RainMachine Pro 16

Comments

18 comments

  • Brandon Moyer

    This is from the web interface when you go to Settings > About
    This is a bug, I think it may be showing its internal web server IP.
    For now you should go to the app or unit itself to view the correct settings.
    Thanks in advance.

    0
  • lanbrown (Edited )

    The app also shows a 192.168.13.1 IP address which when using SSH is that of ra0.  The internal IP address of any device should never be anything other than the lo0 or 127.0.0.1/8.  The ra0 interface has never been used but it thinks that it has an IP address but no SSID or netmask is shown.

    Oh, and this is shown via the local GUI and from the app on an Android device.

    0
  • Brandon Moyer

    Thanks for pointing this out. We will look into it. 

     

    0
  • lanbrown

    Poking around via the terminal I see this in /etc/config/network:

    config interface 'ap'
            option ifname 'ra0'
            option proto 'static'
            option ipaddr '192.168.13.1'
            option netmask '255.255.255.0'
            option ip6assign '60'

    So that is where the 192.168.13.1 IP address is coming from and it is set for static.

    I did go into that file and made the following change:

    #config interface 'ap'
    #        option ifname 'ra0'
    #        option proto 'static'
    #        option ipaddr '192.168.13.1'
    #        option netmask '255.255.255.0'
    #        option ip6assign '60'

    As well as the /etc/config/wireless:

    #config wifi-iface 'ap'
    # option device 'radio0'
    # option mode 'ap'
    # option network 'ap'
    # option ifname 'ra0'
    # option ssid 'RainMachine-00c9e4'
    # option hidden '1'
    # option encryption 'psk2'

    That stopped it from broadcasting the RainMachine SSID.  That address no longer shows on the status page, so it shows a blank area for the IP address and the netmask now.  It appears that by default the machine is set to broadcast RainMachine so someone could connect to it.  While that is fine if all you have is a wireless interface, given that the Pro has an Ethernet port as well, for security reasons alone, when the Ethernet port is used, it should go and either disable the wireless interface completely or at the very least don't have it act as an AP by allowing someone to connect to RainMachine.

    0
  • RainMachine Nicholas

    The 192.168.13.1 address is only for the AP mode and the address/network will only be used when a device connects to this AP. There can't be conflicts without actually connecting to this AP. 
    As a node the AP is disabled after setup although the interface is still up it won't be accessible. The setup/wizard should disable the AP at the end.

     
    0
  • Matt

    This is definitely a bug and causes issues if your existing network happens to be 192.168.13.0/24.  Mine is and it was a PAIN to get this connected. 

    The configuration changes via SSH, as lanbrown stated, do in fact fix the issue.  I agree with lanbrown, the AP interface should be disabled and the WLAN radio should also be disabled when the ethernet interface is being used.

    Rainmachine mods/developers, please test and fix this issue.

    2
  • drmm8 (Edited )

    The network setup in the RMs is a mess, to put it nicely. Why do you need to run an AP with a hidden SSID after the device was set up?! And sometimes after setup, the AP is left open for anyone to connect to it. You should be shutting down the ra0 interface, flushing the IP addresses and NOT running an AP at all after setup. While you are at it, there's no reason for dnsmasq to act as a DHCP server on the LAN past the initial setup; this causes issues on the LAN as reported by other users too.

    You really need some network experts to take a look at your setup. The state of IoT devices in general is very sad, lots of bugs and security issues :(

    0
  • RainMachine Nicholas (Edited )

    Sadly with this particular wifi chipset and driver it's not possible to shut down the ra0 interface and have it run only with the client one (apcli0). The AP should be hidden after setup and have a null password (disabled in driver), which will prevent clients from connecting to it. We will be also adding an enable/disable AP mode on our mobile/local UI.

    On Pro DHCP is not authoritative and should be bound only to ra0.

    0
  • drmm8

    Should have picked a better SoC maybe? Sad that it has to run AP+STA at all times.

    And unfortunately it seems there is a problem when setting it up via the Android app, it leaves the AP wide open! I tried it from iOS and that seems to hide it. It's unreliable/buggy and people can be left with open APs which is not cool at all from a security perspective. I know how to fix it, but not a lot of people do.

    As for dnsmasq, I really don't understand why you need to have it running post setup at all, for either DHCP or DNS. The RM should be able to use the DNS servers served by the authoritative DHCP server directly or let the user set their own static ones. All you need is a proper /etc/resolv.conf

    This is a very sloppy, rushed setup IMHO. Please consider cleaning it up in a firmware update.

    2
  • Pilotboy72

    I agree with you DRMM8.  There is no reason to leave the device with an open AP at all.  I've been able to connect to it from other parts of the house, and the SSID is not only visible outside the house, but I can connect to it also.  Without any security on that AP, any vulnerabilities in the software could be exploited from outside the house, and given that I have this on WiFi inside the house, all it would take is packet forwarding / bridging enabled to be able to access my internal network without a password of any kind.  This definitely needs to be addressed quickly.

    0
  • drmm8 (Edited )

    If you know how to enable ssh and ssh into the unit, here's how you can hide the AP and make sure nobody can authenticate to it:

    uci set wireless.ap.encryption='psk2'
    uci set wireless.ap.hidden='1'
    uci commit wireless
    reboot

    Disable ssh after the unit comes back up (or change the default root password to something secure).

    You'd have to repeat the above after a factory reset or if you ever see the AP come back.

    As for getting any quick fixes ... don't hold your breath. I reported issues for a Mini-8 via support tickets a year ago and still no fixes. It seems that you're buying the hardware here and some software but then it's DIY from there to finish the software. Sad but true.

    1
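
    A way to check the result of the two uci set commands in the post above without changing anything, as an added example that is not part of the thread or of RainMachine's software. It reads UCI wireless config text and reports on the wifi-iface section named 'ap'; the result labels and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the state of the 'ap' wifi-iface section in UCI
# wireless config text read from stdin, e.g.  audit_ap < /etc/config/wireless
audit_ap() {
    awk -v q="'" '
        /^[ \t]*#/ { next }                      # commented-out lines do not count
        { gsub("[" q "\"]", "") }                # strip UCI quoting
        $1 == "config" {                         # a new section starts here
            insec = ($2 == "wifi-iface" && $3 == "ap")
            if (insec) found = 1
            next
        }
        insec && $1 == "option" { opt[$2] = $3 }
        END {
            if (!found) { print "no-ap-section"; exit }
            if (opt["hidden"] != "1") r = r " ssid-broadcast"
            if (opt["encryption"] == "" || opt["encryption"] == "none") r = r " open-auth"
            if (r == "") print "ok"; else print "FAIL" r
        }'
}

# Constructed sample: AP left open after setup (values are illustrative).
sample_open() { cat <<'EOF'
config wifi-iface 'ap'
        option device 'radio0'
        option mode 'ap'
        option ifname 'ra0'
        option ssid 'RainMachine-EXAMPLE'
        option encryption 'none'

config wifi-iface 'sta'
        option ifname 'apcli0'
        option hidden '1'
        option encryption 'psk2'
EOF
}
# Constructed sample: the 'ap' section after the two uci set commands.
sample_hidden() { cat <<'EOF'
config wifi-iface 'ap'
        option ifname 'ra0'
        option hidden '1'
        option encryption 'psk2'
EOF
}
# Constructed sample: the section commented out, as in the earlier post.
sample_commented() { sample_hidden | sed 's/^/#/'; }

for s in sample_open sample_hidden sample_commented; do
    printf '%-17s %s\n' "$s" "$($s | audit_ap)"
done
```

    Running it again after a factory reset or a firmware update shows whether the section has gone back to an open or broadcasting state.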
  • lanbrown

    I still think that uncommenting those two files is the best method.  It no longer broadcasts the SSID, it has no SSID name to use, no IP address and overall should make the wireless interface unusable since there is no mapping or config to it.

     

    Even after a couple of firmware updates, it never has returned to an operational state.  So the firmware updates are not modifying those two files.  I think that's as close as we're going to get in regards to disabling it.

    0
  • drmm8

    @lanbrown while your approach does the trick, it seems very aggressive. And if you ever reset to factory defaults you will be locked out, you may be left with a bricked unit that you cannot connect to anymore. The wifi chipset/driver that's used requires AP and client at the same time, other devices also recommend just hiding the AP SSID and setting PSK2 encryption without setting a password. I looked at the python code of the RM and that's what the RM app is supposed to do to disable the AP, except it doesn't always work, it's buggy/unreliable.

    My suggested approach above gets reverted back by the RM app if you reset it to factory defaults, so you can do the setup again (and then you can re-apply the changes above).

    0
  • RainMachine Nicholas

    The AP should be automatically closed after you complete the setup with the mobile phone. If not then there is a bug in the mobile app that we need to address.

    AP can also be closed with the commands mentioned by drmm8 or by going to API page http://<IP>:8081/api/4/ and clicking on POST /provision/wifi/ap (leaving the checkmark off on Enable/Disable AP).

     

     

    0
  • drmm8

    Should be closed but it is not. Yes, there is a bug somewhere, possibly in the Android app, depending on the sequence of events.

    0
  • lanbrown

    My changes do nothing to the LAN interface, only the WLAN interface.  The DHCP client is also still running on the LAN interface.  So the Rain Machine (Pro) can still get an address and you can connect to it and use the GUI or even the app (if you set it up for remote connection or even local connection) to configure the unit or even SSH into (would need to re-enable that after a factory defaults setting) where you could then (via SSH) revert the config changes for the WLAN interface.  I would actually think a factory default reset would revert the interface changes.  If you configured the device via the app to use the WLAN interface, would it not make changes to the system for the WLAN interface to not use AP mode but a client mode?  If the LAN and WLAN interface both had issues, yes you have a bricked unit but wouldn't that be the case anyway since there are no interfaces?

     

    On my network, the Rain Machine still gets an address from the DHCP server but it has a reservation; so the Rain Machine gets the address that I want it to get.  I really don't like to put static IPs on devices when a reservation accomplishes the same result.  If I make changes to say the DNS servers on my network, I don't have to go to various devices and update the DNS servers configured in them, they will just get the new DNS servers via DHCP.

    0
  • RainMachine Nicholas

    We have identified certain pathways that would result in AP not being shut down when using the mobile and especially the Android app.

    These had been solved and a beta app has been published to the store. We will be also adding the possibility to disable AP mode from the local UI.

    1
  • drmm8 (Edited )

    @Nicholas You should be calling it "hiding the AP" because there really is no way to fully disable the AP (as far as I can tell) for those of us who use STA. It's very unfortunate that this chipset/driver combo is so poor that it doesn't support STA only mode and it needs AP+STA.

    The documentation for MediaTek LinkIt Smart 7688 seems to imply that it should be possible, though it's fuzzy and doesn't say anything about what happens to the AP:
    https://docs.labs.mediatek.com/resource/linkit-smart-7688/en/tutorials/network/switch-to-station-mode

    I would also suggest that the RM app be changed so that on startup it flushes the ra0 interface and sets it down after initial setup (it needs to be done after each reboot):

    ip addr flush dev ra0
    ip link set dev ra0 down

    This would help those who actually use 192.168.13.x as their LAN.

    Alternatively, you could just reconfigure ra0 in /etc/config/network to not have an IP address at all when AP is not needed.

    0
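
    A check for the address clash discussed in this thread (a LAN that shares 192.168.13.x with the static address on ra0), as an added example that is not part of the thread or of RainMachine's software. It reads `ip -o -4 addr show` output and goes beyond the same-/24 case by also catching overlapping subnets with different prefix lengths; the interface name eth0 and the sample output are constructed.

```shell
#!/bin/sh
# Added example: reads `ip -o -4 addr show` text on stdin and prints every
# interface whose IPv4 subnet overlaps the one on the AP interface (ra0).
ap_subnet_conflicts() {
    awk -v ap="${1:-ra0}" '
        function pfx(cidr,   a) { split(cidr, a, "/"); return a[2] + 0 }
        function net(cidr, p,   a) {             # top p bits of the address
            split(cidr, a, "[./]")
            return int((((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]) / 2 ^ (32 - p))
        }
        $3 == "inet" { addr[$2] = $4 }
        END {
            if (!(ap in addr)) exit              # AP interface has no address
            for (i in addr) {
                if (i == ap) continue
                p = pfx(addr[i])                 # compare on the shorter prefix
                if (pfx(addr[ap]) < p) p = pfx(addr[ap])
                if (net(addr[i], p) == net(addr[ap], p)) print i, addr[i]
            }
        }'
}

# Constructed sample output: LAN on the same /24 as ra0.
sample_clash() { cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.13.50/24 brd 192.168.13.255 scope global eth0
5: ra0    inet 192.168.13.1/24 brd 192.168.13.255 scope global ra0
EOF
}
# Constructed: the same unit after `ip addr flush dev ra0`.
sample_flushed() { sample_clash | grep -v ' ra0 '; }
# Constructed: a wider LAN (/16) that still contains the ra0 subnet.
sample_wide() { sample_clash | sed 's#192.168.13.50/24#192.168.1.10/16#'; }

for s in sample_clash sample_flushed sample_wide; do
    printf '%-15s %s\n' "$s" "$($s | ap_subnet_conflicts)"
done
```

    On the unit itself the input would be `ip -o -4 addr show | ap_subnet_conflicts`; empty output means nothing overlaps the ra0 subnet.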