Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense Blocking Roborock app

    Scheduled Pinned Locked Moved
    Firewalling
    5
    56
    7.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kahodges1721 @bmeeks
      last edited by kahodges1721

      @bmeeks my network is modem to pfsense machine. From that it enters a 24 port switch and then to several AP throughout the house. I connect via iPhone through the APs without any Nat or firewall associated with them. Given the exact same setup I removed the pfsense box and replaced it with a NETGEAR router. Keeping everything else the same. In this setup I could connect through the AP and be able to login and use full functionality of the app. It’s honestly boggling my mind here it simply doesn’t make sense bc I do not see any traffic being blocked but it clearly must be bc it works without pfsense

      bmeeksB 1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks @kahodges1721
        last edited by

        @kahodges1721 said in pfSense Blocking Roborock app:

        @bmeeks my network is modem to pfsense machine. From that it enters a 24 port switch and then to several AP throughout the house. I connect via iPhone through the APs without any Nat or firewall associated with them. Given the exact same setup I removed the pfsense box and replaced it with a NETGEAR router. Keeping everything else the same. In this setup I could connect through the AP and be able to login and use full functionality of the app. It’s honestly boggling my mind here it simply doesn’t make sense bc I do not see any traffic being blocked but it clearly must be bc it works without pfsense

        And have you rebooted the pfSense box during all of the swapping? Perhaps something is "wedged" on the pfSense firewall. If you are simply swapping cables, that would not reset the firewall.

        Are the IP addresses for the LAN side the same for pfSense and the Netgear router? In other words, are both using 192.168.1.0/24 on their LAN interfaces?

        I think you said that everything else network-wise works with pfSense in place. I assume that means browsing the web successfully from a PC on your LAN ??

        K 1 Reply Last reply Reply Quote 0
        • K
          kahodges1721 @bmeeks
          last edited by

          @bmeeks e5ce111e-030f-4d0b-9fd5-8f56c9f2cf3e-image.png Network diagram that doesnt work.

          ce85c9e8-2b57-4212-ba01-7fca24e833dd-image.png

          Network diagram that does work.

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            Yep, that connection diagram is pretty simple. Like you, I see no reason for the app not work -- especially if all the other devices on the network operate normally with the pfSense machine in place.

            K 1 Reply Last reply Reply Quote 0
            • K
              kahodges1721 @bmeeks
              last edited by

              @bmeeks That is correct. when swapping the router both are using 192.168.1.0/24. Both routers allow full functionality of PCs, smart devices, and phones etc. The literal only difference between them is with pfSense I get a network timeout error using the roborock app and on the other router, neighbors wifi, and lte I dont get the error. Not only was pfSense rebooted but I have clean installed it twice as part of the troublshooting process as well as trying the CE and plus editions just to test.

              1 Reply Last reply Reply Quote 0
              • K
                kahodges1721 @bmeeks
                last edited by

                @bmeeks The odd thing is I have been using this app for many years with pfSense without any issues. Out of the blue my home assistant connection broke which prompted me to investigate. I noticed the robot lost wifi connection for some reason so I went into the app to troubleshoot. Thats when I learned it was being blocked somehow. The worst part is about 2 months ago I upgraded to the new model for about $1200 and now cant use the damn thing haha.

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  One thing pfSense does by default, that the Netgear likely does not, is randomize the source port when NAT is applied to outbound traffic.

                  There is a setting for that described in the docs here: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port. You can try toggling that off to see if it helps.

                  K 1 Reply Last reply Reply Quote 0
                  • K
                    kahodges1721 @bmeeks
                    last edited by

                    @bmeeks If I understand it correctly adding a mapping for both WAN and LAN from any to any with static port and hybrid NAT should eliminate this correct? I set that up below and just tested. Same issue. Going to do a reboot now and test again.

                    14aca9d2-88cb-4fdb-b113-e9e2aebbdf33-image.png

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks
                      last edited by bmeeks

                      The Static Port idea was a shot in the dark. I keep forgetting you said it worked for quite some time and then suddenly broke. Static Port is not something that would suddenly turn on or off -- requires manual user action.

                      That would make me think perhaps an update somewhere might be the culprit. Unless you updated pfSense, that would point to the app getting updated.

