Netgate Discussion Forum
    Internal device should be allowed but still cant connect

Firewalling

vsaad
Hi Forum,
I've got a device which connects to a cloud service from OPT1 (it has an allow-all rule). It's connecting, but when we try to connect back it times out. However, if I connect the internet directly to it, it works.

The device has the IP 192.168.214.20.

I've created all kinds of open doors on the WAN interface, trying to see if something would be blocking there, with all the ports the manufacturer recommended, but it really shouldn't be, as the state was open from OPT1 and none seemed to match anyway.

I've enabled the state filter to bypass.

The states are established.
I've allowed the ports only as well, done all kinds of things, but I can't make this work. Appreciate any help.

      
Interface	Proto	Source -> Destination	State	Packets	Bytes
OPT1	tcp	192.168.214.20:60582 -> x.x.x.x:40844	ESTABLISHED:ESTABLISHED	18 / 15	1 KiB / 1 KiB
WAN	tcp	192.168.8.102:39188 (192.168.214.20:60582) -> x.x.x.x:40844	ESTABLISHED:ESTABLISHED	18 / 15	1 KiB / 1 KiB
      
Gertjan @vsaad

        @vsaad said in Internal device should be allowed but still cant connect:

        The device has the ip 192.168.214.20.

Is it a NAS? A TV? A camera?
Why would 'the cloud' want to connect to your device?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

vsaad @Gertjan

@gertjan It's an alarm unit; it can be managed via cloud or locally. At the moment I can't connect via cloud: it sees the device but doesn't complete.
When connected without the firewall it works.

Gertjan @vsaad

            @vsaad

            When you manage it locally, you use its RFC1918 IP, a port - and a protocol like TCP.

You should create a NAT rule on your firewall, pfSense, using the LAN IP, port and protocol.


vsaad @Gertjan

@gertjan I don't think so;
connecting directly to an ISP router without NAT it works.
It's stateful: the client connects to the cloud, the state is established, but something is still blocking. I've checked the firewall logs and there are no blocks from this IP.

johnpoz (Global Moderator) @vsaad

                @vsaad said in Internal device should be allowed but still cant connect:

connecting directly to an ISP router without NAT it works.

Well, if your device on the ISP router gets a public IP then yeah, it would work. But when you're behind a NAT, you would need a port forward to allow unsolicited inbound connections.

But I find it highly unlikely that some alarm device would need inbound access from the internet behind a NAT router.. Since pretty much every home user is behind a NAT router, and most of them are not going to be able to set up a port forward, and UPnP is quite often disabled - and inbound connections would be a huge security concern in the first place.

                Like most other systems, it would make an outbound connection to the mother ship, and you talking to the mothership could control or get info from said device behind your router.

                This is how all my lights work, this is how my garage door opener works, this is how my thermostat works, etc. etc.

To be honest, if some device I was putting on my network, like an alarm system, needed to allow for unsolicited inbound traffic - that device wouldn't be on my network.

                What is this specific alarm system, what is the make and model - so we can look up from the maker of said device what they say about firewalls, etc.

edit:
btw - from the states you show, you're behind double NAT.. pfSense is NATting to your ISP device's LAN-side network of 192.168.8

If your device was leveraging UPnP to allow for inbound unsolicited traffic, even if you had UPnP enabled on pfSense this would not work.

To allow for unsolicited inbound traffic from the internet to some device behind pfSense in a double NAT setup, you would have to port forward the traffic on your ISP router to the pfSense "wan" IP (from the states you posted, 192.168.8.102), or the pfSense WAN IP would need to be set up in your ISP router as, say, a DMZ host, where all inbound traffic to your actual public IP is sent to the pfSense WAN. Then you would need to set up a port forward on pfSense to send this traffic to your 192.168.214.20 device.

But again - I find it unlikely that you would need to do such a setup. Because you shouldn't need to allow for the internet to talk to your alarm system.. That is a horrible idea from a security point of view.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

vsaad @johnpoz

@johnpoz Thanks for the great reply before anything!

I'm aware of the double NAT. I'm using a 4G router atm; I needed the router to connect the SIM card, but it's temporary. I'll have another ISP installed tomorrow, which should connect directly to the WAN. So it may sort it out?
Anyway, I'll keep the 4G as a backup connection, so I may try the port forwarding 1-65535 as well!

I've added the PDF provided by the alarm representative to a Google Drive link, as I can't upload a PDF here; is it alright?
The brand is from here (Australia), so you might not have heard about it.

                  https://drive.google.com/open?id=1kYQj79WzkNgZ0U2Z3VdckYv7kfDXvliz&authuser=vsaadesber%40gmail.com&usp=drive_fs

johnpoz (Global Moderator) @vsaad

                    @vsaad said in Internal device should be allowed but still cant connect:

I'm using a 4G router atm

                    To be honest I find it unlikely they would even allow unsolicited inbound traffic..

                    "Once the public IP Address is known, port-forwarding (and possibly firewall)
                    rules will need to be added to the router to route port 4711 to the Local IP
                    Address of the Integriti Software"

So this controller is out on the internet? If my 2-second breeze over that doc is correct, then you would need to set up a port forward for that 4711 port to your IP..

                    Or is that also at this location? It would seem the skytunnel setup would not require any port forwarding.

                    edit: btw a way around the pdf restriction is to zip it up and attach the zip.


flat4

On your 4G modem you could also be dealing with CGNAT.
I had the same problem when trying to use my reverse proxy while I waited for fiber to be installed.

All conventional ways of port forwarding went out the window.

johnpoz (Global Moderator) @flat4

@flat4 CGNAT, or not even an IPv4 address, and only IPv6 with a 464XLAT setup..

T-Mobile here in the States uses this - your phone, for example, never gets any IPv4 address, just IPv6..

If you need to allow for unsolicited inbound IPv4 traffic, I find it highly unlikely that would work with some sort of 4G/LTE or 5G device.. Now maybe it could work with IPv6?

Maybe when you connected directly to the ISP device you were getting an IPv6 address, which would allow for unsolicited inbound traffic?


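An added example, not code from this thread or from pfSense, that parses state-table lines in the layout vsaad posted and checks what johnpoz read from them (a WAN-side source in RFC1918 space means another NAT sits upstream, so a port forward on pfSense alone cannot work) and what flat4 raised (a source in 100.64.0.0/10 means CGNAT, where no upstream forward is available either). The sample lines are constructed; 203.0.113.5 stands in for the redacted cloud address.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1918 (private) and RFC 6598 (CGNAT) ranges. A pfSense WAN source in either
# range means pfSense is not the last NAT before the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Layout of the states shown in the thread (tab or space separated):
# "<iface> <proto> <src>:<port> [(<pre-NAT src>:<port>)] -> <dst>:<port> <state> ..."
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>[^\s(]+)\s*"
    r"(?:\((?P<orig>[^)]+)\))?\s*->\s*(?P<dst>\S+)\s+(?P<state>\S+)"
)

# Constructed sample, same shape as the OPT1/WAN pair vsaad posted.
SAMPLE_STATES = [
    "OPT1\ttcp\t192.168.214.20:60582 -> 203.0.113.5:40844\tESTABLISHED:ESTABLISHED\t18 / 15\t1 KiB / 1 KiB",
    "WAN\ttcp\t192.168.8.102:39188 (192.168.214.20:60582) -> 203.0.113.5:40844\tESTABLISHED:ESTABLISHED\t18 / 15\t1 KiB / 1 KiB",
]

@dataclass
class StateEntry:
    iface: str
    proto: str
    src: str             # address:port as it leaves this interface
    orig: Optional[str]  # pre-NAT address:port, shown in parentheses on the WAN side
    dst: str
    state: str

def split_host(endpoint: str) -> str:
    # "192.168.8.102:39188" -> "192.168.8.102"
    return endpoint.rsplit(":", 1)[0]

def parse_state_line(line: str) -> StateEntry:
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    return StateEntry(m["iface"], m["proto"], m["src"], m["orig"], m["dst"], m["state"])

def classify_wan_source(entry: StateEntry) -> str:
    """'rfc1918' = double NAT, 'cgnat' = carrier NAT, 'public' = pfSense holds the public IP."""
    try:
        addr = ipaddress.ip_address(split_host(entry.src))
    except ValueError:
        return "unknown"  # redacted addresses such as "x.x.x.x" cannot be judged
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "cgnat" if addr in CGNAT else "public"

def diagnose(lines: list) -> dict:
    """Map each inside host seen on the WAN side to what its translated source reveals."""
    out = {}
    for entry in (parse_state_line(l) for l in lines):
        if entry.iface == "WAN":
            out[split_host(entry.orig or entry.src)] = classify_wan_source(entry)
    return out
```

For the sample, diagnose() reports 192.168.214.20 as "rfc1918", which is the double-NAT condition johnpoz pointed out.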
flat4 @johnpoz

                          @johnpoz

I use AT&T; they do this too, not just T-Mobile.

For me, for the low, low price of $125 a month and 10 GB per month, I could get a routable IPv4 for 4G.

No thanks; in the case that my fiber fails and I switch to 4G, no reverse proxy, but still got interwebs.

vsaad @johnpoz

@johnpoz I've got the controller on the other side of a site-to-site OpenVPN; this doc shows if we're using the local IP and/or the SkyTunnel. Atm I'm talking about SkyTunnel.
The local IP via VPN also didn't work and has all-allowed permissions as well, but I didn't look into it.
I just didn't want to port forward this port on public; I may try to see if it works NATting and, if it does, I may restrict the NAT firewall rule based on source?
2am here now; I'll try all these later and hopefully with the new ISP things may change.

The documentation is not super clear, but using the local IP may need the NAT as far as I understood.

johnpoz (Global Moderator) @vsaad

@vsaad if your controller is at another site that is connected via a VPN, then all traffic between controller, server, client, etc. should be through the VPN..


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.