Self-hosted controller firewall issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-10-19 13:10:16

I run my own Omada SDN Controller v5.12.7 in a Linode VPS, with a firewall configured on the VPS to allow only the ports needed per TP-Link's documentation, and only from the IPs of the networks managed by the controller. I've noticed when rebooting the Omada routers at the sites, they are not able to reconnect to the controller unless I temporarily disable the firewall on the server. I do have the SDN instance linked to a TP-Link Cloud account for cloud management, so I'm thinking that the router's initial connection to my controller is being routed through the TP-Link Cloud, and therefore blocked by the firewall on the VPS. Once the router connects, I can re-enable the VPS firewall, and everything works fine, until the next reboot.

 

I need to keep the TP-Link Cloud association for the purpose of sharing admin access to the controller, so un-linking is not an option. Is it possible to get a list of IPs from the TP-Link cloud that need to have access to the controller so they can be added to the firewall?

#1
Re:Self-hosted controller firewall issue
2023-10-19 13:57:38

  @TechTronic 

 

Are you linking the devices to the VPS cloud via a public IP address, or a domain name?

 

Also at the client site... Are you using DHCP Option 138? (Which is recommended)

I can not teach anyone anything - I can only make them think - Socrates
#2
Re:Self-hosted controller firewall issue
2023-10-19 13:58:48

  @TechTronic 

 

Can you confirm which ports you are using?

 

I'm using a self-hosted controller and L3 adopting all my devices with no issues.  

I can not teach anyone anything - I can only make them think - Socrates
#3
Re:Self-hosted controller firewall issue
2023-10-20 03:37:33

Hi, @TechTronic
You can inspect your VPS server logs to see the source IP addresses that are being denied access by your firewall when the issue arises. By analyzing these logs, you can identify the IPs (likely those of TP-Link Cloud) that need to be whitelisted.

 

If TP-Link can't provide specific IP addresses due to the dynamic range, the log might provide you with domain names. Some firewalls and VPS platforms allow for rules based on domain names rather than IP addresses. These rules would resolve the domain names periodically and update the rules accordingly.

 

If you have to open up the firewall more broadly than you'd like temporarily, consider scripting this process so that it's only open for a limited time (e.g., 5 minutes) after a router reboot. Automate the process so that the firewall rule is added, waits for a certain duration, and then is removed.

 

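As an added example covering both suggestions in the reply above (it is not code from the thread or from TP-Link), the POSIX shell script below does two things: it reads firewall denial lines and prints which source addresses were blocked on the controller ports (the port list is the one given later in the thread: TCP 8043, 8088, 8843, 29811-29816 and UDP 29810), and it opens those ports for one source address for a limited window and removes the rules again afterwards, including on Ctrl-C. It assumes ufw with logging enabled, so that denied packets appear in the kernel log as `[UFW BLOCK] ... SRC=... PROTO=... DPT=...` lines. The function names, the sample log lines and the addresses (documentation ranges) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ufw with logging enabled, so that
# denied packets reach the kernel log as "[UFW BLOCK] ... SRC=... PROTO=... DPT=...".
# Function names, the sample log and the IP addresses are constructed for this example.

# Controller ports as listed in the thread: TCP 8043, 8088, 8843, 29811-29816; UDP 29810.
OMADA_TCP_PORTS="8043 8088 8843 29811 29812 29813 29814 29815 29816"
OMADA_UDP_PORTS="29810"

# Firewall command; set FW=echo for a dry run that only prints the rules.
FW="${FW:-ufw}"

# Constructed sample of denied packets. 198.51.100.x plays a site whose devices
# could not reach the controller; 192.0.2.77 is an unrelated scan on port 22.
SAMPLE_LOG='Oct 20 03:12:01 omada kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=29814 WINDOW=29200 SYN
Oct 20 03:12:02 omada kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=29814 WINDOW=29200 SYN
Oct 20 03:12:02 omada kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=72 PROTO=UDP SPT=29810 DPT=29810
Oct 20 03:12:03 omada kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=44 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 SYN
Oct 20 03:12:05 omada kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.24 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=8043 WINDOW=29200 SYN'

# Read log lines on stdin; print "PROTO PORT SRC" for every denied packet aimed at
# a controller port, one line per distinct tuple. Denials on other ports are ignored.
omada_denied_sources() {
  awk -v tcp="$OMADA_TCP_PORTS" -v udp="$OMADA_UDP_PORTS" '
    BEGIN {
      n = split(tcp, a, " "); for (i = 1; i <= n; i++) want["TCP", a[i]] = 1
      n = split(udp, a, " "); for (i = 1; i <= n; i++) want["UDP", a[i]] = 1
    }
    /\[UFW BLOCK\]/ {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^SRC=/)   src   = substr($i, 5)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src != "" && (proto, dpt) in want) print proto, dpt, src
    }' | LC_ALL=C sort -u
}

# Remove the temporary rules. Installed as an EXIT/INT/TERM trap so the window
# closes even if the operator interrupts the sleep; idempotent on a second call.
omada_temp_close() {
  [ -n "$OMADA_TEMP_SRC" ] || return 0
  "$FW" delete allow from "$OMADA_TEMP_SRC" to any port "$OMADA_TCP_LIST" proto tcp
  "$FW" delete allow from "$OMADA_TEMP_SRC" to any port "$OMADA_UDP_PORTS" proto udp
  OMADA_TEMP_SRC=""
}

# Allow one source onto all controller ports for $2 seconds (default 300), then
# remove the rules again. Usage: omada_temp_allow 198.51.100.23 300
omada_temp_allow() {
  OMADA_TEMP_SRC="$1"
  OMADA_TCP_LIST=$(printf '%s' "$OMADA_TCP_PORTS" | tr ' ' ',')
  "$FW" allow from "$OMADA_TEMP_SRC" to any port "$OMADA_TCP_LIST" proto tcp
  "$FW" allow from "$OMADA_TEMP_SRC" to any port "$OMADA_UDP_PORTS" proto udp
  trap omada_temp_close EXIT INT TERM
  sleep "${2:-300}"
  omada_temp_close
  trap - EXIT INT TERM
}

# Stand-alone demo: list what the constructed sample log says was denied.
printf '%s\n' "$SAMPLE_LOG" | omada_denied_sources
```

On a live host the parser is fed from the kernel log, e.g. `journalctl -k | omada_denied_sources` or `omada_denied_sources < /var/log/ufw.log`; the output tells you per port which addresses were turned away while a router was trying to come back, which is the list to compare against what you expected to have allowed. The temporary-allow function exists for the case where you have to open up wider than you would like: it takes an explicit source and a window in seconds, and the trap guarantees the `ufw delete` runs even if the script is interrupted, so a forgotten rule does not stay behind.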
#4
Re:Self-hosted controller firewall issue
2023-10-20 12:05:09 - last edited 2023-10-20 12:05:53

 @KimcheeGUN 

The controller is linked to my TP Cloud ID using the built-in feature in the controller settings, which doesn't specify whether the IP or domain is used. I do have an A record pointing to the IP, as well as a reverse DNS entry.

 

Yes, I'm using DHCP option 138.

 

The ports I have open are TCP 8043, 8088, 8843, 29811, 29812, 29813, 29814, 29815, 29816 and UDP 29810. 

 

Adopting and rebooting switches and APs does not appear to be an issue; it's only routers, specifically the ER7206.

 

@KyrieM 

Yes, I considered reviewing logs, but would rather get the info directly from TP Link. Also, I don't see why the adoption request should have to be routed through the TP Link cloud, it should come directly from the router itself.

#5
Re:Self-hosted controller firewall issue
2023-10-31 17:45:37

  @KimcheeGUN 

can you outline how you did your setup?

I have a Windows 2019 server set up in my office with the latest controller software installed.

Devices in my office adopt just fine.

However, I am trying to set up other offices across the internet.

I have a DNS name registered: omada.bryma.cloud

I have the firewall ports open and forwarded in the firewall:

TCP: 8043, 8088, 8843, 27217, 29811, 29812, 29813, 29814, 29815, 29816

UDP: 29810

I go to a router (ER605) and set the INFORM URL to:

omada.bryma.cloud

 

but the device never shows up.

I have tried it with the ENABLE cloud-based controller option both checked and unchecked.

 

Not sure what I am missing.

 

Any ideas?

#6