console, the devices on the insteon network won't have that PLM's address link and will not respond to programs. In addition, this is complicated by the need to manually put insteon wireless devices in set mode, one at a time to update their insteon addresses. I do keep a spare PLM on a shelf by the ISY, ready to "restore modem" when the current one dies. Keeping a backup on hand a good back up plan. Paul

It seems like all roads lead back to the PLM. There's no log data from the ISY? Things to try. Pick a few of the malfunctioning devices, delete them and re-add them to the ISY Particularly, do this with the "3am" device as you have some predictability with it to compare Wait and see if that helps, if it does, continue down that path Factory reset the PLM, restore plm, but that's more a shot in the dark. If the PLM has a "runtime" issue, this might remove it. If the link table in the ISY is corrupt, then potentially restoring it will just bring it back, so I would suggest this separately and after the delete/add above doesn't work Paul

That's a great point. There are a lot of new free services that come out, some work great like this, other's like IFTTT have been so-so for me. I can't comment on other notification services, but pushover has just worked, I don't worry about it. Paul

There is this wiki article that describes some of them I can comment on pushover. I've been using it on ios. I use network resources to send notifications. Their concept of setting up "applications" from their website is more like folders, I can look at all notifications in time order, or click under each "application" to see just their alerts. I have "applications" (folders) for HVAC, Sprinkler, Alarm system, garage door, ISY alerts (battery, reboots,etc). I have multiple, different messages in each application, and the app keeps them organized together. I focus on key messages that help me follow what's going on, or observe how key ISY programs are performing using variable/module substitution. For best practice (for me): Its's worth thinking about key events that you want to know about, or help you "tweak" how the ISY is behaving, e.g. balancing power / water usage. Are ISY programs doing what you want? Or did something systemic happen like an ISY reboot, battery alert, lose contact with something like nodelink that offers a heartbeat to follow. Its a little bit of a curve to get the first one going, but after you do, you can copy the NR for an app, and update the network resources and type the different messages you want to see in them. You can also use variable substitution to get better intelligence on what is going on.. eg the battery alert is 25%, or 10% (if the device supports it), actual temps, rainfall, etc. Typically the ISY programs are very simple, and there'll be one for each notification. Paul

Another way to do it is change the router instead of the devices: Login to the new router prior to plugging anything or setting up wifi, and switch its subnet to your LAN current RFC 1819 subnet (192.168.x.x, 10.x.x.x) first. Most will let you do that, by changing the router's LAN IP address. Then add all reserved device IPs (web pages side by side) from the old router in by MAC address, and turn off the old router. Finish configing the new router, add wifi, etc.... then physically swap them out. Go around and restart devices that don't respond. If you are going from/to the same brand, sometimes you can back up and restore router settings which takes care of it. I've used this with dlink and asus

Yes Paul

Agreed mwester. Its a new year're resolution for me too. The ISY and echo relationship make it more complicated and its not as simple as segmentation alone: I want the ISY to talk to nodelink (pi) and the venstars and rainmachine. Having the echo command the ISY for lighting, etc, does get used a lot. But I don't want the echo to have any chance of affecting the venstars or the rainmachine (or most of anything else on my network) Need to find a way to separate it but make it work without creating a configuration nightmare. I'm going to start by removing the echo skills for the venstars and rainmachine. Their functions are fully automated and alexa has not been used I like the idea of fencing off key things like NAS and PCs. Lots to think about Paul

Thanks mwester and Scott for sharing those ideas. I've let a lot of these iot things inside my lan. Time to investigate and step up security. 2 of the devices, including the echo, are full Android OS. Risk/potential wise that's scary to me, in that there's no evidence that they're getting regular patches/upgrades. No evidence of harm either, but I simple don't know. I'm using an asus router with merlinwrt that has TrendMircro's 2-way IPS. It caught a few things from my kids iphones when they were home for Christmas. Since phones/tablets are on the guestnet, it posed no real threat. I'm thinking about firewall rules within the house and a whitelist style connection rules for things going out. Paul

SmartenIT (SimpleHomeNet) creates and sells insteon compatible devices... including their ezseries. I don't understand "willing to pay the price"? I've not found that zwave switches that are peers to insteon switches (scenes, signal local status changes) are less money. The HS 100 zwave is $49.50. I can drive to Menards and put a dualband switchlinc dimmer in my cart for $49.97.

