  1. #1
    Newbie
    Join Date
    Sep 2020
    Posts
    3

    Rainbird Sprinkler Controller - no external connection via TCP port 80

    When my phone is on the same wifi network as my Rainbird sprinkler controller, it can connect just fine. If I turn off wifi on my phone and come at it from outside my network via cellular service, it can't make a connection.

    See attached network diagram. [Attachment: Network Diagram.jpg]

    I contacted my ISP and they said they are not blocking TCP on Port 80.

    Since I started writing this, I decided to toggle applications on and off to see if one of the apps is blocking it.
    When I toggle off Threat Prevention, I can connect to the rainbird... when Threat prevention is enabled, it blocks it.
    See the Threat Prevention/Blocked Web Events Report at the bottom.

    I tried various combinations of Apps as well as each App by itself. The Web Filter, Virus Blocker, and Threat Prevention apps all prevent connection to the Rainbird from an external internet connection, either together or individually. The Firewall App will allow the connection to happen.

    So I guess my questions right now are:
    1) Should I create a rule that allows this connection to happen, even though Untangle is flagging it as high risk? (what the heck is Rain Bird using hosting in Poland for???)
    2) How do I whitelist it? I tried adding 185.80.32.78 to the Pass site tab of the threat prevention app, but that didn't work. In the web filtering reports under "All http events", it showed rdz-rbcloud.rainbird.com so I tried adding that to the pass site, but that also didn't work.
    3) I can call Rain Bird and try to get the correct URL or IP address... but how do I whitelist it so that the Web Filter, Virus Blocker and Threat Prevention all allow it to connect?

    Thanks in advance for any help you can provide.

    Timestamp: 9/7/2022 22:13
    Client: 185.80.32.78
    Server: xxx.xxx.10.59 (this is the IP address of the Rainbird in Untangle)
    Server Port: 80
    Client Country: Poland
    Server Country: Local
    Username:
    Hostname: xxx.xxx.10.59
    Host: xxx.xxx.xx.xx:80 (my external IP address assigned by my ISP)
    URI: /
    Blocked (Threat Prevention): TRUE
    Flagged (Threat Prevention): TRUE
    Reason (Threat Prevention): no rule applied
    Rule ID (Threat Prevention): (blank)
    Client Reputation (Threat Prevention): High Risk

  2. #2
    Untangler
    Join Date
    Jan 2021
    Posts
    94


    Remove the pass site rules you created and just make a bypass rule for your sprinkler IP. In config->network. If you can secure it with SSL, that would be ideal.
    Last edited by MP715; 09-08-2022 at 02:40 AM.

  3. #3
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    Quote Originally Posted by MP715 View Post
    Remove the pass site rules you created and just make a bypass rule for your sprinkler IP.
    Application scanning of IoT stuff does add overhead and consume disk space.

    I also generally recommend segregating IoT stuff using Filter Rules (right next door to Bypass Rules). A rule that allows your IoT stuff to reach the internet but not any internal devices is ideal.
    Last edited by gravenscroft; 09-09-2022 at 01:08 PM. Reason: correcting myself
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?

  4. #4
    Newbie
    Join Date
    Sep 2020
    Posts
    3


    Thanks for the help.

    I created a bypass rule with the following parameters and I can access the Rain Bird controller from outside my network with the 4 apps mentioned turned on.

    Enabled: yes
    Destination Port: 80
    Protocol: TCP
    Source Address: xxx.xxx.20.10 (which is the fixed internal network IP address of the RainBird on my IOT VLAN).

    Does this look correct?

    Also, per your comment on setting Filter Rules to isolate the IOT network from my main... a couple of questions:
    1) Does setting up separate VLANs not create this isolation: my main network is: xxx.xxx.10.var and my IOT network is: xxx.xxx.20.var.
    2) Can you give me an example filter rule that will further isolate my Main and IOT networks?

    Thanks again!

  5. #5
    Untangler
    Join Date
    Jan 2021
    Posts
    94


    Quote Originally Posted by Oilman View Post
    Does this look correct?

    Also, per your comment on setting Filter Rules to isolate the IOT network from my main... a couple of questions:
    1) Does setting up separate VLANs not create this isolation: my main network is: xxx.xxx.10.var and my IOT network is: xxx.xxx.20.var.
    2) Can you give me an example filter rule that will further isolate my Main and IOT networks?

    Thanks again!
    Yes, that looks correct. Also, no need to redact your private IPs, we all have them. It's probably 192.168.20.10 or some other private IP range. No, setting up VLANs does not block inter-VLAN routing. Filter rules do that. An easy way to test is to join one of your other networks and try to ping a device on another VLAN. The rule I use is below. But it's quite restrictive if you want to access other devices on your network. You'll need to create pass rules.

    [Screenshot: 2022-09-08 23_32_46-Untangle - untangle715 - Brave.png]

    Another example:
    [Screenshot: 2022-09-08 23_39_26-Untangle - untangle715 - Brave.png]
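The filter-rule screenshots in the reply above did not survive extraction, so here is the same idea written out as an added example (my code, not Untangle's and not anything a poster shared): an ordered, first-match filter-rule list that lets the IoT VLAN reach the internet but not any internal address, checked against concrete sessions before the rules are typed into the NG Firewall UI. The addresses are constructed stand-ins for the redacted xxx.xxx.10.x (main) and xxx.xxx.20.x (IoT) networks; the DNS pass rule assumes the broad block would otherwise also catch traffic to the firewall's own address on the IoT VLAN, so an exception has to sit above it. The bypass rule from post #4 is a separate mechanism (it skips the apps rather than deciding pass/block) and is not modelled here.

```python
"""First-match filter rules for an IoT VLAN, modelled as plain Python.

Added example, not Untangle's code. Reproduces the semantics of an ordered
filter-rule list: the first matching rule decides, otherwise the default applies.
All addresses are constructed stand-ins for the redacted networks in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

MAIN_NET = ip_network("192.168.10.0/24")      # assumed main LAN
IOT_NET = ip_network("192.168.20.0/24")       # assumed IoT VLAN
IOT_GATEWAY = ip_address("192.168.20.1")      # assumed firewall address on the IoT VLAN
SPRINKLER = ip_address("192.168.20.10")       # assumed fixed IP of the controller

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "PASS" or "BLOCK"
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None
    dst_private: Optional[bool] = None   # True: match only RFC1918 destinations
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, s: Session) -> bool:
        """Every condition that is set must hold; unset conditions match anything."""
        src, dst = ip_address(s.src), ip_address(s.dst)
        return all([
            self.src_net is None or src in self.src_net,
            self.dst_net is None or dst in self.dst_net,
            self.dst_private is None or is_private(dst) == self.dst_private,
            self.dport is None or s.dport == self.dport,
            self.proto is None or s.proto == self.proto,
        ])


def evaluate(s: Session, rules: List[Rule], default: str = "PASS") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(s):
            return rule.action, rule.name
    return default, "default"


# Ordered like the UI list: the narrow exception must sit above the broad block.
IOT_FILTER_RULES = [
    Rule("IoT -> DNS on IoT gateway", "PASS", src_net=IOT_NET,
         dst_net=ip_network(f"{IOT_GATEWAY}/32"), dport=53),
    Rule("IoT -> any internal address", "BLOCK", src_net=IOT_NET, dst_private=True),
    # Implicit default PASS: IoT -> internet is allowed, main LAN -> IoT is allowed.
]

# Constructed sessions; 203.0.113.10 is a documentation address standing in for a vendor cloud.
SAMPLE_SESSIONS: Dict[str, Session] = {
    "sprinkler to vendor cloud": Session(str(SPRINKLER), "203.0.113.10", 80),
    "sprinkler to main LAN NAS": Session(str(SPRINKLER), "192.168.10.20", 445),
    "sprinkler to IoT gateway DNS": Session(str(SPRINKLER), str(IOT_GATEWAY), 53, "UDP"),
    "phone on main LAN to sprinkler UI": Session("192.168.10.50", str(SPRINKLER), 80),
    "internet client to sprinkler via port forward": Session("185.80.32.78", str(SPRINKLER), 80),
}


def check_policy(rules: List[Rule] = IOT_FILTER_RULES) -> Dict[str, str]:
    """Decision for each sample session under the given rule order."""
    return {name: evaluate(s, rules)[0] for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, decision in check_policy().items():
        print(f"{decision:5} {name}")
    # Swapping the two rules shows why order matters: DNS to the gateway gets blocked.
    print("reversed order, DNS:", check_policy(list(reversed(IOT_FILTER_RULES)))["sprinkler to IoT gateway DNS"])
```

Run it with `python3 iot_rules.py`; the main-LAN-to-sprinkler and internet-to-sprinkler sessions pass because the block rule only matches sessions that originate on the IoT VLAN, and replies to those sessions ride on the existing connection rather than opening a new one. Reversing the two rules demonstrates the ordering mistake MP715's "you'll need to create pass rules" hints at: the exception has to be listed first.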

  6. #6
    Untangle Ninja
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,969


    Quote Originally Posted by gravenscroft View Post
    IoT stuff mostly doesn't benefit from application filtering
    I've seen this fairly often now, and I disagree. There have been a few cases where certain classes of IoT device were compromised almost en masse. Right now this results mainly from having poorly secured devices exposed directly to the internet, which shouldn't really happen. But as IPv6 grows this will become more common, and as exploit kits get better at automating lateral movement within a network NAT alone is no longer good enough as the main protection.

    Application filtering for these devices prevents a compromised device from communicating with a command & control server. In some cases it could even prevent the full takeover after an initial exploit.

    ---

    But for the Rainbird issue... I have an older system that was here when we bought our house. I don't think the prior owner used it, so it has been idle for several years. This year I went over it, to see what it needs (two new sprinkler heads and a replacement backflow preventer). If next season goes well, I'm thinking about replacing my controller with a Raspberry Pi the year after.
    Last edited by jcoehoorn; 09-09-2022 at 09:29 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

  7. #7
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    Quote Originally Posted by jcoehoorn View Post
    Application filtering for these devices prevents a compromised device from communicating with a command & control server. In some cases it could even prevent the full takeover after an initial exploit.
    You're absolutely right. Segregating these devices to internet-only does prevent them from communicating with anything else internally, but it won't stop a compromised device from calling home and could definitely worsen the situation. I retract my initial statement.

  8. #8
    Newbie
    Join Date
    Sep 2020
    Posts
    3


    I started looking at ripping out the RainBird and installing a Rachio. I think Rachio uses port 443 / HTTPS so it should work with the Untangle Application filtering, but I'd want to confirm. The Raspberry Pi is an interesting idea. I'll have to explore it.

    One more question on isolating VLANs:
    Does all network traffic go through the Untangle Router? As my diagram shows, I've got three unifi switches downstream of the router. Do devices ever "talk to one another through the switches" or does it all go back through the router (such that filter rules will wall off VLANs from one another)?

    Thanks again for the help.

  9. #9
    Untangler
    Join Date
    Jan 2021
    Posts
    94


    Quote Originally Posted by Oilman View Post
    One more question on isolating VLANs:
    Does all network traffic go through the Untangle Router? As my diagram shows, I've got three unifi switches downstream of the router. Do devices ever "talk to one another through the switches" or does it all go back through the router (such that filter rules will wall off VLANs from one another)?

    Thanks again for the help.
    If VLANs are set up correctly on your switches and APs, then yes, everything is routed through Untangle.

    Check out this video. https://youtu.be/6wcbkE3TF3c I've learned a lot from this guy.

    [Screenshot: 2022-09-09 16_59_55-UniFi Network - Brave.png]

  10. #10
    That Which Lurks Below
    Join Date
    Jul 2018
    Posts
    143


    Quote Originally Posted by Oilman View Post
    One more question on isolating VLANs:
    Does all network traffic go through the Untangle Router? As my diagram shows, I've got three unifi switches downstream of the router. Do devices ever "talk to one another through the switches" or does it all go back through the router (such that filter rules will wall off VLANs from one another)?
    Traffic goes as far up the chain as it needs to in order to be routed to its destination. If your LANs are all on the same switch, then the switch knows how to route between them and shouldn't need to pass the traffic up to the NG Firewall.
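The two replies above disagree slightly, and the difference is the whole security question: filter rules on the NG Firewall can only isolate VLANs whose inter-VLAN traffic actually passes through the firewall. That is true when the firewall is each VLAN's default gateway and the switches only do layer 2 (MP715's answer), and false as soon as a switch is given inter-VLAN routing and becomes the gateway itself (gravenscroft's answer). The following is an added example (my code, not the thread's and not Arista's) that models the first hop of a flow and lists VLAN pairs the firewall never sees; the addresses are constructed stand-ins for the redacted networks, and the L3-switch case assumes the switch's SVIs are handed out as gateways.

```python
"""Which device routes a flow, and therefore whose rules can see it?

Added example, not from the thread or from Arista/Untangle. A first-hop model:
same VLAN is switched at layer 2, off-net goes to the default route (the NG
Firewall), and inter-VLAN traffic is routed by whatever the source VLAN's
gateway is. Filter rules on the firewall only apply when that gateway is the
firewall. Addresses are constructed stand-ins for the redacted networks.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Vlan:
    vid: int
    subnet: str    # e.g. "192.168.10.0/24"
    gateway: str   # default gateway handed to hosts on this VLAN


@dataclass
class Topology:
    vlans: Dict[int, Vlan]
    firewall_addresses: Set[str]   # addresses that belong to the NG Firewall

    def vlan_of(self, addr: str) -> Optional[int]:
        ip = ip_address(addr)
        for vid, v in self.vlans.items():
            if ip in ip_network(v.subnet):
                return vid
        return None

    def router_for(self, vid: int) -> str:
        """'firewall' if the VLAN's gateway is a firewall address, else 'switch'."""
        return "firewall" if self.vlans[vid].gateway in self.firewall_addresses else "switch"


def path(topo: Topology, src: str, dst: str) -> str:
    """First hop that makes the forwarding decision for src -> dst."""
    sv, dv = topo.vlan_of(src), topo.vlan_of(dst)
    if sv is None or dv is None:
        return "firewall"        # off-net: default route, always the NG Firewall
    if sv == dv:
        return "switch-l2"       # same VLAN: switched, no router and no filter rule sees it
    return topo.router_for(sv)   # inter-VLAN: the source VLAN's gateway routes it


def filter_rules_apply(topo: Topology, src: str, dst: str) -> bool:
    """True only when the NG Firewall is on the path and can enforce filter rules."""
    return path(topo, src, dst) == "firewall"


def unprotected_vlan_pairs(topo: Topology) -> List[Tuple[int, int]]:
    """Ordered VLAN pairs whose traffic is routed by the switch and never reaches the firewall."""
    return [(a, b) for a in topo.vlans for b in topo.vlans
            if a != b and topo.router_for(a) != "firewall"]


# Topology as described in the thread: UniFi switches doing layer 2 only,
# the NG Firewall is the gateway of every VLAN (assumed .1 addresses).
OP_TOPOLOGY = Topology(
    vlans={10: Vlan(10, "192.168.10.0/24", "192.168.10.1"),
           20: Vlan(20, "192.168.20.0/24", "192.168.20.1")},
    firewall_addresses={"192.168.10.1", "192.168.20.1"},
)

# Same VLANs, but the switch now routes between them (assumed .254 SVIs as gateways).
L3_SWITCH_TOPOLOGY = Topology(
    vlans={10: Vlan(10, "192.168.10.0/24", "192.168.10.254"),
           20: Vlan(20, "192.168.20.0/24", "192.168.20.254")},
    firewall_addresses={"192.168.10.1", "192.168.20.1"},
)

if __name__ == "__main__":
    sprinkler, laptop = "192.168.20.10", "192.168.10.50"
    for label, topo in (("L2 switches", OP_TOPOLOGY), ("L3 switch", L3_SWITCH_TOPOLOGY)):
        print(label, "sprinkler -> laptop:", path(topo, sprinkler, laptop),
              "| unprotected pairs:", unprotected_vlan_pairs(topo))
```

The practical check this encodes is the one MP715 suggested, with a reason attached: ping from one VLAN to another, then look at which address answers a traceroute's first hop. If it is the firewall's interface, the filter rules are in the path; if it is a switch SVI, they are not, and the switch's own ACLs have to do the isolation.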
