
MTU and iRobot Roomba

After some research, it seems the UTM version of Sophos has a fix for this as explained here https://community.sophos.com/products/unified-threat-management/f/general-discussion/93981/sophos-utm-9-and-irobot-roomba-980-port-8883/360479#360479


However, for the XG version, I am unable to SU to root and make changes as described above. Are there other instructions to make Roombas communicate successfully with Sophos XG?



  • Hi,

    1/. you don't SU to root on XG, you use the console CLI.

    2/. the maximum MTU on the current version of XG is 1500. I believe there is a patch, which you will need to search the XG forum for. The patch needs to be applied every time there is an upgrade until a feature request is implemented. What is the use of having a device limited to 1500 in a network capable of using 9000?

  • Thank you Ian. The only issue is the Roomba communication. From my research, this has been an issue with MTU settings. I assumed it would be the case for XG as well. I see the MTU in the GUI as 1500. 

    For now, Roomba can't communicate out to the Internet and we can't control it through its app. In UTM, changing the MTU made things work. 

  • Hi.

    I have looked at the roomba site and not found any way of controlling the devices via wifi.

    What MTU size are you looking for? If need be, I think you could create a new SSID with a smaller MTU.

    Ian

  • I found this https://homesupport.irobot.com/app/answers/detail/a_id/9025/~/optimal-firewall-configurations.

    I am no expert but not sure how to set this up in Sophos. Anybody willing to assist with screenshots would be much appreciated. I am sure other Roomba owners will benefit as well. 

  • Hi,

    the quickest and easiest way is as follows.

    1/. Assign your irobot a static IP address

    2/. create a new clientless group in authentication, irobotgp

    3/. add the irobot to the clientless irobotgp and use a dummy email address eg ir@fred.me

    4/. create a new firewall rule above your general rules destination -> any network -> any  source -> LAN source network -> create a new identity using the irobot IP address -> any service

    5/. select match users -> select the irobotgp.

    6/. add at least the LAN to WAN IPS.

    7/. add MASQ and your outgoing interface.

    That should get you connected and as you learn more about the XG you can refine this rule.

    Ian


    There is nothing on that website about MTU size.

  • Ian. Thank you. I have completed these steps. I will have to wait for the robot to get the static IP. I will report back if this works. I really do appreciate your assistance. 

  • Unfortunately - this did not work. I see traffic in and out on this firewall rule, however, I still can't connect to the Roomba. 

    I added some screenshots if it helps. 

  • Hi,

    I can see a problem with your firewall rule you have tried to do too much with one rule.

    You need a separate rule for outgoing traffic and another rule for incoming traffic.

    You should not have your WAN and LAN in the same source zone, one is source and the other is destination depending on traffic direction.

    Do you have an external address that you can access and point at your irobot via NAT rules?

    I suspect most of these devices actually connect via the manufacturers website so in theory you shouldn't need an incoming rule.

    I will re-read your original post to refresh my ideas.

    Ian

    I read through the help section of the roomba site and remote access to the robot appears to be through their cloud, so you should not need an incoming rule. One thing is the irobot actually getting the address: when you use logviewer, can you see traffic going out from your irobot? Does it show in the wireless client list?

  • Thanks - Here is what I've done.

    Under logs, 

    I see DHCP assigned it an IP after I reset the robot 10 minutes ago. No other activity under firewall, IPS etc. 

    I open the iOS app and get the same message - cannot communicate to the robot. The robot itself is able to connect to the wireless access point. No issues there.

  • Hi,

    that screenshot indicates the robot is communicating with something in a big way. How does the iOS app connect to the robot, obviously not by a direct local connection?

    Ian

  • I have an iRobot sitting behind my UTM-9.x and I had to create a rule to allow 8883 out to allow communication to roomba servers. Make sure that you are not proxying this traffic.


    Hope this helps.

    -Ron

  • Ron and Ian - thank you. 

    I am going to set up these ports on the firewall. https://homesupport.irobot.com/app/answers/detail/a_id/9025/~/optimal-firewall-configurations.

    Quick question. When it says UDP port 5353/5678 - what is the source and destination port? So I would go into services and select UDP. Source port is 5353? and the destination is 5678? Or is that incorrect. 

    I have good feeling once I do the above this should work. 

  • Hi,

    looking at the website that should be two ports. Source can either be * which XG translates to 1:65535 or just 1:65535.


    Ian

  • Ugh - why in the world did iRobot plan this way of communication. What a pain. I added these ports with LAN as source and WAN as the destination. I assigned this rule specific to the robot IP. Still does not work. I see traffic on the rule. Any other suggestions?


  • There is something wrong if you can see traffic on the rule when you should only have the irobot passing traffic?

    Looking at the logviewer can you identify which device is also using that rule because it sounds like the irobot is not using that rule.

    Ian

  • Ahh, finally I see errors in the log for the robot IP.

    Not sure why this is denied. 

  • The above log shows that there is no rule associated so the traffic is denied. Assuming that your iRobot is in your LAN zone try the following:

    • Firewall Rule:
      • Source Zone: LAN    Source Network/Host: <iRobot>
      • Destination Zone: WAN    Destination Network/Host: Any    Service: Any

    Disable all protections and make sure you have your NAT set to MASQ and save. Make sure this is the first rule and test.


    If the above works you can tweak the rule and its position. Keep in mind Sophos XG processes firewall rules in the order you see them, and once it matches a rule all other rules for that connection are no longer processed.


    Hope this helps.

    -Ron
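To make the rule-order point concrete, here is an added example (not from this thread, and not Sophos' own API or code) that models XG's top-down, first-match evaluation as Ron describes it: a Roomba-specific rule placed below a proxied catch-all never fires, placed above it the MQTT port passes untouched, and traffic no rule matches is dropped. The `Rule` model, the 192.0.2.50 address and the catch-all rule are constructed for illustration; the ports are the ones named in the thread.

```python
"""First-match check for the Sophos XG rule order discussed above (constructed model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_hosts: List[str]             # CIDR strings; an empty list means Any
    services: List[Tuple[str, int]]  # (proto, destination port); empty means Any
    proxy: bool = False              # web proxy / protections enabled on this rule


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if (rule.src_zone, rule.dst_zone) != (pkt["src_zone"], pkt["dst_zone"]):
        return False
    src = ip_address(pkt["src_ip"])
    if rule.src_hosts and not any(src in ip_network(n) for n in rule.src_hosts):
        return False
    if rule.services and (pkt["proto"], pkt["dport"]) not in rule.services:
        return False
    return True


def first_match(rules: List[Rule], pkt: dict) -> Optional[Rule]:
    """Rules are tried top-down and the first hit wins; a packet that matches
    no rule is dropped, which is the 'no rule associated' denial seen in the log."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def verdict(rules: List[Rule], pkt: dict) -> str:
    hit = first_match(rules, pkt)
    if hit is None:
        return "dropped: no rule matched"
    return f"{hit.name}: {'proxied' if hit.proxy else 'passed as-is'}"


ROOMBA_IP = "192.0.2.50"                                     # constructed static lease
ROOMBA_SVCS = [("tcp", 8883), ("udp", 5353), ("udp", 5678)]  # ports named in the thread
roomba_rule = Rule("Roomba out", "LAN", "WAN", [f"{ROOMBA_IP}/32"], ROOMBA_SVCS)
general_rule = Rule("LAN to WAN", "LAN", "WAN", [], [], proxy=True)  # constructed catch-all
mqtt = {"src_zone": "LAN", "dst_zone": "WAN", "src_ip": ROOMBA_IP, "proto": "tcp", "dport": 8883}

if __name__ == "__main__":
    print(verdict([general_rule, roomba_rule], mqtt))      # Roomba rule shadowed by the catch-all
    print(verdict([roomba_rule, general_rule], mqtt))      # Roomba rule first, as advised above
    print(verdict([roomba_rule], {**mqtt, "dport": 443}))  # port outside the listed services
```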