                      Not familiar with how the vacuum works, but I would usually expect these things to work by the vacuum "phoning home" to the mothership on a web server and establishing a connection. The app on your phone then connects to the same web server, and then the server relays traffic/commands back and forth between the vacuum and the app on your phone. So, if that is how the vacuum works, is it your phone app that can't connect to the web server, or is the robot vacuum unit itself not connecting to the remote server? There should be nothing preventing a direct connection between phone and vacuum across Layer 2 on your switch, but I doubt the vacuum is a peer-to-peer device.

                      You show a UniFi device in your drawing for the AP. I've had some weird issues with recent UniFi updates and my IoT Wi-Fi thermostats. But if that were the issue, it would be expected to impact both pfSense and the Netgear router.

                      K 2 Replies Last reply Reply Quote 0
                      • K
                        kahodges1721 @bmeeks
                        last edited by kahodges1721

                        @bmeeks The vacuum lost wifi connection (assuming bc it tried to phone home and was blocked. Thats when I attempted to use the app to reconfigure the vacuum and set it up again. During this is when I found the app couldnt phone home either. I agree with your theory on how its working. I think you are correct. I would also point to the app being updated as the reason why there is a sudden change bc when the issue started to occur nothing on pfsense side was updated to my knowledge. So basically I see the app is to blame for the sudden issue but I just cant seem to find a reason why only pfSense doesn't like the changes it has made and I really hopped I wouldn't have to rely on some Chinese company to make an app change for functionality to return haha.

                        Edit: The phone doesnt communicate directly with the robot until the robot is added to the network. Even them Im not 100% sure. The main issue is with the app bc when trying to add the device to the app you need to be connected to the wifi it will use. In doing so I try to select the add button and it will spin and give me a network error. Assuming this is during its call home.

                        1 Reply Last reply Reply Quote 0
                        • K
                          kahodges1721 @bmeeks
                          last edited by

                          @bmeeks This gives me an idea. I can connect the netgear to the network after the pfsense box. I can then connect the phone to the routers wifi bypassing the APs. Just to ensure that the APs are not causing any issues but I agree it doesn't seem likely with it working with the netgear router.

                          1 Reply Last reply Reply Quote 0
                          • bmeeksB
                            bmeeks
                            last edited by

                            Well, if you have re-installed pfSense from scratch and just taken the defaults and NOT restored a previous config, then it should just work out-of-the-box. The fact the rest of your network operates normally with pfSense in place is what makes this so confusing.

                            You can remove the Hybrid NAT setup and return to Automatic Outbound NAT. That was not the issue.

                            Next up is capturing packets from the vacuum and your phone (while attempting to use the app) to see what's actually on the wire. You can find the packet capture utility under DIAGNOSTICS. But you will need some experience running wireshark to use this. You can capture by IP address and/or Interface. Do you know what the IP address of your vacuum might be? You can easily find the IP of your phone under the network or Wi-Fi setttings of the phone. I would capture packets from both IP addresses if you know them (vacuum and phone) on your LAN to see what they are sending and what, if anything, is coming back.

                            K 1 Reply Last reply Reply Quote 0
                            • K
                              kahodges1721 @bmeeks
                              last edited by kahodges1721

                              @bmeeks I did a package capture above this morning. I copied any traffic that matched the IP of the phone. I also downloaded the entire package and can link below. Hmm nvm it wont let me attach the file

                              At this point the vacuum doesnt have an IP since its not connected at all. Basically I am leaving that out of the equation until I can get through the app issue which is likely linked as the same issue I am thinking.

                              1 Reply Last reply Reply Quote 0
                              • bmeeksB
                                bmeeks
                                last edited by

                                You mentioned in a previous post that you could "bypass the UniFi" by attaching your phone to the Netgear Wi-Fi. Is the IP address subnet there the exact same as the on in the UniFi? Is it possible the vacuum established a connection to the Netgear Wi-Fi, and so when pfSense is not there the vacuum has no network? Just grasping at straws here, but you have tried all the obvious things, now it's time to look for the downright weird 😁.

                                I have to be away for several hours for some family business, so can't reply to further posts until later tonight.

                                K 2 Replies Last reply Reply Quote 0
                                • K
                                  kahodges1721 @bmeeks
                                  last edited by

                                  @bmeeks Hey No problem I will keep plugging away at anything I can think of or read on. I really appreciate your help on this for sure. I just cant conceive of any issue that would cause this at all. Its well beyond my limited knowledge of home networking for sure.

