[Solved] Can't get SMA solar inverter to communicate
-
Well if they are saying they require a firewall that supports sip, I take it their device is not nat aware and trying to use its rfc1918 address. So you need an alg or sip proxy, etc. To rewrite that IP..
So you prob need
https://www.netgate.com/docs/pfsense/packages/siproxd-package.htmlAnd yes out of the box the outbound rules for clients on lan is any any.
-
@rosch said in Can't get SMA solar inverter to communicate:
sunnyportal.com
https://www.sunnyportal.com/Documents/HM-20-BE-en-11.pdf
Interesting page 29, doesn't look like a device than does VOIP.
"There must be no packet filtering or manipulation for SIP packets on the router or modem."
Didn't have to do anything special for my VOIP phone:-
-
@johnpoz thanks, I'll try siproxd.
@NogBadTheBad it's not a VOIP device, it's exchanging data with SMA servers so the user (me) can see the live and statistics data on the sunny portal.
I 'm also using a VOIP SIP app on my phone and that works without any additional firewall configuration. -
MIght be worth doing a packet capture on pfSense and opening it up in wireshark and filter on SIP.
I've only seen SIP used in VOIP & Multimedia.
"I'm also using a VOIP SIP app on my phone and that works without any additional firewall configuration" on the same LAN segment ?
-
@nogbadthebad said in Can't get SMA solar inverter to communicate:
MIght be worth doing a packet capture on pfSense
Completely agree with that - should be simple enough to see what it might be doing.
-
@johnpoz said in Can't get SMA solar inverter to communicate:
@nogbadthebad said in Can't get SMA solar inverter to communicate:
MIght be worth doing a packet capture on pfSense
Completely agree with that - should be simple enough to see what it might be doing.
Here you go:
So it's trying to register but is not authorized.
-
Isn't the 401 code coming back from the sip server?
https://en.wikipedia.org/wiki/List_of_SIP_response_codes
401 Unauthorized
The request requires user authentication. This response is issued by UASs and registrars.[1]:§21.4.2 -
yeah looks like that said go away ;) What are the details of the register? Does it list your public IP or your rfc1918 address?
-
@nogbadthebad said in Can't get SMA solar inverter to communicate:
Isn't the 401 code coming back from the sip server?
Yes 171.25.178.74 is proxy.ied.sma.de
@johnpoz said in Can't get SMA solar inverter to communicate:
yeah looks like that said go away ;) What are the details of the register? Does it list your public IP or your rfc1918 address?
There is only my public IP (WAN) I see in the package details:
-
Well then you need to get with them on why the 401
-
@johnpoz said in Can't get SMA solar inverter to communicate:
Well then you need to get with them on why the 401
Will do that. So you're saying this can only be on their side?
I did enable siproxd but I'm not sure I did that correctly. It's disabled at the moment.
-
If your client was sending its rfc1918 it would be problem.
But you talked to them you can see that in the sniff and they answered back with 401 say you need to auth... You will need to get with them on why that might be, and how to auth, etc.
-
@johnpoz said in Can't get SMA solar inverter to communicate:
But you talked to them you can see that in the sniff and they answered back with 401 say you need to auth... You will need to get with them on why that might be, and how to auth, etc.
Ok thanks for all these details. The only thing that makes me wonder is my brother was able to register his SMA without any issues, he's not on pfsense but on a Fritz!Box.
-
Well it prob has built in sip ALG.. ie the thing that changes rfc1918 to wan IP.. You could always turn off the sipproxy and sniff again and see if the device is actually sending its wan on its own or its rfc1918.
-
@johnpoz said in Can't get SMA solar inverter to communicate:
Well it prob has built in sip ALG.. ie the thing that changes rfc1918 to wan IP.. You could always turn off the sipproxy and sniff again and see if the device is actually sending its wan on its own or its rfc1918.
No where do I see the device's private IP in the SIP packages.
A workaround would be to use another router to register the SMA but that means we won't get to know the answer to this SIP mess.. -
You shouldn't!! Did you turn off the sipproxy? Do you see it on the lan side sniff vs wan side sniff. If client is sending your wan IP without the sipproxy then you can turn that off.
Do you still get the 401?
Sniff on the lan side not your wan interface. What does the sip package show then in wireshark?
-
@johnpoz said in Can't get SMA solar inverter to communicate:
You shouldn't!! Did you turn off the sipproxy? Do you see it on the lan side sniff vs wan side sniff. If client is sending your wan IP without the sipproxy then you can turn that off.
Do you still get the 401?
Sniff on the lan side not your wan interface. What does the sip package show then in wireshark?
The lan sniff is talking to my neighbour's SMA (we're on the same share network, at least for now). It's probably not helping, but it shouldn't interfere if well designed.
1.51 is my neighbour's, 1.50 is mine.
-
@rosch It's night over here so no current on the device, so not helping.
I'll get back to you asap. -
You need to look INSIDE the packet for what address its trying to use.. Not the actual IPs talking..
Um sure looks like the 2nd sniff is talking to the same public IP as first.. Your saying that is your neighbors device? Maybe thats why its not registering, and saying you need to auth?
-
Sorry about the delay, I was away for a few days.
I have good news: it works out of the box, I was using the wrong "registering button". I used the big centered button instead of simply clicking "next". Well I didn't know, and I am sorry I made you lose some time, but I am glad it's fixed and you were all very helpful:
The center button is only to be used when you have a data logger called "SMA DATA MANAGER M".
I hope somebody else can use this info.
ps: the German SMA support got it right in their first email reply, the Belgian one did not, not even after 7 days of emails back and forth..