Interesting results. The upload peaks are all exactly 8 hours apart. It doesn't seem like its recording voice without prompting, since I turned the mic off, but it is sending something 3 times a day. Makes me wonder if its info on the locally connected skill devices, or is it observing lan traffic and profiling? Not sure... Also, there is a slight end-of-day traffic hump. These are the graphs from the last 24 hours where the mic button was pressed, no use of the dot for the last 24 hours Upload Download It is making me wonder about the other iot things on my LAN. What are they watching and sending back? Paul

Did you try using the "Start linking" option, and then put the smokebridge in linking mode? Its been a while since I had this device, but my recollection was I had to do it that way Paul

Move the "Repeat" statement up to be the first statement. That will do it Paul

Is there an If statement? If that logic becomes false the program will stop. Can you share the program? That will help Paul

Hey, great idea... and I just muted it. I'll see what happens Paul

There have been discussions here about how much traffic the Echo/Dot transmits. I've watched mine in the past and it didn't seem like much. I started monitoring it again.. the results aren't alarming, but curious We do very little with it. Lights, TV, Thermostat commands occasionally, questions here and there. No music. Its consistently about 2.5MB a day uploaded, and about 1.5MB download. The use is bursty (see the graphs). It doesn't always map to people being in the room or noise/conversation. It is interesting that its reverse client server... a little more up than down The amount of data transferred in the peaks is minimal, and hard to believe decent audio was sent: 111K in an hour (the biggest peak) is 1800 bytes a minute. Maybe that's too simplistic though Some of the peaks are times that no-one was home or in the middle of the night and no-one was in the room Traffic sent over 24 hours Traffic received over 24 hours Not sure what to do with this, wondering if anyone else has monitored their's. Maybe I'll try and muffle it and see if anything changes Paul

I think something else is wrong. We average a power outage maybe every year and a half. The ISY and PLM come back no problem. Some older devices like togglincs occasionally have heartburn over extended brownouts and need to be factory reset. When you say "manually reboot the PLM", do you mean unplugging and re-plugging it back in? It might be that the PLM is older and also has been affected by the frequent black outs. You might try factory resetting it and then follow that up with a "Restore modem" from the ISY admin console's file menue Paul

To add to Larry's great idea, you can have your programs in various folders, and have a condition like a variable called "stop" (= 1). Add that as a folder condition to each folder, and make sure its prefixed by an "or". Keep your "stop" program at the root level so its not affected. You will want to initialize stop = 1 so your ISY works when rebooted (or check for 0 instead of 1) If (stop condition) Then $Stop = "1" Else $Stop = "0" ( run program A if) ( run program B then) Keep in mind that the ISY is event driven, so turning the "stop" variable to 1 will stop all of the programs... but changing it to 0 not start all of the stopped programs.. when their conditions are met they will start individually, or you might have to manually run the "ifs". Or add statements in the else to run key programs to restart them. I do something similar when my ISY restarts, I kick off certain key programs so values get populated, etc Paul

Glad you figured it out. I've had a bad one as well. Here is the program that's worked for me. The hearbeat doesn't have an on/off state per-say. It sends a message every ~24 hours and is detected "If xx is switched on" I give it 25 hours as its not always exactly 24 hours, 25 proved safely outside the window. The next message, ~24 hours later, restarts the program (until it doesn't, and falls through to the notification) Battery Doorwall Heartbeat If 'Zystem / Battery Alerts / Doorwall Sensor-Heartbeat' is switched On Then Wait 25 hours Resource 'Pushover Doorwall Sensor Battery Low' Else - No Actions - (To add one, press 'Action') Paul