Firewall and NAT issues

raspberrypi3

#1

Hi there, I am trying to setup a Raspberry Pi 3 behind our firewall but unable to see the device in the dash. I’m pretty certain its a firewall config issue but wanted to see if I was missing something obvious with the Resin config first.

We used to have a Watchguard firewall with (as far as Im aware) the same config in terms of NAT / open ports and this all worked fine. We now have a Cyberoam and the connection seems to be intermittent. Every now and then the device will show in the dash for a couple of minutes and then disappear again and the action light on the Pi will start showing the network connection error sequence.

We have NAT in place for HTTPS traffic as we have two services on two different servers here so the traffic is routed depending on the inbound IP to the appropriate box on the internal network. Ports are open for all outbound traffic. However the setup was the same on the Watchguard in terms of NAT etc so I’m struggling to understand why it no longer works on the new kit.

Any help appreciated.

TIA

Rob


#4

Hi. Here are the networking requirements we have: https://docs.resin.io/deployment/network/2.x/#network-requirements
Can you make sure those requirements are satisfied?


#5

Hi, thanks for responding.

Yes I’ve already gone through those and checked, all outbound ports are open. The only thing I thought may be causing an issue is the NAT on inbound SSL traffic however all worked perfectly on our Watchguard box which had the same NAT rules in place.

Thanks

Rob


#6

Are you using a .dev build?
If so, you cna login on that box (through ssh, on port 22222 if you are on the same network) or through serial console and check the output of

journalctl --no-pager -u openvpn-resin


#7

Hi, it is a dev build and I am on the same network but I cant get in on SSH. If I try and connect it just times out.

The screen on the Pi just shows the Resin logo and “Booted - check your resin dashboard” …

I have taken the unit home however and checked on my network. Everything boots up fine, I can see the unit in the dash and can SSH into it. If I run the command you suggested in the log I can see the entries below when it is is trying to connect out on the company network which I assume is causing the issue …

Mar 05 12:21:01 039bd73 openvpn[711]: RESOLVE: Cannot resolve host address: vpn.resin.io: No address associated with hostname
Mar 05 12:21:01 039bd73 openvpn[711]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mar 05 12:21:01 039bd73 openvpn[711]: RESOLVE: Cannot resolve host address: vpn.resin.io: No address associated with hostname
Mar 05 12:21:06 039bd73 openvpn[711]: RESOLVE: Cannot resolve host address: : No address associated with hostname

Ive attached the full log. The entries around 12:21 are on our company network. Those at 12:40 are on my home network. What is unusual is that when on the company network sometimes the unit will show on the dash for a minute or two before disappearing again.

Thanks again for your help!

Cheers,

Robresin_log.log (8.9 KB)


#8

Hi @floion, well dont I feel stupid :wink:

After all this it was a simple IP conflict on our network! One of our IP phones had been configured with a fixed IP rather than using DHCP.

Problem solved, many thanks for your help.

Cheers

Rob


#9

Phew, glad it was only that :slight_smile:

Enjoy using resin