Ecobee thermostat can’t connect to servers
-
@ezhawk said in Ecobee thermostat can’t connect to servers:
Actually, I've had it. This board wants to blame everything other than the pfSense and I'm done
Fair enough, although I never tried to blame Ecobee, and I was a bit frustrated that you didn't read it as I wrote it: get Ecobee involved to find out what pfSense makes behave differently when connecting to idt.ecobee.com. Well, that's life, I guess.
-
@ezhawk said in Ecobee thermostat can’t connect to servers:
If the issue is with idt.ecobee.com closing the connection, why isn't this an issue on a Cisco router?
because the packet from the cisco NAT looks okay at the ecobee end
because the packet from the pfsense NAT in "automatic mode" might not look okay and they reject it
Several other posts, and in fact other forums, talk about this subject, and most suggest that you may have to help pfSense by providing either a hybrid or manual configuration for this particular NAT.
Kind of like you do with the Cisco overload line you have in the config. idt.ecobee.com - the address actually doing the client hello - is telling you to go away, likely because something isn't quite right in the packet.
If you scan idt.ecobee.com you will find that it allows pings, port 80 http traffic, and port 443, but there is no https response - they are running (as you would expect) some other service. Further, if you attempt to do a TLS/SSL scan on the port you will be flat out told to go away (FIN, ACK), i.e. your packet doesn't match what we want to see.
Not seeing anyone specifically blaming ecobee. Yes, ecobee might have a very particular set of connection rules (they should), and clearly they do. Yes, DNS does play a role here, so the other suggestions on the thread are valid,
as are the questions regarding your firewall rules, any internal VPN etc. Auto NAT might not always get it right (in some cases); your particular combination of gear - the order you flow the traffic - might be causing one of those "special" cases. That's not a blame game, that's fact, that's why you have options...
(Ah, Google Nest.) I've never had a problem, but I have a different modem I'm sure (fibre), a static IP, a different access point, a different managed switch and no Cisco - my access point also goes directly to one of the pfSense ports on the 2100. My 2100 has the managed switch on 1, the main AP on 2, and a small hub with a bunch of goodies plugged in (including two additional access points in another build) on port 3 - zero issues - and I just realized I have an empty port, I better go find something to plug in - LOL
Clearly, if you had problems with the Nest as well, that says something is wrong with that path out and back (assuming the Nest also went through the same AP, Cisco switch, pfSense) as in the diagram...
Have you tried plugging the AP directly into the pfSense and letting that run for a while? Just curious.
You might have to help pfSense build the NAT for this service. Not because pfSense or ecobee or the AP or anything else is wrong or specifically broken, just because you have something special happening (the edge case that is a one-off).
It's really kind of hard for anyone without the exact combination of gear you have to sort it out for you, when all they hear is "it is broken, can you make it go". If the Cisco works and does everything you need for the 80+ devices, why change anything?
Carry on
-
I think you may be overreacting to users' questions.
There are plenty of things pfSense could be better at!
Most commonly, when we see reports of some service that worked fine behind some other router but not pfSense, it's either a NAT issue or some ALG/proxy that was present on the other device but not in pfSense.
Try setting a static source port.
The difficulty here is that it doesn't fail immediately. It looks as though the ecobee server marks the IP address as bad in some way after some time, and presumably after some connection event that pfSense fails to pass. But we have yet to see exactly what that is, which makes it difficult to diagnose.
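Two posts above point at the same diagnostic gap: one reports that idt.ecobee.com accepts TCP on 443 but answers a TLS scan with FIN/ACK, the other that the failure only appears after some time and that nobody has yet seen which connection event pfSense mishandles. Both are answered by the same measurement: separate "TCP never opened", "TCP opened but the peer closed during the ClientHello" and "TLS handshake ran", and repeat it from behind pfSense and from another path until the answer changes. The script below is an added example written for this page, not code from the forum, from pfSense or from ecobee; it assumes nothing about what ecobee's servers actually do, the ecobee hostname appears only as the default target, and the loopback servers at the bottom are constructed stand-ins used to exercise each outcome offline.

```python
"""Classify how a host treats plain TCP, an HTTP request and a TLS ClientHello.

Added example for the pfSense thread above, not project or forum code.
Targets are parameters; nothing here assumes how idt.ecobee.com behaves.
"""
import socket
import ssl
import threading


def probe_tls(host, port=443, timeout=5.0, sni=None):
    """Connect, send a ClientHello and report the peer's reaction as a tag:
    refused / timeout / dns_error        - TCP never came up
    tcp_open_tls_closed                  - TCP accepted, peer sent FIN during the handshake
    tcp_open_tcp_reset                   - TCP accepted, peer answered the ClientHello with RST
    tcp_open_tls_timeout                 - ClientHello sent, peer never answered
    tls_error:<reason> / tls_ok:<version>- the handshake actually ran
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except socket.gaierror:
        return "dns_error"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostics only: we want the handshake outcome,
    ctx.verify_mode = ssl.CERT_NONE  # not a certificate verdict
    try:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return "tls_ok:" + tls.version()
    except ssl.SSLEOFError:
        return "tcp_open_tls_closed"
    except ConnectionResetError:
        return "tcp_open_tcp_reset"
    except socket.timeout:
        return "tcp_open_tls_timeout"
    except ssl.SSLError as e:
        # Some Python/OpenSSL pairs report the peer's FIN as a generic SSLError.
        if "EOF" in str(e).upper():
            return "tcp_open_tls_closed"
        return "tls_error:" + (e.reason or str(e))


def probe_http(host, port=80, timeout=5.0, path="/"):
    """Send a minimal HTTP/1.1 request; return the status line or an error tag."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req)
            buf = b""
            while b"\r\n" not in buf and len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
            # fallthrough if the peer closed before sending a full line
                buf += chunk
            return buf.split(b"\r\n", 1)[0].decode("latin-1") if buf else "tcp_open_no_reply"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"


# --- constructed loopback stand-ins so each outcome can be exercised offline ---

def loopback_server(handler):
    """Start a throwaway 127.0.0.1 listener; handler(conn) owns and closes each connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def fin_after_clienthello(conn):
    """Mimic a peer that accepts TCP and then hangs up on the ClientHello."""
    conn.settimeout(5)
    try:
        conn.recv(65536)  # drain the ClientHello so close() sends FIN rather than RST
    finally:
        conn.close()


def plain_http(conn):
    """Mimic a port that really does speak HTTP."""
    conn.settimeout(5)
    try:
        conn.recv(65536)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    finally:
        conn.close()


def unused_loopback_port():
    """Reserve and release a port so a connect to it is refused (constructed case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = "idt.ecobee.com"  # host from the thread; replace with whatever you are debugging
    print("http/80 :", probe_http(target, 80))
    print("tls/443 :", probe_tls(target, 443))
```

Run it from a client behind pfSense and from a client on the Cisco path (or any other egress) and compare the tags: "refused" or "timeout" means the problem is before the TCP handshake (rules, routing, or NAT state never created), "tcp_open_tls_closed" matches the FIN/ACK behaviour described above, and a "tls_error" or "tls_ok" means the server is at least talking to you. Because the thread's failure is said to appear only after some time, scheduling the probe every few minutes and logging only when the tag changes is the cheap way to timestamp the moment the server starts rejecting the NATed address, which can then be lined up against a packet capture on the pfSense WAN interface.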