The In.Touch 2 hardware has limited diagnostics available, but it does have a blue light which means “connected to the cloud server” and the iOS app will show whether your phone is connecting to the hardware device via a Local connection (e.g. via the same LAN subnet) or a “remote” connection using the cloud server.
After many trials & errors, I’ve narrowed it down to this set of issues:
In firmware 8.5 on a Balance One
With two VLANs (IOT VLAN, and untagged LAN)
If a Gecko In.Touch2 is hooked to an Ethernet Port set to Access for the IOT VLAN
and there is an Outbound Policy is set such that VLAN devices are set to Priority (with WAN2 in front of WAN1)
and there is an internal firewall rule with Source: VLAN network, Destination: Untagged LAN network, action = deny
Then the IOT device can not talk to its cloud server.
I wonder if in firmware 8.5, the first firewall rule is blocking something important (such as DNS?) and by adding the Allow rule, it’s working around that bug?
Hi soylentgreen, I appreciate your input and confirming that there is an issue (bug) in 8.5.0 with IOT devices on a VLAN no longer responding to commands. I don’t have any special Outbound Policy Firewall settings on this VLAN, but I do have these VLAN devices isolated from each other on the WIFI network APs. I have never had a problem with the previous Firmware versions using my WIFI configuration. I always keep my IOT devices isolated. I sure hope there are no data leaks in 8.5.0.
I hope someone is continuing to investigate as I don’t have the time right now to troubleshoot the problem.
Dave
I’m glad I noticed the problem right after I updated the firmware or I may have wasted a lot of time “going down the wrong rabbit hole”…
I’m sure others will discover the problem once they upgrade their firmware.
Hopefully it will be resolved in 8.5.1.
Thanks again,
Dave
@pbawesome , @Daking , @soylentgreen Has anyone raised a ticket with peplink support, I haven’t seen this issue, but perhaps I’m not replicating the problem exactly.
I just had a related bug with outbound policy on a VLAN. I needed a single device enforced to use a single connection, and I put it in the way I always have with the source as the single devices IP, but on 8.5, it would not work. I had to put the entire VLAN subnet as the source before it would work.
Enforce rule. Used many times on many devices, never had an issue before. The source address was in a /29 subnet this time, that was the only difference than “normal”.
@Jonathan_Pitts I have not submitted a ticket. If you want to do some internal testing, here is my setup. Although my system does have WiFi, I can reproduce the issue using only ethernet devices, so I’m not mentioning my WiFi settings.
Balance One with Firmware 8.5.0
WANs: Two. One Static IP with 4 Additional IPs, one DHCP
LANs: untagged LAN 10.0.32.x , guest (IOT) LAN 10.0.64.x. Inter-VLAN routing is ON for both (but see the firewall rule below). Normal DHCP servers on both.
LAN: Bonjour Forwarding is enabled: Service Network: VLAN. Guest network: untagged lan.
Firewall Rules: to prevent the Guest VLAN from talking to the LAN, there is a firewall rule (see above). Protocol: Any: Source: IP Network 10.0.64.0 / 24. Dest: IP Network 10.0.32.0/24.
Outbound Policy: Source: IP Network 10.0.64.1/24. Destination: Any. Protocol: Any. Algorithm: Priority: WAN 2, WAN 1. Terminate session on connection recovery: Disabled.
Network/ Port Settings: Port 4 is set to Speed: Auto. Port Type: Access/ Guest VLAN.
IOT Device: Gecko In.Touch 2 plugged into port 4.
there is a DHCP reservation for my IOT device on the VLAN network
With this test setup, I find that in firmware 8.4.1, my IOT device can connect to its cloud server. With firmware 8.5.0, it fails. I believe this device is UDP only. I’m not sure what the failure is (e.g. DNS? UDP packets being blocked?)
Note: In 8.5.0, if I add another firewall rule which allows the VLAN to connect to the balance one’s IP address on the LAN, this seems to be a workaround (see images above).
I created a ticket 24091109 as I am having connectivity issues with my IOT devices that are on a VLAN. Each time I reboot there are some IOT devices that don’t work.
Inter-VLAN routing has always been turned off as I want the IOT devices isolated.
My configuration has never had issues until firmware 8.5.0.
Rolling back to 8.4.1 has resolved the problems.
