pfBlockerNG somehow blocking IOT devices
-
I kept having issues with IOT devices going offline so I decided to set up a VLAN and put all IOT devices on the VLAN and outside the firewall rules. This works for a short period of time after booting up pfsense but then the devices go offline again. Specifically, Vocolinc devices stop responding and two other Homekit compatible devices stop responding. The Apple TV works, Apple HomePod works, the Schlage lock works. The MyQ, Vocolinc and Meross devices just stop responding. I'm not sure why or how this is even possible because the VLAN is outside of the firewall rules. The weird thing is that restarting the Netgate 4100 doesn't fix the issue but pulling the power plug and then rebooting the device seems to get the Homekit devices working again for a short period of time before they stop responding again.
I also have a Unifi Flex XG and I can see the IOT devices connected to the switch but they're all showing no data usage.
I followed this: https://www.sunnyvalley.io/docs/network-security-tutorials/pfblockerng
to set up the PFblockerNG firewall and I'm confident that the VLAN is outside of the firewall rules but PFblockerNG is still monitoring the WAN port so perhaps that's the problem?
-
@fidelity40 I suggest not pulling power on any device with a writeable file system. It is far safer to Diagnostics/Halt first.
Powering off helping sounds like a port problem but that doesn’t really make sense if some of them continue to work.
PfBlocker doesn’t “monitor” anything…did you set up DNSBL? If so check its DNSBL log to see if any sites are blocked for those devices. Or disable DNSBL and see if the problem goes away.
-
I think I need to go back to square 1 and start over. Disabling pfblockerNG doesn't fix the issue. Disabling and restarting doesn't fix the issue. Only pulling the power plug and then booting up fixes the issue. So one would think it's NOT a pfblockerNG issue but then again the problem didn't start until I initially ran that program. I'm really confused by this and I'm wondering if maybe it has more to do with a netgate 4100 issue than a pfblockerNG issue
-
Ok, I'm incredibly confused on why this isn't working. I've tried everything I can think of and these IOT devices on their own VLAN just refuse to work. I've restarted everything several times, I've disabled pfblockerNG entirely and restarted everything. I just can't seem to get the IOT devices to respond but I can see them from my switch. I can see that they have an IP, I can see that they're connected to wifi and they've transmitted and received data. I just can't figure out why this pfsense device is preventing them from working and how to fix it! Prior to disabling pfblockerNG, I went into DNSBL logs and none of the associated IP addresses are being blocked.
The best option I have right now is to go back to an amplifi router and the IOT devices work fine. So what could be going on with this netgate 4100 that's causing these devices to just stop working?
Devices in question:
Vocolinc VPX5 switches (Three devices don't work in homekit OR their own native app)
Apple Homekit devices (Two devices work in their native app but not homekit)
Meanwhile, the devices inside the VLAN that refuse to respond have identical devices outside the VLAN that are working just fine. Does this make sense to anyone?
-
@fidelity40 said in pfBlockerNG somehow blocking IOT devices:
the devices inside the VLAN that refuse to respond
Discovery of something in a different vlan isn't going to work, discovery is almost always L2. Native applications normally work because the device is phoning home, and you control it by telling home via your application to do something on the application.
-
@johnpoz The apple TV and homepod devices are on the VLAN, so shouldn't the IOT devices on the VLAN be able to see and communicate with them? Then the apple devices should be talking to my phone via the Home app. At least that's how I thought it worked when I set it up. I can't get the devices to respond regardless of whether my phone is on the VLAN or the other network.
I did notice that DNSBL was actually blocking traffic on the IOT VLAN which makes me think I have something set up wrong...or does DNSBL just watch every network on the pfsense? I can't seem to find a single record of 200.13, 200.14 and 200.17 from being blocked by DNSBL. Is there any way I can lock into a specific device and see what's going on with it? There has to be a reason that these Vocolinc devices just stopped working as soon as I installed the Netgate 4100.
Could this be caused by blocking all countries outside of the United States? It just occurred to me that one of the devices working in the app but not Homekit is obviously a device from China. Manufacturer: ChengduM
The vocolinc devices: Manufacturer: Shenzhen
-
@fidelity40 said in pfBlockerNG somehow blocking IOT devices:
apple TV and homepod devices are on the VLAN, so shouldn't the IOT devices on the VLAN be able to see and communicate with them
Devices on the same network don't communicate directly to each other through the router.
If as you suggest later they connect out to some external server, and all communication is through that external server then that's different. But that's not very common except for managing settings.
@fidelity40 said in pfBlockerNG somehow blocking IOT devices:
I can't seem to find a single record of 200.13, 200.14 and 200.17 from being blocked by DNSBL
Not sure what those are, but the pfBlocker dnsbl.log shows hostnames it has blocked/overridden, and the source IP for the query.
-
@steveits Thanks for your help so far! None of the devices appear in the dnsbl.log file. How do these devices normally work? I can see they have an IP address, nothing seems to be blocking them.
I have the Netgate 4100 and then I have the Ubiquiti Enterprise 8 PoE switch and then the devices connect using a Ubiquiti AP nanoHD with the SSID configured to connect client devices to the VLAN network.
-
@fidelity40 If they're not in the dnsbl.log file then it's not a DNS block. That leaves country rules, or something else. Did you block DoH when you enabled DNSBL? I found our Dish DVR uses DNS for most things but only DoH for streaming.
-
So I got this back from Vocolinc and hopefully it helps others.
My question: Are they using TCP or UDP?
Support: Both. mDNS service discovery using UDP. And then iPhone establishes a TCP connection with the accessory.
Support: Launch terminal and try the following command to make sure your accessories are listed at least once:
dns-sd -B _hap._tcp
So upon realizing that mDNS needed to be configured, I installed Avahi as a service and allowed the interfaces to interact through Avahi. I'm not sure if it helped but I added "_hap._tcp" to the "service" under "reflection Filtering" when I set up Avahi. A short time later, the IOT devices started working again. Problem solved...hopefully permanently.
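An added example, not from this thread, Vocolinc or Apple: a small Python script that sends the same _hap._tcp PTR browse that dns-sd -B sends and parses the answers, illustrating johnpoz's point that discovery is L2 and the support reply that HomeKit pairing starts with mDNS over UDP. The query goes to 224.0.0.251, which the router never forwards, so run from a host on another VLAN it hears nothing until a reflector such as the Avahi setup above repeats the traffic; the packet layout follows RFC 1035/6762 and the accessory name in the test is constructed.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT, PTR = "224.0.0.251", 5353, 12  # link-local multicast, never routed across VLANs

def build_ptr_query(service="_hap._tcp.local"):
    """The PTR question 'dns-sd -B _hap._tcp' sends: id 0, flags 0, one question, type PTR, class IN."""
    name = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in service.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + name + struct.pack("!HH", PTR, 1)

def decode_name(data, offset):
    """Decode a (possibly compressed) DNS name; return (name, offset just past it in the record)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            end = end if jumped else offset + 2
            offset, jumped = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode())
        offset += length

def parse_ptr_answers(data, service="_hap._tcp.local"):
    """Return the accessory instance names one mDNS response advertises for `service`."""
    (qd, an), offset, found = struct.unpack("!HH", data[4:8]), 12, []
    for _ in range(qd):  # a unicast reply to a legacy querier echoes the question section
        offset = decode_name(data, offset)[1] + 4
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR and name == service:
            found.append(decode_name(data, offset)[0])
        offset += rdlen
    return found

def browse(service="_hap._tcp.local", timeout=3.0):
    # Send one query to the mDNS group and collect whatever answers this host's VLAN can hear.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762: mDNS packets use TTL 255
    sock.sendto(build_ptr_query(service), (MDNS_GROUP, MDNS_PORT))
    seen = set()
    while True:  # responders answer unicast to our ephemeral source port
        try:
            seen.update(parse_ptr_answers(sock.recvfrom(9000)[0], service))
        except socket.timeout:
            return sorted(seen)  # empty when no accessory and no mDNS reflector is on this VLAN
```

Calling browse() from a host on the IOT VLAN should list the Vocolinc accessories; calling it from the other network lists nothing unless Avahi reflection for _hap._tcp is in place.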