Having Trouble With Nest & Energenie Gateway Since pfSense
-
Those WAN rules do nothing. You should delete them.
What would be interesting would be the rules on the interface the devices are connecting through (probably LAN or UNIFI.)
-
Just at a complete and utter loss as to what you think those rules were going to allow? I take it you have no clue as to how rules are evaluated on pfsense or on any firewall for that matter.
What is lanandwifi - you have some sort of bridge setup?
What rules did you create on the interfaces you created other than LAN? While lan defaults to any any, any opt interface you create would have no rules and everything would be denied. So no, your nest would not be able to phone home if you put no rules on the interface it's connected to, etc.. Same would also hold true for any other sort of "gateway" for smarthome stuff that needs to get to the internet.
-
Ah, ok... I am completely new to this so don't be too harsh!
My thought was that I can communicate with the nest & energenie gateway over the LAN, but the issue I have is with them both accessing the internet, so excluding them from the WAN I thought would be the way to go?
I have 3 interfaces as you can see (WAN LAN & UNIFI)
I am not sure where LANANDWIFI came from; as I have read so many guides it would be something I picked up somewhere and will revisit at some point.
I will set the rules on the WAN for the energenie as it is hard wired and on the UNIFI for the Nest as it is Wifi.
Thanks for the replies @johnpoz & @Derelict, I appreciate it.. I am new to this as I say but will learn fast!
-
Not sure why you think you need any rules on WAN.
https://www.netgate.com/docs/pfsense/book/firewall/configuring-firewall-rules.html
https://www.netgate.com/docs/pfsense/firewall/firewall-rule-basics.html
https://www.netgate.com/docs/pfsense/firewall/firewall-rule-troubleshooting.html
-
@mbc0 said in Having Trouble With Nest & Energenie Gateway Since pfSense:
I will set the rules on the WAN for the energenie
No!! You would not set any rules on the wan... I really suggest you familiarize yourself with how rules are evaluated on pfsense..
https://www.netgate.com/docs/pfsense/firewall/firewall-rule-processing-order.html
The only time you would have any rules on wan would be if you were doing port forwards, etc. As to not understanding what lanandunifi is - I would make it a priority to understand interfaces you have setup.. With such a name I would take it a bridge maybe? You have NO need for a bridge in a typical setup.
I run nest therm and protect, there are no port forwards needed, so no rules on wan would ever be needed. And also run myq gateway for my garage and another gateway for wall switches tied to lights. No port forwards needed for any of that. If your smarthome stuff needs port forwards into your network - you're doing it wrong!!! Returning such hardware would be my suggestion.
-
Ok,
I will read through all this that you have kindly linked and hope it will help me understand why I am having issues with these devices.
The Energenie gateway is found on my network and is assigned an IP, but the app cannot see it when on pfsense. The nest works in that it thinks it is connected to the internet and it does function properly, but it is unable to collect weather information on pfsense, yet works perfectly when on my vodafone router.
As for the LANANDWIFI the only interface that was assigned to it in the group was LAN so I have deleted it now.
-
Post up the rules you have setup on your lan and unifi interfaces.
Also are you running packages like pfblocker, snort, proxy, etc..
Out of the box lan is any any rules and clients can go anywhere they want on the internet on any port. So if you're having some problem pulling weather you have modified the rules or are running something blocking it like pfblocker or having dns problems.
-
Below are the current rules, I am not running any packages yet, I want to get pfsense up and running with normal operation before adding any packages.
If you cannot see any problems with my rules maybe I should reset and start again?
-
All of those rules on your lan are POINTLESS!!! rules are evaluated top down, first rule to trigger wins, no other rules evaluated. So those being below an any any rule mean nothing!
Rule on unifi, do you have a downstream network of 192.168.1/?
What network is your unifi net and what network is your lan net.
If you were adding rules on your lan net via seeing blocks - ie the easy rules, you prob had out of state blocks.. What is 192.168.1.5?? That rule is pretty pointless if 192.168.1 is your unifi network.
Is your lan 172.17.0/?
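The point made in this post, that pfSense evaluates interface rules top down and the first match wins, so anything listed below an any/any pass rule is dead, is easy to show in code. The following is an added example, not pfSense code and not code from anyone in the thread; the rule tables, the constructed host 192.168.0.60 standing in for a smarthome gateway, and the ports are made-up sample values chosen to mirror the situation described. It also shows the other point raised earlier: an interface with no matching rule falls through to the implicit default deny.

```python
"""First-match firewall rule evaluation: why rules below an any/any rule never fire.

Added example, not pfSense code and not from the thread. Rule tables, the
constructed host 192.168.0.60 and the ports are sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp", "udp", "icmp"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and _net_matches(rule.src, pkt.src)
        and _net_matches(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top down, first match wins. No match (e.g. a freshly created OPT
    interface with an empty ruleset) falls through to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because a single earlier rule matches
    at least as broadly on every field (conservative: partial overlaps are not reported)."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and _net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed LAN ruleset in the order described in the thread: the any/any rule first.
LAN_RULES_AS_POSTED = [
    Rule("Default allow LAN to any", "pass", "any", "any", "any", None),
    Rule("Energenie gateway HTTPS", "pass", "tcp", "192.168.0.60/32", "any", 443),
    Rule("Block other Energenie traffic", "block", "any", "192.168.0.60/32", "any", None),
]

# Same rules with the catch-all moved to the bottom so the specific rules are reachable.
LAN_RULES_REORDERED = [LAN_RULES_AS_POSTED[1], LAN_RULES_AS_POSTED[2], LAN_RULES_AS_POSTED[0]]

if __name__ == "__main__":
    dns_from_gateway = Packet("udp", "192.168.0.60", "8.8.8.8", 53)
    print(evaluate(LAN_RULES_AS_POSTED, dns_from_gateway))   # ('pass', 'Default allow LAN to any')
    print(shadowed_rules(LAN_RULES_AS_POSTED))               # both specific rules are dead
    print(evaluate(LAN_RULES_REORDERED, dns_from_gateway))   # ('block', 'Block other Energenie traffic')
    print(shadowed_rules(LAN_RULES_REORDERED))               # []
```

Running `shadowed_rules` over a ruleset before saving it is a cheap sanity check: any rule it reports is one the firewall will never consult, which is exactly the situation described for the rules sitting under the default LAN pass rule.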
-
Hi,
Thank you so much for your time!!
My LAN is 192.168.0.*
My Unifi (WiFi) is 192.168.1.*
My Unifi AC-Lite is 192.168.1.5. I was experimenting with an issue with some of my dockers on unRAID which are all 172.17.0
I hope that makes sense!
-
Well if your dockers are on your "lan" but on a different network, that is a borked config. You need to put your dockers on an actual network.. It is not proper to run multiple layer 3 networks on the same layer 2 - and not secure and does not isolate the networks, and can cause asymmetrical traffic, etc. etc.. There is really never a good reason to do it - other than say the time it takes to migrate hosts to new address scheme, etc.
I would suggest you either put your dockers on a vlan or put them on current network they are connected to.
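The asymmetric-traffic problem this post warns about comes straight from how a gateway routes replies: longest-prefix match against its routing table, with no regard for which interface the original packet arrived on. The block below is an added example, not pfSense code and not from anyone in the thread. Its routing table and addresses are constructed to mirror the setup described (LAN 192.168.0.0/24, UNIFI 192.168.1.0/24, containers on 172.17.0.0/16 sharing the LAN wire with no route to them); 203.0.113.1 is a documentation-range placeholder for the upstream gateway.

```python
"""Why two layer-3 networks on one layer-2 segment misbehave.

Added example, not pfSense code and not from the thread. Routing table and
addresses are constructed; 203.0.113.1 is a placeholder upstream gateway."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# (destination prefix, egress interface, next hop or None when directly connected)
ROUTES: List[Tuple[str, str, Optional[str]]] = [
    ("192.168.0.0/24", "LAN", None),
    ("192.168.1.0/24", "UNIFI", None),
    ("0.0.0.0/0", "WAN", "203.0.113.1"),
]


def lookup(routes, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Longest-prefix match: returns (egress interface, next hop)."""
    best = None
    addr = ip_address(dst)
    for cidr, iface, next_hop in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return (best[1], best[2]) if best else (None, None)


def reply_path(routes, ingress_iface: str, src: str) -> Dict[str, object]:
    """Where the gateway sends its reply to a packet that arrived on
    `ingress_iface` from `src`, and whether that is the same side it came in on."""
    egress, next_hop = lookup(routes, src)
    return {"egress": egress, "next_hop": next_hop, "symmetric": egress == ingress_iface}


def off_subnet_sources(iface_cidr: str, observed_srcs) -> List[str]:
    """Source addresses seen on an interface that are outside its configured
    subnet: the signature of a second L3 network on the same L2, or of a
    container bridge whose masquerade toward the host address is not happening."""
    net = ip_network(iface_cidr)
    return sorted((s for s in observed_srcs if ip_address(s) not in net), key=ip_address)


if __name__ == "__main__":
    # Constructed sample of source addresses seen arriving on the LAN interface.
    seen_on_lan = ["192.168.0.50", "172.17.0.5", "192.168.0.10", "172.17.0.2"]
    print(off_subnet_sources("192.168.0.0/24", seen_on_lan))   # ['172.17.0.2', '172.17.0.5']
    print(reply_path(ROUTES, "LAN", "192.168.0.50"))  # symmetric: reply goes back out LAN
    print(reply_path(ROUTES, "LAN", "172.17.0.5"))    # asymmetric: reply follows the default route to WAN
```

A reply to 172.17.0.5 leaves via the default route because no interface owns that prefix, so the container never hears back even though its request reached the firewall; on a stateful firewall the mismatch between ingress and egress interfaces is also why such hosts show up as block entries in the logs. Putting the containers on the interface's own subnet (or on their own VLAN with a matching interface) makes `reply_path` symmetric and `off_subnet_sources` empty.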
-
ok,
I will investigate this further. I have not specified the dockers' IPs on my unRAID server, they are all set to bridge mode automatically and auto assign their own IPs. I have never had an issue but I have never set up pfsense before.
Many Thanks for all your time, I really appreciate it!
-
hmmm I run some dockers on my synology nas, and I access them via the nas IP not some other one.. Do you have a specific docker I could try out on my nas that you're having problems with, ie you're seeing those blocks when it tries to go to the internet for example? I run for example tautulli as a docker for my plex, and I access it via the nas IP
http://192.168.9.10:8181/home
Via that 8181 port..
I will admit I am not a docker guru by any stretch of the imagination, but what I can tell you for sure is trying to run 2 different address schemes on the same L2, ie 192.168.x/24 and 172.17.x/? is not really a valid configuration and should be avoided.
My guess is the "nat" that should be happening between your docker container and what "docker" network it's connected to the bridge is not happening.. So while all dockers.. I looked at one of mine and it's running in a "bridge" that is 172.17/16 but when you talk to it from outside it's like a port forward from your network to the container network.. So if you're seeing traffic on pfsense lan from this container network - I take it the ip masquerade is not happening.. But remember I am in no way qualified to be talking about the ins and outs of how docker works - it's just something from looking at my nas settings for a few minutes.
-
Hi,
I decided to carry out a factory reset and try again as nothing I could do with regard to firewall rules was working for me. I am still positive I was doing something wrong, but since wiping and starting from fresh my energenie gateway is working perfectly (wired); the only issue I still have is with the nest (wireless) getting the weather information? The nest connects to the wifi via my UniFi wireless network (as do another 13 devices). The only "strange" thing I notice is that the nest itself says the router address is 192.168.1.5 which is the IP address of the UniFi so maybe that is "correct", but pfsense IP is 192.168.0.10 (different range) so maybe that could be the issue?
Please can you take a look at my screenshots and let me know if I am missing anything on my firewall setup?
As for my dockers, they are all working perfectly and as you can see from the picture below they are mapped ports so I don't think that will cause an issue.
Again, HUGE thanks for your help!
-
Your nest has the IP address of your AP as its gateway? Yeah that would not be right, a unifi AP does not do any nat..
Any device connected to your unifi wifi network should see pfsense as its gateway. If its pointing to your AP ip as its gateway I have no idea how it could actually be getting to the internet at all..
Where are you seeing that the nest got that as its gateway? On the unit itself...
You're saying the nest has a LAN ip vs your Unifi network, 192.168.0 is your lan, and 192.168.1 is your unifi network?
-
Hi,
Just an update,
I have been out and in the last couple of hours my Energenie gateway has now lost connection (last seen at 14:31).
I had not made any changes to pfsense since late morning so I am struggling to see what the issue is here? (it works 24/7 when on my vodafone router)
As for my nest (on the nest itself) it says the router is 192.168.1.5, there is no mention of gateway. I am going to investigate this further now. When connecting the nest you just choose an SSID, which in my case is the UniFi; 13 other devices all work fine on the same connection so it must be looking for a port of some kind specific to the nest.
My LAN is 192.168.0.* and my UniFi is 192.168.1.*
-
@mbc0 said in Having Trouble With Nest & Energenie Gateway Since pfSense:
As for my nest (on the nest itself) it says the router is 192.168.1.5
Where does it say that? What are you looking at? The device on the wall has nothing that says router,
Take a picture of where you see that.. It clearly shows IP, mask and gateway - I will take a picture when I get home. I would swear it doesn't say router when you look at network details. I just looked at mine this morning before I left for work - I was going to take a picture of it even ;) For use on this thread.
Did you name your SSID 192.168.1.5?
Let's say nest used port XYZ, doesn't matter, your rule is ANY ANY!!
When I get a chance I will sniff the traffic coming off the nest on how it checks the outside temp.
Also where is it not showing the outside temp, is your location set? What version of the software is running on your nest, on your app?
I found this seems like your same sort of problem
https://www.reddit.com/r/Nest/comments/8cg367/nest_app_no_longer_shows_outside_temp_ios/
Here is my info showing software version and when last updated, etc. I will take a picture of the detailed network info when I get home
-
Hi!
I have taken some photos to show you what I mean.
I am contacting energenie today to see what their gateway is looking for port wise.
It is the farsight weather that the nest will not display when on pfsense...
-
1262 ping response time is a bit
What response time do you get if you ping 8.8.8.8 from a PC / Laptop ?
-
@nogbadthebad yes, I agree! I get 16ms from wired devices and 21ms from wireless devices in the same room