IOT access problem

Hi,

change your NAT rule to any instead of the specific, your rule will cover where the device can go.

Ian

Hi Ian

Thank you for the suggestion. Do you mean unlink the NAT rule from Firewall (as source parameters are locked) and then change it to any?

Marcin

I suppose you could just try creating a new NAT rule above it, but I’m not sure why that would make a difference unless there’s something broken with using NAT rules with MAC addresses. Your NAT rule seems fine.

What kind of thermostat is it?

It is BecaSmart Series 6000, which should communicate to cloud base server at bestbeca.cn. When i switch to my ISP router, it sync with the server straight away.

Do you have any SSL/TLS inspection rules setup?

I’m sure you checked this already (or it’s static) but just to make sure, have you verified the local IP address for your thermostat is still the same?

Do you have IPv6 configured by chance? If so, did you verify there’s a separate firewall rule for that?

Is everything unchecked under content scanning in the firewall rule? Also, are all your policies set to “None” and not “Allow all”?

Hi

Yes I do have single SSL/TLS rule for one device only, but I disabled it with decryption off for troubleshooting and I don't use IPv6.

I've checked IP address and it's correct one assigned to device and the rule.

I cannot see anything in the logs to prove that the traffic is blocked. It almost looks like routing issue or as if it cannot reach the server (handshake communication interrupted).

Also, the policies are set to “None”

Hm, that is strange. The only thing I can think of would be:

1. Create a firewall rule without a linked NAT.

2. Create a NAT rule as mentioned before with ‘Any’ as the source (in addition to the destination) with the translated source for original source set to ‘MASQ’.

Hi

Set it up as advised, but no difference..

That’s really strange. Might be worth trying to delete that ‘BECA’ NAT rule you have. I realize it shouldn’t matter since you have the ‘All_NAT’ rule above but I just wonder if there’s something broken/weird with having a linked NAT rule. The only other thing I can think of is if you have Advanced Threat Protection enabled, checking those logs to see if for some odd reason it’s being blocked.

Otherwise, I would try creating a new firewall rule with the source zone and network set to ‘Any’ to see if it works. If it does, start refining the rule (i.e. set just the desired zone first, check if it works then set the specific network/device).