Blocked access from alternate subnets

Comments

11 comments

  • Brandon Moyer

    From the app, you can try and use Direct Access to see if this helps. 

    RainMachine App > Menu Icon (3 horizontal lines) > Network Settings > Direct Access

    Here you can add the IP address of your unit (Local IP) in your case. 

    You can also rely on remote access by setting up an email and password under remote access. 

    Wrench > System > Remote Access

    Then you can add it on your app as well: 

    RainMachine App > Menu Icon (3 horizontal lines) > Remote Access

    Let me know if you still have trouble. 

  • Trent Hanson

    It sees the machine if I'm locally connected but still rejects the connection as it's being forced through the VPN. It doesn't respond to any connection attempt other than a direct connection from the same subnet. Of course using the remote access works but I consider this a bug in that I shouldn't have to bounce access off the cloud if I've got my own VPN.

    In fact I don't generally trust systems like this because it grants external access to my internal network by punching a hole through my firewall. But none of that is the point, there appears to be a firewall running on the internal Linux install that's force rejecting connections from RFC1918 addresses that don't correspond with the configured subnet. I'd like to disable this netfilter rule but I don't know that I'll have root if I SSH into the box. I've been using Linux for years so I'm pretty familiar with how this all works.

  • Nicholas

    Hi Trent,

    You can access RainMachine through ssh if you enable it from Settings > System. The actual authentication step depends on the device model.

    For HD12/16 family: https://support.rainmachine.com/hc/en-us/articles/228652648-How-to-SSH-on-Touch-HD-2nd-generation-devices

    For Mini8: you can login with root user password rainmachine after enabling ssh.

    The RainMachine shouldn't reject connections from outside its private network; I think you are referring to the connections on https port 8080 (for API calls)? You can try to access https://RAINMACHINE_IP:8080/apiVer to check if it works.

    The only thing that won't work across subnets is the discovery protocol used by mobile devices which is UDP broadcast. If the mobile app doesn't see the broadcast it will revert to cloud connection when it's enabled.

  • Trent Hanson (Edited)

    I'm using a Mini8. The thing I couldn't figure out was how to login as root. Are you just using key-based authentication like discussed in the 2nd Gen device article (the article I didn't look at because I don't have a HD12), or is it some other authentication method such as a default root password?

    Although the rain machine shouldn't reject alternate subnets (something I agree with), I can guarantee it most certainly is. My VPN address space is 192.168.95.X and my WiFi is on 10.95.X.X, and the rain machine will not respond to web connections from the VPN even though the connections will successfully route. It appears there is a default netfilter rule to block RFC1918 addresses outside the configured subnet; these are common, especially in the OpenWrt distribution, so I'm not surprised it's there, just frustrated by it.

  • Brandon Moyer

    Trent,

    Also try and disable "Local Discovery" 

    This is under RainMachine App > Menu Icon (3 horizontal lines) > Network Settings > Local Discovery

    To SSH, you will first need to upload your key to the RainMachine

    Instructions:

    https://support.rainmachine.com/hc/en-us/articles/228652648-How-to-SSH-on-Touch-HD-2nd-generation-devices

  • Trent Hanson

    Brandon, it doesn't say in the attached article if this procedure works for the Mini8 which is older hardware. Is this confirmation that this same procedure works for the mini8?

    I'm not sure what turning off local discovery on the app would do other than force all connections to bounce off the cloud as a remote connection through the proxy. I can see the device fine, but if I'm routing my traffic through the VPN the Mini8 won't respond to web requests...

    After typing that I realized that I'd only tried to use the Android app to access the rain machine, not the web browser on my phone. In fact I can access the device directly over the web port; it's the application that's not connecting. Turning off discovery, by the description, forces remote use (via the RM proxy) just like I suspected and is the way I would prefer not to use it. My preferred mode of access pushes the connection through my VPN and not through a proxy someone else controls.

    Even when I go to network settings and configure direct access at the device IP which does route over the VPN and is accessible via a web browser (thank you for posting this as I hadn't even realized I hadn't tried direct web access) the app doesn't pull up the device, unless I use the remote access through the RM proxy. So this isn't a firewall rule, it's something in the android application refusing the connection.

  • Nicholas

    Hi Trent,

    For Mini-8, accessing through ssh is as simple as enabling ssh and then connecting with ssh root@ip with password rainmachine.

    When you configured direct access did you set the port? You will need to enter a URL like: https://RM_IP:8080/. If that's so then we'll look at the Android app and try to replicate using 2 different networks with direct access, but that's something we actually use and it's working for the general case (router port forwarding).

  • Ken Marsh

    I have exactly the same issue here. I have a subnet for my IoT thingies that I access through my own OpenVPN server. From outside the subnet, I am unable to access the Mini-8 via the iOS app, but CAN access it from outside via the web interface. I am running the latest RM firmware. Enabling or disabling Bonjour discovery does not help, since I am not accessing from the same subnet, and do not wish to use the cloud-based solution.

    I 100% agree with Trent that this is the preferred method to gain remote access, and I would love to see you post a solution.

  • Brandon Moyer

    What if you disable "Local Discovery" and use "Direct Access" using the local IP?

  • Ken Marsh

    That was not working, BUT adding the port number 8080 to the Direct Access URL did the trick!

    Voila!! 192.168.xxx.xxx:8080 in the RM iOS works, 192.168.xxx.xxx does not.

    Thanks for the quick response and great support sites.
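    The two findings in this thread (the app needs the explicit https://IP:8080/ form in Direct Access, and UDP-broadcast discovery only works from the device's own subnet, so a VPN client must use Direct Access) can be checked before touching the app. The helper below is an added example, not code from RainMachine or from anyone in this thread; it normalises a Direct Access entry into the working URL form and reports whether a client address shares the device's broadcast domain. The address values (VPN client 192.168.95.10, device 10.95.1.20 on a /16) are constructed from Trent's description, and the /16 prefix and the 8080 default port are assumptions taken from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Port the thread reports as required in the Direct Access URL (assumption: device default).
DEFAULT_API_PORT = 8080


def direct_access_url(entry: str, default_port: int = DEFAULT_API_PORT) -> str:
    """Turn whatever a user typed into Direct Access into the https://host:port/ form.

    Bare '192.168.x.x' and 'host:port' entries are accepted; an explicit port is kept,
    a missing port becomes the API port, and the scheme is always https.
    """
    raw = entry.strip()
    if "://" not in raw:
        raw = "https://" + raw          # bare IP or IP:port, no scheme given
    parts = urlsplit(raw)
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host found in {entry!r}")
    port = parts.port if parts.port is not None else default_port
    path = parts.path or "/"
    return f"https://{host}:{port}{path}"


def api_probe_url(entry: str) -> str:
    """URL to fetch by hand to confirm the API answers across subnets (the apiVer check above)."""
    return direct_access_url(entry) + "apiVer"


def diagnose(client_ip: str, device_ip: str, device_prefix: int, entry: str) -> dict:
    """Explain which access path should work for a client at client_ip.

    UDP broadcast discovery never crosses a router, so it can only succeed when the
    client sits inside the device's own subnet; from anywhere else the app needs the
    explicit Direct Access URL.
    """
    client = ipaddress.ip_address(client_ip)
    lan = ipaddress.ip_network(f"{device_ip}/{device_prefix}", strict=False)
    same_subnet = client in lan
    return {
        "client_is_rfc1918": client.is_private,
        "same_broadcast_domain": same_subnet,
        "discovery_expected_to_work": same_subnet,
        "direct_access_url": direct_access_url(entry),
    }


if __name__ == "__main__":
    # Constructed sample: VPN client on 192.168.95.0/24, device on the 10.95.0.0/16 WiFi.
    for client in ("192.168.95.10", "10.95.3.4"):
        print(client, diagnose(client, "10.95.1.20", 16, "10.95.1.20"))
    print("probe:", api_probe_url("10.95.1.20"))
```

Running it shows that the VPN client is RFC1918 but not in the device's broadcast domain, so discovery cannot find the unit and only the normalised https://10.95.1.20:8080/ entry can work; a client on the WiFi subnet gets both paths.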

  • Trent Hanson

    I added a direct access to the RM using the menu, network settings, direct access, added the device with the IP and with IP:8080, and neither connects.

    The IP only tries for a second and stops, with the 8080 port you get the accessing bar but it never connects.