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kahodges1721 @bmeeks
                                    last edited by rcoleman-netgate

                                    @bmeeks Just so we have it here is the package capture with full detail when trying to log into the app for only my phone IP

                                    14:04:17.884291 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 106: (tos 0x0, ttl 64, id 56173, offset 0, flags [none], proto UDP (17), length 92)
    192.168.1.245.62132 > 192.168.1.1.53: [udp sum ok] 64387+ Type65? api-slb-1106974124.us-east-1.elb.amazonaws.com. (64)
14:04:17.885232 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 106: (tos 0x0, ttl 64, id 38167, offset 0, flags [none], proto UDP (17), length 92)
    192.168.1.245.61663 > 192.168.1.1.53: [udp sum ok] 12878+ A? api-slb-1106974124.us-east-1.elb.amazonaws.com. (64)
14:04:17.964276 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 202: (tos 0x0, ttl 64, id 38567, offset 0, flags [none], proto UDP (17), length 188)
    192.168.1.1.53 > 192.168.1.245.61663: [udp sum ok] 12878 q: A? api-slb-1106974124.us-east-1.elb.amazonaws.com. 6/0/0 api-slb-1106974124.us-east-1.elb.amazonaws.com. A 54.91.129.233, api-slb-1106974124.us-east-1.elb.amazonaws.com. A 44.199.12.174, api-slb-1106974124.us-east-1.elb.amazonaws.com. A 52.44.149.220, api-slb-1106974124.us-east-1.elb.amazonaws.com. A 52.22.51.41, api-slb-1106974124.us-east-1.elb.amazonaws.com. A 34.192.137.33, api-slb-1106974124.us-east-1.elb.amazonaws.com. A 52.20.64.186 (160)
14:04:17.969458 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x8868 (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160136033 ecr 0,sackOK,eol], length 0
14:04:17.987740 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 188: (tos 0x0, ttl 64, id 45996, offset 0, flags [none], proto UDP (17), length 174)
    192.168.1.1.53 > 192.168.1.245.62132: [udp sum ok] 64387 q: Type65? api-slb-1106974124.us-east-1.elb.amazonaws.com. 0/1/0 ns: us-east-1.elb.amazonaws.com. SOA ns-1119.awsdns-11.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60 (146)
14:04:18.947754 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x847c (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160137037 ecr 0,sackOK,eol], length 0
14:04:19.950539 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x8094 (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160138037 ecr 0,sackOK,eol], length 0
14:04:19.950560 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x7fc2 (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914208927 ecr 0,sackOK,eol], length 0
14:04:20.953663 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x7bd6 (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914209931 ecr 0,sackOK,eol], length 0
14:04:20.954454 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x7ca8 (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160139041 ecr 0,sackOK,eol], length 0
14:04:21.951029 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x7fa2 (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488740973 ecr 0,sackOK,eol], length 0
14:04:21.952962 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x78bf (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160140042 ecr 0,sackOK,eol], length 0
14:04:21.952981 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x77ed (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914210932 ecr 0,sackOK,eol], length 0
14:04:22.960759 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x7bb5 (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488741978 ecr 0,sackOK,eol], length 0
14:04:23.008603 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x74d4 (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160141045 ecr 0,sackOK,eol], length 0
14:04:23.008627 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x7402 (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914211935 ecr 0,sackOK,eol], length 0
14:04:23.968055 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x7018 (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914212937 ecr 0,sackOK,eol], length 0
14:04:23.968057 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xde5c (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621493416 ecr 0,sackOK,eol], length 0
14:04:23.968059 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x77cb (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488742980 ecr 0,sackOK,eol], length 0
14:04:24.965452 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x6d02 (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160143047 ecr 0,sackOK,eol], length 0
14:04:24.965454 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x73e3 (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488743980 ecr 0,sackOK,eol], length 0
14:04:24.965454 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xda74 (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621494416 ecr 0,sackOK,eol], length 0
14:04:24.965475 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x6c30 (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914213937 ecr 0,sackOK,eol], length 0
14:04:25.967205 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x6ff6 (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488744985 ecr 0,sackOK,eol], length 0
14:04:25.967207 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xd687 (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621495421 ecr 0,sackOK,eol], length 0
14:04:25.968328 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xf5d4 (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458830294 ecr 0,sackOK,eol], length 0
