Troubleshooting Firewall zones?

I have my network set up with two different APs (dumb, running OpenWrt) with a Rpi4 acting as the main router. These APs provide several VLANs: for LAN, IOT, and my kids.

I have a Sense energy monitor, connected to the IOT. While it gets an IP address, and I can ping it, it remains "offline" to the app on my iPhone, which is in zone LAN. If I merge the IOT zone with the LAN zone, the two communicate just fine.

How can I troubleshoot this so I can modify the right settings to let the Sense monitor communicate with the LAN, short of giving it free rein? Is there a firewall log mode where I can see what requests from a particular device are being made and rejected?

Many thanks.

The app most likely monitors the network for SSDP messages or similar, i.e. broadcasts, and obviously the energy monitor can't send broadcast messages to LAN if you have forwarding disabled. There is no good solution for that, only kind of bad ones, if the intent is to have the IOT network securely segregated away from LAN.

You'd use packet-capture and then analyze the captured traffic in e.g. Wireshark.

Enable logging on the zone and check logread.
But as mentioned earlier, it seems that the sensor is communicating with the application using broadcasts to advertise its presence. If you cannot configure the address of the sensor on the application, then it might be quite hard to make it work over different networks.

Can I make a firewall rule to let that device (by MAC) broadcast across zones? Or by that point, should I just connect it to the LAN zone and not worry about that particular hole in my separation of devices?

No, it is not a firewall issue; broadcasts do not go beyond a broadcast domain. However, if the application can be configured with the IP of the sensor, then you can try to access it from a different network and hope it works. The firewall does allow lan->iot, so it won't block you.

Ah. So if I connect the monitor to the kid zone, which is a different domain but in the same firewall zone, it works. So does that suggest it's not a broadcast issue?

You mentioned in the first post that the phone is in lan, which is a different zone than the childsafe zone where the monitor is. Does this still apply, or have you changed something?

To troubleshoot, I tried adding it to the Childsafe zone. Those are on 192.168.7.x vs 192.168.1.x for the LAN, and it worked. Which made me think it was something to do with zones...

I'll try to see if the firewall log helps.


Assuming that your phone remained on the lan zone the whole time, the difference is that your child safe zone can initiate connections to the lan zone and vice versa. Whereas your iot zone cannot connect to the lan, but lan can connect to the iot zone.

From your experiment, it appears that the device in question must have the ability to initiate connections, so you will need to allow that to happen if you put it back in the iot zone. Try creating a traffic rule that allows the IP of that device to connect to the lan.

At that point, having it in the IoT zone becomes pointless, though, and OP could just as well have it in the LAN zone, then.


I agree. But this would prove out the requirements for the device. Once that is done, the OP could determine what port(s) the device/app will use and limit the connection accordingly. Although other services could potentially use the same port(s), it would still block all else.
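What the "enable zone logging" and "one narrow traffic rule" suggestions above look like in /etc/config/firewall on the OpenWrt router, as an added example that is not from anyone in this thread. The monitor's address 192.168.2.50, its MAC and port 9999 are constructed placeholders; the real port(s) come from logread or a packet capture.

```uci
# 1. Log what the iot zone rejects so the rejected requests show up in logread
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'               # log packets hitting this zone's REJECT/DROP
	option log_limit '10/minute' # rate-limit so logread is not flooded

# lan may initiate towards iot, but not the other way round (the setup described above)
config forwarding
	option src 'lan'
	option dest 'iot'

# 2. Let only this one device initiate connections towards lan, pinned by IP
#    (optionally also by MAC) and to the port(s) the log revealed, instead of
#    opening iot -> lan for everything. Replies come back through conntrack.
config rule
	option name 'Allow-Sense-to-LAN'
	option src 'iot'
	option src_ip '192.168.2.50'        # constructed: the monitor's address
	option src_mac 'AA:BB:CC:DD:EE:FF'  # placeholder: optional second pin, since OP asked about MAC
	option dest 'lan'
	option proto 'tcp udp'
	option dest_port '9999'             # placeholder: replace with the port(s) seen in the log
	option target 'ACCEPT'
	option family 'ipv4'
```

Apply with `/etc/init.d/firewall restart`, then watch `logread -f` while the app tries to reach the monitor: with only step 1 in place you see the rejected iot -> lan attempts and their ports; with step 2 they stop. As noted above, this only helps if the app can be pointed at the monitor's IP; broadcast discovery still will not cross subnets.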