Blue Iris server <> Home Assistant server different VLAN subnet firewall issue for MQTT

May 1, 2019
I actually do try to learn by myself (through trial & error). But this has me stumped.
I have an Ubiquiti UDM router. Let's say I created 2 VLAN subnets: 192.168.1.x and 192.168.4.x
I must have the "new" bullet turned on, along with "established" and "related", in my firewall rule.
When I set the Source to Blue Iris Server (grouped as 192.168.4.2) and port group to MQTT ports (grouped as 1883 and 8883), Blue Iris MQTT test fails:
[attachment: unfi_MQTT.jpg]
[attachment: mqtt_fail.jpg]
----------------------
But when I change Source Blue Iris Server and port group to "any", it works:
[attachment: unifi_any.jpg]
[attachment: mqtt_success.jpg]
-----------------------------
I can see the published topic in my Home Assistant/Node-Red debug output upon success.
I am stumped as to why using the specific MQTT ports 1883/8883 does not work for Source.
And it took me a long time to figure out I had to have "new" in the advanced/states. I know established/related are 99% common for things. I don't know anything about "new" or "invalid".
The Blue Iris SOURCE port could be anything, literally. If you set it to "any", like you show working, it's because you are passing traffic from Blue Iris which is bound for the "Home Assistant" MQTT port. You don't have to worry about which outbound port Blue Iris selects to send the data; it isn't a required rule.

That's a perfectly narrow rule imho. Based on that rule, Blue Iris can only talk to Home Assistant, and only on the MQTT port.
Oooo. I thought it was a mandatory thing to source at port 1883 for MQTT. Learning firewall & port stuff as I go :) Thanks for the info.
BTW, the mandatory inclusion of the "new" state: is that because it's coming from VLAN4 192.168.4.x to the non-VLAN 192.168.1.x?
 
Ah. Thanks for the help @crw030, it made a difference. Made my first Home Assistant / Node-Red home automation flow incorporating Blue Iris, MQTT, and an IP camera. If motion is detected, it turns on the doorway light. It works :) And now the fun begins....
[attachment: first automation.jpg]
 
OK, I don't have the Unifi firewall, but it appears to be used to filter packets (read here: Firewall rule State ? | Ubiquiti Community), which indicates "New" just means the first packet passing between the machines, whereas "Established" means the rule should be applied if there is an existing connection between the hosts on the port, and "Related" seems to be if the two hosts have any kind of established connection already. You probably want "New" (to allow the initial connection between the hosts) and "Established" (since MQTT can be TCP connection based, it just means once a connection is established, keep passing subsequent packets).

Maybe someone familiar with Unifi Firewall can clarify further. pfSense might have something similar and I just haven't stumbled upon it or might handle state differently, still learning my way around it.
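To make both points in this thread concrete (crw030's note that the Blue Iris *source* port is ephemeral and only the *destination* port 1883/8883 should be matched, and the explanation of why "new" must be allowed alongside "established"/"related"), here is a small stateful packet-filter simulation. It is an added example, not UniFi's or Blue Iris's code; the Blue Iris address 192.168.4.2 and the MQTT ports come from the thread, while the Home Assistant broker address 192.168.1.10, the ephemeral port 51234 and the rule names are constructed assumptions. It evaluates the same three rule variants the poster tried against a TCP connect and its reply.

```python
"""Toy stateful packet filter modelled on first-match firewall rules with
new/established state tracking. Addresses, ports and rule names other than
those taken from the thread are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    src: str                            # host or CIDR; "0.0.0.0/0" means any
    dst: str
    src_ports: Optional[FrozenSet[int]]  # None = any source port
    dst_ports: Optional[FrozenSet[int]]  # None = any destination port
    states: FrozenSet[str]               # subset of {"new", "established", "related"}
    action: str = "accept"

    def matches(self, pkt: Packet, state: str) -> bool:
        return (
            ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src, strict=False)
            and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst, strict=False)
            and (self.src_ports is None or pkt.src_port in self.src_ports)
            and (self.dst_ports is None or pkt.dst_port in self.dst_ports)
            and state in self.states
        )


class StatefulFirewall:
    """First matching rule wins; anything unmatched gets the default policy.
    Only "new" and "established" are modelled; "related" (e.g. ICMP errors)
    is accepted by rules that list it but never generated here."""

    def __init__(self, rules: List[Rule], default: str = "drop") -> None:
        self.rules = rules
        self.default = default
        self.conntrack: Set[Tuple[str, int, str, int]] = set()  # accepted flows

    def classify(self, pkt: Packet) -> str:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        state = self.classify(pkt)
        for rule in self.rules:
            if rule.matches(pkt, state):
                if rule.action == "accept" and state == "new":
                    self.conntrack.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return rule.action, rule.name
        return self.default, "default"


BLUE_IRIS = "192.168.4.2"        # from the thread (VLAN4)
HOME_ASSISTANT = "192.168.1.10"  # assumed broker address on the 192.168.1.x network
MQTT_PORTS = frozenset({1883, 8883})
ALL_STATES = frozenset({"new", "established", "related"})


def mqtt_connect(bi_rule: Rule) -> Dict[str, Tuple[str, str]]:
    """Send the first packet of a TCP connect from Blue Iris to the broker and
    the broker's reply through the firewall; return both verdicts."""
    fw = StatefulFirewall([
        bi_rule,
        # catch-all that lets return traffic of already-accepted flows through
        Rule("allow-established", "0.0.0.0/0", "0.0.0.0/0", None, None,
             frozenset({"established", "related"})),
    ])
    syn = Packet(BLUE_IRIS, 51234, HOME_ASSISTANT, 1883)   # 51234: constructed ephemeral port
    reply = Packet(HOME_ASSISTANT, 1883, BLUE_IRIS, 51234)
    return {"syn": fw.filter(syn), "reply": fw.filter(reply)}


# 1. The failing setup: MQTT ports attached to the *source* side of the rule.
WRONG_SOURCE_PORT = Rule("bi-to-ha", BLUE_IRIS, HOME_ASSISTANT, MQTT_PORTS, None, ALL_STATES)
# 2. The narrow rule that works: any source port, MQTT destination ports, all three states.
NARROW_RULE = Rule("bi-to-ha", BLUE_IRIS, HOME_ASSISTANT, None, MQTT_PORTS, ALL_STATES)
# 3. Same rule without "new": the first packet has no conntrack entry yet, so it is dropped.
NO_NEW_STATE = Rule("bi-to-ha", BLUE_IRIS, HOME_ASSISTANT, None, MQTT_PORTS,
                    frozenset({"established", "related"}))

if __name__ == "__main__":
    for label, rule in [("source-port rule", WRONG_SOURCE_PORT),
                        ("dest-port rule", NARROW_RULE),
                        ("dest-port rule, no NEW", NO_NEW_STATE)]:
        print(f"{label:24s} -> {mqtt_connect(rule)}")
```

Running it shows the source-port rule dropping the connect because the client chose port 51234 rather than 1883, the destination-port rule accepting the connect and then passing the reply as "established", and the variant without "new" dropping the very first packet even though every later one would have been allowed.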