14:04:26.958670 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x645f (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914215938 ecr 0,sackOK,eol], length 0
14:04:26.967270 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xf1eb (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458831295 ecr 0,sackOK,eol], length 0
14:04:26.967273 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xd29f (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621496421 ecr 0,sackOK,eol], length 0
14:04:26.967278 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x6c0e (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488745985 ecr 0,sackOK,eol], length 0
14:04:28.026426 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xceb4 (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621497424 ecr 0,sackOK,eol], length 0
14:04:28.026429 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62079 > 52.20.64.186.443: Flags [S], cksum 0x693a (correct), seq 3857833468, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1332711101 ecr 0,sackOK,eol], length 0
14:04:28.026432 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 76)
    192.168.1.245.62072 > 17.253.7.205.443: Flags [P.], cksum 0xcb8b (correct), seq 3038464547:3038464571, ack 3982235061, win 2048, options [nop,nop,TS val 2969241129 ecr 646053392], length 24
14:04:28.026461 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.245.62072 > 17.253.7.205.443: Flags [F.], cksum 0xc001 (correct), seq 24, ack 1, win 2048, options [nop,nop,TS val 2969241129 ecr 646053392], length 0
14:04:28.026473 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xee03 (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458832295 ecr 0,sackOK,eol], length 0
14:04:28.066810 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 55, id 24693, offset 0, flags [DF], proto TCP (6), length 64)
    17.253.7.205.443 > 192.168.1.245.62072: Flags [.], cksum 0xacc9 (correct), seq 1, ack 0, win 252, options [nop,nop,TS val 646076778 ecr 2969210974,nop,nop,sack 1 {24:25}], length 0
14:04:28.066817 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 24694, offset 0, flags [DF], proto TCP (6), length 52)
    17.253.7.205.443 > 192.168.1.245.62072: Flags [.], cksum 0x6bab (correct), seq 1, ack 25, win 252, options [nop,nop,TS val 646076778 ecr 2969241129], length 0
14:04:28.067431 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 55, id 24695, offset 0, flags [DF], proto TCP (6), length 52)
    17.253.7.205.443 > 192.168.1.245.62072: Flags [F.], cksum 0x6baa (correct), seq 1, ack 25, win 252, options [nop,nop,TS val 646076778 ecr 2969241129], length 0
14:04:28.163295 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 76)
    192.168.1.245.62072 > 17.253.7.205.443: Flags [FP.], cksum 0x6f74 (correct), seq 0:24, ack 1, win 2048, options [nop,nop,TS val 2969241317 ecr 646076778], length 24
14:04:28.163318 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.245.62072 > 17.253.7.205.443: Flags [.], cksum 0x63ea (correct), seq 25, ack 2, win 2048, options [nop,nop,TS val 2969241317 ecr 646076778], length 0
14:04:28.958647 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62073 > 44.199.12.174.443: Flags [S], cksum 0x5d61 (correct), seq 3373424508, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3160147048 ecr 0,sackOK,eol], length 0
14:04:28.963121 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x643e (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488747985 ecr 0,sackOK,eol], length 0
14:04:28.967073 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xcacb (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621498425 ecr 0,sackOK,eol], length 0
14:04:28.967075 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xea1a (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458833296 ecr 0,sackOK,eol], length 0
14:04:28.969766 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62079 > 52.20.64.186.443: Flags [S], cksum 0x6551 (correct), seq 3857833468, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1332712102 ecr 0,sackOK,eol], length 0
14:04:29.977014 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62079 > 52.20.64.186.443: Flags [S], cksum 0x6167 (correct), seq 3857833468, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1332713104 ecr 0,sackOK,eol], length 0
14:04:29.977034 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xe62d (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458834301 ecr 0,sackOK,eol], length 0
14:04:30.966164 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62074 > 54.91.129.233.443: Flags [S], cksum 0x54bc (correct), seq 1033444204, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 914219941 ecr 0,sackOK,eol], length 0
14:04:30.969138 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62076 > 52.22.51.41.443: Flags [S], cksum 0xc2fa (correct), seq 2443986731, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 621500426 ecr 0,sackOK,eol], length 0
14:04:30.973274 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xe244 (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458835302 ecr 0,sackOK,eol], length 0
14:04:30.973296 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62079 > 52.20.64.186.443: Flags [S], cksum 0x5d7e (correct), seq 3857833468, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1332714105 ecr 0,sackOK,eol], length 0
14:04:31.895547 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 233, id 23671, offset 0, flags [DF], proto TCP (6), length 91)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [P.], cksum 0xf3f6 (correct), seq 2959089295:2959089334, ack 838566967, win 477, options [nop,nop,TS val 487961176 ecr 3140854179], length 39
