Sophos UTM 9 and iRobot Roomba 980 Port 8883

Want to take a quick moment to say hello before asking my question.  I've been a long time lurker on these forums, and this seems to be a great community.  I'm a corporate Sophos end user as we employ UTM on Sophos hardware in our IT environment.  However, I'm also now using UTM home edition at home so I can better learn how to take advantage of the hardware we use in our corporate environment.

So onto the question with a bit of background first.  Several weeks ago I purchased an iRobot Roomba 980 vacuum cleaner.  This model has the ability to connect to the Internet for the purpose of downloading firmware updates, and for remote control and scheduling.  The initial firmware that the robot came with communicated with the iRobot cloud via HTTP and HTTPS.  This posed no issue with my home UTM and I was able to access and control the robot remotely from outside of my home network.  However, after the first night the robot received an update.  The robot now communicates via HTTP, HTTPS, and MQTT (TCP Port 8883).  The problem is, after the firmware update to the robot I can no longer access the robot from outside of my home network.  iRobot also isn't receiving communications from the robot regarding its status.

My home UTM is running 9.413-4 and I have created several rules to allow the 8883 traffic (which I believe is the issue) but the remote access is still not working. I pulled a packet capture off the UTM for traffic going to the robot or from the robot.  I provided that capture to the iRobot Corporation and they said that it appears as though the robot is having trouble communicating via 8883.

Here's what I've done so far to fix:

  1. Created a DNAT rule to allow Any traffic via TCP 8883 to the external WAN address, change destination to robot, service to field was left blank - set automatic firewall rule
  2. Created a DNAT rule to allow Any traffic via TCP 1883 to the external WAN address, change destination to robot, service to field was left blank - set automatic firewall rule
  3. Created a firewall rule to allow Any traffic from the robot to Any and the Internal address
  4. Added robot to Transparent Mode Skiplist for both source and destination under the Misc tab of Web Protection Filtering Options
  5. Created an Exception in Intrusion Prevention skipping Intrusion, Portscan, TCP SYN Flood, UDP Flood, and ICMP Flood Protection for all requests from the robot OR going to the robot

If anyone can help me with my struggle to get this robot working properly online it would be greatly appreciated.  The robot has even been replaced once as iRobot wasn't sure it wasn't the robot when I told them I had forwarding rules in place for port 8883.

Any assistance would be greatly appreciated!

Kindest regards,

Josh

  • After further review and reviewing this Hak5 explanation of the retransmission (https://www.youtube.com/watch?v=tjZ2IgiG2PU), I wonder if my very low MTU is the cause?  The Sophos UTM does not allow me to adjust the MTU that I receive from my ISP, and it's around 500 if I remember correctly.  I also have problems with Xbox latency when using UTM.  I didn't have the latency problem when using a Cisco ASA.

  • This is awesome.  It looks like the MTU setting problem was the fix. I was able to implement the workaround from another post on this forum and manually changed my ISP MTU from 576 to 1500. After a few hours, I was able to get a successful cloud connection from my iPhone app.  !!! I’ll let you know how it goes.

  • Hi, my Roomba had the same problem,  I will try some of these solutions to fix my problem. Thx for the possible answers!

  • Welcome. Also as an update, Roomba continues to communicate successfully with the cloud after the MTU update several days ago.  It also fixed other network problems I had with other devices.  I fully expect anyone running into this Roomba issue will solve it with the MTU adjustment. HTH!

  • Hello Brandon - you mentioned that another forum post was beneficial in solving the issue. I am not as tech savvy as you and I am unsure of how to find and change my MTU settings. If it's not too much trouble, some detail guidelines would be much appreciated. 

  • Sure. Glad to.  Setting mtu auto discovery to 0 was the method I used.  See comments here.

  • Thank you. I see the changes need to be made at the console with the following commands. 

    cc
    RAW
    lock_override
    OBJS
    interface
    ethernet            (or cable, or whichever type your WAN interface is)
    REF_                (press TAB twice to list the interfaces; mine is called "REF_IntCabExternaWan[WAN,interface,ethernet]")

    You will then see something like this:

    {
    'additional_addresses' => [],
    'bandwidth' => 0,
    'comment' => 'Added by installation wizard',
    'inbandwidth' => 100000000,
    'itfhw' => 'REF_ItfEthEth1',
    'link' => 1,
    'mtu' => 576,
    'mtu_auto_discovery' => 1,
    'name' => 'WAN',
    'outbandwidth' => 20000000,
    'primary_address' => 'REF_ItfPri000024',
    'proxyarp' => 0,
    'proxyndp' => 0,
    'status' => 1
    }

    Then write:

    mtu_auto_discovery=0
    w                   (write the changes)

    However:

    1. Isn't the advanced setting already enabled under WAN. I can override the MSS. I assume that won't fix the issue as it only changes on the WAN port. From what I understand, we need to change the MTU auto discovery from 1 to 0 for everything?

    2. If so, I was able to console in and access the advanced shell. How do I access the menu in the solution? Typing CC, RAW etc just produces errors. Typing CC on the advanced console says /bin/sh: CC: not found. 

    3. I did ping www.yahoo.com -f -l 1492 and identify my optimal MTU. I came to 1500 as the right setting. Is this the best way to find out the correct MTU. Also, the current WAN MTU setting is set to 500 in the web admin. 
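As an added illustration of the MTU check described in point 3 above (this is example code written for this edit, not anything posted in the thread or shipped by Sophos), the script below finds the largest don't-fragment ICMP echo payload that still gets through by binary search, then converts it to a path MTU and a matching TCP MSS. Two facts it relies on: ping's payload size excludes the 20-byte IPv4 header and the 8-byte ICMP header, so a 1500-byte path MTU shows up as a 1472-byte maximum payload; and the TCP MSS for a path is the MTU minus 40 bytes (IPv4 plus TCP headers without options). The real probe assumes Linux iputils ping (`-M do` sets DF, `-s` sets the payload size); the fake link is a constructed stand-in for the network so the search can be exercised offline.

```python
"""Path-MTU discovery by binary search over don't-fragment ping payloads.

Added example: not from the forum thread and not Sophos code.
"""
import subprocess
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header; ping's -s/-l payload excludes both headers
TCP_HDR = 20   # TCP header without options; MSS = MTU - IP_HDR - TCP_HDR


def largest_df_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 9001) -> int:
    """Return the largest payload size for which probe(size) succeeds.

    probe(size) must return True when a DF packet with that many payload
    bytes is echoed and False when it is dropped or answered with
    'fragmentation needed'. lo is a size assumed to work, hi one assumed
    to fail; the search keeps probe(lo) True and probe(hi) False.
    """
    if not probe(lo):
        raise RuntimeError("no reply even to a minimal probe: host down, "
                           "ICMP filtered, or not an MTU problem at all")
    if probe(hi):
        return hi  # jumbo frames, or the link MTU exceeds the probe range
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Largest DF payload plus the IPv4 and ICMP headers that ping does not count."""
    return largest_df_payload(probe) + IP_HDR + ICMP_HDR


def recommended_mss(mtu: int) -> int:
    """TCP MSS that fits one segment in one frame on a path with this MTU."""
    return mtu - IP_HDR - TCP_HDR


def make_fake_link(link_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: the echo gets through only if
    the whole IPv4 packet fits in link_mtu bytes. Used for offline runs."""
    def probe(payload: int) -> bool:
        return payload + IP_HDR + ICMP_HDR <= link_mtu
    return probe


def ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Real probe with Linux iputils ping: -M do sets DF, -s the payload size.
    ping exits non-zero when the DF packet is dropped or too big for the path."""
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
             "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return probe


if __name__ == "__main__":
    import sys
    # With a hostname argument this probes the live path; without one it
    # runs against a constructed 576-byte link, like the WAN in the thread.
    probe = ping_probe(sys.argv[1]) if len(sys.argv) > 1 else make_fake_link(576)
    mtu = path_mtu(probe)
    print(f"path MTU {mtu}: max DF ping payload {mtu - IP_HDR - ICMP_HDR}, "
          f"TCP MSS {recommended_mss(mtu)}")
```

Run it as `python3 pmtu.py 8.8.8.8` (or any host that answers echo requests) from a machine behind the UTM; if the reported MTU is far below 1500 while the ISP link is plain Ethernet, the interface's MTU value is the thing to fix. A reported 576 gives an MSS of 536, which is why every TLS handshake on port 8883 gets chopped into many small segments.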

  • Hi and welcome to the UTM Community!

    You must be logged in as root at the command line to use cc.  Instead of following the instructions above, I prefer the following approach.

    To find the REF_, run:

     cc get_objects interface Ethernet |grep \'ref\'

    If you named your Interface External, you probably found REF_IntEthExternal.  You can make the two necessary changes with the two following commands:

    cc change_object REF_IntEthExternal mtu_auto_discovery 0
    cc change_object REF_IntEthExternal mtu 1500

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you. Right, I did attempt to su to root and it says /bin/sh: su: not found.

  • One more thing - I should clarify that I am using the latest XG version and not UTM.