pfSense Blocking Roborock app
-
Hey guys, need some help. I'm not a networking guru like many of you, so please bear with me. About a week ago my Roborock app will not connect to the internet anymore. Roborock is a robot vacuum company based in China, I believe. I spent most of the day trying to troubleshoot and have reached my wits' end. Things I have tried: looked into logs to identify a pattern to see if I could locate the IP being blocked. I'll be honest here, I couldn't tell anything really, as there were so many trying to, I guess, ping my IP for open ports. I then reinstalled pfSense from scratch, leaving only the default configuration. After this I found an old Netgear router I had laying around. I hooked it up bypassing pfSense and boom, it started working again. Oddly, in all this everything is working except the one app which I need to connect and use my vacuum. Since bypassing pfSense fixed the issue, I have to assume something is flagging and being blocked. Problem is, I have no idea how to determine what that is. I believe the only rule I have active is the default deny rule, which I think you can't turn off (not that I would want to anyway). Can anyone here point me in the right direction for next steps? I've got an angry pregnant wife looking at me like I'm crazy as I tear my rack apart swapping things out trying to solve the issue! Help!
-
Do you have any "blocking type" packages installed, such as one or more from this list?
- pfBlockerNG or pfBlockerNG-devel
- Snort
- Suricata
- Squidguard
Are you forwarding DNS queries to any type of filtering DNS service?
pfSense, without any extra packages installed, will not just suddenly start blocking something unless you change a firewall rule or modify some existing alias.
But most of the packages I listed above WILL download sometimes hourly updates of IP lists or IDS/IPS detection rules. A change in one of those downloaded items could result in something that was not being blocked suddenly becoming blocked by the package using the downloaded data.
If you are using an upstream filtering DNS and forwarding queries to it, it is possible the DNS provider updated something in their filtering list that now results in a block of your roborock app.
-
@bmeeks At the time I did have pfBlockerNG installed. Currently, however, I am running the default out-of-the-box setup for pfSense. No packages installed and no DNS filtering service. I agree that pfSense won't just do this out of the blue, but I just can't explain what's happening, which led me to make an account and ask you all for help! Thanks for the reply!
-
@bmeeks Here is what I see in the firewall logs when I try the search. IDK if maybe an app update changed something and now triggers the rule, or what it might be.
-
@kahodges1721 said in pfSense Blocking Roborock app:
@bmeeks Here is what I see in the firewall logs when I try the search. IDK if maybe an app update changed something and now triggers the rule, or what it might be.
This firewall log snippet is not helpful. It appears to be just showing random Internet noise. I assume the 132.147.17.230 address is your public WAN IP. The source addresses (in the left-hand IP column of the log) appear to be random hosts on the Internet attempting a connection with your box (notice the "S" flag on the end of the TCP attempts, which is a SYN packet). The default deny rule present on the WAN is properly dropping those requests.
Filter the firewall log for your LAN interface, and then look for the IP address of your robot vacuum app. See if any packets are being dropped from it on the LAN interface.
-
@bmeeks I didn't know you could do that. But yes, I'm out to dinner right now but will try when I get home. The issue I see is there is nothing in the time frame I'm "being blocked" for the IP address I'm using. But clearly there has to be something.
-
@bmeeks I sorted the firewall logs and didn't find anything for the IP address. In playing around this morning I ran a packet capture for the LAN when trying to log in to the app, which remains unsuccessful with the network error. Below is what I got for the IP address of my phone.
08:24:04.537939 IP 192.168.1.245.63881 > 192.168.1.1.53: UDP, length 64
08:24:04.537940 IP 192.168.1.245.53067 > 192.168.1.1.53: UDP, length 64
08:24:04.537993 IP 192.168.1.245.57639 > 52.22.51.41.443: tcp 0
08:24:05.533522 IP 192.168.1.245.57639 > 52.22.51.41.443: tcp 0
I then proceeded to do what shouldn't be done and created a firewall rule to allow any IP to any IP, open on all ports. I also did this for WAN just to test, but that is now closed again.
-
@kahodges1721 said in pfSense Blocking Roborock app:
@bmeeks I sorted the firewall logs and didn't find anything for the IP address. In playing around this morning I ran a packet capture for the LAN when trying to log in to the app, which remains unsuccessful with the network error. Below is what I got for the IP address of my phone.
08:24:04.537939 IP 192.168.1.245.63881 > 192.168.1.1.53: UDP, length 64
08:24:04.537940 IP 192.168.1.245.53067 > 192.168.1.1.53: UDP, length 64
08:24:04.537993 IP 192.168.1.245.57639 > 52.22.51.41.443: tcp 0
08:24:05.533522 IP 192.168.1.245.57639 > 52.22.51.41.443: tcp 0
I then proceeded to do what shouldn't be done and created a firewall rule to allow any IP to any IP, open on all ports. I also did this for WAN just to test, but that is now closed again.
The default configuration for pfSense puts a "pass all" rule on the LAN. However, if you created any other interfaces (or VLANs), then those would be created with only a default deny rule. You would need to explicitly configure a pass rule on extra interfaces.
You should pretty much NEVER open your WAN to unsolicited inbound traffic except in very limited circumstances (such as a remote access VPN, for example).
How is your phone connecting to the pfSense LAN? You have Wi-Fi I assume, but is that provided via a simple access point (with no routing/NAT), or are you using a typical consumer "router" for that access? Where is your pfSense firewall in the connection scheme? A simple diagram of your network would help for starters.
-
@bmeeks My network is modem to pfSense machine. From that it enters a 24-port switch and then to several APs throughout the house. I connect via iPhone through the APs without any NAT or firewall associated with them. Given the exact same setup, I removed the pfSense box and replaced it with a NETGEAR router, keeping everything else the same. In this setup I could connect through the AP and be able to log in and use full functionality of the app. It's honestly boggling my mind here; it simply doesn't make sense because I do not see any traffic being blocked, but it clearly must be because it works without pfSense.
-
@kahodges1721 said in pfSense Blocking Roborock app:
@bmeeks My network is modem to pfSense machine. From that it enters a 24-port switch and then to several APs throughout the house. I connect via iPhone through the APs without any NAT or firewall associated with them. Given the exact same setup, I removed the pfSense box and replaced it with a NETGEAR router, keeping everything else the same. In this setup I could connect through the AP and be able to log in and use full functionality of the app. It's honestly boggling my mind here; it simply doesn't make sense because I do not see any traffic being blocked, but it clearly must be because it works without pfSense.
And have you rebooted the pfSense box during all of the swapping? Perhaps something is "wedged" on the pfSense firewall. If you are simply swapping cables, that would not reset the firewall.
Are the IP addresses for the LAN side the same for pfSense and the Netgear router? In other words, are both using 192.168.1.0/24 on their LAN interfaces?
I think you said that everything else network-wise works with pfSense in place. I assume that means browsing the web successfully from a PC on your LAN?
-
@bmeeks Network diagram that doesn't work.
Network diagram that does work.
-
Yep, that connection diagram is pretty simple. Like you, I see no reason for the app not to work -- especially if all the other devices on the network operate normally with the pfSense machine in place.
-
@bmeeks That is correct. When swapping the router, both are using 192.168.1.0/24. Both routers allow full functionality of PCs, smart devices, phones, etc. The literal only difference between them is that with pfSense I get a network timeout error using the Roborock app, and on the other router, neighbor's Wi-Fi, and LTE I don't get the error. Not only was pfSense rebooted, but I have clean installed it twice as part of the troubleshooting process, as well as trying the CE and Plus editions just to test.
-
@bmeeks The odd thing is I have been using this app for many years with pfSense without any issues. Out of the blue my Home Assistant connection broke, which prompted me to investigate. I noticed the robot lost Wi-Fi connection for some reason, so I went into the app to troubleshoot. That's when I learned it was being blocked somehow. The worst part is about 2 months ago I upgraded to the new model for about $1200 and now can't use the damn thing haha.
-
One thing pfSense does by default, that the Netgear likely does not, is randomize the source port when NAT is applied to outbound traffic.
There is a setting for that described in the docs here: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#static-port. You can try toggling that off to see if it helps.
-
@bmeeks If I understand it correctly, adding a mapping for both WAN and LAN from any to any with static port and hybrid NAT should eliminate this, correct? I set that up below and just tested. Same issue. Going to do a reboot now and test again.
-
The Static Port idea was a shot in the dark. I keep forgetting you said it worked for quite some time and then suddenly broke. Static Port is not something that would suddenly turn on or off -- requires manual user action.
That would make me think perhaps an update somewhere might be the culprit. Unless you updated pfSense, that would point to the app getting updated.
Not familiar with how the vacuum works, but I would usually expect these things to work by the vacuum "phoning home" to the mothership on a web server and establishing a connection. The app on your phone then connects to the same web server, and then the server relays traffic/commands back and forth between the vacuum and the app on your phone. So, if that is how the vacuum works, is it your phone app that can't connect to the web server, or is the robot vacuum unit itself not connecting to the remote server? There should be nothing preventing a direct connection between phone and vacuum across Layer 2 on your switch, but I doubt the vacuum is a peer-to-peer device.
You show a UniFi device in your drawing for the AP. I've had some weird issues with recent UniFi updates and my IoT Wi-Fi thermostats. But if that were the issue, it would be expected to impact both pfSense and the Netgear router.
-
@bmeeks The vacuum lost Wi-Fi connection (assuming because it tried to phone home and was blocked). That's when I attempted to use the app to reconfigure the vacuum and set it up again. During this is when I found the app couldn't phone home either. I agree with your theory on how it's working. I think you are correct. I would also point to the app being updated as the reason why there is a sudden change, because when the issue started to occur nothing on the pfSense side was updated to my knowledge. So basically I see the app is to blame for the sudden issue, but I just can't seem to find a reason why only pfSense doesn't like the changes it has made, and I really hoped I wouldn't have to rely on some Chinese company to make an app change for functionality to return haha.
Edit: The phone doesn't communicate directly with the robot until the robot is added to the network. Even then I'm not 100% sure. The main issue is with the app, because when trying to add the device to the app you need to be connected to the Wi-Fi it will use. In doing so I try to select the add button and it will spin and give me a network error. Assuming this is during its call home.
-
@bmeeks This gives me an idea. I can connect the Netgear to the network after the pfSense box. I can then connect the phone to the router's Wi-Fi, bypassing the APs. Just to ensure that the APs are not causing any issues, but I agree it doesn't seem likely, with it working with the Netgear router.
-
Well, if you have re-installed pfSense from scratch and just taken the defaults and NOT restored a previous config, then it should just work out-of-the-box. The fact the rest of your network operates normally with pfSense in place is what makes this so confusing.
You can remove the Hybrid NAT setup and return to Automatic Outbound NAT. That was not the issue.
Next up is capturing packets from the vacuum and your phone (while attempting to use the app) to see what's actually on the wire. You can find the packet capture utility under DIAGNOSTICS. But you will need some experience running Wireshark to use this. You can capture by IP address and/or interface. Do you know what the IP address of your vacuum might be? You can easily find the IP of your phone under the network or Wi-Fi settings of the phone. I would capture packets from both IP addresses if you know them (vacuum and phone) on your LAN to see what they are sending and what, if anything, is coming back.
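The two capture-related suggestions in this thread (filter the capture by the phone's LAN IP, then check what, if anything, comes back) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Netgate: it parses the tcpdump-style text that the pfSense Diagnostics > Packet Capture page prints, groups packets into flows opened by a chosen client IP, and lists the flows on which no packet was ever seen in the reverse direction. The sample capture is constructed: the four lines posted earlier in the thread are kept, and one DNS reply line was added so that one flow is visibly answered. The 192.168.1.245 phone address and the 52.22.51.41 destination come from the post; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump text layout shown by pfSense's packet
# capture page. Lines 1, 2, 4 and 5 are the ones posted in the thread; line 3
# (the DNS reply) is constructed so that one flow is seen to be answered.
SAMPLE_CAPTURE = """\
08:24:04.537939 IP 192.168.1.245.63881 > 192.168.1.1.53: UDP, length 64
08:24:04.537940 IP 192.168.1.245.53067 > 192.168.1.1.53: UDP, length 64
08:24:04.539102 IP 192.168.1.1.53 > 192.168.1.245.63881: UDP, length 96
08:24:04.537993 IP 192.168.1.245.57639 > 52.22.51.41.443: tcp 0
08:24:05.533522 IP 192.168.1.245.57639 > 52.22.51.41.443: tcp 0
"""

# One packet per line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_capture(text):
    """Parse the capture text; lines that do not match the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        packets.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"),
            # pfSense prints "UDP, length N" for UDP and "tcp N" for TCP.
            "proto": "udp" if rest.upper().startswith("UDP") else "tcp",
        })
    return packets


def flow_summary(packets, client_ip):
    """Map each flow opened by client_ip to (packets sent, packets received)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for p in packets:
        if p["src"] == client_ip:
            sent[(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])] += 1
        elif p["dst"] == client_ip:
            # Reverse direction: index the reply under the client's own flow key.
            received[(p["dst"], p["dport"], p["src"], p["sport"], p["proto"])] += 1
    return {key: (sent[key], received.get(key, 0)) for key in sent}


def unanswered_flows(packets, client_ip):
    """Flows the client sent on which not a single packet came back."""
    return {k: v for k, v in flow_summary(packets, client_ip).items() if v[1] == 0}


def report(text, client_ip):
    """Human-readable one-line-per-flow summary for the capture text."""
    lines = []
    summary = flow_summary(parse_capture(text), client_ip)
    for (src, sport, dst, dport, proto), (out, back) in sorted(summary.items()):
        status = "no reply" if back == 0 else f"{back} back"
        lines.append(f"{proto} {src}:{sport} -> {dst}:{dport}  sent {out}, {status}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE, "192.168.1.245"):
        print(line)
```

On the sample, the DNS query from port 63881 is answered, while the query from port 53067 and the two packets to 52.22.51.41:443 (the same source port one second apart, i.e. the phone retrying its connection) get nothing back. A LAN-side capture can only show that nothing returned to the phone; to tell a drop inside pfSense from an upstream that never answers, run the same capture on the WAN interface for the same destination and check whether the outbound packet appears there and whether anything comes back.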