14:04:31.986202 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62079 > 52.20.64.186.443: Flags [S], cksum 0x5991 (correct), seq 3857833468, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1332715110 ecr 0,sackOK,eol], length 0
14:04:32.195900 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 233, id 23672, offset 0, flags [DF], proto TCP (6), length 91)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [P.], cksum 0xf2ca (correct), seq 0:39, ack 1, win 477, options [nop,nop,TS val 487961476 ecr 3140854179], length 39
14:04:32.483928 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 233, id 23673, offset 0, flags [DF], proto TCP (6), length 91)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [P.], cksum 0xf1aa (correct), seq 0:39, ack 1, win 477, options [nop,nop,TS val 487961764 ecr 3140854179], length 39
14:04:32.590838 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [.], cksum 0x5a9b (correct), seq 1, ack 39, win 2047, options [nop,nop,TS val 3141034833 ecr 487961476], length 0
14:04:32.601283 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 91)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [P.], cksum 0x21b2 (correct), seq 1:40, ack 39, win 2048, options [nop,nop,TS val 3141034833 ecr 487961476], length 39
14:04:32.601306 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 76)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [P.], cksum 0x3aea (correct), seq 40:64, ack 39, win 2048, options [nop,nop,TS val 3141034834 ecr 487961476], length 24
14:04:32.601309 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [F.], cksum 0x5a59 (correct), seq 64, ack 39, win 2048, options [nop,nop,TS val 3141034834 ecr 487961476], length 0
14:04:32.626901 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [F.], cksum 0x8504 (correct), seq 64, ack 39, win 2048, options [nop,nop,TS val 3141034857 ecr 487961764,nop,nop,sack 1 {0:39}], length 0
14:04:32.637635 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 233, id 23674, offset 0, flags [DF], proto TCP (6), length 64)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [.], cksum 0xbc07 (correct), seq 39, ack 1, win 477, options [nop,nop,TS val 487961918 ecr 3141034833,nop,nop,sack 1 {64:65}], length 0
14:04:32.637641 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 233, id 23675, offset 0, flags [DF], proto TCP (6), length 64)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [.], cksum 0xbbe0 (correct), seq 39, ack 40, win 477, options [nop,nop,TS val 487961918 ecr 3141034833,nop,nop,sack 1 {64:65}], length 0
14:04:32.637644 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 233, id 23676, offset 0, flags [DF], proto TCP (6), length 52)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [.], cksum 0x5ec2 (correct), seq 39, ack 65, win 477, options [nop,nop,TS val 487961918 ecr 3141034834], length 0
14:04:32.637647 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 233, id 23677, offset 0, flags [DF], proto TCP (6), length 76)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [P.], cksum 0xfa1e (correct), seq 39:63, ack 65, win 477, options [nop,nop,TS val 487961918 ecr 3141034834], length 24
14:04:32.637650 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 233, id 23678, offset 0, flags [DF], proto TCP (6), length 52)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [F.], cksum 0x5ea9 (correct), seq 63, ack 65, win 477, options [nop,nop,TS val 487961918 ecr 3141034834], length 0
14:04:32.652089 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 129: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 115)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [FP.], cksum 0xb778 (correct), seq 1:64, ack 39, win 2048, options [nop,nop,TS val 3141034904 ecr 487961918], length 63
14:04:32.652109 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [R], cksum 0x59b8 (correct), seq 838567031, win 0, length 0
14:04:32.652112 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [R], cksum 0x59b8 (correct), seq 838567031, win 0, length 0
14:04:32.663468 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 233, id 23679, offset 0, flags [DF], proto TCP (6), length 64)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [.], cksum 0xbb7d (correct), seq 64, ack 65, win 477, options [nop,nop,TS val 487961943 ecr 3141034857,nop,nop,sack 1 {64:65}], length 0
14:04:32.687222 a0:36:9f:8c:00:de > 2a:87:3e:21:c1:b4, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 233, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    3.142.229.116.443 > 192.168.1.245.62042: Flags [R], cksum 0x4177 (correct), seq 2959089334, win 0, length 0
14:04:32.752081 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.245.62042 > 3.142.229.116.443: Flags [R], cksum 0x59b8 (correct), seq 838567031, win 0, length 0
14:04:33.056290 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62079 > 52.20.64.186.443: Flags [S], cksum 0x55a9 (correct), seq 3857833468, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1332716110 ecr 0,sackOK,eol], length 0
14:04:33.056296 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62075 > 52.44.149.220.443: Flags [S], cksum 0x549a (correct), seq 22052766, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 488751989 ecr 0,sackOK,eol], length 0
14:04:33.056314 2a:87:3e:21:c1:b4 > a0:36:9f:8c:00:de, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.245.62077 > 34.192.137.33.443: Flags [S], cksum 0xda74 (correct), seq 1300251584, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 458837302 ecr 0,sackOK,eol], length 0
                                    R 1 Reply Last reply Reply Quote 0
                                    • K
                                      kahodges1721
                                      last edited by

