Firewall ports

Posted on
Fri Oct 07, 2022 6:50 am
roquej offline
User avatar
Posts: 564
Joined: Jan 04, 2015
Location: South Florida, USA

Firewall ports

I have all my IoT devices on a separate VLAN. The MQTT broker is the main VLAN. A rule in the firewall allows port allows devices in the IoT VLAN to use port 1883 to communicate with the broker.

The above works for everything except the Shelly-1 relay using the ShellyMQTT. I know something is funky because when I open all ports between the Shelly-1 and the MQTT broker, the topics in MQTT Explorer are different from when I just opened 1883, AND the relay works to perfection.

Hence, the questions. What are all the ports needed between Shelly-1 and the MQTT Broker?

Thank you,

JP

Posted on
Sat Oct 08, 2022 12:00 pm
aaronlionsheep offline
Posts: 185
Joined: Feb 24, 2019
Location: Virginia, USA

Re: Firewall ports

1883 should be the only port required if all you want is MQTT. You'd obviously need port 80 for HTTP into the device from outside your VLAN.

I'm assuming since you are using VLANs that you are well versed in the area, but have you actually tested to see if your rules are working as expected? Do you have another device that you can connect to your IoT VLAN and attempt to connect to the broker over 1883?

Posted on
Sat Oct 08, 2022 6:43 pm
roquej offline
User avatar
Posts: 564
Joined: Jan 04, 2015
Location: South Florida, USA

Re: Firewall ports

Yes, I am fairly familiar with complex network configurations, which is why this is strange. I have dozen of devices across multiple VLANs without issues, and I use Node-Red and MQTT to automate my Trane thermostat, iAqualink pool controller, and others back to Indigo.

The firewall rule for this problem is easy.
- the rule that works: Shelly devices to MQTT Controller - allow all ports
- the rule that DOESN'T work: Shelly devices to MQTT Controller - allow port 1883 only

As you can see, the only difference is the port number, hence my question. Port 80 is not an issue because you can't use Cloud with Shelly devices and simultaneously use MQTT.

A puzzle. I will have to break out Wireshark and see what's going on.

JP

Posted on
Sun Oct 09, 2022 1:50 am
tazswe offline
Posts: 204
Joined: Mar 13, 2017
Location: Sweden

Re: Firewall ports

roquej wrote:
I have all my IoT devices on a separate VLAN. The MQTT broker is the main VLAN. A rule in the firewall allows port allows devices in the IoT VLAN to use port 1883 to communicate with the broker.

The above works for everything except the Shelly-1 relay using the ShellyMQTT. I know something is funky because when I open all ports between the Shelly-1 and the MQTT broker, the topics in MQTT Explorer are different from when I just opened 1883, AND the relay works to perfection.

Hence, the questions. What are all the ports needed between Shelly-1 and the MQTT Broker?

Thank you,

JP
What do you mean with ”The topics in MQTT are different ” ?


Sent from my iPad with Tapatalk

Posted on
Sun Oct 09, 2022 4:24 pm
roquej offline
User avatar
Posts: 564
Joined: Jan 04, 2015
Location: South Florida, USA

Re: Firewall ports

See the difference in the enclosed graphics.

JP
Attachments
rule set to allow all.jpg
the rule that works: Shelly devices to MQTT Controller - allow all ports
rule set to allow all.jpg (122.94 KiB) Viewed 1783 times
rules set to allow only 1883.jpg
Shelly devices to MQTT Controller - allow port 1883 only
rules set to allow only 1883.jpg (109.22 KiB) Viewed 1783 times

Posted on
Sun Oct 09, 2022 4:51 pm
cuhouse offline
Posts: 112
Joined: Feb 21, 2007
Location: Virginia, USA

Re: Firewall ports

I have my Shelly devices isolated with an IoT vLAN also using Ubiquiti. Just have a rule for port 1883 and that is all that is needed.

Do you possibly need to do a rule for each direction with your firewall?

Indigo 2022.1.2, Big Sur v11.7.1, Dedicated late 2014 Mac Mini, PowerLinc 2413U.

Posted on
Sun Oct 09, 2022 7:00 pm
FlyingDiver offline
User avatar
Posts: 6337
Joined: Jun 07, 2014
Location: Southwest Florida, USA

Re: Firewall ports

It looks like the only difference is the command topic, which I expect is going the other direction. You need to make sure the firewall port is open both directions.


Sent from my iPhone using Tapatalk

joe (aka FlyingDiver)
my plugins: http://forums.indigodomo.com/viewforum.php?f=177

Posted on
Mon Oct 10, 2022 10:23 am
roquej offline
User avatar
Posts: 564
Joined: Jan 04, 2015
Location: South Florida, USA

Re: Firewall ports

I am using an USG-Pro, and the rules mentioned are on the LAN side. Something else is going on. I am going to reset the relay and reconfigure everything again.

I will update the thread.

Thank you to everyone for their suggestions. This is why I love the Indigo community!

JP

Page 1 of 1

Who is online

Users browsing this forum: No registered users and 1 guest