                                      Just cause I downloaded OPNsense to test and see if I got different results. Shocker OPNsense behaved the exact same way as pfsense so no change in firewall behavior. I reloaded pfsense and will continue banging my head against this brick wall. I reached out to roborock support just to see if they knew anything and of course they just told me that to use their products I must disable my firewall completely. Guy had absolutely no idea how things work so that’s basically a dead end.

                                      1 Reply Last reply Reply Quote 0
                                      • bmeeksB
                                        bmeeks
                                        last edited by bmeeks

                                        Very strange if pfSense and OPNsense both exhibit the same behavior and only the Netgear router works. I would say that somewhat vindicates the FreeBSD-based firewall (pfSense and OPNsense).

                                        I would concentrate my efforts on seeing what is possibly different in the configuration now of the Netgear versus the two FreeBSD-based firewalls. Logic and the process of elimination kind of now points to something being configured differently somehow. In an earlier post you mentioned a way to "bypass" the pfSense firewall by using the wireless on the Netgear. Are you 100% sure your vacuum and/or phone app are not trying to use the Netgear's wireless, and so when the Netgear is out of the picture they see no network? From the description you have provided, that would be where I would start looking. I would make sure without a shadow of a doubt that the vacuum and your phone app were both using the UniFi AP both when using the Netgear router and when pfSense is in the loop. The fact your Netgear likely has a available Wi-Fi network that may be enabled makes a sort of "bypass" pathway conceivable. And when the Netgear was unhooked, the "bypass" Wi-Fi pathway would be missing for the vacuum and/or the phone app.

                                        K 1 Reply Last reply Reply Quote 0
                                        • R
                                          rcoleman-netgate Netgate @kahodges1721
                                          last edited by

                                          @kahodges1721 said in pfSense Blocking Roborock app:

                                          package capture with full detail

                                          Full detail is only so helpful; you could have done with just regular detail for visibility. For next time :)

                                          Ryan
                                          Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                                          Requesting firmware for your Netgate device? https://go.netgate.com
                                          Switching: Mikrotik, Netgear, Extreme
                                          Wireless: Aruba, Ubiquiti

                                          K 1 Reply Last reply Reply Quote 0
                                          • K
                                            kahodges1721 @bmeeks
                                            last edited by

                                            @bmeeks sorry I should have been more clear. When I say bypass I mean I took pfsense out of the loop. Exactly how the network diagram shows above. The WiFi for the NETGEAR was disabled so no chance of bypassing the APs but I agree it makes sense. Unfortunately that wasn’t the case here. The biggest red flag to me is that nothing changed in my setup except a possible update to the app. I won’t pretend to know how it all works but if the update brought a change to the server settings on their end I’m curious if I make a pfsense machine and take it to a buddies house and hook it up if I get the same results.

                                            While you were out I did try to get fancy with it and connected the NETGEAR after the pfsense in the chain. Added some port forward rules for the router activated the WiFi on the NETGEAR and nothing still same result. I expected that but I think I’ve reached the point where I just am out of things to try. I even started just going through all the documentation and trying random settings just to see what would happen haha.

                                            bmeeksB 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post